1 / 24

Electronic and Digital Signatures

Electronic and Digital Signatures. Richard Warner. What Is An Electronic Signature?.

daw
Download Presentation

Electronic and Digital Signatures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Electronic and Digital Signatures Richard Warner

  2. What Is An Electronic Signature? • An“electronic signature” consists of some string of symbols or characters manifested by electronic means, executed by a party with an intent to authenticate a writing. Examples: the sender’s name typed at the end of an e-mail message, a digital image of a handwritten signature attached to an electronic document, a PIN number, and so on. • The expression ‘digital signature’ is usually used to refer to a special kind of electronic signature.

  3. The Need to Sign Electronically • There is good reasons to have electronic documents signed in a way that allows them to serve the purposes of written documents. • Cost: it is a lot cheaper to use electronic documents. • Checking example: It costs about $1.10 to process a paper check. • It costs about $.10 to process an electronic transfer. • There are billions to be saved.

  4. The Need for Legal Clarification • There is legal uncertainty about the status of electronic signatures • Illinois, for example, has 3000 statutory sections requiring a signed writing. Does an electronic record with an electronic signature satisfy these requirements?

  5. What Is A Digital Signature? • A digital signature is an electronic signature that uses a special kind of encryption program. Here is a sample program. • The message: “The British are coming!” • The encryption instructions: replace every letter with the letter that follows it in the alphabet. • This yields: “Uif Csjujti bsf dpnjoh!”

  6. Asymmetric Encryption • Digital signatures use a special kind of encryption called asymmetric encryption (or public key encryption). • A “key” is just a sequence of numbers. • You add it to the message you want to encrypt; then you then apply the encryption program to the message plus the key.

  7. Example Example Message Message + + Key Key Encrypted result Encrypted result Same message + Different key Different encrypted result Application of the encryption program =

  8. Private and Public Keys • Asymmetric encryption uses two keys. The sender uses one to encrypt; the recipient uses one to decrypt. • The keys are referred to as the private and public keys. • Private key is private in the sense that the key owner makes sure the public does not have access to it. • The public key is public in the sense the owner makes it freely available to the public. • An example is helpful.

  9. How Does A Digital Signature Work? • Suppose Alice wants to digitally sign an e-mail. • She runs a “hash function” on the message. This turns the message into a sequence of letters and numbers, called the message digest. Each message is associated with a unique message digest. • Asymmetric encryption is slow. It is not ideal for encrypting a whole message. • So what you encrypt is the much shorter message digest. • The point is not secrecy, but signature.

  10. Signing the Message • Alice runs the encryption program on the combination of the private key and the message digest. • She attaches the result to the e-mail, and sends it to Bob. • She may also attach the public key. • This is the signature. To see why it works like a signature, consider what Bob does.

  11. Bob’s Response • Bob runs the encryption program on the combination of the public key and the message digest. • Doing so can only decrypt something encrypted with the private key, so, if decryption is successful, the recipient knows the message came from Alice—or, more exactly, someone in possession of Alice’s private key. • We are assuming that Bob knows that the public key is Alice’s. • This is the sense in which the message is signed. Like a handwritten signature, the digital signature indicates the message is from the “undersigned.”

  12. More Than A Signature • Bob then runs the hash function on the message itself. If the result matches the unencrypted message digest, Bob knows that the message was not altered in transmission. • This is better than a signature, which does not do anything to indicate that the message was not altered in transmission.

  13. Public Keys and Identity • We assumed that Bob knows that the public key he uses is Alice’s. How does he know this? • A certification authority verifies that the public key is Alice’s • Alice has previously registered with the certification authority, at which time she provided proof of her identity.

  14. Cost of Certification Authorities • Certification authorities add cost and complexity • When is the cost and complexity justified? • When the benefits exceed the costs • When is that?

  15. Role of Handwritten Signatures • Why do we use handwritten signatures? • To avoid fraud; • to show that the signer at least saw the document; • to secure a signature with recognized legal consequences. • Written documents ensure integrity (note: not a function of the signature). • Digital signatures make sense where they are needed • To avoid fraud; • To ensure legal validity; • To ensure message integrity.

  16. Fraud • Where is there sufficiently likelihood of fraud? • Typically not in: an established relationship; or, in the consumer use of the credit card system in online contracting. • Digital signatures have not proven popular in consumer online contracting. • You do see a significant use of digital signatures in in large value financial transactions, and in electronic payments systems. • But used to establish identity, not to contract.

  17. Digital Signature Risks • Inadequate revocation lists • In theory, CA’s keep lists of revoked certificates; in practice they do not. In addition, technology is inadequate to allow real time access to these lists • Adequately protected private keys • Private keys are often stored on hard drives

  18. Statutory Treatment • There are three types of statute • First: Any electronic symbol will do. Rhode Island: “Electronic signature" means an electronic identifier, created by a computer, and intended by the party using it to have the same force and effect as the use of a manual signature.” • Similar approaches in: Colorado, Florida, Illinois, Indiana, Mississippi, New Hampshire, North Carolina, Texas, Virginia.

  19. Statutory Treatment • Second: the California model of five requirements. A signature must be: (1) unique to the person using it; (2) capable of verification; (3) under the sole control of the person using it; (4) linked to the data in such a way that changes in the data invalidate the signature; (5) in conformity with any other regulations adopted by the Secretary of State.

  20. Statutory Treatment • Third: The Utah model. This approach refers explicitly to asymmetric encryption, sets up rules for certification authorities, and assigns risk in a variety of eventualities.

  21. The E-Sign Statute • The Federal E-Sign statute governs some aspects of electronic signatures • An “electronic sound, symbol, or process attached to or logically associated with a contract or other record, and executed or adopted by a person with the intent to sign the record.” 15 USC Section 7006(5)

  22. Illinois Commerce Security Act • 15 USC section 7002(a)(2)(A)(ii) preempts state laws that that are not technology neutral • Illinois’s Act favors public key encryption in sections 175/15 – 101 and 105 and is thus preempted • Preexisting state legislation is clearly preempted under 15 USC 7002(a)(2)(B)

  23. What Illinois May Still Do • It may still require public key encryption for state procurement, 15 USC 7002(b) • It may impose stricter state filing requirements than the Federal requirement; this may include requiring public key encryption, 15 USC 7004(a)

  24. Effect of E-Sign • The effect may be a slower, more decentralized development of electronic signature infrastructure and business practices • No Federal mandate for a particular technology, preemption of state mandates • Business considerations may of course lead to a rapid development of a particular technology, but it looks like the opposite is happening

More Related