INTRODUCTION:
In today's commercial environment, establishing a framework for the authentication of computer-based information requires a familiarity with concepts and professional skills from both the legal and computer security fields. Combining these two disciplines is not an easy task. Concepts from the information security field often correspond only loosely to concepts from the legal field, even in situations where the terminology is similar. For example, from the information security point of view, "digital signature" means the result of applying to specific information certain specific technical processes described below. The historical legal concept of "signature" is broader. It recognizes any mark made with the intention of authenticating the marked document.
HISTORY:
It is probably not surprising that the inventors of writing, the Sumerians, were also the inventors of an authentication mechanism. The Sumerians used intricate seals, applied into their clay cuneiform tablets using rollers, to authenticate their writings. Seals continued to be used as the primary authentication mechanism until recent times.
Use of signatures is recorded in the Talmud (fourth century), complete with security procedures to prevent the alteration of documents after they are signed. The Talmud even describes use of a form of "signature card" by witnesses to deeds. The practice of authenticating documents by affixing handwritten signatures began to be used within the Roman Empire in the year AD 439, during the rule of Valentinian III. The subscripto - a short handwritten sentence at the end of a document stating that the signer "subscribed" to the document - was first used for authenticating wills.
The practice of affixing signatures to documents spread rapidly from this initial usage, and the form of signatures (a hand-written representation of one’s own name) remained essentially unchanged for over 1,400 years. It is from this Roman usage of signatures that the practice obtained its significance in Western legal tradition.
When do you need to verify identity?
New ways of verification are being developed daily. Biometrics and other methods keep getting formulated and incorporated into the information technology industry. One interesting biometric authentication mechanism developed by a leading Japanese biometric company has found a way to get your DNA into a pen. You sign a document and it is digitally scanned. This document then can be scanned in the future to verify its authenticity. Identity should be verified when ever there is doubt of the 3rd party being whom they say they are or when there is personal information at risk. Personal information like credit card details and banking information should be kept safe using digital certification as one of the security layers.
Some banking institutions require that a user verifies his/her identity by validating identification credentials using a digital certificate. Important e-mail can also use Digital signatures that verify that the e-mail is from the originating sender and that it has not been tampered with.
On many occasions users are unsure if they are dealing with reputable suppliers of institutions. Digital certification gives the user a sense of legitimacy and formalizes the process. It ensure that the company that the user is dealing with has a registration with a trusted authority and that the transaction is guaranteed to be done with the intended parties.
DIGITAL SIGNATURE:
Digital signatures are a way to ensure the integrity of a message or other data using public key cryptography. Like traditional signatures written with ink on paper, they can be used to authenticate the identity of the signer of the data. However, digital signatures go beyond traditional signatures in that they can also ensure that the data itself has not been altered.
This is like signing a check in such a way that if someone changes the amount of the sum written on the check, an “Invalid” stamp becomes visible on the face of the check.Digital signatures take the concept of traditional paper-based signing and turn it into a digital "fingerprint". This "fingerprint", or coded message, is unique to both the document and the signer.
The digital signature ensures that the signatory is indeed the originator of the message. Any changes made to the document after it was signed invalidate the signature, thereby protecting against forgery. Digital signatures help organizations sustain signer authenticity, accountability, data integrity and non-repudiation of documents and transactions.
Reasons for using digital security.
•It insures by means of verification and validation that the user is whom he/she claims to be. This is done by combine the users credential to the digital certificate and in turn this method uses one point of authentication. '
•Digital certificates insure data Integrity giving the user piece of mind that the message or transaction has not been accidentally or maliciously altered. This is done cryptographically.
•Digital certificates ensure confidentiality and ensure that messages can only be read by authorized intended recipients.
•Digital certificates also verify date and time so that senders or recipients can not dispute if the message was actually sent or received.
The components that a digital signature comprise of
1.Your public key: This is the part that any one can get a copy of and is part of the verification system.
2.Your name and e-mail address: This is necessary for contact information purposes and to enable the viewer to identify the details.
3.Expiration date of the public key: This part of the signature is used to set a shelf life and to ensure that in the event of prolonged abuse of a signature eventually the signature is reset.
4.Name of the company: This section identifies the company that the signature belongs too.
5.Serial number of the Digital ID: This part is a unique number that is bundled to the signature for tracking ad extra identification reasons.
6.Digital signature of the CA (certification Authority): This is a signature that is issued by the authority that issues the certificates.
Signatures and the Law:
A signature is not part of the substance of a transaction, but rather of its representation or form.
Signing writings serve the following general purposes:
•Evidence: A signature authenticates a writing by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.
•Ceremony: The act of signing a document calls to the signer's attention the legal significance of the signer's act, and thereby helps prevent "inconsiderate engagements.
•Approval: In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing, or the signer's intention that it have legal effect.
•Efficiency and logistics: A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document. Negotiable instruments, for example, rely upon formal requirements, including a signature, for their ability to change hands with ease, rapidity, and minimal interruption.
The formal requirements for legal transactions, including the need for signatures, vary in different legal systems, and also vary with the passage of time.
There is also variance in the legal consequences of failure to cast the transaction in a required form. The statute of frauds of the common law tradition, for example, does not render a transaction invalid for lack of a "writing signed by the party to be charged," but rather makes it unenforceable in court, a distinction which has caused the practical application of the statute to be greatly limited in case law.
DIGITAL SIGNATURE WORKS ON THE FOLLOWING PROCESS:
1)A Singing algorithm
2)A key generation algorithm
3)A verification algorithm
METHODS TO CREATE DIGITAL SIGNATURE:
MEHTOD 1:
Digital signatures are created and verified by cryptography, the branch of applied mathematics that concerns itself with transforming messages into seemingly unintelligible forms and back again. Digital signatures use what is known as "public key cryptography," which employs an algorithm using two different but mathematically related "keys;" one for creating a digital signature or transforming data into a seemingly unintelligible form, and another key for verifying a digital signature or returning the message to its original form.
Computer equipment and software utilizing two such keys are often collectively termed an "asymmetric cryptosystem."
The complementary keys of an asymmetric cryptosystem for digital signatures are arbitrarily termed the private key, which is known only to the signer and used to create the digital signature, and the public key, which is ordinarily more widely known and is used by a relying party to verify the digital signature. If many people need to verify the signer's digital signatures, the public key must be available or distributed to all of them, perhaps by publication in an on-line repository or directory where it is easily accessible.
Although the keys of the pair are mathematically related, if the asymmetric cryptosystem has been designed and implemented securely it is "computationally infeasible to derive the private key from knowledge of the public key. Thus, although many people may know the public key of a given signer and use it to verify that signer's signatures, they cannot discover that signer's private key and use it to forge digital signatures. This is sometimes referred to as the principle of "irreversibility."
METHOD 2:
Another fundamental process, termed a "hash function," is used in both creating and verifying a digital signature. A hash function is an algorithm which creates a digital representation or "fingerprint" in the form of a "hash value" or "hash result" of a standard length which is usually much smaller than the message but nevertheless substantially unique to it.
Any change to the message invariably produces a different hash result when the same hash function is used. In the case of a secure hash function, sometimes termed a "one-way hash function," it is computationally infeasible to derive the original message from knowledge of its hash value. Hash functions therefore enable the software for creating digital signatures to operate on smaller and predictable amounts of data, while still providing robust evidentiary correlation to the original message content, thereby efficiently providing assurance that there has been no modification of the message since it was digitally signed.
Thus, use of digital signatures usually involves two processes, one performed by the signer and the other by the receiver of the digital signature:
•Digital signature creation uses a hash result derived from and unique to both the signed message and a given private key. For the hash result to be secure, there must be only a negligible possibility that the same digital signature could be created by the combination of any other message or private key.
•Digital signature verification is the process of checking the digital signature by reference to the original message and a given public key, thereby determining whether the digital signature was created for that same message using the private key that corresponds to the referenced public key.
The creation of a digital signature
In the simplest terms a digital signature is a stream of bits appended to a document. The purpose of a digital signature is to provide assurance about the origin of the message and the integrity of the message contents. When a message with a digital signature is transmitted and received, the following parties are involved:
•
the signer who signs the document;
•
the verifier who receives the signed document and verifies the signature ;
•
the arbitrator who arbitrates any disputes between the signer and the verifier if there is a disagreement on the validity of the digital signature.
Digitally signing a document begins with producing a summary of the document using mathematical functions known as hash functions. Some examples are Message Digest-5 (MD5), Secure Hash Algorithm-1 (SHA-1) and Réseaux IP Européens (RIPE) Message Digest-160 (RIPMED-160). The output of a hash function, a document summary called the hash, always has the same number of bits
e.g. 128 for MD5 and 160 for SHA-1, regardless of the length of the input document. It is obvious that different documents will produce different hashes. It is considered virtually impossible to have an identical hash even from two similar documents.
The hash function is encrypted by the signer using his/her private key and forms the digital signature of the encrypted document.
The verifier receives both the document and the signature, calculates the summary of the document using the same hash function used by the signer. The signature is decrypted using the signer’s public key. The last step is to compare the decrypted summary with the one previously computed by the verifier from the document. If the two summaries are identical then the signature has been verified. The verifier is now sure of the identity of the signer and that the data was not been modified.