Presentation is loading. Please wait.

Presentation is loading. Please wait.

Electronic and Digital Signatures

Similar presentations


Presentation on theme: "Electronic and Digital Signatures"— Presentation transcript:

1 Electronic and Digital Signatures
Richard Warner

2 What Is An Electronic Signature?
An“electronic signature” consists of some string of symbols or characters manifested by electronic means, executed by a party with an intent to authenticate a writing. Examples: the sender’s name typed at the end of an message, a digital image of a handwritten signature attached to an electronic document, a PIN number, and so on. The expression ‘digital signature’ is usually used to refer to a special kind of electronic signature.

3 The Need to Sign Electronically
There is good reasons to have electronic documents signed in a way that allows them to serve the purposes of written documents. Cost: it is a lot cheaper to use electronic documents. Checking example: It costs about $1.10 to process a paper check. It costs about $.10 to process an electronic transfer. There are billions to be saved.

4 The Need for Legal Clarification
There is legal uncertainty about the status of electronic signatures Illinois, for example, has 3000 statutory sections requiring a signed writing. Does an electronic record with an electronic signature satisfy these requirements?

5 What Is A Digital Signature?
A digital signature is an electronic signature that uses a special kind of encryption program. Here is a sample program. The message: “The British are coming!” The encryption instructions: replace every letter with the letter that follows it in the alphabet. This yields: “Uif Csjujti bsf dpnjoh!”

6 Asymmetric Encryption
Digital signatures use a special kind of encryption called asymmetric encryption (or public key encryption). A “key” is just a sequence of numbers. You add it to the message you want to encrypt; then you then apply the encryption program to the message plus the key.

7 Example Example = Message Message + + Key Key Encrypted result
Same message + Different key Different encrypted result Application of the encryption program =

8 Private and Public Keys
Asymmetric encryption uses two keys. The sender uses one to encrypt; the recipient uses one to decrypt. The keys are referred to as the private and public keys. Private key is private in the sense that the key owner makes sure the public does not have access to it. The public key is public in the sense the owner makes it freely available to the public. An example is helpful.

9 How Does A Digital Signature Work?
Suppose Alice wants to digitally sign an . She runs a “hash function” on the message. This turns the message into a sequence of letters and numbers, called the message digest. Each message is associated with a unique message digest. Asymmetric encryption is slow. It is not ideal for encrypting a whole message. So what you encrypt is the much shorter message digest. The point is not secrecy, but signature.

10 Signing the Message Alice runs the encryption program on the combination of the private key and the message digest. She attaches the result to the , and sends it to Bob. She may also attach the public key. This is the signature. To see why it works like a signature, consider what Bob does.

11 Bob’s Response Bob runs the encryption program on the combination of the public key and the message digest. Doing so can only decrypt something encrypted with the private key, so, if decryption is successful, the recipient knows the message came from Alice—or, more exactly, someone in possession of Alice’s private key. We are assuming that Bob knows that the public key is Alice’s. This is the sense in which the message is signed. Like a handwritten signature, the digital signature indicates the message is from the “undersigned.”

12 More Than A Signature Bob then runs the hash function on the message itself. If the result matches the unencrypted message digest, Bob knows that the message was not altered in transmission. This is better than a signature, which does not do anything to indicate that the message was not altered in transmission.

13 Public Keys and Identity
We assumed that Bob knows that the public key he uses is Alice’s. How does he know this? A certification authority verifies that the public key is Alice’s Alice has previously registered with the certification authority, at which time she provided proof of her identity.

14 Cost of Certification Authorities
Certification authorities add cost and complexity When is the cost and complexity justified? When the benefits exceed the costs When is that?

15 Role of Handwritten Signatures
Why do we use handwritten signatures? To avoid fraud; to show that the signer at least saw the document; to secure a signature with recognized legal consequences. Written documents ensure integrity (note: not a function of the signature). Digital signatures make sense where they are needed To ensure legal validity; To ensure message integrity.

16 Fraud Where is there sufficiently likelihood of fraud?
Typically not in: an established relationship; or, in the consumer use of the credit card system in online contracting. Digital signatures have not proven popular in consumer online contracting. You do see a significant use of digital signatures in in large value financial transactions, and in electronic payments systems. But used to establish identity, not to contract.

17 Digital Signature Risks
Inadequate revocation lists In theory, CA’s keep lists of revoked certificates; in practice they do not. In addition, technology is inadequate to allow real time access to these lists Adequately protected private keys Private keys are often stored on hard drives

18 Statutory Treatment There are three types of statute
First: Any electronic symbol will do. Rhode Island: “Electronic signature" means an electronic identifier, created by a computer, and intended by the party using it to have the same force and effect as the use of a manual signature.” Similar approaches in: Colorado, Florida, Illinois, Indiana, Mississippi, New Hampshire, North Carolina, Texas, Virginia.

19 Statutory Treatment Second: the California model of five requirements. A signature must be: (1) unique to the person using it; (2) capable of verification; (3) under the sole control of the person using it; (4) linked to the data in such a way that changes in the data invalidate the signature; (5) in conformity with any other regulations adopted by the Secretary of State.

20 Statutory Treatment Third: The Utah model. This approach refers explicitly to asymmetric encryption, sets up rules for certification authorities, and assigns risk in a variety of eventualities.

21 The E-Sign Statute The Federal E-Sign statute governs some aspects of electronic signatures An “electronic sound, symbol, or process attached to or logically associated with a contract or other record, and executed or adopted by a person with the intent to sign the record.” 15 USC Section 7006(5)

22 Illinois Commerce Security Act
15 USC section 7002(a)(2)(A)(ii) preempts state laws that that are not technology neutral Illinois’s Act favors public key encryption in sections 175/15 – 101 and 105 and is thus preempted Preexisting state legislation is clearly preempted under 15 USC 7002(a)(2)(B)

23 What Illinois May Still Do
It may still require public key encryption for state procurement, 15 USC 7002(b) It may impose stricter state filing requirements than the Federal requirement; this may include requiring public key encryption, 15 USC 7004(a)

24 Effect of E-Sign The effect may be a slower, more decentralized development of electronic signature infrastructure and business practices No Federal mandate for a particular technology, preemption of state mandates Business considerations may of course lead to a rapid development of a particular technology, but it looks like the opposite is happening


Download ppt "Electronic and Digital Signatures"

Similar presentations


Ads by Google