This paper provides an overview of the technology behind digital signatures, its business implications, and barriers to adoption. It also explores various online authentication technologies and the role of cryptography in maintaining the security, confidentiality, and integrity of exchanged information.
CYBERLAWS-Paper –I-LECTURE III Karnika Seth, Partner, Seth Associates • SECURITY OF INFORMATION • Digital signatures • Cryptography • PKI • Encryption • RSA Algorithm • Hash Function
SECURITY OF INFORMATION DIGITAL SIGNATURES
OVERVIEW • Brief outline of the technology • Business implications • Barriers and future developments
Various online Authentication technologies • Click Through, Click Wrap: a signer is asked to affirm intent or agreement by clicking a button. • PIN or password: a signer accesses a system, is requested to enter name and PIN and/or password to "authenticate" and affirms intent to sign at the point signature is applied. • Digitized Signature: a graphical image of a handwritten signature is created by using a special computer input device, such as a digital pen and pad. • Signature Dynamics: a variation on a digitized signature in which each pen stroke is measured (e.g., duration, pen pressure, size of loops, etc), creating a metric. • Shared Private Key (Symmetric) Cryptography: a signer electronically signs a document and the recipient verifies a signature using a single key that is not publicly known but is a shared secret. • Public/Private Key (Asymmetric) Cryptography - Digital Signatures: two (2) mathematically linked keys are generated -- a private signing key and a publicly available validation key.
Various online Authentication technologies • Biometrics: a signer's physical characteristic (fingerprint, retina, voice) is measured by a microphone, optical reader, or some other device; converted into digital form; and then compared with a copy of that characteristic stored in the computer and authenticated beforehand as belonging to the signer. • Smart Card: a plastic card containing an embedded chip that can generate, store, and/or process data. Information from the card's chip is read by security software only when a person enters a PIN, password or biometric identifier.
What is a digital signature? • A digital signature is an electronic means of authenticating an online identity and the data the signature is attached to • A digital signature can: • Authenticate the identity of the sender of a message or signer of a document (Authentication of identity) • Ensure that the original content of the message is unchanged, because any alteration after signing invalidates the signature (Integrity of message) • Make the message attributable to the sender, who cannot later deny having signed it (Non-repudiation) • A digital signature by itself does not encrypt the message: confidentiality requires separately encrypting the message, for example with the recipient's public key, and a trustworthy time of signing requires a time-stamp from a trusted time-stamping service rather than the signer's own clock
Cryptography • The functional framework of digital signatures is anchored on cryptographic processes, hashing, signing and verifying and, where confidentiality is required, encryption and decryption, for maintaining the security, confidentiality and integrity of information exchanged between the parties. The science of these transformations is known as cryptography.
Encryption-Decryption • Encryption is the transformation of data into an unintelligible form that cannot be converted back into its original form without the decryption key. • Cryptographic algorithms are used to transform plaintext data into encrypted data (ciphertext). In simple words, the act of transforming the information is called encryption and the process of transforming the ciphertext back into plaintext is called decryption.
Types of Cryptography • There are two basic types of cryptography: symmetric cryptography and asymmetric cryptography. • In symmetric cryptography a single secret key is used for both encryption and decryption of a message, whereas in asymmetric cryptography encryption and decryption are carried out with an asymmetric key pair consisting of a public and a private key. The public key is made publicly accessible and the private key is to be kept highly confidential. • In an asymmetric cryptosystem the private key is mathematically related to the public key, but it is computationally infeasible to calculate one key from the other. Hence the private key cannot be compromised through knowledge of the associated public key. Digital signatures are based on asymmetric public-key cryptography.
Symmetric Cryptography • Three examples of symmetric key encryption algorithms are the Data Encryption Standard (DES), Federal Information Processing Standard (FIPS) 46-3, the Advanced Encryption Standard (AES), FIPS 197, and the International Data Encryption Algorithm (IDEA). DES has since been withdrawn (FIPS 46-3 was withdrawn in 2005) because its 56-bit key can be recovered by brute force; AES is the current standard. • Disadvantage of symmetric cryptography: no matter how secure the encryption algorithm (a process of programmed steps and conversions), a single-key cryptosystem has two inherent security weaknesses. First, the sender and the recipient of the message need to share the same secret key, which means that each is required to trust the other not to compromise knowledge that is exclusively known to the two of them; and because either party can produce a valid tag with that key, a shared-key "signature" cannot prove to a third party which of the two actually sent the message (no non-repudiation). Second, the sender and recipient have a key distribution problem: it is not possible to communicate the secret key securely to both parties who need it without going out of band (using a different, already trusted channel).
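The shared-key "signature" described in the authentication-technologies list and its weakness described above, as an added example (not from the lecture) using only Python's standard library: both parties hold the same key, so a tag proves only that someone holding the key produced it, which is exactly why the recipient can mint a tag the sender never made. The key and messages are constructed for the demonstration.

```python
"""Added example: a shared-key "signature" is a message authentication code.

HMAC-SHA256 gives the two key holders integrity and origin authentication,
but not non-repudiation: the recipient holds the same key and can forge a
tag on any message and attribute it to the sender.  The key below is
constructed for the demo; in practice it must be distributed out of band.
"""
import hashlib
import hmac

# Constructed 128-bit shared secret (never hard-code a real key).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mac_sign(key: bytes, message: bytes) -> bytes:
    """Sender side: tag = HMAC-SHA256(key, message)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recipient side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac_sign(key, message), tag)


def forge_as_recipient(key: bytes, message: bytes) -> bytes:
    """The recipient holds the same key, so the tag it produces is
    indistinguishable from one the sender made: no third party can tell
    which of the two key holders 'signed' the message."""
    return mac_sign(key, message)


if __name__ == "__main__":
    original = b"Transfer 100 to account 42"   # constructed sample message
    altered = b"Transfer 900 to account 42"
    tag = mac_sign(SHARED_KEY, original)
    print("genuine message verifies:", mac_verify(SHARED_KEY, original, tag))
    print("altered message verifies:", mac_verify(SHARED_KEY, altered, tag))
    forged_tag = forge_as_recipient(SHARED_KEY, altered)
    print("recipient-forged tag verifies:", mac_verify(SHARED_KEY, altered, forged_tag))
```

The altered message fails verification (integrity holds), but the tag the recipient forges on the altered message verifies just as well as a genuine one, which is the non-repudiation gap that asymmetric digital signatures close.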
Asymmetric public key cryptography • Digital signatures are based on asymmetric public-key cryptography. • Digital signatures offer a very attractive alternative to paper-based signatures because they fulfil the prime security objectives of message authentication, integrity and non-repudiation, which is instrumental in enhancing global trade and e-commerce.
Basic Features of Digital Signature • Private key: the sender uses the private key to sign the document • Public key: the recipient uses the sender's public key to verify the signature on the document • Message hash algorithm: performs a mathematical calculation on the document and generates a hash value unique to the message • Signature algorithm: accepts the private key and a hash value to generate a digital signature, or accepts a public key and a digital signature and recovers the hash value for comparison (in RSA this is the same modular exponentiation used for encryption, which is why the slides describe it as an encryption algorithm)
[Figure 1: How does Digital Signature Work? Labels on the diagram: Document, Private Key, Send, Public Key, Check validity of document, Not tampered]
How does Dig sig work? • Digital signature technology grew out of public key cryptography. In public key cryptography, you have two keys: a private key and a public key. When you send a document to someone, you use your private key to sign the document. When recipients receive the signed document, they use the sender's public key to verify the signature and so authenticate the document. • Figure 1 illustrates the digital signature process. Suppose you want to send a digitally signed document to John. After you create the document, you pass it through a message hash algorithm. The algorithm generates a hash of the document, a fixed-length fingerprint of its contents. You then apply your private key to the message hash (the slides call this "encrypting" the hash; in RSA the signing operation is the same modular exponentiation used for encryption, with appropriate padding in real implementations). The result is a digital signature. You append this digital signature to the document to form a digitally signed document, then send it to John. • When John receives the document, he passes the document contents through the same message hash algorithm that you used and creates a new hash. At the same time, John applies your public key to your digital signature, thereby recovering the original hash. John then compares the newly generated hash and the original hash. If the hashes match, John can be sure that the document was signed with your private key and that no one altered it during transmission; that the public key really belongs to you is what a certificate (discussed below) establishes. If the hashes don't match, John knows that tampering or a transmission error changed the document contents, or that the signature was not made with the key matching the public key he used.
Essential steps of the digital signature process • The use of digital signatures usually involves the following steps, performed either by the signatory or by the receiver of the digitally signed message: • STEP 1 - The signatory is the authorized holder of a unique cryptographic key pair; • STEP 2 - The signatory prepares a data message (for example, in the form of an electronic mail message) on a computer; • STEP 3 - The signatory prepares a "message digest", using a secure hash algorithm. Digital signature creation uses a hash result derived from and unique to the signed message; • STEP 4 - The signatory applies the private key to the message digest. The private key is applied to the message digest using a mathematical algorithm (commonly described as "encrypting" the digest). The digital signature consists of the transformed message digest; • STEP 5 - The signatory typically attaches or appends its digital signature to the message;
Essential steps of the digital signature process • STEP 6 -The signatory sends the digital signature and the (unencrypted or encrypted) message to the relying party electronically; • STEP 7- The relying party uses the signatory’s public key to verify the signatory’s digital signature. Verification using the signatory’s public key provides a level of technical assurance that the message came exclusively from the signatory; • STEP 8- The relying party also creates a “message digest” of the message, using the same secure hash algorithm; • STEP 9- The relying party compares the two message digests. If they are the same, then the relying party knows that the message has not been altered after it was signed. Even if one bit in the message has been altered after the message has been digitally signed, the message digest created by the relying party will be different from the message digest created by the signatory; • STEP 10-Where the certification process is resorted to, the relying party obtains a certificate from the certification service provider (including through the signatory or otherwise), which confirms the digital signature on the signatory’s message. The certificate contains the public key and name of the signatory (and possibly additional information), digitally signed by the certification service provider.
RSA Algorithm • Four widely used asymmetric algorithms are RSA, Diffie-Hellman (DH), the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA). • RSA is named after its inventors (Ron Rivest, Adi Shamir, and Leonard Adleman), who devised it in 1977 [RSA1], and relies on the fact that factoring a large number into its prime factors is hard. Its use for digital signatures is standardised as American National Standards Institute (ANSI) X9.31. The key pair is generated from two large prime numbers of roughly equal size that are multiplied together. The product (the modulus n) is published as part of the public key together with the public exponent, while the two primes are kept secret and used to derive the private key. Anyone who could factor the modulus would have enough information to compute the private key. RSA is used both for encryption of messages and for digital signatures. At the time of this lecture key sizes of 512 to 1024 bits were common; 512-bit moduli have since been factored in practice and 1024-bit keys are no longer considered adequate, so 2048 bits is the usual minimum today.
SSL • Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a public-key cryptosystem to set up a connection: the server's public key is known to everyone and its private key is known only to the server, and the session data is then protected with symmetric keys negotiated under that public key. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http. SSL has since been superseded by Transport Layer Security (TLS); all SSL versions are deprecated and should no longer be enabled.
Important terms • MIME - Multipurpose Internet Mail Extensions. • PEM - Privacy Enhanced Mail. A protocol for exchanging digitally signed and/or encrypted mail that never gained much use. • PGP - Pretty Good Privacy. A protocol for exchanging digitally signed and/or encrypted mail. • RSA - Rivest-Shamir-Adleman. The name of a public-key algorithm, used for encryption, key transport and digital signatures, that is popular in many security protocols. Also the name of the company that held the US patent on the algorithm (the patent expired in 2000). • S/MIME - Secure MIME. A protocol for exchanging digitally signed and/or encrypted mail.
Certification Authority • A digital signature ensures that the document was signed by the holder of the private key matching the verifying public key and that it was not tampered with after the signature was applied. • However, the holder of that key could still be an impersonator who generated a key pair in someone else's name. • To verify that the public key, and so the message, really belongs to the person claiming to send it requires a digital certificate (digital ID) issued by a trusted third party known as the certification authority (CA).
Certification Authority • CAs issue digital certificates after verifying that a public key belongs to a certain owner. • Driver's licenses, identification cards and fingerprints are examples of documentation required. • Some examples of CAs are:
Digital Certificate • The digital certificate usually contains the following data: • Owner name, company and address • Owner public key • Certificate serial number • Certificate validity dates (not before / not after) • Certifying company (issuer) ID • Certifying company digital signature over all of the above
Business Implications of Digital Signature Commercial Entities: • B2C • B2B Non-commercial Entities: • Government • General Society
Business Implications of Digital Signature Advantages of Digital Signature • Prevent fraud • Prevent unauthorised access of data • Preserve data integrity
Implications • Wider acceptance of digital signature will lead to • Greater security in transactions and data integrity over the Internet • Enhancement of e-commerce, thereby leading to greater cost savings, safer information gathering • Greater efficiency in data interchanges between businesses
Applications • Contract signing • Areas like: -Business transactions (e-commerce) -Banking -Insurance
Example: Finance • Digital signature-based products and services enable financial institutions to leverage its information assets and offer a wider range of services to customers, both consumers and businesses. • E-forms • Easy and inexpensive to create, transmit, handle, manage, store and retrieve • Lessen operational and compliance risks from data transfer • Digital certificates • For bank customers to access banking systems more securely than username and pins
E-government/society • More efficient G admin/support for public and businesses • Filing of Documents by the Public • No waiting time and delivery costs • Facilitates handling, processing and storage • E-bids easier to compare • Ease of capturing data directly to spreadsheets for more efficient comparison. • Ease of transmission and storage • G Employees filling out many forms • Save time, paper, storage and handling costs.
Considerations • Barriers against Digital Signature to be more PERVASIVE • Technological • Security • Cost • Legal • Social
Considerations - Barriers • Technological • No common international standard. Any number of companies will say their digital-signature technology is the safest and best • Security • A security threat always exists • Attackers are constantly finding loopholes or breaking implementations • CAs will need to cross-certify one another so that certificates issued by one are trusted by relying parties of another
Considerations - Barriers • Cost of Implementation • Subscriber and relying party costs • Subscription to certificate • Software • Training • Companies implementing DS should balance cost against benefit
Legal barriers • Legal • Legal framework must recognise the legality of digital signatures • Dependent on the decision of each jurisdiction • Some jurisdictions might adopt broad legislation whereas others might apply legislation with stricter technological specifications • Contract law is governed by state/country laws • Since the Internet makes a transaction over it a global one, cross-border transactions need a common legal platform; international efforts should be made
Current Legal Developments International Efforts for building a common legal platform • European Union • Electronic Signature Directive- In the European Union, the enforceability of electronic transactions is governed by the Electronic Signatures Directive adopted in 1999, and the Electronic Commerce Directive adopted in 2000 • International Chamber of Commerce (ICC) • GUIDEC -- General Usage in International Digitally Ensured Commerce (November 6, 1997) The GUIDEC aims to draw together the key elements involved in electronic commerce, to serve as an indicator of terms and an exposition of the general background to the issue. It also addresses one of the key problems in talking about electronically signed messages, in that they are not signed physically , but require the intervention of an electronic medium • OECD • adopted Guidelines for Cryptography Policy • principles to guide countries in formulating their own policies and legislation relating to the use of cryptography
International initiatives • UNCITRAL Model Law on Electronic Signatures in 2001 • Internationally, model laws governing the enforceability of electronic transactions have also been developed by the United Nations Commission on International Trade Law (“UNCITRAL”) Working Group on Electronic Commerce, which completed work on its Model Law on Electronic Commerce in 1996, and finalized and approved its Model Law on Electronic Signatures in 2001. • These model laws have served as the basis for legislation enacted in several countries such as Thailand and Mexico.
International initiatives • Digital Signature Guidelines – American Bar Association • The "Guidelines" describe a system for ensuring the identity of the holder of a private key, for making digital signatures as usable in commerce and in legal proceedings as a written signature on paper, and for ascribing appropriate responsibility to those engaged in electronic commerce should one of the parties involved deny liability under the transaction. • See for detailed text http://www.abanet.org/scitech/ec/isc/dsgfree.html
U.S. - E-SIGN Act • In the U.S., the enforceability of electronic transactions is primarily governed by the Electronic Signatures in Global and National Commerce Act ("E-SIGN"), a federal law enacted in 2000 that largely preempts inconsistent state law, and the Uniform Electronic Transactions Act ("UETA"), a uniform state law that was finalized by the National Conference of Commissioners on Uniform State Laws ("NCCUSL") in 1999 and had, at the time of this lecture, been adopted by 40 states.
Technology neutral approach • A good example of legislation that provides for a technology neutral approach is the Illinois Electronic Commerce Security Act, which creates a technology neutral class of signatures called "secure electronic signatures." While all electronic signatures are enforceable under this Act, an electronic signature that qualifies as a secure electronic signature enjoys a rebuttable presumption that the signature is that of the person to whom it correlates. • A similar approach has been adopted by Alabama and Ohio in the U.S. Countries like Australia, Austria, Bermuda, Canada, Finland, Hong Kong, Ireland, Singapore, Japan, South Korea and the U.K. have enacted "electronic signature" legislation, which is essentially technology neutral. • This approach was also followed in the European Union Electronic Signatures Directive.
Technology specific approach • Technology-specific statutes that confer similar legal presumptions on certain cryptographically created "digital signatures" have been enacted in Minnesota, Missouri, Utah, and Washington. • Countries like Argentina, Colombia, Estonia, Germany, India, Italy and Malaysia have enacted "digital signature" legislation, i.e. legislation that is technology specific.
IT Act,2000-India • The Information Technology Act, 2000-India • In May 2000 the Indian Parliament passed the Information Technology Bill now known as the Information Technology Act, 2000. The Act covers cyber and related information technology laws in India. • This Act seeks to "provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as 'electronic commerce,' which involve the use of alternatives to paper-based methods of communication and storage of information, [and] to facilitate electronic filing of documents with the Government agencies. . " • It establishes the legal validity and enforceability of digital signatures and electronic records, as well as secure digital signatures and secure electronic records.
Some important provisions – IT Act, 2000 • Digital Signature (Section 2(1)(p)): "Means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3" (using an asymmetric cryptosystem and hash function). • Authentication of electronic records (Section 3), Digital signatures: (1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature. (2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record. Explanation: For the purposes of this sub-section, "hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible: • to derive or reconstruct the original electronic record from the hash result produced by the algorithm; • that two electronic records can produce the same hash result using the algorithm. • (3) Any person by the use of a public key of the subscriber can verify the electronic record. (4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.
Some important provisions – IT Act, 2000 • Legal recognition of digital signatures (Section 5): "Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government." • Electronic Record (Section 2(1)(t)): "Means data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer generated micro-fiche." • Legal recognition of Electronic Record (Section 4): "Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is: (a) rendered or made available in an electronic form; and (b) accessible so as to be usable for a subsequent reference."
Some important provisions – IT Act, 2000 • Secure Electronic Record (Section 14): "Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification." • Secure Digital Signature (Section 15): "If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was: (a) unique to the subscriber affixing it; (b) capable of identifying such subscriber; (c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated, then such digital signature shall be deemed to be a secure digital signature." • Certifying Authority (Section 2(1)(g)): "Means a person who has been granted a license to issue a Digital Signature Certificate under section 24" (issuance of licenses by the Controller). • Treatment of Certifying Authorities (Chapter VI): This Act authorizes the Central Government to appoint a Controller of Certifying Authorities. The duties of the Controller are listed under Chapter VI of the Act, and include exercising supervision over the activities of certifying authorities and delineating the duties of these certifying authorities.
Certifying authorities • Digital signatures have been accorded legal acceptance by the IT Act. The Controller of Certifying Authorities, set up to implement the IT Act, had at the time of this lecture issued licenses to four players who can issue digital signature certificates. These are Safescrypt Limited, National Informatics Centre (NIC), Institute for Development and Research in Banking Technology (IDRBT), and Tata Consultancy Services (TCS).
Relevant rules and regulations • In October 2000, the rules under the IT Act, 2000 were also issued; they lay down the manner of authentication by digital signatures, the creation and verification of digital signatures, the licensing of certifying authorities and the requisite standards to be met by these authorities, etc. • Later, in July 2001, a set of regulations known as the Information Technology (Certifying Authority) Regulations, 2001 was issued by the Government of India. These regulations detail the functioning of the certifying authorities in issuing digital signature certificates. They specify the manner in which information has to be authenticated by means of digital signatures, the creation and verification of digital signatures, the licensing of certifying authorities and the terms of the licenses to issue digital signature certificates. The said rules also stipulate security guidelines for certifying authorities, the maintenance of mandatory databases by the said certifying authorities, and the generation, issue, term and revocation of digital signature certificates.
Considerations - Barriers • Social • Digital Divide • Hitting the ‘critical mass’ is important in getting the technology into use • However, slow adoption of IT hinder DS from being widely used
Considerations - Barriers • Social • Psychological Barriers • Reluctance among people towards using the technology • Some are cultural, some stem from ignorance • Some are simply perceptual: physically signing a contract gives you the impression of a formal event and makes you more cautious
Future Improvements • Technological • Legal • Social • Technological • Any digital signature standards should be developed globally • Adopting cutting-edge technology • Stronger encryption algorithms and longer keys • Biometric identification to strengthen the verification process (biometrics identify the person; they supplement rather than replace the cryptographic key) • Retina scanning • Fingerprint scanning
Future Improvements • Legal • Should protect individuals/businesses in cases of fraud/abuse • Should not favor a particular vendor’s product/technology in its framework - avoiding monopoly • Should leave options open for those who are reluctant to use DS • International efforts to establish a common legal platform should be promoted further • Cross-border dispute resolution procedures must be clearly designed
Future Improvements • Social • Government and vendors should take the initiative in educating the public to remove psychological barriers • Accurate information about the technology, its framework and its benefits • Consumers should be fully aware of the importance of transactions employing DS