Digital Economy: Impacts, Influences and Challenges (2005), part 4
Document information

Title: Digital Economy: Impacts, Influences and Challenges
Author: Volti, Ang, Dubelaar, Lee
Publisher: Idea Group Inc.
Subject: Digital Economy
Type: Article
Year of publication: 2005
Pages: 42



Globalization: E-Business is tied to the future of the Internet worldwide, and it is clear that some of the greatest impact of information-communications systems will be in developing global E-Business, marketplaces and alliances.

Currently, and in the near future, the critical technologies for the E-Business environment are:

• Embedded computing,

• Wireless technology,

• Intelligent agents,

• Open and transparent communications infrastructure,

• Simulation and data visualization.

These developments reshape the management challenges for most of the actors within the digital economy. New technologies of data visualization, simulation techniques and broadband telecommunications platforms will become important E-Business tools (Volti, 2001). E-mail, networked groupwork and intelligent agents will rise in use among all organizations, improving communication and logistical coordination through an e-logistics environment.

Under these terms, a new generation of employees and customers is emerging who have used information technology and the Internet while growing up. Their expectations about media, service, communications and transactions will be vastly different from those of a decade ago, and their behavior patterns will turn out to be the biggest surprise that information technology delivers to business in the next century.

And what are the defining characteristics of E-Business? This is partly defined by the nature of the business activity. Typical features would include:

• A broad range of suppliers and products, with a strong representation of buyers, thus providing a critical mass of participants to establish the market and the liquidity to buy or sell as needed;

• Well-established technical specifications and requirements for participation in the market;

• Quality assurance for the market, with feedback loops regarding product quality, fulfillment history, and financial transactions;

• Paperless transactions with enforceable legal agreements;

• Online contracts with digital signatures to associate authorized agents with specific documents;

• Security of the market, with strong user authentication, high standards for document integrity, transaction security, and preservation of the privacy of the participants' data.

It is evident that the technical expectations imposed by participation in the digital economy will increase. Businesses with high levels of e-competence will have a competitive advantage over those that do not. What are the requirements for successful participation? The answer will change from industry to industry, but the minimal requirements would include a strong telecommunications infrastructure with open Internet connectivity and routine telecommunications services, along with a commitment to modern technical standards, system security, and a transparent legislative and regulatory environment.

Businesses that offer services and have taken the Internet seriously have a responsibility to their customers to offer those services in a secure manner (Ang, Dubelaar & Lee, 2001). With networks increasingly spanning the globe for mission-critical electronic commerce, securing the networks becomes the primary focus. Various technologies and concepts are in place, such as Virtual Private Networks (VPN), Secure Sockets Layer (SSL, since superseded by TLS), Secure Electronic Transactions (SET) and many more, to overcome and mitigate the risks of transacting over the Internet. While the security of operating systems and applications, and physical and logical security, are addressed by the respective organizations, the areas that remain exposed are the networks and communication lines that leave the organization's gates. Security is a fundamental requirement for E-Business applications such as e-mail, purchase orders, the transmission of credit card information and workflow automation using signature-based forms.

Secure and Trustworthy E-Business

The unprecedented global growth of the Internet, the promise of E-Business, and the emergence of mobile business have a profound effect upon the way organizations operate. The digital economy, which leverages the benefits of technological convergence and new business models, offers unparalleled advantages for an immense variety of service providers and their customers in the cyber marketplace. Providers see significant economies in operating in an E-Business environment that has global reach, with the prospect of cost reductions being passed on to the customer. Similarly, for online consumers the Internet offers vastly expanded buyer information and a range of choices that is daunting to comprehend. However, in spite of these apparent benefits, the transition to the digital economy has not been without problems. For many organizations there is continuing uncertainty over which operating model to adopt, and the rather intimidating lessons of some high-profile failures. The global E-Business environment will continue to pose difficult and far-reaching management challenges to the leaders of online businesses. Some of these challenges are already evident and have a profound effect upon the ways of doing business. Among them, and of paramount importance, is the issue of how E-Business can maximize its value to consumers and simultaneously retain their trust and confidence.

It is evident that the biggest barriers to E-Business today come from the perception that people cannot trust the security and authenticity of the E-Business environment. Building consumer trust and confidence requires thoughtful analysis of the nature of the relationship between buyers and sellers. This notion also concerns privacy in the E-Business environment (E-Privacy). In the context of E-Business, E-Privacy has to be established as a core value that connects organizational culture with the best interests of the consumer. The value of E-Privacy can be viewed as an important indicator of business success. Worldwide, many high-profile business failures are attributable to the lack of recognition accorded to E-Privacy and the lack of commitment to it as a consumer issue. The consequences of this oversight can be an erosion of consumer loyalty, negative publicity, and the loss of potential business.

When examining barriers to the implementation of E-Business, numerous studies have singled out consumers' lack of trust as a major factor. Some people reduce the trust problem to one of security, arguing that if security issues are resolved, people will be happy to transact online. However, when the trust problem is broken down into its constituents, privacy, ease of use and the credibility of information on the Web are revealed to be as important to consumers as security.

As far as the introduction of a new e-payment system is concerned, one should not underestimate the power of the media and of reputable institutions in approaching consumers and assuring them of the system's security. Since the average consumer is unlikely to be able to assess the objective security of, say, an encryption algorithm, this issue remains, to a large extent, one of trust, namely trust in familiar information sources. Thus, a well-orchestrated marketing effort would help give consumers enough pre-interactional trust to understand, accept and use the new E-Business system. Absent such trust, security concerns inhibit the free flow of business information required to achieve the full potential of the business benefits promised by E-Business investments.

Lack of trust is a significant problem for any business: the parties involved in E-Business processes must feel trust in the people and companies doing business on the Internet. In many traditional business relationships, trust is based on a combination of judgement or opinion formed in face-to-face meetings, or on the recommendations of colleagues, friends and business partners. However, the E-Business environment generally does not involve human interaction and, therefore, this new context requires a new understanding of trust. Trust must be established and managed continuously across a wide range of E-Business activities.

The basis of trust is in ethics, and the topic is frequently discussed in the context of social and democratic processes (Conte & Castelfranchi, 1995). It is also a fundamental requirement of economic activity, where the behavior of people and organizations takes place under conditions of uncertainty (Jones & Wilikens, 2000). When one party is dependent on the behavior of another party, the uncertainties give rise to risks. The notion of trust within an E-Business environment involves having confidence in the other parties, and hence having an expectation that the risks will not result in financial or any other loss.

The specific application of trust in the E-Business environment involves several key factors:

Identity: the ability to identify a party, good or service and to locate them in physical space, including identification and location services such as digital certificates;

Reputation, and recommendations from parties who are themselves trusted or experienced, and proxies for reputation such as brand names and seals of approval;

Security of the E-Business environment, including transaction data integrity, authentication and non-repudiability, secrecy and privacy, with alternatives that reduce the risk of data disclosure.

E-Business is generally considered to exhibit many of the characteristics that render trust very important. The parties commonly have little or no knowledge of one another. They are also usually in different locations. They therefore cannot depend on physical proximity, handshakes, body signals, a common legal jurisdiction, or even necessarily a definable jurisdiction.

The context of use and the domain of application of the E-Business system being designed should be taken into account. Context of use can be viewed as an important requirement for the design. Different applications require different levels of security: buying food can be done with a credit card under basic cryptographic protection, while electronic banking needs more sophisticated authentication and security mechanisms. Several techniques help in establishing online e-trust:

• Electronic authentication,

• Electronic signature,

• Escrow payment services (online),

• Public Key Infrastructure (PKI).

Trust in E-Business systems is influenced by factors such as anonymity, security, reliability, and the amount of control that the parties have, as well as the reputation of the entity that introduces the system. There are a number of guidelines that address the different facets of security required for E-Business systems in the digital economy. Issues of trust and security are connected to the exchange, storage and management of business and personal information. These guidelines include basic tasks to be done in order to achieve a secure and trustworthy environment:

• Providing a clear and prominent policy on security, with clear visibility of the security techniques employed;

• Explaining the security measures taken in the management and storage of data;

• Establishing a customer support line for security-related issues;

• Supplying regular information updates on changes and upgrades in security;

• Taking into consideration the security issues specific to the type of E-Business system;

• Giving users access to their data, allowing them to change it, and deleting outdated information in a timely manner (this can assist in building trust relations with customers);

• Minimizing the security costs (both financial and temporal) imposed on users;

• Creating a security management culture (by educating employees and implementing strict information handling policies within the company);

• Building a trust policy and a trust recovery plan for the event of a security breach likely to undermine trusted relationships with customers.

From the wealth of information that proliferates on the topics of the Internet, and of e-commerce specifically, there is a consensus on the basic risks. Any transaction or message, financial or otherwise, is subject to these risks. In an ordinary commerce environment, plenty of avenues are available to address them through formal signatures and other mechanisms that ensure secure transactions. The major risks facing the E-Business environment concern the following key issues:

Identity or authenticity of the person: Who sent the message? Does the sender have the authority to bind the organization he or she represents?

Data integrity: Is the message complete, or has it been altered? Can it be shown that a copy of the message has not been altered?

Denial of service: Launch of an attack that would bring down the service.

Non-repudiation: Proving the message in court, ensuring that the sender cannot falsely deny sending the message, and ensuring that the sender cannot falsely deny the contents of the message.

Confidentiality: Ensuring that information is not disclosed to unauthorized parties.

While E-Business flourishes through the Internet, in the digital world laws and statutes must be drafted and enacted to resolve disputes amongst parties. Issues will arise in the courts of law as to whether documents with electronic signatures are valid and as to the extent of reliance that can be placed on third parties. Any secure transaction is sure to have its share of disputes and losses. These may be due to negligence by one of the third parties or by the parties to the transaction, to technological failures, or to any other reason.

If information-communications systems are used for day-to-day business and private interests, to buy consumer goods, submit tax forms or send confidential messages, there will ultimately be a need for a digital identity. Other existing solutions, such as identification using credit card numbers, are simply makeshift solutions being used temporarily in certain areas. Normally speaking, identity is something very complex. It does not merely refer to name, date of birth, color of eyes and all the other features contained in personal identification documents, but also means a person's entire personality, background and integrity.

Digital identity means considerably less than all these everyday meanings: first of all, that a person owns and uses a digital ID, in other words an ID expressed in zeros and ones that can be transmitted via the Internet (or any other data network). This digital ID is also termed an electronic certificate. It confirms not just the name and e-mail address of a person, but may also confirm other information, such as the name of the company where the person is working, and the validity of the digital signature.

When a machine or a person issues someone with a certificate, this is confirmation of the existence of this person, including the name and one or two other details. This identity is invaluable for the entire digital economy: it forms a foundation for trust, though only to the extent that the issuer actually verified those details before issuing the certificate. But whether this person is honest, creditworthy or reliable, or whether the machine is operated by a reputable company, that is, what in fact belongs to identity in the broader sense of the word, remains unknown.

Nevertheless, this manner of ensuring reliability is also indispensable for the digital economy. It is carried out using other means, beyond the scope of electronic signature technologies. In the case of companies with a good Web presence, with a shop system, SSL, credentials, a supplier brand, general terms and conditions, quality labels, etc., this is a good indication of their reliability, and the legislator has provided for legal provisions (remote sales law, EU e-commerce guideline, etc.).

Basic E-Business Legislation and Regulation

Companies doing E-Business are not operating in an unregulated world. The old rules still apply in the new digital environment, and new statutes and regulations aimed at digital violations are quickly emerging. When it comes to regulations, ignorance is not bliss. Advertising, sweepstakes, unsolicited commercial e-mail (spam), trade regulation compliance, securities laws, tax regulatory compliance, and other regulatory issues can all pose significant challenges for E-Business. Doing E-Business in a borderless medium raises special challenges, given that many jurisdictions have inconsistent laws regulating E-Business, e-commerce, e-signatures, etc.

At the core of all E-Business activities is the fundamental question: "Is it legal?" And the answer to that question will depend on what law applies and how online activities are structured. Yet determining what law applies is easier said than done when transactions are being conducted in what is essentially a borderless medium. At the same time, the Internet is profoundly changing the law that applies to these business activities. The law that governed our transactions six months ago may not be the law that governs our transactions today or, even if the prior law is still relevant, it may apply in ways we never contemplated because of legal developments in the interim (Zoellick, 2001). Many countries have already enacted numerous statutes and regulations related to some aspect of E-Business activities. In some cases, these laws represent an experiment designed to anticipate and resolve issues that have not yet arisen, and in other cases they represent significantly conflicting approaches to a common set of issues. The foremost areas of regulation and legislation in the digital economy cover several key issues:

Electronic transactions and contracts (e-commerce): The electronic communication of documents, as well as electronic advertising, contracting, and payment, are clearly the future of e-commerce. Companies have embraced e-commerce in order to decrease costs, streamline transactions, and increase sales. To really do high-value deals online, however, companies must feel confident that the transactions they enter into today will be legally enforceable and binding tomorrow. In the paper-based world, putting a contract on company letterhead and using ink signatures helps to provide that reassurance. Concern over what that means in the digital world has produced an explosion of legislation at national and international levels.

Electronic finance (services, tax and customs): The proper characterization of a transaction for tax purposes is probably the most difficult issue in the taxation of e-commerce. Nevertheless, characterization is critical to determining how an e-commerce transaction will be treated for income tax and consumption tax (VAT) purposes. Local, national, and international tax authorities and organizations are struggling with these concepts and trying to decide whether new legislation will be needed or whether existing rules can be applied to the new concepts.

Intellectual property laws (trademarks, copyrights, and patents): Companies face unprecedented challenges both in protecting their intellectual property worldwide and in minimizing the likelihood that they might be infringing someone else's intellectual property rights (Sang, 2002).

Privacy and personal data protection: Thanks to information-communications systems, it has never been so easy to collect, reproduce, disseminate, and compile personally identifiable information. Organizations have never faced such daunting privacy issues regarding this increasingly indispensable information, and E-Businesses should address the attendant privacy issues in order to avoid legal liability. Given the current media and legal climate, and the fact that the tracking abilities of electronic communications and technology will only increase in the future, concerns about the privacy of electronic communications are recognized in many countries, and many privacy-related bills are now pending on both the national and the international scene.

Information security (cybersecurity, cybercrime): New information and communications technologies give rise to new opportunities for their abuse, which in turn give rise to legal restrictions. This creates the need to legislate against a variety of new abuses and frauds, or old frauds committed in new ways. Cybercrime may cause serious financial damage, and computer-related offences frequently involve more than economic loss. The damage can be wasted time, or the loss of privacy and security. The most significant harm and danger caused by cybercrime is the threat of lost reliability and lost trust in cyberspace. There is another aspect of harmful and dangerous activity within the E-Business environment: the broadcasting of digital content. There is no consensus yet, neither on what kind of content should be prohibited, nor on how it can be handled.

Consumer protection: Considering the functionality and applicability of these issues, it is worth finding one generic key category that links all of these separate issues in one regulated scene. It is obvious that, as a signature means almost everything in the physical world of paper-based business, some kind of instrument that could ensure the security, trust and functionality of E-Business should be introduced. This issue is considered the core category of any national and international regulation in the digital economy: the answer lies in introducing electronic signature equivalence with a handwritten signature, no matter what type of information technology is in use.

Electronic Signature as the Core Category in Digital Economy

Background

For E-Business of any kind (private or public sector) to grow, businesses must implement the use of electronic signatures correctly and legally. With the advent of electronic signatures, E-Business is changing the way we sign and store documents. Thus, any business that wants to succeed in the digital economy must deal with electronic signatures. Signing is an everyday activity wherever a law or other arrangement requires a person's signature. A signature is needed as a means of authentication: to identify the person (the signer), to indicate the person's approval of the information communicated and, thereby, to be legally applicable.

Whether captured on paper or electronically, a signature has a specific legal definition and purpose. The commercial codes (the laws adopted by most countries to govern commercial transactions) define a document as "signed" when it includes any name, word, mark, or symbol executed or adopted by a party with the present intention to authenticate the writing. A signature usually serves several purposes, including authentication and attribution of a document to its signer, a reminder of the significance of the document, evidence that the signer intended the signed document to have legal effect, and an indication that the signed document was intended to be the final version.

In today's digital economy, establishing a framework for the authentication of computer-based information requires familiarity with concepts and professional skills from both the legal and the computer security fields. Combining these two disciplines is not an easy task. Concepts from the information security field often correspond only loosely to concepts from the legal field, even in situations where the terminology is similar.

The historical legal concept of signature is broader. It recognizes any mark made with the intention of authenticating the marked document. In a digital setting, today's broad legal concept of signature may well include markings as diverse as digitized images of paper signatures, typed notations, or even addressing notations such as electronic mail origination headers. A signature is not part of the substance of a transaction, but rather of its representation or form. Signing writings serves the following general purposes:

Evidence: A signature authenticates a writing by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.

Ceremony: The act of signing a document calls to the signer's attention the legal significance of the signer's act, and thereby helps prevent "inconsiderate engagements."

Approval: A signature expresses the signer's approval or authorization of the writing, or the signer's intention that it has legal effect.

Efficiency: A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of the document.

To achieve the basic purposes of signatures outlined above, a signature must have the following attributes:

Signer authentication: A signature should indicate who signed a document, message or record, and should be difficult for another person to produce without authorization.

Document authentication: A signature should identify what is signed, making it impracticable to falsify or alter either the signed matter or the signature without detection.

Signer authentication and document authentication are tools used to exclude impersonators and forgers, and they are essential ingredients of what is often called a non-repudiation service. A non-repudiation service provides assurance of the origin or delivery of data in order to protect the sender against false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent. Thus, a non-repudiation service provides evidence to prevent a person from unilaterally modifying or terminating legal obligations arising out of a transaction effected by computer-based means.
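As an added example (not code from the chapter), the following Go program shows the two attributes above, signer authentication and document authentication, and the non-repudiation evidence they support, using an Ed25519 digital signature from Go's standard library. It also illustrates the identity, integrity and non-repudiation risks listed earlier. The SignedRecord layout, the party names and the sample purchase order are assumptions made for illustration; the point is that an altered record, a changed statement of intent, or a signature produced with someone else's key all fail verification under the claimed signer's public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord is a hypothetical container for a signed electronic record:
// who signed, what they meant by signing, a hash of the exact bytes signed,
// and a public-key signature covering all three fields.
type SignedRecord struct {
	Signer     string
	Intent     string
	RecordHash [sha256.Size]byte
	Signature  []byte
}

// NewSignerKeys creates an Ed25519 key pair for one signer. The private key
// stays with the signer; relying parties only ever hold the public key.
func NewSignerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// toBeSigned derives the bytes the signature covers. Length-prefixing the
// string fields keeps different (signer, intent) pairs from colliding.
func toBeSigned(signer, intent string, recordHash [sha256.Size]byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s|%d:%s|", len(signer), signer, len(intent), intent)
	h.Write(recordHash[:])
	return h.Sum(nil)
}

// SignRecord produces the signer's digital signature over record, binding
// the stated intent and the record's hash to the signer's key.
func SignRecord(priv ed25519.PrivateKey, signer, intent string, record []byte) SignedRecord {
	rec := SignedRecord{Signer: signer, Intent: intent, RecordHash: sha256.Sum256(record)}
	rec.Signature = ed25519.Sign(priv, toBeSigned(signer, intent, rec.RecordHash))
	return rec
}

// VerifyRecord checks both attributes the text requires of a signature:
// document authentication (the record presented is the one hashed at signing)
// and signer authentication (the signature verifies under the claimed
// signer's public key). It reports the first failure it finds.
func VerifyRecord(pub ed25519.PublicKey, rec SignedRecord, record []byte) (bool, string) {
	sum := sha256.Sum256(record)
	if !bytes.Equal(sum[:], rec.RecordHash[:]) {
		return false, "record altered after signing"
	}
	if !ed25519.Verify(pub, toBeSigned(rec.Signer, rec.Intent, rec.RecordHash), rec.Signature) {
		return false, "signature not produced by the claimed signer's key"
	}
	return true, "ok"
}

func main() {
	alicePub, alicePriv := NewSignerKeys()
	_, malloryPriv := NewSignerKeys() // a second party who lacks Alice's key

	// Constructed sample record; any byte string works.
	order := []byte("Purchase order: 10 x widget at 100.00, deliver by 2005-05-01")

	rec := SignRecord(alicePriv, "Alice", "I accept", order)
	fmt.Println(VerifyRecord(alicePub, rec, order))

	// Document authentication: one changed digit in the record is detected.
	altered := []byte("Purchase order: 10 x widget at 190.00, deliver by 2005-05-01")
	fmt.Println(VerifyRecord(alicePub, rec, altered))

	// Signer authentication: a forger can assert Alice's name and intent but
	// cannot produce a signature that verifies under Alice's public key.
	forged := SignRecord(malloryPriv, "Alice", "I accept", order)
	fmt.Println(VerifyRecord(alicePub, forged, order))
}
```

The recipient can check the signature with nothing but Alice's public key, and cannot produce one itself, which is the cryptographic core of non-repudiation. Non-repudiation in the legal sense needs more than this: the private key must have been under the signer's sole control, a trusted binding (a certificate, as the PKI discussion later notes) must tie the key to the person, and a trusted timestamp is usually wanted as well. The code shows only the evidence those arrangements rest on.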

Traditional methods, however, are undergoing fundamental changes that come with the digital economy. Although digital media are in use, documents continue to be written on paper, but sometimes merely to satisfy the need for a legally recognized form. In many instances, the information exchanged to effect a transaction never takes paper form. Computer-based information can also be utilized differently from its paper counterpart. For example, computers can read digital information and transform the information or take programmable actions based on it. Information stored in digital media rather than on paper can travel at near the speed of light, and may be duplicated without limit and at insignificant cost. Although the basic nature of transactions has not changed, the law has only begun to adapt to advances in technology. The legal and business communities must develop rules and practices that use new information technology to achieve and surpass the effects historically expected from paper forms. Electronic signature technology generally surpasses paper technology in all these attributes.

Electronic Signature: Scope and Definition

The term electronic signature could be defined as a sound, symbol or process attached to or logically associated with an electronic record by a person (a signer) with the present intent to authenticate that record. Every software download from the Internet includes reading the licensing agreement and clicking "I accept," where a person is using some kind of electronic signature (the click combined with the person's self-identification creates the signature). If a person places a trade over the phone and verbally confirms that he or she wants to buy or sell stock, the recording of the person's voice could be considered an electronic signature. Digital signatures and images of handwritten signatures also constitute electronic signatures. A handwritten signature signals intent to agree with the terms of a document, and it authenticates, at least in theory, the identity of the signer. Handwritten signatures do not have an exact parallel online. In the electronic world, a person may end up doing the same things in a different way. The authentication may be done up front and the signal of intent may be given later. Authentication, the act of making sure that signers are who they say they are, can be handled online in several ways. A signer can use a digital certificate or smart card, provide a fingerprint or retina scan, or answer additional questions regarding personal identification. A signal of intent may be created online by clicking an "I accept" button, by signing one's name on an electronic signature pad, or by appending a signature image to a document.

Hence, the foregoing definition of electronic signature within most national legislation is a generic, technology-neutral definition, which recognizes that there are many different methods by which a person can sign an electronic record. In all cases, electronic signatures are represented digitally, but they can take many forms, and can be created by many different technologies. Examples of electronic signatures include:

• A name typed at the end of an e-mail message by the sender;

• A digitized image of a handwritten signature that is attached to an electronic document (sometimes created via a biometrics-based technology called signature dynamics);

• A secret code, password, or PIN to identify the sender to the recipient (such as that used with phone cards and credit cards);

• A unique biometrics-based identifier, such as a fingerprint, voice print, or retinal scan;

• A mouse click (such as on an "I accept" button);

• A sound (or voice) intended to convey agreement;

• A digital signature (created through the use of public key cryptography).

Of these, only the last binds the signature cryptographically to the content of the record; the others depend on surrounding evidence (account credentials, session logs, recordings) to establish who signed and what was signed.

There are other ways of signing an electronic document, and presumably many more will be developed in the future. However, all forms of electronic signature must satisfy three requirements:

there must be a digitally mediated symbol or process;

the digitally mediated symbol or process must be logically associated with an electronic record; and

the digitally mediated symbol or process must be made with the intent of a person (the signer) to sign the electronic record.

Forms of Electronic Signature Technology

In an E-Business environment and networked economy, the authentication and identification of parties are vital elements of functionality, operability and security. We should also underline the distinction between authentication and identification.

Authentication refers to the verification of a claimed identity. In other words, the user wishes to log on to a network or service, or to undertake an online transaction, and claims to be a certain person. The authentication process seeks to verify this claim via the provision of a characteristic (PIN, password, token, biometric or other information), or multiple characteristics, known to be associated with the claimed identity. There is therefore a one-to-one matching process involved, as the characteristic in question is matched against the reference associated with the claimed identity, according to predefined threshold criteria in the case of biometrics.

Identification seeks to identify a user from within a population of possible users, according to a characteristic, or multiple characteristics, that can be reliably associated with a particular individual, without an identity being explicitly claimed by the user. There is therefore a one-to-many matching process involved, against a database of relevant data. We should perhaps make a further distinction between identifying an individual from within a known population using relevant characteristics (PIN, password, token, biometrics, etc.) and seeking to identify an individual via connectivity address information. In the latter case, we may correctly identify an address and the name that is registered in association with it, but that does not necessarily guarantee that the same individual undertook a specific transaction (unless robust biometrics have been used across multiple processes).

While the rapid development of new information technologies has improved the ease of access and use of digital information, it has also led to fears that consumer protection, intellectual property rights, privacy and related issues could be eroded by the illegal copying and redistribution of digital media. Mechanisms to protect digital content are seen as a necessary step towards the creation of a global business and commercial information infrastructure. While equipment capable of copying digital content exists in any E-Business environment, some electronic signature technologies are emerging to provide organizations with the desired degree of protection, and to act as a disincentive to information piracy. These technologies relate to:

Watermarking: A technique for embedding hidden data that attaches copyright protection information to a digital object and provides an indication of ownership of the object signed by the watermark.

Fingerprinting: A technique that identifies the recipient of a digital object and its owner, and acts as a deterrent to illegal redistribution by enabling the owner of the digital object to identify the original user of the redistributed copy.

E-Business users are not confident enough in the security of online systems to believe that a hacker can’t break in and steal credentials there. Password lists and credit card lists are stolen regularly from online servers and can just as easily be lifted from unsuspecting users’ machines by malicious software. For instance, the “Love Bug” virus was designed to collect user credentials and mail them out. So shared secret systems, including passwords and biometrics, are inappropriate for use directly as electronic signatures, but we will find that they still have an important indirect role. What we need are credentials that don’t have to be given away to prove an identity or to create a verifiable electronic signature. Fortunately, proven technology that solves these problems is available through the Public Key Infrastructure environment.

Public Key Infrastructure

Security is always a concern with any electronic signature technology. An electronic signature based on asymmetric cryptography (digital signature) is considered superior to a handwritten signature in that it attests to the contents of a message as well as to the identity of the signer. As long as a secure hash function is used, there is almost no chance of taking someone’s signature from one document and attaching it to another, or of altering a signed message in any way. The slightest change in a signed document will cause the digital signature verification process to fail. Thus, public key authentication allows people to check the integrity of signed documents. If a signature verification fails, however, it will generally be difficult to determine whether there was an attempted forgery or simply a transmission error.

Within a Public Key Infrastructure technology environment, an electronic signature is accompanied by the term digital signature – a data item that vouches for the origin and integrity of a document or message (Forno & Feinbloom, 2001). A digital signature is a mechanism employed within a Public Key Cryptosystem that enables the originator of a digital object to generate a signature using encipherment in order to provide the recipient with proof of the authenticity of the digital object’s originator (author).

Public Key Infrastructure uses a digital signature as one type of electronic signature. It is made by asymmetric encryption in order to authenticate the contents of a document, secure its integrity and confidentiality, and attribute it to a particular signatory. When a digital signature is used by Public Key Infrastructure, the document is finalized, encrypted using a private key, and then sealed by attaching a numerical hash file reflecting the contents of the document. Any changes in the document result in a numerical hash file that does not match that of the original document.

Within Public Key Infrastructure, the encrypted document is usually transferred through a third party known as a Certification Authority. The Certification Authority may assist in encrypting the document and in creating the numerical hash file, as well as authenticate the identities of one or more of the parties through the digital certificate, keep a record of the digitally signed document’s unique numerical hash file, and maintain the public key that permits decryption of the document. Taken together, this multistep process constitutes the digital signature.

A digital certificate can be issued by the organization initiating the approval process or by a Certification Authority. A certificate usually contains the holder’s name, a serial number, expiration dates, a private key that signs documents and messages through encryption, and a public key that the recipient uses to decrypt the message. Cryptography binds the digital signature to a document. If someone changes the terms and conditions or prices in that electronic document, the signature will become invalid.

Although digital signatures and the assistance of Certification Authorities can be costly, they provide worthwhile safeguards against electronic document tampering, deception, fraud, and unwanted disclosure, particularly when the stakes are high. Most people consider digital signatures to be the most robust technology available. But the strength of a digital signature depends on the rigor of its registration process. In some cases, a Certification Authority may register new private key holders by simply asking users to type in their email addresses. In other cases, the Certification Authority asks registrants for several pieces of private information, such as Social Security numbers, the last four digits of their driver licenses or the amount of the last check they wrote. If even greater security is called for, registrants could be required to appear in person at the certificate authority’s premises with multiple forms of identification. When this last form of registration is used, electronic signatures made with the assistance of a digital signature are taken as equivalent to handwritten signatures in most national legislation regarding electronic business and electronic commerce.

Figure 1. View of the digital certificate

Public Key Infrastructure strength raises a new issue at the signer side – users (signers) must keep their private keys private. That private key is on a computer or on a smart card and the user has to protect it, otherwise someone could get hold of it and sign with it.

Because electronic signatures within a Public Key Infrastructure environment are created and verified by asymmetric cryptography, they use public-key cryptography, where one key is for creating a digital signature and another key is for verifying a digital signature. These two keys (which form a key pair) are collectively termed an asymmetric cryptosystem. The processes of creating an electronic signature and verifying it through the Public Key Infrastructure accomplish the essential effects desired of a signature for many legal purposes:

Signer authentication: If a public and private key pair is associated with an identified signer, the electronic signature attributes the message to the signer. The electronic signature cannot be forged, unless the signer loses control of the private key, such as by losing the media or device in which it is contained.

Message authentication: The electronic signature also identifies the signed message, typically with far greater certainty and precision than paper signatures. Verification reveals any tampering, since the comparison of the hash results (one made at signing and the other made at verifying) shows whether the message is the same as when signed.

Affirmative act: Creating an electronic signature requires the signer to use the signer’s private key. This act can perform the ceremonial function of alerting the signer to the fact that the signer is consummating a transaction with legal consequences.

Efficiency: The processes of creating and verifying an electronic signature provide a high level of assurance that the electronic signature is genuinely the signer’s. Compared to paper methods (such as checking specimen signature cards - methods so tedious and labor-intensive that they are rarely actually used in practice) digital signatures yield a high degree of assurance without adding greatly to the resources required for processing.

Digital signatures are a reversal of public-key cryptography – data encrypted using a sender’s private key can only be decrypted using the sender’s public key. By obtaining the sender’s public key to decrypt the digital signature, the recipient ensures that the digital signature was generated by the sender’s private key. Anyone with access to the sender’s public key can verify the digital signature. By comparing the hash values generated from the data by the sender and the recipient, the recipient ensures that the data did not change during the transfer.

Can a digital signature be forged? Not likely. It is protected by several layers of highly complex encryption. We like to think that a handwritten signature is unique to the signer and to the pieces of paper which hold it. What if someone produces a good likeness of your handwritten signature? Or, what if on a long contract, someone changes the text of the pages previous to the signature page? In these instances, the signature is valid, but the document has been altered. With digital signatures, forgery is next to impossible – much more difficult than forging a handwritten signature. First, a digital signature is more of a process than just affixing a signature. For example, when the document is “digitally signed,” the digital software scans the document and creates a calculation which represents the document. This calculation becomes part of the “digital signature.” When the recipient authenticates the signature, a similar process is carried out. The sender’s and the receiver’s calculations are then compared. If the results are the same, the signature is valid. If they are different, the signature is not valid.

Figure 2. Digital signature verification

Figure 3. Signed document flow within PKI environment

The process of creating a digital signature in E-Business communication is accomplished by the sender. The verification of the digital signature is performed by the receiver of the digital signature. The example of writing and sending a check illustrates how digital signature technology works.

Digital Signature Creation

Sign: To begin the process, a check must be created. In order to create a digital signature with the check, a process known as a hash function must occur. A hash function is a mathematical algorithm that creates a digital representation or fingerprint in the form of a message digest. The message digest generally has a standard length that is usually much smaller than the message but is nevertheless substantially unique to it. Hash functions ensure that there has been no modification to the check (message) since it was digitally signed. The next step is to encrypt the check and signature. The sender’s digital signature software transforms the hash result into a digital signature using the sender’s private key. The resulting digital signature is thus unique to both the message and the private key used to create it. Typically, a digital signature is appended to its message and stored or transmitted with its message. However, it may also be sent or stored as a separate data element, so long as it maintains a reliable association with its message. Since a digital signature is unique to its message, it is useless if wholly disassociated from its message.

Seal: Since public-key algorithms can be slow to transmit, the next step is to encrypt this information. The check is encrypted with a fast symmetric key (uniquely generated for this occasion) and then the symmetric key is encrypted with the receiver’s public key. Now only the private key of the receiver can recover the symmetric key, and thus decrypt the check. A digital version of the envelope has been created.

Deliver: At this point, the digital envelope is electronically sent to the receiver and the verification process begins.

Digital Signature Verification

Accept: The encrypted digital envelope arrives at the destination.

Open: The receiver of the check decrypts the one-time symmetric key by using the receiver’s private key. Then the check is decrypted using the one-time symmetric key. Once this has been completed, the verification process begins.

Verify: Verification of a digital signature is accomplished by computing a new hash result of the original message. Then, using the sender’s public key and the new hash result, the verifier checks: 1) whether the digital signature was created using the corresponding private key; and 2) whether the newly computed hash result matches the original hash result. The software will confirm the digital signature as verified – the sender’s private key was used to digitally sign the message and the message was unaltered. If the verification cannot be made, the software will identify that verification has failed.
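The sign, seal, deliver, open and verify steps of the check example, carried through in Go as an added example (this is not the chapter's code): SHA-256 with RSA-2048 for the digital signature, AES-256-GCM as the fast one-time symmetric cipher, and RSA-OAEP to wrap that key for the receiver. The Envelope layout, the algorithm choices and the sample check are assumptions of this example, and the signature is bound to the envelope as GCM associated data so that a check altered after the envelope is opened is caught by the signature alone.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is the chapter's "digital envelope"; the field layout is an assumption of this example.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the receiver's public key
	Nonce      []byte // AES-GCM nonce
	Signature  []byte // the sender's digital signature, bound to the ciphertext as GCM associated data
	Ciphertext []byte // AES-GCM encryption of the check
}

// aead builds the fast symmetric cipher (AES-256-GCM) that seals the check.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sign: hash the check to a message digest and transform it into a signature with the sender's private key.
func Sign(senderPriv *rsa.PrivateKey, check []byte) ([]byte, error) {
	digest := sha256.Sum256(check)
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
}

// Seal: encrypt the check under a key generated for this occasion, then wrap that key with the receiver's public key.
func Seal(receiverPub *rsa.PublicKey, signature, check []byte) (*Envelope, error) {
	buf := make([]byte, 44) // buf[:32] is the fresh AES-256 key, buf[32:] the 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	gcm, err := aead(buf[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: buf[32:], Signature: signature, Ciphertext: gcm.Seal(nil, buf[32:], check, signature)}, nil
}

// Open: recover the one-time key with the receiver's private key and decrypt the check.
func Open(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.Signature)
}

// Verify: recompute the digest of the received check and test the signature against the sender's public key.
func Verify(senderPub *rsa.PublicKey, check, signature []byte) bool {
	digest := sha256.Sum256(check)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], signature) == nil
}

// Exchange runs sign, seal, deliver, open and verify for a constructed check; it reports whether the genuine check verifies and whether a copy altered after opening still verifies (it must not).
func Exchange() (bool, bool, error) {
	senderPriv, err1 := rsa.GenerateKey(rand.Reader, 2048)
	receiverPriv, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return false, false, errors.New("RSA key generation failed")
	}
	check := []byte("Pay to: Example Supplier; Amount: 1000.00; Check no. 42") // constructed sample check
	sig, err := Sign(senderPriv, check)
	if err != nil {
		return false, false, err
	}
	env, err := Seal(&receiverPriv.PublicKey, sig, check)
	if err != nil {
		return false, false, err
	}
	recvCheck, err := Open(receiverPriv, env) // Deliver: env would be serialized and sent; here it is handed over in memory
	if err != nil {
		return false, false, err
	}
	altered := bytes.Replace(recvCheck, []byte("1000.00"), []byte("9000.00"), 1) // amount changed on the opened copy
	return Verify(&senderPriv.PublicKey, recvCheck, env.Signature), Verify(&senderPriv.PublicKey, altered, env.Signature), nil
}
```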

An electronic signature is a convenient, timesaving, and secure way of signing electronic documents. An electronic document is any document that is generated or stored on a computer, such as a letter, a contract, or a will. In addition, an electronic document can be an image, such as a blueprint, a survey plat, a drawing, or even a photograph, and an electronic signature can be used to sign these documents. It means that the authenticity of any electronic document can be verified by an e-signature, but only if the document originally was “signed” using an e-signature program (software). Although this sounds complicated, it is a simple process, which may vary slightly with the software in use, and the e-signature software does all the work. The signer selects the signature option, then selects the document, and finally enters a secret Authorization Code. Everything is accomplished electronically. In the PKI environment, a digital certificate is added to the signed document, thus making verification available at any time after the document is signed.

Unfortunately, nobody can actually see the signer’s handwritten signature, and there is no relationship to the signer’s handwritten signature. While there’s more to it behind the scenes, the visible portion of the digital signature is the signer’s name, title and firm name, along with the certificate serial number and the Certification Authority name.

Digital signatures still face some cultural hurdles, such as convincing users to accept a line of hash code instead of a penned name. Several software solutions cover both ideologies by combining a PKI-based digital signature and a pictorial representation of the handwritten signature.

Visible Electronic Signature Protocol is a digital electronic signature protocol that allows the recipient of a secure electronic document to visually confirm the signature of the author and the authenticity of the document, just as with a paper document. A signature image, such as a seal or a written signature, is presented to the end user for verification. This intuitive approach to the digital signature process allows for extremely high confidence in the security and privacy of the encryption-decryption process, and provides for a tamper-resistant way to transmit documents which must remain secure, such as e-commerce orders, contracts, blueprints, surveys, drawings, or photographs. The protocol works by encrypting the signature image.

Figure 4. Verifying a graphically presented e-signature; if the document is changed or the certificate used is not valid, the cross-circled mark is presented to the reader (panels: valid signature; non-valid signature; verifies your signature and document; identifies when a document is modified)

As E-Business searches for more secure authentication methods for user access, e-commerce, and other security applications, it should be noted that the security field uses three different types of authentication:

• something the user knows - a password, PIN, or piece of personal information

• something the user has - a card key, smart card, or token

• something the user is - a biometric

If an E-Business system is carefully constructed, almost any of these technologies could provide industrial-strength e-signatures with a number of additional tools that are not available yet:

Smart Cards

With a digital certificate or smart card protected by a password, there is two-factor authentication - something the owner knows and something the owner has - and that makes e-signature protection stronger. Smart cards have finally entered the public domain and are used in a variety of applications, sometimes without the user being aware that they are actually using a smart card. The smart card itself is simply a plastic card with an integral embedded chip. This provides a degree of tamper resistance and security for the information held within the card. Smart cards may be categorized into two primary types, memory cards or microprocessor cards. Memory cards simply store data and allow that data to be subsequently read from the card. Microprocessor cards, on the other hand, allow for additions and deletions to the data, as well as various manipulations and processing of the data. Smart cards may be further categorized into contact or contactless cards. Contact cards require the card to be physically inserted into a smart card reader. Contactless cards enable the card to be read without physical contact via a radio frequency link with an antenna embedded into the card. There is in fact another type of card called a combination card that combines both contact and contactless technology. This allows for the card to be read by either type of card reader or, alternatively, to be read by both techniques at the same time, enabling a higher degree of security.

Figure 5. Smart card types: contact and contactless

Smart cards support our contemporary networked society via a variety of applications, including network access control, secure payment systems, health care applications, ticketing applications, loyalty and other areas. They may also be used to store digital certificates and passwords and can encrypt sensitive data. Perhaps one of the most visible applications is that of SIM cards used for mobile phones. SIM stands for Subscriber Identification Module, and SIM cards store subscriber information which allows phones to be instantly personalized as well as providing roaming across different networks and devices. The mobile phone SIM card also allows a variety of value-added services to be provided by the telecommunication companies as appropriate. An often referred to aspect of smart card technology is the potential for the multi-application card. The idea of multiple applications via the use of a single card is an attractive one. However, for this to be possible there needs to be a degree of interoperability between cards and applications. This interoperability has so far been rather weak, although there are now various initiatives with the aim of improving this vital aspect of smart card technology. There is of course an ISO standard for smart cards (7816 parts 1-10), although different industry sectors have tended to create their own proprietary versions based around the ISO generic standard. There have also been related initiatives such as the Microsoft PC/SC standard, which was originally for Windows-based systems only, although this has now been opened up to be a cross-platform initiative. Indeed, the PC/SC initiative boasts an impressive membership of several distinguished companies from the computer and telecommunications market place.

Another initiative called OpenCard has similar ambitions to provide interoperability across applications. Perhaps the most interesting development of all in this context is Java Card (Wenderoth, 2001). Java Card provides the potential for Java applets to run right on the card itself, a very interesting capability for those seeking to develop smart card applications. Smart cards are a valuable addition to this world because they interface seamlessly with smart devices and intelligent systems, giving people convenient and direct access to relevant information stored on powerful networks. The portable credentials on the smart card can securely identify and authenticate its owner, across the range of smart devices, providing a consistent means of authorization and digital signature for E-Business transactions. With embedded applications, these reloadable personal data carriers also allow users to tailor applications to fit personal needs. Smart cards are becoming crucial components of the E-Business economy and contribute to the realization of E-Business anytime, anywhere.

Public key cryptography is a critical element in contactless systems. Traditionally, contactless systems have employed little-to-no security, due in large part to the very constrained nature (i.e., size or space limitations) of the token or card. To date, the majority of the security leveraged has been password-based technology, symmetric cryptography for authentication and/or confidentiality services or, in some very limited situations, legacy public key algorithms like RSA. It is clear that no security at all is unacceptable and that password-based systems have very well known management issues and security vulnerabilities.

Currently, the choice for strong security is between symmetric and public key cryptography. Symmetric key cryptography is characterized by the use of a single key to perform both the encryption and decryption of data. The primary weakness of symmetric key cryptography is referred to as the key management problem. Since the same key is used for encryption and decryption, it must be kept secure. Symmetric key cryptography transforms the problem of transmitting messages securely into that of transmitting keys securely. Ensuring that the sender and receiver are using the same key and that potential adversaries do not know this key remains a major stumbling block for symmetric key cryptography. In addition, when a new application is added to a symmetric key-based system, it must be permitted the same level of trust as the existing applications. If this new application (or any other trusted element of a symmetric key system) is compromised, so too is the entire system. In a contactless system that has tens of thousands of tokens or tags, the ramifications of this compromise can be catastrophic.

Public key cryptography overcomes the key management problem by using different encryption and decryption key pairs. This presents a significant advantage because two users can communicate securely without exchanging secret keys (Kozlov & Reyzin, 2003).

Signature Pads

This is a strong way of signaling signer intent because the person is signing in a traditional way. It’s hard for persons (signers) to argue that they didn’t know what they were doing – a signature pad also offers a biometric signature, so it is used to authenticate the signature as well. It is helpful for E-Business to let customers sign applications in their homes electronically. E-signature pads are also used as the biometric mechanism for verifying a hand-written signature against the holder of a pen.

Figure 6. Example of an electronic pad system accepting a written signature for the digitalization process in electronic signature-based applications

Biometrics refers to the automatic identification of a person based on his/her physiological or behavioral characteristics. This technology of identification is preferred over traditional methods involving passwords and PINs (Personal Identification Numbers) for various reasons: the person to be identified is required to be physically present at the point of identification, and there is no need to remember a password/PIN or carry a token. At the same time, biometrics technology can potentially prevent unauthorized access to or fraudulent use of computer networks and information appliances connected to the E-Business environment. PINs and passwords may be forgotten, and tokens may be forged, stolen or lost. Thus biometrics technology is used in two basic ways – as an authentication system or as an identification system. It is worth noting that although biometrics technology provides stronger identification, a biometric identification system based solely on a single identifier (fingerprints, faces, voice or another object) is not able to meet high performance requirements – thus, identification based on multiple biometrics represents an emerging trend.

Security systems use biometrics for two basic purposes: to verify or to identify users (Nanavati, Thieme & Nanavati, 2002). Biometrics measures individuals’ unique physical or behavioral characteristics to recognize or authenticate their identity. Common physical biometrics include fingerprints; hand or palm geometry; and retina, iris, or facial characteristics. E-commerce developers are exploring the use of biometrics and smart cards to more accurately verify a trading party’s identity. For example, many banks are interested in this combination to better authenticate customers and ensure non-repudiation of online banking, trading, and purchasing transactions. Point-of-sale (POS) system vendors are working on the cardholder verification method, which would enlist smart cards and biometrics to replace signature verification (Schaechter, 2002). MasterCard estimates that adding smart-card-based biometrics authentication to a POS credit card payment will decrease fraud by 80 percent.

In the smart card – biometrics convergence process, the biometric information could be represented by a fingerprint (Struif, 2001). During the enrollment phase, a fingerprint template of the user is stored in a secure environment (smart card). For integrity and authenticity purposes, the (hashed) fingerprint is then inserted in an “attribute certificate” and the same smart card also stores an X.509 certificate of the user, which will be used to digitally sign electronic documents. In order to validate the fingerprint-identity pair, two important pieces of information are added to the attribute certificate:

a) the serial number of the smart card - in this way the fingerprint can only be used with that smart card;

b) the serial number of the X.509 user digital certificate - in this way, the fingerprint can only be used together with its owner.

Since fingerprints cannot be lost, duplicated, stolen or forgotten, a smart-card fingerprint reader provides a more reliable and convenient solution than traditional security devices. Security is improved further by storing the fingerprint templates inside a SIM card instead of the computer. This not only provides a more secure environment but it

Posted: 14/08/2014, 22:20