Information Security Software : E-Signatures

E-Commerce (EC)

The conduct of business communication and transactions over networks and through computers. As most restrictively defined, electronic commerce is the buying and selling of goods and services, and the transfer of funds, through digital communications. However, EC also includes all inter-company and intra-company functions (such as marketing, finance, manufacturing, selling, and negotiation) that enable commerce and use electronic mail, EDI, file transfer, fax, video conferencing, workflow, or interaction with a remote computer.

E-signature – The definition

A digital signature is an electronic (code) signature that can be used to authenticate the identity of the sender of a message or the signer of a document and to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.

A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.

A more formal definition: "(I) A value computed with a cryptographic algorithm and appended to a data object in such a way that any recipient of the data can use the signature to verify the data's origin and integrity.

(II) Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient."

Source: IETF (http://www.ietf.org/rfc/rfc2828.txt).

E-signature – How It Works (with PKI)

Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you.

1. You copy-and-paste the contract (it's a short one!) into an e-mail note.

2. Using special software, you obtain a message hash (mathematical summary) of the contract.

3. You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.

4. The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)

At the other end, your lawyer receives the message.

1. To make sure it's intact and from you, your lawyer makes a hash of the received message.

2. Your lawyer then uses your public key to decrypt the message hash or summary.

3. If the hashes match, the received message is valid.
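The sender's and recipient's steps above, worked through in Go with the standard library (an added example, not code from the article). The key pair and contract text are constructed for the demonstration, and the RSA PKCS#1 v1.5 signature operation stands in for the article's "encrypt the hash with the private key"; it also shows what happens when the message is altered or a different party's key is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is the sender's side: hash the message, then apply the private key to the hash (PKCS#1 v1.5 signature).
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the recipient's side: re-hash what arrived and check it against the signature with the
// sender's public key. A changed message or a signature from a different key makes the check fail.
func Verify(pub *rsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// RoundTrip signs a constructed contract and reports the three checks a relying party cares about.
func RoundTrip() (intact, tampered, wrongKey bool, err error) {
	// Constructed key pair; in practice the public half is bound to the signer by a CA-issued certificate.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // some unrelated party's key
	if err != nil {
		return
	}
	contract := []byte("Constructed sample contract: Seller delivers 100 units at 50 EUR each by 30 June.")
	sig, err := Sign(priv, contract)
	if err != nil {
		return
	}
	intact = Verify(&priv.PublicKey, contract, sig)
	altered := []byte("Constructed sample contract: Seller delivers 100 units at 58 EUR each by 30 June.") // one digit changed
	tampered = Verify(&priv.PublicKey, altered, sig)
	wrongKey = Verify(&other.PublicKey, contract, sig)
	return
}

func main() {
	intact, tampered, wrongKey, err := RoundTrip()
	fmt.Println(intact, tampered, wrongKey, err) // true false false <nil>
}
```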

E-signature – The facts we all must know

It is evident from the various definitions of e-signature and the legislation enacted so far that almost everyone has tried to maintain technology independence. Generally, though, PKI is catching on as the popular method of creating e-signatures (digital signatures) worldwide.

PKI has some merits over other methods which are clearly seen as convenient and secure by the industry and businesses deploying such solutions. The convenience of sharing keys, irreversible hashing algorithms, and the association of keys with an individual through a digital certificate issued by a trusted party (a Certificate Authority) have been the main contributors to this winning recipe.

A Certificate Authority (CA) issues a digital certificate using the information provided by the certificate subject: it verifies that information for correctness, digitally signs the certificate, associates it with a public key, and publishes that key through its repository.

Through carefully drafted legal agreements the CA also places all responsibility and liability on the certificate subscribers and relying parties, while most popular internet browsers and e-mail clients provide a mechanism to trust a certificate implicitly or explicitly.

In such scenarios it is very important for everyone to make sure that certificates are trusted and relied upon only if they are issued by a trusted CA and have been validated by the issuing authority as neither expired nor revoked. Adding any certificate explicitly to the trust list maintained by your operating system is no less than committing hara-kiri.

A CA is required to publish its Certificate Policy (CP) and Certificate Practice Statement (CPS) along with other agreements such as the Subscriber's Agreement and the Relying Party's Agreement. Equally important is that all parties understand and know exactly the indemnities and warranties listed in the various legal contracts.

The digital certificate verifies that the key pair used for the digital signature is associated with the person whose information is provided in the certificate. The certificate may also associate a person with an enterprise as an authorized signatory. This demonstrates the total dependence on the trust the relying party must have in the certificate-issuing authority (the issuing CA) and on its ability to get the certificate verified by the CA. It is an accepted fact and recommended best practice not to trust a certificate that cannot be verified for validity; this means the CA must provide online certificate validation in real time. A CA that only provides Certificate Revocation Lists is not good enough for serious business.
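The relying party's check described in the preceding paragraphs, as an added example in Go with the standard crypto/x509 package (not code from the article). The CA, the subscriber certificate it issued, and an unrelated self-signed CA are all constructed in memory with made-up names and serial numbers; the check shows the certificate accepted only when it chains to a deliberately trusted root and is inside its validity period, while revocation status is left to a separate check against the CA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert generates a 2048-bit key pair and issues a certificate for it; a nil issuer means self-signed.
func newCert(name string, serial int64, days int, isCA bool, usage x509.KeyUsage, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // constructed example: a failure here is a setup bug, not a verification result
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage}
	if issuer == nil {
		issuer, issuerKey = tmpl, key // self-signed root: the template signs itself with its own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainsToTrustedRoot is the relying party's check from the article: the certificate must chain to a root that
// was deliberately trusted and be inside its validity period at "at". Revocation still needs a separate CA check.
func ChainsToTrustedRoot(leaf, root *x509.Certificate, at time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Demo: a constructed CA, a subscriber certificate it issued, and an unrelated self-signed CA, checked three ways.
func Demo() (valid, expired, wrongRoot bool) {
	ca, caKey := newCert("Constructed Example CA", 1, 365, true, x509.KeyUsageCertSign, nil, nil)
	other, _ := newCert("Constructed Unrelated CA", 2, 365, true, x509.KeyUsageCertSign, nil, nil)
	sub, _ := newCert("Constructed Subscriber", 3, 30, false, x509.KeyUsageDigitalSignature, ca, caKey)
	valid = ChainsToTrustedRoot(sub, ca, time.Now())
	expired = ChainsToTrustedRoot(sub, ca, time.Now().Add(31*24*time.Hour)) // past the subscriber's 30-day NotAfter
	wrongRoot = ChainsToTrustedRoot(sub, other, time.Now())                  // issuer never added to the trust list
	return
}
```

Demo() returns true, false, false: only the first case passes, which is exactly the outcome the article asks relying parties to insist on.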

Trusting a CA must always be a well-thought-out decision based on good knowledge of the security of the CA itself and of its policies and practices for certificate lifecycle management, hiring of staff, access to sensitive information and areas (physical access), segregation of staff duties, etc. An individual needing to rely on a digital signature should not have to be well-informed about all the legal and contractual intricacies; on the contrary, the individual will be more comfortable if there is some external entity that can audit and accredit the certificate-issuing CA as trustworthy.

Conclusion

There is no doubt that we have come a long way in improving these technologies to give comfort and trust to parties conducting business through electronic documents and transactions from one end of the world to the other; yet there is an even greater need for governance in what is a totally new territory for all of us. And I must also be content with these (web) technologies for providing such convenient ways of researching, collecting information and doing business at a speed that would not have been possible only a few decades ago.


Article Source: ArticlesBase.com - Information Security Software : E-Signatures
