Internet: Security Student Paper: Szabo - California Western

Digital Signature and Authentication

by Karin Szabo

I.  Introduction

1. A digital signature is an alternative to a handwritten signature. Like conventional trade, electronic trade sometimes requires a written contract. For a bigger deal, like the purchase of expensive furniture on credit, you have to sign documents. In this case we have two problems:

Authenticity: The guarantee that the named parties really are who they claim to be; and

Non-Refusal: The guarantee that after the "contract" is signed nobody can allege that he wasn't the one who signed the contract or didn't want it with this content.

2. Digital signatures that are verified by certification authorities through a system of key pair encryption technology provide a means for the recipients of electronic documents to verify the sender's identity and to confirm that the documents have not been altered. Simply stated, a digital signature is a unique combination of letters and numbers generated by a mathematical algorithm, used to encrypt an electronic document through use of a "private key". A private key is one that belongs to a principal, is never revealed to anyone, and is used to encrypt a message digest sent by the principal to anyone.

3. A certification authority establishes a repository of clients and issues both public keys and a unique private key to each. A certification authority can then determine that an electronic document has been sent by a client-sender and that the electronic message is genuine, and can then issue a certificate to that effect. The certification authority also assures transmittal of the document to the client-recipient. Using the same process, a responsive message can be sent.

The arrival and expansion of digital signature technology may be the first occasion for technology and statutory law to move forward virtually hand in hand.


II.  Overview of digital signature technology

1. A secure digital signature is believed to be the key to allowing technology to further revolutionize electronic commerce. It accomplishes this goal in several ways.

2. First, like a handwritten signature, a digital signature should identify a document's signer, and it should be difficult to reproduce without permission.

Second, a digital signature verified by a certification authority ensures the integrity of the document itself, making it impossible or impracticable to alter it or its contents without detection. As a digital signature uses the actual text of the message when formulating the encryption algorithm, the slightest alteration will prevent the message from decrypting properly. A digital signature verified by a certification authority verifies the entire document.

Third, a digital signature verified by a certification authority eliminates the possibility of repudiation by the sender.

Finally, electronic documents can be encoded with a digital time stamp, allowing the transmission time to be ascertained. Such non-repudiation features not only assure the recipient that the sender cannot falsely deny that the document was sent, but also prevent either party from unilaterally altering the terms of an agreement. These technological devices should make electronic document certification a safe and reliable means for ensuring security during an electronic transaction.

3. A digital signature is not a computerized image of a handwritten signature. Rather, a digital signature is a term of art describing a systematic scrambling of characters to guarantee security and authenticity. More specifically, digital signatures are created and verified through the use of cryptography, ensuring the authenticity of an electronic document's content and the sender's identity. The cryptographic process used to create digital signatures is currently known as "public key cryptography". This process involves the use of an algorithm using two distinctly separate but mathematically related "keys" or "key pair". A private key, held only by the sender, is used to generate the digital signature and convert the document into an unintelligible form. A corresponding public key is used to transform the document back to its original form. Reliability and authenticity are thus ensured, because the keys operate together in such a way that the digital signature generated by the private key cannot be practicably decrypted by any key other than the public key belonging to the sender. The sender's public key is made accessible to all who need it by posting on a Web site or some other type of directory or repository provided by the certification authority.

4. Suppose a buyer wanted to send a digitally signed message to a seller. How would the buyer go about doing so? First, the buyer would draft a document and then send it to a mathematical algorithm called a hash function, which would produce a number known as a "hash value" or "hash result". The buyer would next encrypt the hash result with a private key, thus forming the electronic document and digital signature. The document could then be electronically mailed directly to the seller. After receiving the document, the seller can verify the buyer's identity by decrypting the digitally signed document using the buyer's public key.

If successful, the seller most likely can be confident that the buyer is the actual sender of the document.

5. To confirm that the document has not been tampered with, the seller can use the same hash function that the buyer used earlier. If the two hash results match, the document would appear not to have been altered, and the parties can be somewhat assured that the integrity of the document has not been compromised.

For heightened security and reliability, the communication between the seller and the buyer could be sent through the trusted intermediary of a certification authority. Certification authorities have several duties, including key pair management, as well as overseeing issuance, distribution, suspension and revocation of digital certificates. The certification authority acts as a trustworthy third party by assigning key pairs and digital certificates that verify the sender's identity. The certificate identifies the public key as "the subject of the certificate" and verifies that the sender identified by the certificate controls the matching private key. A certificate may typically contain the identity of the issuing certification authority, identification of the subscriber's public key, the subscriber's public key, and the digital signature of the certification authority. It might also contain additional information, such as a certificate's expiration date, a statement of the certification authority's financial responsibility, or the context in which the public key may be used. The certificate is then made available in a repository or on the certification authority's web site. The digitally signed document's recipient may then access the sender's certificate, access a copy of the sender's public key, and decrypt the document. Thus the receiver can rest assured that the sender is indeed who he or she purports to be, and that the document has not been altered.
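The buyer-to-seller exchange from paragraphs 4 and 5, together with the certificate check described above, as an added example that is not part of the original paper. It assumes textbook RSA without padding over SHA-256 and toy keys built from known Mersenne primes so that it runs with the standard library alone; the certificate fields and all function names are hypothetical. A real deployment would use a vetted library, randomly generated keys and a padded scheme such as RSASSA-PSS.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys below

def make_key(p: int, q: int):
    """Return (n, d): public modulus and private exponent for primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys from known Mersenne primes. Not secure keys.
CA_N, CA_D = make_key(2**521 - 1, 2**607 - 1)        # certification authority
BUYER_N, BUYER_D = make_key(2**127 - 1, 2**521 - 1)  # buyer (subscriber)

def hash_result(data: bytes) -> int:
    """Hash function step: any document -> fixed-size hash result."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, d: int, n: int) -> int:
    """Signer: transform the hash result with the private key."""
    return pow(hash_result(data), d, n)

def verify(data: bytes, signature: int, n: int) -> bool:
    """Verifier: recover the hash result with the public key, then compare
    it with a hash freshly computed over the received data."""
    return 0 <= signature < n and pow(signature, E, n) == hash_result(data)

def cert_body(subject: str, n: int) -> bytes:
    """The bytes the CA signs: issuer, subscriber name and public key."""
    return f"issuer=Example CA;subject={subject};public_key_n={n}".encode()

def issue_certificate(subject: str, n: int) -> dict:
    """CA: bind a subscriber name to a public key by signing the binding."""
    return {"subject": subject, "n": n,
            "ca_sig": sign(cert_body(subject, n), CA_D, CA_N)}

def seller_accepts(document: bytes, signature: int, cert: dict) -> bool:
    """Seller: trust the buyer's key only if the CA's signature on the
    certificate verifies, then check the document signature with that key."""
    if not verify(cert_body(cert["subject"], cert["n"]), cert["ca_sig"], CA_N):
        return False  # certificate altered or not issued by this CA
    return verify(document, signature, cert["n"])

if __name__ == "__main__":
    cert = issue_certificate("buyer", BUYER_N)
    order = b"Purchase order: one oak table, payable on credit"  # constructed
    sig = sign(order, BUYER_D, BUYER_N)
    print("genuine order accepted:", seller_accepts(order, sig, cert))
    print("altered order accepted:", seller_accepts(order + b"!", sig, cert))
```

Swapping a different public key into the certificate changes the signed body, so the CA signature no longer verifies and the seller rejects the message before the document signature is even examined.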

Faster working operations, no trips, less paper consumption and greater safety compared to a handwritten signature are the advantages of a digital signature.