Tuesday, January 1, 2008


President Clinton passed the E-Sign Law in July of 2000 allowing a digital signature to complete a valid enforceable contract, but there is still little done by consumers using digital signatures. A few years ago, someone in my office came to me asking for my help in creating a digital signature. I did some research, found the costs and what technologies might be appropriate, and presented the options to my coworker. It turned out that all my coworker needed was for me to scan a signature from a piece of paper to insert into a Word document. I didn't explain that it wasn't really a digital signature I'd be creating; I just created it. Five-plus years later, I don't think that general consumer knowledge has risen much from where it was back then.

TCP/IP and the Internet in general was not designed to be secure. It was designed to not fail. In order to become secure, layers must be added at higher levels to protect data when it is being handed around the Internet. PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard) are programs that use PKI for encrypting and signing data.

Public Key Infrastructure (PKI) is an application of cryptography. Technology is used to implement cryptography, but cryptography itself is inherently mathematic. Symmetric cryptography involves using one key to both lock and unlock or encode and decode a set of data. The sender and receiver must both have a copy of the same key. Asymmetric cryptography involves a public key and a private key. The public key is passed out to anyone, but the private key must be kept secret. With asymmetric cryptography, one key is used to encrypt or mark a set of data and the other key is used to decrypt or verify that the data sent has not changed. An asymmetric pair of keys can be used for either encryption or a digital signature or both. A symmetric key can only be used for encryption.

A regular, paper-based signature is used to prove to a third party that a transaction has taken place. Likewise, a digital signature is a mathematical operation to a set of data that proves that a message or transaction was enacted by the person who signed it and that it has not been changed.

A message goes through the following when it is encrypted: the message is written, a mathematical hashing operation is used to process the message, it is encrypted using a public key, the message is received and another hash is performed, and the message is decrypted using the receiver's private key.

A digital certificate, often used on websites and other transactions, contains the public key of a certain user or organization and identifying information such as email address, website, phone number, name, expiration date, etc. The digital certificate is signed by the organization or person who issued the certificate. Their certificate is in turn signed by the organization or person who issued their certificate, until a root is reached. Ultimately, it is that root that must be trusted. Each issuer must take the proper steps to verify the identity of an applicant before the digital certificate is issued.

No comments: