Information Security Software : E-Signatures

Written by OSAblog on Sunday, April 26th, 2009

E-Commerce (EC)

Electronic commerce is the conduct of business communication and transactions over networks and through computers. In its most restrictive sense, it is the buying and selling of goods and services, and the transfer of funds, through digital communications. More broadly, EC also covers all inter-company and intra-company functions (such as marketing, finance, manufacturing, selling, and negotiation) that enable commerce and use electronic mail, EDI, file transfer, fax, video conferencing, workflow, or interaction with a remote computer.

E-signature – The definition

A digital signature is an electronic (code) signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document has not been changed since it was signed. Digital signatures are easily transportable, cannot be forged by anyone who does not hold the signer's private key, and can be combined with an automatic time-stamp. Because the recipient can show that a message bearing the sender's signature arrived intact, the sender cannot easily repudiate it later.

A digital signature can be used with any kind of message, encrypted or not, so that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate carries the digital signature of the certificate-issuing authority, so anyone holding that authority's public key can verify that the certificate is genuine and has not been altered.

A more formal definition: “(I) A value computed with a cryptographic algorithm and appended to a data object in such a way that any recipient of the data can use the signature to verify the data’s origin and integrity.

(II) Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient.”

Source: IETF (http://www.ietf.org/rfc/rfc2828.txt).

E-signature – How It Works (with PKI)

Assume you are going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it is unchanged from what you sent and that it really is from you.

1. You copy-and-paste the contract (it's a short one!) into an e-mail note.

2. Using signing software, you compute a message hash (a fixed-length mathematical summary) of the contract.

3. You then sign the hash with your private key. You generated this key pair yourself and keep the private half secret; what you previously obtained from the certificate authority is a certificate for the public half, not the key itself. (For RSA this step is often described as "encrypting the hash with the private key".)

4. The signed hash becomes your digital signature of the message. (Note that it is different for every message, because it is derived from that message's hash.)

At the other end, your lawyer receives the message.

1. To make sure it is intact and from you, your lawyer computes a hash of the received message.

2. Your lawyer then uses your public key to verify the signature, which recovers or checks the hash you signed.

3. If the hashes match, the received message is intact and was signed by the holder of the private key that matches that public key. Whether that key really belongs to you is what your digital certificate establishes.
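The exchange above, as an added example that is not part of the original article: Go code (standard library only) that hashes a constructed sample contract with SHA-256, signs the digest with an RSA key held by the sender, and verifies it on the lawyer's side. It then shows that an altered contract and a signature made with someone else's key are both rejected. The contract text, the 2048-bit key size and the RSA-PSS padding are my choices for the example, not the article's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed sample contract; not taken from the original article.
const contract = "Seller agrees to deliver 100 units to Buyer by 2009-05-31 for USD 10,000."

// GenerateSigningKey creates the signer's key pair locally. The private
// half never leaves the signer; a CA only ever certifies the public half.
func GenerateSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignContract is the sender's side: hash the message (step 2), then sign
// the digest with the private key (steps 3 and 4). RSA-PSS is used here;
// the textbook phrase "encrypt the hash with the private key" describes
// the same operation for plain RSA.
func SignContract(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyContract is the lawyer's side: re-hash what arrived and check the
// signature against the sender's public key. It is true only when the
// content is unchanged AND the signature was made with the matching
// private key.
func VerifyContract(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	msg := []byte(contract)
	sig, err := SignContract(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine contract verifies: ", VerifyContract(&priv.PublicKey, msg, sig))

	// Integrity: change one figure in transit and the hashes no longer match.
	tampered := []byte(strings.Replace(contract, "10,000", "19,000", 1))
	fmt.Println("altered contract verifies: ", VerifyContract(&priv.PublicKey, tampered, sig))

	// Origin: a signature made with someone else's private key does not
	// verify under your public key, so it cannot be passed off as yours.
	other, _ := GenerateSigningKey()
	forged, _ := SignContract(other, msg)
	fmt.Println("forged signature verifies: ", VerifyContract(&priv.PublicKey, msg, forged))
}
```

With RSA-PSS the signature is randomized, so signing the same contract twice yields different bytes that both verify; with the older PKCS#1 v1.5 padding the signature for a given message and key is always the same. In both cases the signature is bound to the message hash, so any change to the contract invalidates it. What this code cannot tell the lawyer is whether `priv.PublicKey` really belongs to you; that binding is the job of the certificate discussed in the next section.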

E-signature – The facts we all must know

It is evident from the various definitions of e-signature, and from the legislation enacted so far, that almost everyone has tried to keep the rules technology-neutral. In practice, however, PKI is becoming the most popular method of creating e-signatures (digital signatures) worldwide.

PKI has merits over other methods that the industry and the businesses deploying such solutions see as both convenient and secure. Public keys that can be shared freely, one-way (irreversible) hash functions, and the binding of a key pair to an individual through a digital certificate issued by a trusted party (a Certificate Authority) are the main ingredients of this winning recipe.

A Certificate Authority (CA) receives the information provided by the certificate subject, verifies it for correctness, issues a digital certificate that binds that information to the subject's public key, digitally signs the certificate, and publishes it through its repository.

Through carefully drafted legal agreements the CA places the responsibility and liability on the certificate subscribers and relying parties, while most popular internet browsers and e-mail clients provide mechanisms to trust a certificate implicitly (through a pre-installed root) or explicitly (by the user adding it).

In such a setting it is very important for everyone to make sure that certificates are only trusted and relied upon if they are issued by a trusted CA and the issuing authority confirms that they are neither expired nor revoked. Explicitly adding an arbitrary certificate to the trust list maintained by your operating system is no less than committing hara-kiri: every certificate that authority ever issues becomes trusted on your machine.

A CA is required to publish its Certificate Policy (CP) and Certification Practice Statement (CPS) along with other agreements such as the Subscriber Agreement and the Relying Party Agreement. Equally important, all parties must understand exactly which indemnities and warranties are listed in these legal contracts.

The digital certificate attests that the key pair used for the digital signature belongs to the person whose information is given in the certificate. The certificate may also associate a person with an enterprise as an authorized signatory. This shows how completely the relying party depends on its trust in the issuing CA and on its ability to have the certificate checked against the CA. It is an accepted fact and recommended best practice not to trust a certificate whose validity cannot be verified, which means the CA must provide online certificate status checking in real time (for example OCSP). A CA that only publishes Certificate Revocation Lists, which are only as fresh as their last publication, is not good enough for serious business.
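The relying-party checks described in the last two paragraphs (trusted issuer, validity period, revocation status) as an added example in Go (standard library only); this is not code from the original article or from any CA product. It builds a small CA, issues subscriber certificates, publishes a CRL, and then validates certificates against a trust store that contains only the CA we deliberately chose, never the operating system's list. Revocation is checked here against a CA-signed CRL, which the article considers insufficient for serious business; an OCSP responder answers the same question in real time, and the same rule applies: no fresh status answer, no trust. All names, serial numbers and the fixed clock are constructed for the example. Requires Go 1.19 or later for the revocation-list API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var now = time.Date(2009, time.April, 26, 12, 0, 0, 0, time.UTC) // fixed clock so runs are reproducible (assumed)

// NewKey generates a P-256 key pair for a CA or a certificate subject.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl for pub with the parent's key (parent == tmpl gives a self-signed certificate).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeCA builds a self-signed CA certificate, the "trusted party" of the article.
func MakeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := NewKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueSignerCert is the CA binding a subject's name to pub for a validity window.
func IssueSignerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, subject string,
	pub *ecdsa.PublicKey, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment}
	return issue(tmpl, ca, pub, caKey)
}

// PublishCRL is the CA's signed revocation list, good for one day in this example.
func PublishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revokedSerials ...int64) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revokedSerials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// ValidateSignerCert is the relying party's check before trusting a signature: the certificate must
// chain to a CA we deliberately chose, be valid at the time of the check, and not be on a fresh CA-signed CRL.
func ValidateSignerCert(cert, trustedCA *x509.Certificate, crlDER []byte, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // only this root; nothing is taken from the OS trust store
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err // unknown issuer, expired, not yet valid, bad signature, ...
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(trustedCA)
	}
	if err != nil {
		return fmt.Errorf("unusable CRL: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %s; refuse to rely on stale revocation data", crl.NextUpdate)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s has been revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	ca, caKey, _ := MakeCA("Example Trusted CA")
	rogue, rogueKey, _ := MakeCA("Rogue CA")
	alice, mallory := NewKey(), NewKey()
	good, _ := IssueSignerCert(ca, caKey, 2, "Alice", &alice.PublicKey, now.Add(-time.Hour), now.AddDate(1, 0, 0))
	revoked, _ := IssueSignerCert(ca, caKey, 3, "Alice", &alice.PublicKey, now.Add(-time.Hour), now.AddDate(1, 0, 0))
	impostor, _ := IssueSignerCert(rogue, rogueKey, 4, "Alice", &mallory.PublicKey, now.Add(-time.Hour), now.AddDate(1, 0, 0))
	crl, _ := PublishCRL(ca, caKey, 3) // the CA has since revoked serial 3
	fmt.Println("valid:   ", ValidateSignerCert(good, ca, crl, now))
	fmt.Println("revoked: ", ValidateSignerCert(revoked, ca, crl, now))
	fmt.Println("rogue CA:", ValidateSignerCert(impostor, ca, crl, now))
}
```

Only the first certificate is accepted. The "Rogue CA" certificate carries the same subject name, "Alice", and is perfectly well formed, but it fails because its issuer is not in the trust store we built; a user who had "explicitly added" that rogue root would have accepted it. Checking the same valid certificate at a later date fails twice over: first the certificate itself is outside its validity period, and if it were not, the day-old CRL would be rejected as stale rather than silently treated as "no revocations".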

Trusting a CA must always be a well-thought-out decision based on good knowledge of the security of the CA itself: its policies and practices for certificate lifecycle management, hiring of staff, access to sensitive information and areas (physical access), segregation of duties, and so on. An individual who needs to rely on a digital signature should not have to be well-informed of all the legal and contractual intricacies; on the contrary, that individual will be more comfortable if some external entity audits and accredits the issuing CA as trustworthy.

Conclusion

There is no doubt that we have come a long way in improving these technologies to give comfort and trust to parties conducting business through electronic documents and transactions from one end of the world to the other; at the same time there is even more need for governance in what is still new territory for all of us. And I must also be content with these (web) technologies for providing such convenient ways of researching, collecting information and doing business at a speed that would not have been possible only a few decades ago.

Article Source:http://www.articlesbase.com/security-articles/information-security-software-esignatures-884093.html
