SECURITY OF INFORMATION Digital signatures Cryptography PKI Encryption RSA Algorithm Hash Function CYBERLAWS-Paper –I -LECTURE III Karnika Seth, Partner, Seth Associates


Dec 18, 2015

Transcript
Page 1: SECURITY OF INFORMATION  Digital signatures  Cryptography  PKI  Encryption  RSA Algorithm  Hash Function CYBERLAWS-Paper –I -LECTURE III Karnika.

SECURITY OF INFORMATION Digital signatures Cryptography PKI Encryption RSA Algorithm Hash Function

CYBERLAWS-Paper –I-LECTURE III Karnika Seth, Partner, Seth Associates

Page 2

SECURITY OF INFORMATION

DIGITAL SIGNATURES

Page 3

OVERVIEW

Brief outline of the technology

Business implications

Barriers and future developments

Page 4

Various online Authentication technologies

Click Through, Click Wrap: a signer is asked to affirm intent or agreement by clicking a button.

PIN or password: a signer accesses a system, is requested to enter name and PIN and/or password to "authenticate" and affirms intent to sign at the point signature is applied.

Digitized Signature: a graphical image of a handwritten signature is created by using a special computer input device, such as a digital pen and pad.

Signature Dynamics: a variation on a digitized signature in which each pen stroke is measured (e.g., duration, pen pressure, size of loops, etc), creating a metric.

Shared Private Key (Symmetric) Cryptography: a signer electronically signs a document and the recipient verifies a signature using a single key that is not publicly known but is a shared secret.

Public/Private Key (Asymmetric) Cryptography - Digital Signatures: two (2) mathematically linked keys are generated -- a private signing key and a publicly available validation key.

Page 5

Various online Authentication technologies

Biometrics: a signer’s physical characteristic (fingerprint, retina, voice) is measured by a microphone, optical reader, or some other device; converted into digital form; and then compared with a copy of that characteristic stored in the computer and authenticated beforehand as belonging to the signer.

Smart Card: a plastic card containing an embedded chip that can generate, store, and/or process data. Information from the card's chip is read by security software only when a person enters a PIN, password or biometric identifier.

Page 6

What is a digital signature?

A digital signature is an electronic means of authenticating an online identity.

A digital signature can:

Authenticate the identity of the sender of a message or signer of a document (Authentication of identity)

Encrypt the message so that it can only be read by the intended recipient (Confidentiality of info)

Be used to ensure that the original content of the message is unchanged (Integrity of message)

Make the message attributable to the sender (Non-repudiation)

Be automatically time-stamped

Page 7

Cryptography

The digital signature's functional framework anchors on processes of encryption and decryption for maintaining security, confidentiality and integrity of information exchanged between the parties. This process is known as cryptography.

Page 8

Encryption-Decryption

Encryption is the transformation of data into an unintelligible form that cannot be converted back into the original format without the decryption key.

Cryptographic algorithms are used to transform plain text data into encrypted data. In simple words, the act of transforming the information is called encryption, and the process of transforming the data back into plain text is called decryption.

Page 9

Types of Cryptography

There are two basic types of cryptography: symmetric cryptography and asymmetric cryptography.

In symmetric cryptography a single secret key is used for both encryption and decryption of a message, whereas in asymmetric cryptography encryption and decryption are carried out with an asymmetric key pair consisting of a public and a private key. The public key is made publicly accessible and the private key is to be kept highly confidential.

In an asymmetric cryptosystem, the private key is mathematically related to the public key, and it is computationally infeasible to calculate one key from the other. Hence, the private key cannot be compromised through knowledge of the associated public key. Digital signatures are based on asymmetric public-key cryptography.

Page 10

Symmetric Cryptography

Three examples of symmetric key encryption algorithms are the Data Encryption Standard (DES), Federal Information Processing Standard (FIPS) 46-3; the Advanced Encryption Standard (AES), FIPS 197; and the International Data Encryption Algorithm (IDEA).

Disadvantage of symmetric cryptography: no matter how secure an encryption algorithm (a process of programmed steps and conversions) it uses, the single-key cryptosystem has two inherent security weaknesses. First, the sender and the recipient of the message need to share knowledge of the same secret key, which means that each is required to trust the other not to compromise knowledge which is exclusively known by the two of them. Second, the sender and recipient have a key distribution problem. It is not possible to securely communicate the knowledge of a secret key to both parties who need it without going out of band (using a different channel).

Page 11

Asymmetric public key cryptography

Digital signatures are based on asymmetric public-key cryptography. The concept of digital signatures offers a very attractive alternative to paper-based signatures, as it fulfils all the prime security objectives, namely message authentication, integrity and non-repudiation, which is instrumental in enhancing global trade and e-commerce.

Page 12

Basic Features of Digital Signature

Private key: sender uses the private key to sign the document

Public key: recipient uses the public key to authenticate the document

Message hash algorithm: perform a mathematical calculation on the document and generate a hash value unique to the message

Encryption algorithm: accept the private key and a hash value to generate a digital signature, or accept a public key and a digital signature to generate a hash value

Page 13

How does Digital Signature Work?

[Figure: the document is signed with the private key and sent; the recipient checks the validity of the document with the public key: not tampered]

Page 14

How does Digital Signature work?

Digital signature technology grew out of public key cryptography. In public key cryptography, you have two keys: a private key and a public key. When you send a document to someone, you use your private key to sign the document. When recipients receive the signed document, they use the sender's public key to authenticate the document.

Figure 1 illustrates the digital signature process. Suppose you want to send a digitally signed document to John. After you create the document, you pass it through a message hash algorithm. The algorithm generates a hash of the document that is a checksum of the contents of the document. You then encrypt the message hash with your private key. The result is a digital signature. You append this digital signature to the document to form a digitally signed document, then send it to John.

When John receives the document, he passes the document contents through the same message hash algorithm that you used, and creates a new hash. At the same time, John uses your public key to decrypt your digital signature, thereby converting the signature to the original hash. John then compares the newly generated hash and the original hash. If the hashes match, John can be sure that the document he received is really from you and that no one altered it during transmission. If the hashes don't match, John knows that tampering or a transmission error changed the document contents.

Page 15

Essential steps of the digital signature process

The use of digital signatures usually involves the following steps, performed either by the signatory or by the receiver of the digitally signed message:

STEP 1 - The signatory is the authorized holder of a unique cryptographic key pair;

STEP 2 - The signatory prepares a data message (for example, in the form of an electronic mail message) on a computer;

STEP 3 - The signatory prepares a “message digest”, using a secure hash algorithm. Digital signature creation uses a hash result derived from and unique to the signed message;

STEP 4 - The signatory encrypts the message digest with the private key. The private key is applied to the message digest text using a mathematical algorithm. The digital signature consists of the encrypted message digest;

STEP 5 - The signatory typically attaches or appends its digital signature to the message;

Page 16

Essential steps of the digital signature process

STEP 6 - The signatory sends the digital signature and the (unencrypted or encrypted) message to the relying party electronically;

STEP 7 - The relying party uses the signatory’s public key to verify the signatory’s digital signature. Verification using the signatory’s public key provides a level of technical assurance that the message came exclusively from the signatory;

STEP 8 - The relying party also creates a “message digest” of the message, using the same secure hash algorithm;

STEP 9 - The relying party compares the two message digests. If they are the same, then the relying party knows that the message has not been altered after it was signed. Even if one bit in the message has been altered after the message has been digitally signed, the message digest created by the relying party will be different from the message digest created by the signatory;

STEP 10 - Where the certification process is resorted to, the relying party obtains a certificate from the certification service provider (including through the signatory or otherwise), which confirms the digital signature on the signatory’s message. The certificate contains the public key and name of the signatory (and possibly additional information), digitally signed by the certification service provider.

Page 17

How does Digital Signature Work?

Page 18

RSA Algorithm

There are four major asymmetric algorithms, namely RSA, Diffie-Hellman (DH), the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA).

RSA is named after its inventors (Ron Rivest, Adi Shamir, and Leonard Adleman) in 1977 [RSA1] and uses the concept that factoring a big number is hard. It is published as American National Standards Institute (ANSI) X9.31. The key is generated from two large (about 256 bit) prime numbers multiplied together. The product of these two primes is transmitted along with the public key, but the two prime numbers are kept secret and used for the generation of the private key. If anyone had a method of factoring this very large product they would have enough information to generate the private key. RSA is used for both encryption of messages and digital signatures. Key sizes for RSA usually range from 512 to 1024 bits or larger.

Page 19

SSL

Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system that uses two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:.

Page 20

Important terms

MIME - Multipurpose Internet Mail Extensions.

PEM - Privacy Enhanced Mail. A protocol for exchanging digitally signed and/or encrypted mail that never gained much use.

PGP - Pretty Good Privacy. A protocol for exchanging digitally signed and/or encrypted mail.

RSA - Rivest-Shamir-Adleman. The name of a cryptographic key-exchange algorithm popular in many security protocols. Also the name of the company which controls the US patent on the algorithm.

S/MIME - Secure MIME. A protocol for exchanging digitally signed and/or encrypted mail.

Page 21

Certification Authority

A digital signature ensures that the document originated with the person signing it and that it was not tampered with after the signature was applied.

However, the sender could still be an impersonator and not the person he or she claims to be.

To verify that the message was indeed sent by the person claiming to send it requires a digital certificate (digital ID) which is issued by a trusted third party known as the certification authority (CA).

Page 22

Certification Authority

CAs issue digital certificates after verifying that a public key belongs to a certain owner.

Drivers licenses, identification cards and fingerprints are examples of documentation required.

Some examples of CAs are:

Page 23

Digital Certificate

The digital certificate usually contains the following data:

Owner name, company and address

Owner public key

Owner certificate serial number

Owner validity dates

Certifying company ID

Certifying company digital signature
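As an added example (not code from the lecture), the following Python ties together the hash-then-sign process of Pages 12 and 14-16, the two-prime RSA key generation of Page 18 and the certificate fields of Page 23: the signatory hashes the message with SHA-256 and applies the private key, the relying party recovers the digest with the public key and compares it with a fresh digest of the received message, and STEP 10 is modelled by a CA signing the owner's name, public key, serial number and validity dates, which the relying party checks before trusting the owner's key. The signer "Alice Example", the CA "Demo-CA", the serial number and the dates are constructed, and the unpadded textbook RSA mirrors the lecture's "encrypt the digest with the private key" description only; production signatures add RSASSA-PSS or PKCS#1 v1.5 padding and use vetted libraries.

```python
"""Hash-then-sign with textbook RSA plus a CA-signed certificate. Constructed demo, not the lecture's code."""
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin: True for primes, False for composites (with overwhelming probability)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:                       # write n - 1 = 2**r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2    # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                    # a is a witness that n is composite
    return True

def random_prime(bits):
    """Random odd candidate with the top bit set, retried until it passes Miller-Rabin."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=1024):
    """Page 18: n is the product of two secret primes; d is derived from them. Returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:         # e must be invertible modulo phi
            break
    n = p * q
    d = pow(e, -1, phi)                     # private exponent: modular inverse (Python 3.8+)
    return (n, e), (n, d)

def message_digest(data):
    """STEP 3 / STEP 8: SHA-256 digest of the message as an integer (256 bits, far below n)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data):
    """STEP 4: apply the private exponent to the digest. Unpadded textbook RSA, for illustration only."""
    n, d = private_key
    return pow(message_digest(data), d, n)

def verify(public_key, data, signature):
    """STEP 7-9: recover the digest with the public key and compare it with a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(data)

def certificate_bytes(body):
    """Canonical serialisation of the certificate fields (Page 23) that the CA signs."""
    return "\n".join(f"{key}={body[key]}" for key in sorted(body)).encode()

def issue_certificate(ca_private_key, ca_id, owner, owner_public_key, serial, not_before, not_after):
    """The CA (Page 22) binds the owner's public key to the owner's name and signs that binding."""
    body = {"owner": owner, "public_key_n": owner_public_key[0], "public_key_e": owner_public_key[1],
            "serial": serial, "not_before": not_before, "not_after": not_after, "issuer": ca_id}
    return {"body": body, "ca_signature": sign(ca_private_key, certificate_bytes(body))}

def verify_certificate(cert, ca_public_key, today):
    """Check the validity window (ISO dates compare correctly as strings) and the CA's signature."""
    body = cert["body"]
    if not body["not_before"] <= today <= body["not_after"]:
        return False
    return verify(ca_public_key, certificate_bytes(body), cert["ca_signature"])

def verify_signed_message(cert, ca_public_key, today, message, signature):
    """STEP 10: trust the certificate first, then verify the message with the certified public key."""
    if not verify_certificate(cert, ca_public_key, today):
        return False
    owner_key = (cert["body"]["public_key_n"], cert["body"]["public_key_e"])
    return verify(owner_key, message, signature)

def run_demo(bits=1024):
    """Constructed scenario: signatory 'Alice Example' certified by 'Demo-CA'; names and dates are made up."""
    ca_public, ca_private = generate_keypair(bits)
    alice_public, alice_private = generate_keypair(bits)
    cert = issue_certificate(ca_private, "Demo-CA", "Alice Example, Example Ltd", alice_public,
                             serial=1001, not_before="2015-01-01", not_after="2016-12-31")
    message = b"Pay 100 to Bob"
    signature = sign(alice_private, message)
    tampered = b"Pay 900 to Bob"           # one changed character (STEP 9): the digests no longer match
    return {
        "valid": verify_signed_message(cert, ca_public, "2015-12-18", message, signature),
        "tampered": verify_signed_message(cert, ca_public, "2015-12-18", tampered, signature),
        "expired": verify_signed_message(cert, ca_public, "2017-06-01", message, signature),
    }
```

Calling run_demo() returns {'valid': True, 'tampered': False, 'expired': False}; with 1024-bit keys the pure-Python key generation takes a second or two.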

Page 24

Business Implications of Digital Signature

Commercial Entities: B2C, B2B

Non-commercial Entities: Government, General Society

Page 25

Business Implications of Digital Signature

Advantages of Digital Signature

Prevent fraud

Prevent unauthorised access of data

Preserve data integrity

Page 26

Implications

Wider acceptance of digital signature will lead to:

Greater security in transactions and data integrity over the Internet

Enhancement of e-commerce, thereby leading to greater cost savings and safer information gathering

Greater efficiency in data interchanges between businesses

Page 27

Applications

Contract signing, in areas like:

-Business transactions (e-commerce)

-Banking

-Insurance

Page 28

Example: Finance

Digital signature-based products and services enable financial institutions to leverage their information assets and offer a wider range of services to customers, both consumers and businesses.

E-forms

Easy and inexpensive to create, transmit, handle, manage, store and retrieve

Lessen operational and compliance risks from data transfer

Digital certificates

For bank customers to access banking systems more securely than with usernames and PINs

Page 29

E-government/society

More efficient government admin/support for the public and businesses

Filing of documents by the public

No waiting time and delivery costs

Facilitates handling, processing and storage

E-bids easier to compare

Ease of capturing data directly into spreadsheets for more efficient comparison

Ease of transmission and storage

Government employees filling out many forms

Save time, paper, storage and handling costs

Page 30

Considerations

Barriers against Digital Signature becoming more PERVASIVE:

Technological

Security

Cost

Legal

Social

Page 31

Considerations - Barriers

Technological

No common international standard. Any number of companies will say their digital-signature technology is the safest and best

Security

Security threat always exists

Hackers are constantly finding loopholes or cracking codes

CAs will need to be cross-verified

Page 32

Considerations - Barriers

Cost of Implementation

Subscriber and relying party costs: subscription to certificate, software, training

Companies implementing DS should balance cost against benefit

Page 33

Legal barriers

Legal framework must recognise the legality of digital signature

Dependent on the decision of each jurisdiction

Some jurisdictions might adopt a broad legislation whereas others might apply one that has stricter technological specifications

Contract laws are governed by state/country laws. Since the Internet makes a transaction over it a global one, cross-border transactions need a common legal platform; international efforts should be made

Page 34

Current Legal Developments

International efforts for building a common legal platform

European Union Electronic Signature Directive: In the European Union, the enforceability of electronic transactions is governed by the Electronic Signatures Directive adopted in 1999, and the Electronic Commerce Directive adopted in 2000.

International Chamber of Commerce (ICC) GUIDEC (General Usage in International Digitally Ensured Commerce, November 6, 1997): The GUIDEC aims to draw together the key elements involved in electronic commerce, to serve as an indicator of terms and an exposition of the general background to the issue. It also addresses one of the key problems in talking about electronically signed messages, in that they are not signed physically, but require the intervention of an electronic medium.

OECD Guidelines for Cryptography Policy: the OECD adopted principles to guide countries in formulating their own policies and legislation relating to the use of cryptography.

Page 35

International initiatives

UNCITRAL Model Law on Electronic Signatures in 2001

Internationally, model laws governing the enforceability of electronic transactions have also been developed by the United Nations Commission on International Trade Law (“UNCITRAL”) Working Group on Electronic Commerce, which completed work on its Model Law on Electronic Commerce in 1996, and finalized and approved its Model Law on Electronic Signatures in 2001.

These model laws have served as the basis for legislation enacted in several countries such as Thailand and Mexico.

Page 36

International initiatives

Digital Signature Guidelines – American Bar Association

The "Guidelines" describe a system for ensuring the identity of the holder of a private key, for making digital signatures as usable in commerce and in legal proceedings as a written signature on paper, and for ascribing appropriate responsibility to those engaged in electronic commerce should one of the parties involved deny liability under the transaction.

See for detailed text http://www.abanet.org/scitech/ec/isc/dsgfree.html

Page 37

U.S- E-Sign Act

In the U.S., the enforceability of electronic transactions is primarily governed by the Electronic Signatures in Global and National Commerce Act (“E-SIGN”), a federal law enacted in 2000 that largely preempts inconsistent state law, and the Uniform Electronic Transactions Act (“UETA”), a uniform state law that was finalized by the National Conference of Commissioners on Uniform State Laws (“NCCUSL”) in 1999 and has now been adopted by 40 states.


Page 38

Technology neutral approach

A good example of legislation that provides for a technology neutral approach is the Illinois Electronic Commerce Security Act, which creates a technology neutral class of signatures called “secure electronic signatures.”

A similar approach has been adopted by Alabama and Ohio in the U.S. Countries like Australia, Austria, Bermuda, Canada, Finland, Hong Kong, Ireland, Singapore, Japan, South Korea and the U.K. have enacted “electronic signature” legislation, which is essentially technology neutral. While all electronic signatures are enforceable under this Act, an electronic signature that qualifies as a secure electronic signature enjoys a rebuttable presumption that the signature is that of the person to whom it correlates.

This approach was followed in the European Union Electronic Signature Directive.

Page 39

Technology specific approach

Technology-specific statutes that confer similar legal presumptions on certain cryptographically created “digital signatures” have been enacted in Minnesota, Missouri, Utah, and Washington.

Countries like Argentina, Colombia, Estonia, Germany, India, Italy and Malaysia have enacted “digital signature” legislation, i.e. these legislations are technology specific.

Page 40

IT Act, 2000 - India

The Information Technology Act, 2000-India

In May 2000 the Indian Parliament passed the Information Technology Bill now known as the Information Technology Act, 2000. The Act covers cyber and related information technology laws in India.

This Act seeks to "provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as 'electronic commerce,' which involve the use of alternatives to paper-based methods of communication and storage of information, [and] to facilitate electronic filing of documents with the Government agencies. . "

It establishes the legal validity and enforceability of digital signatures and electronic records, as well as secure digital signatures and secure electronic records.

Page 41

Some important provisions - IT Act, 2000

Digital Signature (Section 2(1)(p)): "Means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3" (using an asymmetric cryptosystem and hash function).

Authentication of electronic records (Section 3) - Digital signatures. (1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature.

(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.

Explanation - For the purposes of this sub-section, "hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible -

to derive or reconstruct the original electronic record from the hash result produced by the algorithm;

that two electronic records can produce the same hash result using the algorithm.

(3) Any person by the use of a public key of the subscriber can verify the electronic record.

(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.

(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.

Page 42

Some important provisions - IT Act, 2000

Legal recognition of digital signatures (section 5): "Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government."

Electronic Record (Section 2(1)(t)): "Means data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer-generated micro-fiche."

Legal recognition of Electronic Record (section 4): "Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is: (a) rendered or made available in an electronic form; and (b) accessible so as to be usable for a subsequent reference."

Page 43

Some important provisions - IT Act, 2000

Secure Electronic Record (Section 14): "Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification."

Secure Digital Signature(Section 15): "If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was: (a) unique to the subscriber affixing it; (b) capable of identifying such subscriber; (c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated, then such digital signature shall be deemed to be a secure digital signature."

Certifying Authority (Section (2(1)(g)): "Means a person who has been granted a license to issue a Digital Signature Certificate under section 24" (issuance of certificates by Controller).

Treatment of Certification Authorities (Chapter VI): This Act authorizes the Central Government to appoint a Controller of Certifying Authorities. The duties of the Controller are listed under Chapter VI of the Act, and include exercising supervision over the activities of certification authorities and delineating the duties of these certification authorities.

Page 44

Certifying authorities

Digital signatures have been accorded legal acceptance by the IT Act. The Controller of Certifying Authorities, set up to implement the IT Act, has issued licenses to four players who can issue digital signatures. These are Safescrypt Limited, National Informatics Centre (NIC), Institute for Development and Research in Banking Technology (IDRBT), and Tata Consultancy Services (TCS).

Page 45

Relevant rules and regulations

In October 2000, the rules for the IT Act, 2000 were also issued; they lay down rules for the manner of authentication of digital signatures, the creation and verification of digital signatures, and the licensing of certifying authorities, and provide for the requisite standards to be met by these authorities, etc.

Later, in July 2001, a set of laws known as the Information Technology (Certifying Authority) Regulations, 2001 were issued by the Government of India. These regulations detail the functioning of the certifying authorities in issuing digital signatures. These rules specify the manner in which information has to be authenticated by means of digital signatures, the creation and verification of digital signatures, licensing of certification authorities and the terms of the proposed licenses to issue digital signatures. The said rules also stipulate security guidelines for certification authorities and maintenance of mandatory databases by the said certification authorities and the generation, issue, term and revocation of digital signature certificates.

Page 46

Considerations - Barriers

Social Digital Divide

Hitting the ‘critical mass’ is important in getting the technology into use

However, slow adoption of IT hinders DS from being widely used

Page 47

Considerations - Barriers

Social Psychological Barriers

Reluctance among people towards using the technology

Some are cultural, some are rooted in ignorance

Some are simply perceptional - physically signing a contract gives you the impression of a formal event and makes you more cautious

Page 48

Future Improvements

Technological, Legal, Social

Technological

Any digital signature standards should be developed globally

Adopting the cutting-edge technology

Stronger encryption algorithm

Biometric identification to further complicate the verification process: retina scanning, fingerprint scanning

Page 49

Future Improvements

Legal

Should protect individuals/businesses in cases of fraud/abuse

Should not favor a particular vendor’s product/technology in its framework - avoiding monopoly

Should leave options open for those who are reluctant to use DS

International efforts to establish a common legal platform should be promoted further

Cross-border dispute resolution procedures must be clearly designed

Page 50

Future Improvements

Social

Government and vendors should take the initiative in educating the public to remove psychological barriers

Accurate information about the technology, framework and its benefits

Consumers should be fully aware of the importance of transaction employing DS

Page 51

Conclusion

Digital Signature plays an important part in e-commerce by providing safety and reliability for e-transactions

Still in its growth stage - many aspects need to be worked out