What are digital signatures

an article added by: Frank C. at 06032007



Digital signatures

There is nothing complicated about digital signatures: they simply act as a means of verification. However, the ramifications of this can be far-reaching, writes Bart Vansevenant, at GlobalSign.

The potential of business opportunities and enhanced customer convenience services offered by the Internet is phenomenal. From home banking to network shopping and online information subscription services, security remains a growing concern. Key questions that are asked include:

- How do I know that the other party is indeed the person or organisation that he or she claims to be? (authentication)
- Can I be sure that nobody can read the communication or transaction that travels over the Internet? (confidentiality)
- Can I be sure that nobody can change the information that I send electronically? (integrity)
- As a business, can I be sure that a customer that deals with me electronically cannot deny its online transactions? (non-repudiation)

Digital certificates and digital signatures, combined with encryption, can answer these important questions and thus secure communications, transactions and access control.

What are digital signatures?

Like the signature you use on written documents, digital signatures are now being used to identify authors and co-signers of email or electronic data. Digital signatures are created with a private key and verified with the matching public key; a digital certificate is what ties that public key to a named person or organisation. To understand what digital certificates are we need to take a closer look at cryptography.

Cryptography is the science of transforming information you can read (plaintext) into information someone else cannot read. In this process information is coded (encryption) to stop it from being read by anyone but the intended recipient. It may be intercepted, but it will not be intelligible to someone without the ability to decode (decrypt) the message. Encryption and decryption require both a mathematical procedure (an 'algorithm') to convert data between readable and encoded formats, and a key.

There are two types of cryptography: symmetric (or 'secret key') and asymmetric (or 'public key'). Symmetric key cryptography is characterised by the fact that the same key used to encrypt the data is used to decrypt it. Clearly, this key must be kept secret among the communicating parties, otherwise the communication can be intercepted and decrypted by others. Until the mid-1970s, symmetric cryptography was the only form of cryptography publicly known, so the same secret had to be shared by all individuals participating in any application that provided a security service. This changed when Whitfield Diffie and Martin Hellman introduced the notion of 'public key cryptography' in 1976.

Digital signatures use public key cryptography. In such a system each party holds a pair of keys: a public key and a private key. In RSA, the best-known example of such a system, a message transformed with one key of the pair can only be reversed with the other. Although the two keys are mathematically related, it is computationally infeasible to derive the private key from the public key, so knowing the public key does not let anyone duplicate or forge the private key. Therefore it is safe to openly distribute your public key for everyone to use, but it is essential that your private key remains closely guarded and secret: every guarantee described below rests on that one assumption, which is why private keys are so often kept on a smart card or other protected hardware. The public key can be used to verify a message signed with the private key, or to encrypt messages that can only be decrypted using the private key. If someone wants to send you an encrypted message, they encrypt it with your public key so that you, being the sole possessor of the corresponding private key, are the only one who can decrypt it.

How are digital signatures created and verified?

To create a digital signature, the signer first computes a 'hash' of the message: a short, fixed-length digest produced by a hash function, which is for practical purposes unique to that message and from which the message cannot be recovered. The signer then applies his/her private key to the hash (in RSA terms, 'encrypting' the hash with the private key). The result is the digital signature. If the message were changed in any way, even by a single bit, the hash of the changed message would be different. The signature depends on both the message and the private key used to create it, so it is computationally infeasible to forge one without the private key. In practice the hash is first embedded in a padding structure defined by the signature standard (PKCS#1 v1.5 or PSS for RSA); signing a raw hash value without padding is malleable and is not done in real systems. The digital signature is then appended to the message and both are sent to the recipient.

The recipient recomputes the hash from the received message, and then uses the public key of the claimed sender to recover the hash contained in the received signature. If the two hash values are identical, two things have been verified:

1. The signature was created with the private key matching that public key, so no one is pretending to be or masquerading as the signer. This verifies the authenticity of the signer and, provided the private key was never disclosed, the signer cannot later deny having signed the message (non-repudiation).

2. The message has not been changed since it was signed. This verifies the integrity of the message.

Note that verification on its own only proves a link to a public key. Who owns that public key is established separately, by a certificate, as described in the next section.

The role of a certification authority (CA)

A digital signature proves possession of a private key; a digital certificate is what binds the matching public key to an individual or organisation. That binding is certified by a trusted third party, typically a certification authority (CA): the CA signs the certificate with its own private key, and anyone holding the CA's public key (for example, a root key shipped with a browser) can check it. A CA is a trusted authority that issues and manages digital certificates, and uses a public key infrastructure (PKI) to perform the life-cycle management of certificates: issuance, renewal, and revocation when a private key is lost or compromised. Certificates typically include the owner's public key, the validity period of the certificate, the owner's name and other information about the public key owner. A verifier therefore checks more than the signature on the message itself: that the certificate is within its validity period, that it has not been revoked, and that it chains to a CA the verifier trusts. CAs may also be involved in administrative tasks such as end-user registration, but these are often delegated to a registration authority (RA). The role of the RA is to verify the identity of the person or organisation that attempts to register.

Who can use digital signatures?

Basically anyone who makes transactions over the Internet and wants them secured. If you are an employee of a company that has a website or network with restricted access, you will probably need a digital certificate to authenticate yourself to it. Tired of queuing in a bank? Want to do home banking? Then you also need a certificate to authenticate yourself. Developing ActiveX controls or Java applets? Then you need a certificate to digitally sign your code so that people can trust it. Using email to send sensitive data over the Internet? Then you definitely need a certificate to sign and encrypt your messages.

Legal framework

Digital signatures can be compared to the traditional handwritten signature that has been used for centuries to do business; the main difference is that the transactions take place via a new medium, the Internet. New laws therefore have to be implemented to reflect this new reality. The use of digital signatures is supported by recent legislative actions that give legal standing to electronic signatures and recognise the need for such a capability. The US E-SIGN Act of 2000 and the EU Electronic Signatures Directive (1999/93/EC, which member states had to transpose into national law by 2001) are examples of this trend.

Using digital signatures in your business

One of the most crucial questions in any business transaction is the identity of the entity with which the transaction is being conducted. Historically, personal relationships, face-to-face contract signings, notaries and third-party counsel have been used to help establish trust in this most important aspect of conducting business. As the reliance on paper shifts to electronic transactions and documents, so must the reliance on traditional trust factors shift to electronic security measures that authenticate our electronic business partners, customers and suppliers before we engage in the exchange of information, goods and services.

Similarly, the need for confidentiality and confidence in the integrity of exchanged information is critical. Extending this list of security services, there may be a further need to establish the non-repudiation of agreements, and to digitally notarise and securely timestamp transactions. Digital signatures, together with the encryption and certificates of the same public key infrastructure, support all these security services. Let's take a look at some applications in different vertical markets that can benefit from the use of digital signatures:

- Financial services: authentication of payment for stock purchases, access control for online banking, digital notarisation of loans;
- Insurance: digitally signed quotes, authentication of online payment of premiums, version management of documents;
- Government: electronic ID cards (such as the Belgian BelPIC project to provide each citizen with an electronic identity card), automation of electronic responses to RFPs, secure messaging within government;
- Industry: digital signature of electronic contracts, linking of procurement systems in an automated way, access control for business partners to online applications.

Public key infrastructure (PKI)

When it comes to implementing digital signatures, companies have the choice of:

- using a public CA such as GlobalSign or VeriSign to provide them with digital certificates;
- operating a private CA, meaning that the company will have to purchase and implement its own PKI;
- going for an outsourced PKI solution such as Ubizen OnlineGuardian Certificate Management.

The first alternative is a good solution if, for example, a company wants to provide its employees with digital certificates to sign confidential email communication. If a company wants to deploy certificates across different applications, involving both internal and external parties, or if it wants to be a CA itself, it will have to choose between options 2 and 3. The main parameters in the decision between these two options are time-to-market, the size of the user population, the application, financial and human resources, and the legal framework. For early implementers of PKI, with huge budgets and sufficient IT and administrative capacity, deploying an infrastructure in-house was most appropriate. However, as PKI attracts increasing interest from a larger number of large and medium-sized companies and organisations, the case for outsourcing PKI becomes favourable. Outsourced PKI solutions provide a multitude of benefits for business. Although the underlying idea is to transfer the burden of implementation and management of the PKI solution to a service provider, there are undoubtedly important strategic and financial advantages in outsourcing trust as well.

GlobalSign is Europe's leading Certificate Service Provider, offering digital certificates to individuals and businesses and allowing secure email communication, fully authenticated and confidential e-commerce and trusted software distribution. GlobalSign's public root key is by default embedded in all major Internet browsers. Consequently, GlobalSign certificates are globally accepted and are not limited by any application, geographic area or business sector. Furthermore, GlobalSign is one of the few Certificate Authorities in the world that has attained WebTrust accreditation.

For further information contact: GlobalSign NV/SA, Philipssite 5, B-3001 Leuven, Belgium. Tel: +32 16 28 74 00; Fax: +32 16 28 74 04; Email: info@globalsign.net; Website: www.globalsign.net

