Wall Street & Technology is part of the Informa Tech Division of Informa PLC

Future Electronic Signature Standards

The E-Sign law is technology-neutral legislation because it does not favor any one type of security technology. But the law is expected to give a boost to the security technologies that will be used to protect online financial transactions. There are three main electronic signature standards: shared secrets based upon a unique password, digital certificates based upon a PKI system, and biometric signatures that authenticate users by fingerprints, retinal patterns or voice recognition.

The most common is the shared-secret system. An example is a bank customer accessing his account at an ATM with a PIN. For Internet communications this standard incorporates a symmetric encryption method based upon Secure Sockets Layer (SSL) technology. In a symmetric encryption method a single cryptographic key, associated with a unique password, both encrypts and decrypts the data. A cryptographic key is nothing more than a binary number, a string of 1s and 0s.

SSL technology enables four fundamental functions: (a) the user can authenticate the Web site server's identity; (b) the Web site server can authenticate the user's identity; (c) all information sent between the user and the Web site server is encrypted by the sending software and decrypted by the receiving software, providing a high degree of confidentiality; and (d) all information sent over an encrypted SSL connection is protected by a mechanism for detecting tampering, providing a high degree of integrity. SSL comprises the SSL record protocol, which defines the format used to transmit information, and the SSL handshake protocol.

The second standard is digital certificates and a PKI system. A PKI system employs an asymmetric encryption method, meaning two keys: a public key and a private key. The two keys are mathematically related, and either can be used to encrypt or decrypt: a document encrypted with one key can only be decrypted with the other. The common practice when Alice, our hypothetical sender, wants only Bob, our hypothetical recipient, to read a message is for Alice's encryption software to use Bob's public key to encrypt a computer-generated unique password (a symmetric key). That unique password encrypts the message itself. When Bob receives the message, he uses his private key to decrypt the password and then uses the password to decrypt the message.

Digital signatures work in reverse. Alice's encryption software computes a one-way hash value, typically a 128-bit binary number unique to the electronic document to be digitally signed. The hash process is illustrated below. Alice then uses her private key to encrypt the hash value and sends the document and the encrypted hash value to Bob. Bob uses Alice's public key to decrypt the hash value. This certifies to Bob that Alice electronically signed the document, because Alice's public key can only decrypt what was encrypted with Alice's private key. Bob then uses his encryption software to verify that the document sent by Alice produces the same hash value. This certifies to Bob that the document was not altered after being digitally signed by Alice. The digital signature process is illustrated below.
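The two PKI operations described in the preceding paragraphs, Alice encrypting a one-time symmetric key under Bob's public key and Alice signing a hash of a document with her private key, are shown together in the following Go program. It is an added example written for this page, not code from the article or from the Ontario white paper it is drawn from. It assumes the Go standard library only; the concrete algorithm choices (2048-bit RSA with OAEP for key wrapping, AES-256-GCM for the message, RSA-PSS over a SHA-256 digest rather than the 128-bit hash the article mentions) are this example's assumptions, and the sample document is constructed. The last two checks in `main` show the integrity property the article describes: a document changed after signing, or a signature checked with the wrong public key, fails verification.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// genKey makes an RSA key pair for our hypothetical Alice or Bob.
// 2048 bits is this example's assumption, not a value from the article.
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Envelope is what Alice sends Bob: the message encrypted under a one-time
// symmetric key, plus that key wrapped with Bob's public key.
type Envelope struct {
	WrappedKey []byte // one-time symmetric key, encrypted with recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // message encrypted with the symmetric key
}

// Seal is the hybrid scheme from the article: a random symmetric key encrypts
// the message, and only that key is encrypted with Bob's public key.
func Seal(recipientPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	symKey := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(symKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, symKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is Bob's side: recover the symmetric key with his private key, then
// decrypt the message with it. Any other private key fails at the unwrap step.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	symKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Sign is the reverse direction: hash the document, then apply Alice's
// private key to the digest (RSA-PSS here).
func Sign(signerPriv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, signerPriv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the hash of the received document and checks it against
// the signature with Alice's public key. An altered document or a signature
// made under some other key both return false.
func Verify(signerPub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(signerPub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice, bob := genKey(), genKey()
	doc := []byte("Transfer 500 shares of ACME to account 12345") // constructed sample

	sig, _ := Sign(alice, doc)
	env, _ := Seal(&bob.PublicKey, doc)
	plain, _ := Open(bob, env)
	fmt.Println("decrypted matches original:", string(plain) == string(doc))
	fmt.Println("signature valid:", Verify(&alice.PublicKey, plain, sig))

	tampered := append([]byte{}, doc...)
	tampered[0] = 't'
	fmt.Println("tampered document verifies:", Verify(&alice.PublicKey, tampered, sig))
	fmt.Println("verifies under Bob's key:", Verify(&bob.PublicKey, doc, sig))
}
```

Note that the signature is computed over the plaintext document and verified after Bob has opened the envelope, so Bob checks both that the message came from Alice and that it was not changed in transit; the article's "encrypt the hash with the private key" is what `SignPSS` does internally, with padding added so the signature cannot be replayed onto a different digest.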

The adoption of digital signatures and the PKI system has been slowed by significant drawbacks: slow communications, tricky installation and difficulty in linking with other systems. SSL technology is used more frequently than PKI because it is 10 to 100 times faster and much easier to use. Other problems with PKI and digital certificates include the lack of standard software and the lack of a central authority to store users' public keys.

The last system is based on authentication through biometric signatures: fingerprints, retinal patterns or voice recognition. This system is the most secure but requires the user to obtain additional hardware to read the biometric and be authenticated. Therefore, adoption of this method will initially be slower than the other methods.

* Republished from the white paper entitled "E-mail Encryption Made Simple," August 1999, prepared by the Information and Privacy Commissioner/Ontario, located at https://www.ipc.on.ca/web_site.eng/matters/sum_pap/papers/encrypt.htm.
