Digital signature

Digital signatures are a method of authenticating digital information analogous to ordinary physical signatures on paper, but implemented using techniques from the field of cryptography. Digital signatures differ in some respects from their physical counterparts, however.

The term electronic signature, although sometimes used for the same thing, has a distinct meaning: it refers to any of several, not necessarily cryptographic, mechanisms for identifying the originator of an electronic message. In common law, such electronic signatures have included cable and Telex addresses, as well as FAX transmission of handwritten signatures on a paper document.

Contents

1 Uses 1.1 Authenticity 1.2 Integrity 1.3 Non-repudiation 2 Implementation 3 Some digital signature algorithms 4 The current state of use — legal and practical 5 Evidential status 6 Legal aspects 6.1 United States 6.2 England, Scotland and Wales 6.3 India 6.4 New Zealand 6.5 United Nations Commission on International Trade Law 6.6 Brazil 7 Legal cases

Uses

There are three common reasons for applying a digital signature to communications:

Authenticity

Public key cryptosystems allow anybody to send a message using the public key. A signature allows the recipient of a message to be confident that the sender is indeed who s/he claims to be. Of course the recipient cannot be 100% sure that the sender is indeed who s/he claims to be - only confident - since the cryptosystem may have been broken.

The importance of authenticity is especially obvious in a financial context. For example, suppose a bank sends instructions from its branch offices to the central office in the form (a,b) where a is the account number and b is the amount to be credited to the account. A devious customer may deposit £100, observe the resulting transmission and repeatedly restransmit (a,b).

Integrity

Both parties will always wish to be confident that a message has not been altered during transmission. The encryption makes it difficult for a third party to read a message, but that third party may still be able to alter it in a useful way. A popular example to illustrate this is the homomorphism attack: consider the same bank as above which sends instructions from its branch offices to the central office in the form (a,b) where a is the account number and b is the amount to be credited to the account. A devious customer may deposit £100, intercept the resulting transmission and then transmit (a,b³) to become an instant millionaire!

Non-repudiation

In a cryptographic context, the word repudiation refers to the act of denying association with a message (ie claiming it was sent by a third party). The recipient of a message may insist that the sender attach a signature in order to prevent any later repudiation, since the recipient may show the message to a third party to prove its origin.

Implementation

Digital signature schemes rely on public key cryptography. In public key cryptography, each user has a pair of keys: one public and one private. The public key is distributed freely, but the private key is kept secret and confidential; another requirement is that it should be infeasible to derive the private key from the public key.

A general digital signature scheme consists of three algorithms:

• A key generation algorithm
• A signing algorithm
• A verification algorithm

For example, consider the situation in which Bob sends a message to Alice and wants to be able to prove it came from him. Bob sends his message to Alice and attaches a digital signature. The digital signature is generated using Bob's private key, and takes the form of a simple numerical value (normally represented as a string of binary digits). On receipt, Alice can then check whether the message really came from Bob by running the verification algorithm on the message together with the signature and Bob's public key. If they match, then Alice can be confident that the message really was from Bob, because the signing algorithm is designed so that it is very difficult to forge a signature to match a given message (unless one has knowledge of the private key, which Bob has kept secret).

More usually, for efficiency reasons, Bob first applies a cryptographic hash function to the message before signing. This makes the signature much shorter and thus saves time since hashing is generally much faster than signing in implementations. However, if the message digest algorithm is insecure (for example, if it is possible to generate hash collisions), then it might be feasible to forge digital signatures.

Some digital signature algorithms

• RSA
• DSA
• ECDSA
• ElGamal signature scheme

The current state of use — legal and practical

Digital signature schemes all have several prior requirements without which no such signature can mean anything, whatever the cryptographic theory or legal provision.

• First, quality algorithms. Some public key algorithms are known to be insecure, practicable attacks against them having been identified.
• Second, quality implementations. An implementation of a good algorithm (or protocol) with mistake(s) will not work. (Software developers typically expect about 1 defect per 1,000 lines, unless intense efforts have been taken to raise its quality, in which case 1 defect per 1,000,000 lines is typically expected).
• Third, the private key must remain actually secret; if it becomes known to some other party, that party can produce perfect digital signatures of anything whatsoever.
• Fourth, distribution of public keys must be done in such a way that the public key claimed to belong to Bob actually belongs to Bob, and vice versa. This is commonly done using a public key infrastructure and the public key<math>\leftrightarrow<math>user association is attested by the operator of the PKI (called a certificate authority). For 'open' PKIs in which anyone can request such an attestation (universally embodied in an identity certificate), the possibility of mistake is non trivial. Commercial PKI operators have suffered several publicly known problems. Such mistakes could lead to falsely signed, and thus wrongly attributed, documents.
• Fifth, users (and their software) must carry out the signature protocol properly.

Only if each and every one of these conditions is met will a digital signature actually be evidence of who sent the message.

Legislatures, being importuned by businesses expecting to profit from operating a PKI, or by the technological avant-garde advocating new solutions to old problems, have enacted statutes and/or regulations in many jurisdictions authorizing, endorsing, encouraging, or permitting digital signatures and providing for (or limiting) their legal effect. The first appears to have been in Utah, followed closely by Massachusetts and California. Assorted non-US countries have also passed statutes or issued regulations in this area as well and the UN has had an active model law project for some time. These enactments (or proposed enactments) vary from place to place, have typically embodied expectations at variance (optimistically or pessimistically) with the state of the underlying cryptographic engineering, and have had the net effect of confusing potential users and specifiers, nearly all of whom are not cryptographically knowledgeable. Adoption of technical standards for digital signatures have lagged behind much of the legislation, delaying a more or less unified engineering position on interoperability, algorithm choice, key lengths, etc and so on what the engineering is attempting to provide.

See also: ABA digital signature guidelines

Evidential status

Many of the legal enactments (statute or regulation) surrounding digital signatures is concerned with their admissibility as evidence. More controversial, however, is their actual value as evidence. Unlike a traditional handwritten signature, a digital signature may be generated automatically, without the knowledge of the authorized user. It is generated by complex software, operating on an operand whose nature and existence cannot be fully or directly verified by the authorized user. Whereas the existence of a digital signature can be evidentially significant in establishing that an electronic communication is uncorrupted, and that it had a certain provenance, it cannot of itself provide any evidence as to whether a particular individual intended or authorized or associated himself or herself with any such communication. In that regard, the term "signature" is potentially misleading as the engineering does not now, and may possibly not be able to, coincide with the assumptions underlying many of the legal enactments. Legal enactments which affirmatively declare that a digital signature is presumptively deemed a valid signature are at variance with the possibilities afforded by the cryptography.

However, if the right software is used in the right way, including not leaking the private key, then the digital signature on some message can be created only by definite actions of the person in question, therefore validating the use of digital signatures.

Legal aspects

Legislation concerning the effect and validity of digital signatures includes:

United States

• Uniform Electronic Transactions Act (UETA)
• Electronic Signatures in Global and National Commerce Act (E-SIGN), at 15 U.S.C. 7001 (http://www4.law.cornell.edu/uscode/15/7001.html) et seq.

England, Scotland and Wales

• Electronic Communications Act, 2000 (http://www.legislation.hmso.gov.uk/acts/acts2000/20000007.htm#7)

India

• Information Technology Act, 2000 (http://www.mit.gov.in/it-bill.asp)

New Zealand

• Electronic Transactions Act, 2003 sections 22-24 (http://www.legislation.govt.nz/)

United Nations Commission on International Trade Law

• UNCITRAL Model Law on Electronic Signatures (2001), a strong influence in the field. (http://www.uncitral.org/english/texts/electcom/ecommerceindex.htm)

Brazil

• Medida provisória 2.200-2 (portuguese) (http://www.planalto.gov.br/ccivil_03/MPV/2200-2.htm) - Brazilian law states that any digital document is valid for the law if it is certified by ICP-Brasil (the official brazilian PKI) or if it is certified by other PKI and the concerns parties agree with the validity of the document.

Legal cases

Court decisions discussing the effect and validity of digital signatures or digital signature-related legislation:

• In re Piranha, Inc., 2003 WL 21468504 (N.D. Tex) (UETA does not preclude a person from contesting that he executed, adopted, or authorized an electronic signature that is purportedly his).
• Cloud Corp. v. Hasbro, 314 F.3d 289 (7th Cir., 2002)[1] (http://www.emlf.org/Resources/cloud.pdf) (E-SIGN does not apply retroactively to contracts formed before it took effect in 2000. Nevertheless, the statute of frauds was satisfied by the text of E-mails plus an (apparently) written notation.)
• Sea-Land Service, Inc. v. Lozen International, 285 F.3d 808 (9th Cir., 2002) [2] (http://www.admiraltylawguide.com/circt/9thsealandlozen.pdf) (Internal corporate E-mail with signature block, forwarded to a third party by another employee, was admissible over hearsay objection as a party-admission, where the statement was apparently within the scope of the author's and forwarder's employment.)de:Elektronische Signatur

fr:Signature numérique it:Firma digitale he:חתימה אלקטרונית pl:Podpis cyfrowy pt:Assinatura_digital ru:Электронная цифровая подпись