Risks of data manipulation and theft
[Figure: Average route travelled by an email sent via the Internet from A to B. Diagram labels: A, A's provider, Gateway, B's provider, B; Washington DC, Paris, Berlin, New York, Sydney, Cape Town, Rome, Helsinki.]
Potential risks:
• Reading
• Modifying
• Copying
• Intercepting
Electronic Signatures

Areas of application for electronic signatures
Communicating with judicial bodies
• eg lawyers writing, signing, encrypting (safeguarding clients' secrets) and emailing electronic claims and actions to the competent courts
Communicating with public authorities
• eg individuals completing, signing, encrypting and emailing electronic tax returns
• eg building contractors signing, encrypting and emailing electronic bids in response to invitations to tender
Communicating in the private sector
• eg customers communicating with companies, for instance for banking purposes
• eg strangers communicating via the Internet
• eg signing emails
Anywhere where legally binding declarations of will require a signature and where
– trustworthy communications,
– reliable identification, and
– integrity of electronic data
are a key factor, legally compliant electronic signatures can be used.

Which components does a user need?
• PC and smart card reader
• Smart card with signature key
• Communication link
• Appropriate software
[Figure labels: Smartcard; Smart card reader (internal/external)]

What does an electronic signature do?
An electronic signature is the electronic equivalent of a handwritten signature; in other words, it can be used to
• reliably verify that an electronic document has not been modified (INTEGRITY),
• reliably identify the person who has signed an electronic document (IDENTITY), and
• verify both the INTEGRITY of an electronic document and the IDENTITY of the person who has signed it on a long term basis (VERIFIABILITY).
Electronic signatures cannot ensure the confidentiality of electronic documents.

The INTEGRITY of a document is ensured in two stages:
1. A digital fingerprint, called a "HASH VALUE", is calculated from the electronic data in the document.
   The key characteristics of HASH VALUES are that
   a. each hash value calculated from the same document will always be the same, however many times it is recalculated, and
   b. each different document will invariably have a different hash value.
2. The HASH VALUE is attached to the document from which it was calculated.

Verification
How to verify whether or not a document has been modified:
1. The original HASH VALUE is separated from the document.
2. A new HASH VALUE, called the "reference HASH VALUE", is calculated from the electronic data in the document.
If the original HASH VALUE and the reference HASH VALUE are the same, then the document has not been modified (INTEGRITY = OK).
If the document has been manipulated, then the original HASH VALUE and the reference HASH VALUE will not be the same (INTEGRITY = violated).

Electronic signature
A HASH VALUE is not personalised; in other words,
• the same documents will always have the same HASH VALUE, even if they have been produced by different people.
Personalising a HASH VALUE, or "electronically signing" a document, means
• mathematically calculating a new value from the HASH VALUE using a secret (private) key; the secret key is unique to one person, which means that the personalised HASH VALUE is also unique to that one person.
The secret key is called the "SIGNATURE KEY".
A HASH VALUE personalised using a SIGNATURE KEY is also called an ELECTRONIC SIGNATURE.

Certificate
An ELECTRONIC SIGNATURE is uniquely bound to one natural person by a "CERTIFICATE", the digital equivalent of an identity card.
The CERTIFICATE contains
• details of the identity of the holder of the SIGNATURE KEY,
• details of the period of validity of the certificate, and
• a reference to the service provider issuing the certificate.
[Figure: CERTIFICATE with the fields "Surname, forename", "Pseudonym (optional)", "Valid from:", "Valid until:", "Issued by: Certification service provider xy"]

Signature verification key
A CERTIFICATE also contains details of the SIGNATURE KEY bound to the person named in the CERTIFICATE. This is done using a public SIGNATURE VERIFICATION KEY belonging to the SIGNATURE KEY.
The issuing service provider electronically signs the CERTIFICATE to protect it against manipulation.
[Figure: CERTIFICATE with the fields "Surname, forename", "Pseudonym (optional)", "Valid from:", "Valid until:", "SIGNATURE VERIFICATION KEY", "Issued by: Certification service provider xy"]

Root certification authority
A body issuing a CERTIFICATE is called a "CERTIFICATION SERVICE PROVIDER".
In electronic commerce CERTIFICATES are the (official) documents confirming the identity of a SIGNATURE KEY holder. This means that the CERTIFICATION SERVICE PROVIDERS have particular importance and responsibility in electronic commerce.
The trustworthiness of a CERTIFICATION SERVICE PROVIDER is attested in a CERTIFICATE. The CERTIFICATES for CERTIFICATION SERVICE PROVIDERS are issued by RegTP, the "ROOT CERTIFICATION AUTHORITY".

Verification
How to verify an electronically signed document:
[Figure: DOCUMENT; CERTIFICATE of the signer (ISSUER: Certification service provider xy) containing the SIGNATURE VERIFICATION KEY; result: INTEGRITY of the document]
The SIGNATURE VERIFICATION KEY in the CERTIFICATE of the signer is used to verify the INTEGRITY of the document.

[Figure: DOCUMENT; CERTIFICATE of the signer (ISSUER: Certification service provider xy); CERTIFICATE of certification service provider xy (ISSUER: RegTP) containing the SIGNATURE VERIFICATION KEY; result: INTEGRITY of the signer's certificate]
The SIGNATURE VERIFICATION KEY of the CERTIFICATION SERVICE PROVIDER in the CERTIFICATE of the issuer is used to verify the INTEGRITY of the CERTIFICATE.

[Figure: DOCUMENT; CERTIFICATE of the signer (ISSUER: Certification service provider xy); CERTIFICATE of certification service provider xy (ISSUER: RegTP); result: INTEGRITY of the signer's certificate and IDENTITY of the signer]
As the CERTIFICATE binds the SIGNATURE VERIFICATION KEY to the signer, confirming the INTEGRITY of the CERTIFICATE also confirms the IDENTITY of the signer.

The trustworthiness of CERTIFICATES is similarly verified:
[Figure: CERTIFICATE of the signer (ISSUER: Certification service provider xy); CERTIFICATE of certification service provider xy (ISSUER: RegTP); CERTIFICATE of RegTP (ISSUER: RegTP) containing the SIGNATURE VERIFICATION KEY; result: INTEGRITY and IDENTITY of the certification service provider's certificate]
The IDENTITY of the CERTIFICATION SERVICE PROVIDER is verified using RegTP's CERTIFICATE.

[Figure: CERTIFICATE of the signer (ISSUER: Certification service provider xy); CERTIFICATE of certification service provider xy (ISSUER: RegTP); CERTIFICATE of RegTP (ISSUER: RegTP); result: INTEGRITY and IDENTITY of RegTP's certificate]
RegTP's CERTIFICATE, called the "ROOT CERTIFICATE", can be verified directly.

Valid document
A document has a valid signature where the INTEGRITY of the
• DOCUMENT,
• CERTIFICATE of the signer (ISSUER: Certification service provider xy),
• CERTIFICATE of certification service provider xy (ISSUER: RegTP), and
• CERTIFICATE of RegTP (ISSUER: RegTP)
has been verified. These checks are made automatically.
[Figure: the diagram marks INTEGRITY for the document, and INTEGRITY and IDENTITY for each of the three certificates]

Trust centre directory service
A list is kept of all the CERTIFICATES needed to verify an electronically signed document.
A list, called a "CERTIFICATE REVOCATION LIST", is also kept of all the CERTIFICATES that have been revoked.
A CERTIFICATE can be revoked if, for instance, the SIGNATURE KEY of the holder identified in the CERTIFICATE has been stolen. As soon as a CERTIFICATE has been revoked, it cannot be used to create a valid electronic signature.
The list of CERTIFICATES and the CERTIFICATE REVOCATION LIST together form the DIRECTORY SERVICE. The DIRECTORY SERVICE is available to anyone at any time (24 hours a day) for information for validity checks.
The DIRECTORY SERVICE and the technical components used by a CERTIFICATION SERVICE PROVIDER to produce certificates are located in a particularly secure environment, called a "TRUST CENTRE".
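
The checks from the verification, valid-document and directory-service slides, combined into one added Python example (not part of the original presentation). It assumes toy RSA keys built from Mersenne primes and a simplified dictionary in place of a real certificate format; all names, serial numbers and dates are constructed for illustration.

```python
import hashlib
from datetime import date

E = 65537  # public exponent used by every toy key below

def keypair(a, b):
    # Toy RSA from the Mersenne primes 2**a-1 and 2**b-1; illustration only, not secure.
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (verification key n, signature key d)

def digest(data, n):           # HASH VALUE of the data, reduced to fit the toy key
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):          # personalise the HASH VALUE with the SIGNATURE KEY
    return pow(digest(data, n), d, n)

def verify(data, sig, n):      # recover the original hash, compare with the reference hash
    return pow(sig, E, n) == digest(data, n)

def body(cert):                # certificate fields covered by the issuer's signature
    return repr([(k, str(cert[k])) for k in sorted(cert) if k != "sig"]).encode()

def issue(serial, subject, key, issuer, issuer_key, issuer_d, start, end):
    cert = dict(serial=serial, subject=subject, key=key, issuer=issuer, start=start, end=end)
    cert["sig"] = sign(body(cert), issuer_key, issuer_d)
    return cert

def validate(doc, doc_sig, signer, csp, root, crl, today):
    # root is the verifier's own trusted copy of the ROOT CERTIFICATE.
    if not verify(doc, doc_sig, signer["key"]):
        return "document INTEGRITY violated"
    for cert, issuer in ((signer, csp), (csp, root), (root, root)):
        if cert["issuer"] != issuer["subject"] or not verify(body(cert), cert["sig"], issuer["key"]):
            return f"certificate {cert['serial']}: INTEGRITY violated"
        if not cert["start"] <= today <= cert["end"]:
            return f"certificate {cert['serial']}: outside validity period"
        if cert["serial"] in crl:  # CERTIFICATE REVOCATION LIST from the directory service
            return f"certificate {cert['serial']}: revoked"
    return "valid"

# Constructed sample hierarchy: RegTP (root), certification service provider xy, signer.
(rn, rd), (cn, cd), (sn, sd) = keypair(521, 607), keypair(127, 107), keypair(89, 61)
Y0, Y1 = date(2001, 1, 1), date(2005, 12, 31)
ROOT = issue(1, "RegTP", rn, "RegTP", rn, rd, Y0, Y1)
CSP = issue(2, "Certification service provider xy", cn, "RegTP", rn, rd, Y0, Y1)
SIGNER = issue(3, "Surname, forename", sn, "Certification service provider xy", cn, cd, Y0, Y1)
DOC = b"Electronic tax return (constructed sample)"
DOC_SIG = sign(DOC, sn, sd)
```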

Infrastructure
All the elements contributing to the VERIFIABILITY of ELECTRONIC SIGNATURES are termed "CERTIFICATION INFRASTRUCTURE" and include:
• National ROOT CERTIFICATION AUTHORITY (State), which issues certificates for
• CERTIFICATION SERVICE PROVIDERS (Private), which issue certificates for
• USERS (Institutions, companies, private individuals)
[Figure labels: ROOT CA Germany; CA 1 ... CA n; ROOT Country XY]

Long term signatures
In order to create the equivalent of handwritten signatures, electronically signed documents must remain VERIFIABLE over long periods of time (decades):
This means that the DIRECTORY SERVICE of each CERTIFICATION SERVICE PROVIDER must operate reliably over a period of years and must be interoperable with other DIRECTORY SERVICES in the same INFRASTRUCTURE.
In addition, all the procedures and technical components used must have been comprehensively verified in order to guarantee a high level of security for electronically signed documents on a long term basis.
The new Electronic Signatures Act takes full account of these special circumstances by creating a framework that ensures the security of electronic signatures.
RegTP's TRUST CENTRE was the first to meet the stringent security requirements of the Act. It forms the core of Germany's CERTIFICATION INFRASTRUCTURE for electronic signatures.