Colorado Secretary of State UETA Program

1
Colorado Secretary of StateUETA Program

• Authentication
• and
• Electronic Signatures

Colorado Department of State 1700 Broadway Suite
300 Denver, CO 80202 (303) 894-2200 (303)
869-4871 (fax) www.sos.state.co.us
2
Presentation Outline

• Authentication
• Electronic Signatures
• Forms of Electronic Signatures
• Signing with Electronic Signatures
• Digital Signatures Digital Certificates

3
Please come to dinner. Love, Grandma
Laura Schreiber
4
Authentication

• Assurance that a person is who they claim to be.
• Subsequent to successful authentication, a person
  is often issued an identifying credential.
  

5
Authentication

• Electronic authentication credentials can take
  many forms
  
• User ID and Password/PIN
• Biometric
• Iris scan (most accurate, and expensive)
• Retinal scan (can vary with age, health)
• Voice Recognition
• Finger/Hand print
• Facial recognition
• Digital Certificate
• more about this shortly

6
Electronic Authentication

• In general, credentials employ one or more of
  the following elements
  
• Something you know (example password)
• Something you are (example fingerprint)
• Something you have (example ATM card)

7
Electronic Authentication

• Authentication factors are often combined to
  provide a higher level of security (two-factor)
  authentication.
  
• Password and fingerprint (know and are)
• Password and smart card (know and have)

8
Authentication

• The strength of a credential depends on
• Our trust in the issuer of the credential.
• Our ability to verify the credentials
  association with the person presenting it.

9
Electronic Authentication

• Some electronic authentication credentials are
  more worthy of our trust than others
  
• User ID and Password/PIN can be guessed or stolen
  if written down
  
• Biometrics are difficult to forge, but false
  negatives can be an issue

10
Electronic Signatures

• Special software may be required to enable a
  document to be electronically signed.
  
• There are dozens of vendors that offer plug-ins
  for MS Word, MS Excel, Acrobat.
  

11
Electronic Signatures

• Some products support electronic signing
  out-of-the-box
  
• MS Outlook supports digital signing and
  encryption of email
  
• Acrobat STD/PRO supports application and
  verification of various types of electronic
  signatures

12
Electronic Signatures

• Most electronic signature products are capable of
  verifying a signature.
  
• Verification includes the ability to detect when
  a document has been altered after being signed.
  

13
Electronic Signatures

• Many electronic signature products also offer
  document management capabilities
  
• Configurable access to document viewing and
  signing
  
• Maintain a history of signatures for a given
  document
  
• Capture and storage of an image of the signed
  doc
  
• Time stamping
• Reporting mechanisms
• Encryption support

14
Examples of Electronic Signatures

• Typed name on an electronic form
• Clicking I agree to terms of a contract
• Preceded by presentation of a credential, like
  user ID/password.
  
• Digitized signature captured with a signature pad
  and stylus
  
• In addition to digitized image, many can capture
  characteristics of signature (pressure, speed,
  etc.).
  
• Digital Signature

15
Electronic Signatures in Colorado Government

• State of Colorado Leave/Absence Request and
  Authorization form
  
• Typed name on form
• AG opinion in Rules system (in development)
• Login with user id/password
• Apply previously captured image of signature to
  document
  
• Campaign finance report filing
• Login with user id/password
• Typed name on form

16
Digital Signatures

• Digital signatures are the most sophisticated
  form of electronic signature, and the most
  costly.
  
• They provide the capability to
• Verify the identity of the signer to a very high
  degree
  
• Ensure the integrity of a document (that is,
  detect when the contents have been altered after
  signing)
  

17
Digital Signatures

• Digital signatures make use of a cryptographic
  key issued to the signer. This key is used to
  digitally sign a document.
  
• The key is usually acquired through a third party
  that vouches for the identity of the signer.
  
• The key must be kept secure by the owner (for
  example, password protected).
  
• The key is referred to as the private key.

18
Digital Signatures

• A digital signature can be electronically
  verified by the relying party.
  
• Verification establishes
• who signed the document
• that the document contents have not been altered
  since the signing
  

19
Digital Signatures

• Why assume the cost and complexities
• of digital signatures?
• Business requirements specify any of the
  following
  
• The identity of the signer must be verified to a
  high degree (authentication is critical).
  
• The integrity of the documents or data is
  essential.
  
• Non-repudiation of the signature must be
  supported.

20
Digital Certificates

• Problem how can we be sure of the identity of a
  digital signer?
  
• Solution we verify the signature with an
  electronic credential called a digital
  certificate.
  

21
What is a Digital Certificate?
An electronic file containing information about
the owner, and digitally signed by an entity that
vouches for the owners identity.

• Evidence that the owner is who they say they are
• Analogous to a passport
• Mathematically linked to the owners private key
  (more about this in a moment)
  

22
Digital Certificates

• Usually issued by a trusted third party, a
  certification authority (CA), who vouches for the
  identity of the owner.
  
• Only as good as your trust in the CA and its
  certificate approval (vetting) process.
  

23
Digital Certificates
Contents of a Digital Certificate

• Owners name
• Dates of validity
• Name of Issuer (CA)
• Digital Signature of the CA
• Valid reasons for use (signing, encryption)
• Public key that is mathematically associated with
  the owners private key
  

24
Digital Certificates
CA
The CA is indirectly vouching for the identity of
the owner of the private key
associated by verified trust
Certificate
Tom Jones
associated by mathematics
private key (used to sign)
public key
25
Digital Certificates

• Certificates are classified by the level or
  "class" of the approval process (verification of
  the owners identity).
  
• For Example
• VeriSign class 1 email address only
• VeriSign class 2 name, address, phone number,
  SS
  
• VeriSign class 3 face-to-face meeting with CA
• There are no industry wide standards for these
  levels!

26
Summary

• Authentication credentials vary in reliability
  and form.
  
• Electronic signatures can take many forms to
  match your security requirements.
  
• While complex and costly, digital signatures
  offer the highest degree of security.

27
Thank you for listening

• Any Questions?

28
Contact Information

• Colorado Secretary of State
• Division of Licensing and Enforcement
• UETA Program
• 1700 Broadway, Suite 300
• Denver, CO 80202
• 303 894-2200

• Barbara Groth ext. 6423
• Barbara.Groth_at_sos.state.co.us
• Phil Gehlich ext. 6624
• Phil.Gehlich_at_sos.state.co.us