Electronic signatures - PowerPoint PPT Presentation

Slides: 24
Provided by: bass46
Learn more at: https://www.basscom.org

Transcript and Presenter's Notes


1
Electronic signatures
  • Ferenc Suba LLM, MA
  • Chairman of the Board,
  • CERT-Hungary, Theodore Puskás Foundation
  • Vice-Chair of the Management Board,
  • European Network and Information Security
    Agency

2
How does it work?
  • Cryptography encodes and decodes a text with a
    key or keys.
  • Symmetric cryptography uses the same key for both
    encryption and decryption.
  • Asymmetric cryptography uses different keys (a
    public key and a private key) for encryption and
    for decryption. The two keys are complementary:
    what one of them does, only the other can undo.
  • A hash function is an algorithm which creates a
    short, fixed-size message from the original text,
    a fingerprint. You cannot recover the original
    message from its hash, and it must be infeasible
    to find two different messages with the same hash,
    otherwise a signature on the fingerprint would
    also cover the second message.
  • An electronic signature is an application of
    asymmetric cryptography. The signer uses it to
    sign the fingerprint of the document, and this
    signed "fingerprint" is unique to both the
    document and the signer.

3
How does it work?
  • SENDING
  • Sender creates a hash of the original plaintext
    (hash function, fingerprint).
  • Sender signs the hash with his own private key
    (in the textbook RSA picture used here, the
    private-key operation applied to the hash). Only
    the holder of that private key could have produced
    this signature.
  • Sender encrypts the plaintext with the receiver's
    public key. The sender can be sure the message
    can be decrypted and read only by the receiver.
  • Sender sends both the signed hash and the
    ciphertext, for example by e-mail, to the receiver.

4
How does it work?
  • RECEIVING
  • Receiver decrypts the ciphertext with his own
    private key. He gets the original message.
  • Receiver computes the hash of the decrypted
    plaintext (hash function).
  • Receiver verifies the received signature with the
    public key of the sender; this yields the hash the
    sender signed.
  • Finally, the receiver compares the two hashes. If
    they are the same, the message was not modified
    and was signed with the sender's private key. If
    they differ, either the message was modified on its
    journey through the Internet or the signature was
    not made with the sender's key; in both cases the
    message must be rejected.
  • This only proves anything if the receiver has an
    authentic copy of the sender's public key. That is
    what certificates (next slides) provide.

5
PKI
  • Public Key Infrastructure (PKI) is the basis for
    e-signatures.
  • PKI provides each user with a private key and a
    public key.
  • The private key is not shared and is used only by
    the signer.
  • The public key is openly available and is used by
    those who need to validate the signer's digital
    signature.
  • PKI components: Certification Authority (CA),
    end-user software, and tools for managing,
    renewing, and revoking keys and certificates.

6
CA, CRL, RA
  • Certification authorities: trusted offices which
    administer keys and certificates.
  • A CA issues a proof which binds the identity of
    the user to his public key (the certificate).
  • CRL, Certificate Revocation List: a signed list,
    published by the CA, of the serial numbers of all
    digital certificates it has revoked before their
    expiry date. A verifier must check it before
    trusting a certificate; a valid signature on a
    revoked certificate proves nothing.
  • CAs form a hierarchy. The top of this hierarchy
    is the root CA, whose own certificate is
    self-signed and must be trusted by other means.
  • Registration Authority: an RA does the required
    identification of the applicant for certain
    certificate data, which is then passed to the CA
    for issuing the digital certificate.

7
Certificate
  • Certificates can contain:
  • the public key and the name of the key holder,
  • date of expiration,
  • name of the certification authority which issued
    the certificate,
  • serial number (necessary for the evidence, and the
    value a CRL entry refers to),
  • digital signature of the certificate issuer.
  • Certificates come with different levels of
    trustworthiness.
  • Qualified Certificate: a certificate issued by a
    CA with national accreditation.
  • Qualified Electronic Signature: an e-signature
    based on a Qualified Certificate.
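The sending and receiving steps of slides 3 and 4, and the certificate, CA hierarchy and CRL checks of slides 6 and 7, as one added example in Python. This is not code from the presentation or from CERT-Hungary. It uses a seeded textbook RSA with short keys and no padding so that every step is visible in a few lines; the certificate field layout, the names Alice, Bob, Root CA and Intermediate CA, the serial numbers, the year-based expiry dates and the sample contract text are all constructed for the example.

```python
import hashlib
import random
# Toy textbook RSA (no padding, short keys, seeded randomness) so the slides' steps are
# visible; never use for real data: real systems sign with RSA-PSS/ECDSA and RSA only
# wraps a symmetric key that encrypts the document.
def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin; callers only pass large odd candidates."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length and odd
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(seed, bits=512):
    """Return ((e, n), (d, n)) for one user; the seed makes runs reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def fingerprint(data):
    """Slide 2: a short fixed-size digest (SHA-256) of the whole document."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):              # private-key operation on the digest only
    return pow(fingerprint(data), private[0], private[1])
def verify(data, signature, public):  # recompute the digest and compare
    return pow(signature, public[0], public[1]) == fingerprint(data)

def encrypt(data, public):
    m = int.from_bytes(data, "big")
    if m >= public[1]:
        raise ValueError("too long for one RSA block; real systems wrap a symmetric key")
    return pow(m, public[0], public[1])

def decrypt(ciphertext, private):
    m = pow(ciphertext, private[0], private[1])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Slides 6-7: a certificate binds a name to a public key, carries an expiry and a
# serial number, and is signed by its issuer. This field layout is invented here.
def _cert_body(cert):
    return "|".join(str(cert[k]) for k in ("subject", "public", "issuer", "serial", "not_after")).encode()

def issue_certificate(subject, subject_public, issuer, issuer_private, serial, not_after):
    cert = {"subject": subject, "public": subject_public, "issuer": issuer,
            "serial": serial, "not_after": not_after}
    cert["signature"] = sign(_cert_body(cert), issuer_private)
    return cert

def verify_chain(chain, root_public, crl, now):
    """chain[0] is the end-entity cert, chain[-1] was issued by the trusted root;
    crl holds (issuer, serial) pairs because a serial is only unique within one CA."""
    issuer_public = root_public
    for cert in reversed(chain):
        if cert["not_after"] < now or (cert["issuer"], cert["serial"]) in crl:
            return False
        if not verify(_cert_body(cert), cert["signature"], issuer_public):
            return False
        issuer_public = cert["public"]  # this cert's key vouches for the next one down
    return True

def demo():
    alice_pub, alice_priv = generate_keypair(seed=1)
    bob_pub, bob_priv = generate_keypair(seed=2)
    root_pub, root_priv = generate_keypair(seed=3)
    inter_pub, inter_priv = generate_keypair(seed=4)
    contract = b"constructed sample: Alice pays Bob 100 EUR"  # fits in one toy RSA block
    # Slide 3, sender: sign the digest with her private key and encrypt the text for Bob.
    ciphertext, signature = encrypt(contract, bob_pub), sign(contract, alice_priv)
    # Slide 4, receiver: decrypt with his private key, then recompute and compare the digest.
    received = decrypt(ciphertext, bob_priv)
    ok = verify(received, signature, alice_pub)
    # An attacker who swaps in his own ciphertext cannot reproduce Alice's signature over it.
    forged = decrypt(encrypt(b"Alice pays Mallory 100 EUR", bob_pub), bob_priv)
    forged_ok = verify(forged, signature, alice_pub)
    # Slide 6 hierarchy: the root signs the intermediate CA, which signs Alice's certificate.
    inter_cert = issue_certificate("Intermediate CA", inter_pub, "Root CA", root_priv, 1, 2030)
    alice_cert = issue_certificate("Alice", alice_pub, "Intermediate CA", inter_priv, 7, 2012)
    chain = [alice_cert, inter_cert]
    return {"received": received, "signature_valid": ok, "forged_valid": forged_ok,
            "chain_ok": verify_chain(chain, root_pub, set(), now=2009),
            "revoked_ok": verify_chain(chain, root_pub, {("Intermediate CA", 7)}, now=2009),
            "expired_ok": verify_chain(chain, root_pub, set(), now=2015)}
```

Calling `demo()` returns the outcome of each check: `signature_valid` is True and `forged_valid` is False because replacing the ciphertext cannot produce Alice's signature over the new text; `chain_ok` is True because each certificate verifies under the key of the one above it up to the root; `revoked_ok` is False because Alice's serial number appears on the intermediate CA's CRL; `expired_ok` is False because her certificate's expiry date has passed. A real deployment signs with RSA-PSS or ECDSA, encrypts the document with a symmetric key that the receiver's public key wraps, and parses X.509 certificates and CRLs rather than a pipe-separated string.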

8
Legal aspects
  • What is a signature?
  • Proof of authenticity
  • Sign of willingness to undertake an obligation
  • When is a contract binding?
  • Meeting of the minds
  • The objective vs. the subjective
  • The formalistic approach
  • Are electronic contracts binding?
  • The electronic dimension

9
Electronic contracts
  • A binding contract means an enforceable contract?
  • Not all contracts are enforceable
  • The legal vs. the economic view
  • Can you prove that a contract is binding?
  • The burden of proof before the Courts
  • What evidence can be submitted?
  • Rules concerning weight of evidence
  • Electronic contracts are binding!

10
Principles (techno-legal)
  • Properties of a digital signature
  • Authenticity
  • Integrity
  • Confidentiality (provided by the encryption step
    of the protocol, not by the signature itself)
  • Non-repudiation

11
EU Directive on electronic signatures
  • Directive 1999/93/EC on a Community framework for
    electronic signatures
  • Scope:
  • Regulation of certification service providers and
    their liability
  • Not the formation and legal validity of
    contracts
  • Liability of certification service providers, and
    not of users
  • Technology-neutral legislation

12
Definitions
  • Electronic signature
  • Advanced electronic signature
  • Signature-creation device
  • Secure signature-creation device
  • Certificate
  • Qualified certificate
  • Signature-creation data
  • Signature-verification data
  • Certification-service-provider

13
Market access
  • Provision of certification services shall not be
    subject to prior authorisation
  • Supervision by local authorities is both required
    and allowed
  • EU co-operation on standards
  • Internal promotion of the use of digital
    signatures through the public sector
  • Internal market principles apply to the
    certification service market

14
Legal effects of electronic signatures
  • Advanced electronic signatures based on
    qualified certificates (and created by a secure
    signature-creation device):
  • Satisfy the legal requirements of a signature in
    relation to data in electronic form in the same
    manner as a hand-written signature satisfies those
    requirements in relation to paper-based data
  • Are admissible as evidence in court proceedings
  • Other electronic signatures may not be denied
    legal effect or admissibility solely because they
    are in electronic form

15
Liability of certification service provider
  • The issuer of a qualified certificate is liable
    for damages caused by reliance on:
  • the accuracy of the information in the
    certificate,
  • the assurance of the identity of the holder of
    the certificate,
  • the complementarity of the public and the private
    key.
  • Reversed burden of proof: the provider escapes
    liability only if it proves it did not act
    negligently
  • Liability for failure to register a revocation
  • Limits on the use of the certificate and on the
    value of transactions, if stated in the
    certificate, cap the liability

16
Data retention
  • According to the Directive on data protection and
    Directive 97/66/EC, traffic data must be erased
    or made anonymous immediately after the
    telecommunications service is provided, unless
    they are necessary for billing purposes.
  • Only appropriate and necessary restrictions are
    permitted.

17
Anonymous use and access
  • Privacy vs. non-accountability
  • Re-mailers, Internet cafés, dynamic IP addresses
  • Encryption technologies
  • Art. 29 Data Protection Working Party: anonymity
    is THE question!
  • The Bonn declaration (July 1997): off-line rights
    must also apply on-line

18
The governance of PKI
  • Ministry: regulation (act, ministerial decrees)
  • National Communications Authority: root CA,
    accreditation and control of CAs
  • Standardisation bodies: standards
  • Alliance of CAs: best practice

19
PKI services
  • Time stamping
  • Digital archiving
  • Digital recognition of delivery
  • Electronic Invoice
  • Digital transformation (turning paper into
    digital)

20
Use of PKI today
  • eGovernment mostly
  • Tax declaration
  • Company registration
  • Excluded from:
  • Marriage
  • Real estate

21
EU picture
  • Diverging rules (recognition of foreign
    certificates, accreditation of providers of
    certification services)
  • High standards, high costs
  • Other secure signature methods: risk of an
    unenforceable or voidable contract
  • Nov. 28, 2008: Action Plan on e-signatures and
    e-identification (European Commission)
  • New e-barriers to cross-border markets

22
  • Thank you for your attention!
  • ferenc.suba_at_cert-hungary.hu
  • PTA CERT-Hungary
  • www.cert-hungary.hu
  • Theodore Puskás Foundation
    www.neti.hu
  • ENISA
  • www.enisa.europa.eu

23
Questions
  • What is the public key, private key, hashing?
  • What is the CA, root CA?
  • What is the legal effect of a digital signature?
  • Can you use e-signature in marriage?