Electronic and Digital Signatures - PowerPoint PPT Presentation

Provided by: kentlawEd
Learn more at: https://kentlaw.iit.edu

Transcript and Presenter's Notes


1
Electronic and Digital Signatures
  • Richard Warner

2
What Is An Electronic Signature?
  • An electronic signature consists of some string
    of symbols or characters manifested by electronic
    means, executed by a party with an intent to
    authenticate a writing. Examples: the sender's
    name typed at the end of an e-mail message, a
    digital image of a handwritten signature attached
    to an electronic document, a PIN number, and so
    on.
  • The expression "digital signature" is usually
    used to refer to a special kind of electronic
    signature.

3
The Need to Sign Electronically
  • There are good reasons to have electronic
    documents signed in a way that allows them to
    serve the purposes of written documents.
  • Cost: it is a lot cheaper to use electronic
    documents.
  • Checking example: It costs about 1.10 to
    process a paper check.
  • It costs about .10 to process an electronic
    transfer.
  • There are billions to be saved.

4
The Need for Legal Clarification
  • There is legal uncertainty about the status of
    electronic signatures.
  • Illinois, for example, has 3000 statutory
    sections requiring a signed writing. Does an
    electronic record with an electronic signature
    satisfy these requirements?

5
What Is A Digital Signature?
  • A digital signature is an electronic signature
    that uses a special kind of encryption program.
    Here is a sample program.
  • The message: The British are coming!
  • The encryption instructions: replace every
    letter with the letter that follows it in the
    alphabet.
  • This yields: Uif Csjujti bsf dpnjoh!

6
Asymmetric Encryption
  • Digital signatures use a special kind of
    encryption called asymmetric encryption (or
    public key encryption).
  • A key is just a sequence of numbers.
  • You add it to the message you want to encrypt;
    you then apply the encryption program to the
    message plus the key.

7
Example
  [Diagram: applying the encryption program to a
   message and a key yields an encrypted result;
   the same message with a different key yields a
   different encrypted result.]

8
Private and Public Keys
  • Asymmetric encryption uses two keys. The sender
    uses one to encrypt; the recipient uses one to
    decrypt.
  • The keys are referred to as the private and
    public keys.
  • The private key is private in the sense that the
    key owner makes sure the public does not have
    access to it.
  • The public key is public in the sense that the
    owner makes it freely available to the public.
  • An example is helpful.

9
How Does A Digital Signature Work?
  • Suppose Alice wants to digitally sign an e-mail.
  • She runs a hash function on the message. This
    turns the message into a sequence of letters and
    numbers, called the message digest. Each message
    is associated with a unique message digest.
  • Asymmetric encryption is slow. It is not ideal
    for encrypting a whole message.
  • So what you encrypt is the much shorter message
    digest.
  • The point is not secrecy, but signature.

10
Signing the Message
  • Alice runs the encryption program on the
    combination of the private key and the message
    digest.
  • She attaches the result to the e-mail, and sends
    it to Bob.
  • She may also attach the public key.
  • This is the signature. To see why it works like
    a signature, consider what Bob does.

11
Bob's Response
  • Bob runs the encryption program on the
    combination of the public key and the message
    digest.
  • Doing so can only decrypt something encrypted
    with the private key, so, if decryption is
    successful, the recipient knows the message came
    from Alice, or, more exactly, someone in
    possession of Alice's private key.
  • We are assuming that Bob knows that the public
    key is Alice's.
  • This is the sense in which the message is signed.
    Like a handwritten signature, the digital
    signature indicates the message is from the
    undersigned.

12
More Than A Signature
  • Bob then runs the hash function on the message
    itself. If the result matches the unencrypted
    message digest, Bob knows that the message was
    not altered in transmission.
  • This is better than a signature, which does not
    do anything to indicate that the message was not
    altered in transmission.
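
The sign-and-verify exchange from slides 9 to 12, as an added Python example that is not part of the original presentation. It uses textbook RSA with constructed toy keys; the primes, the key names, the Mallory key pair and the `make_key`, `message_digest`, `sign` and `verify` helpers are assumptions made here, and real signature schemes use large random keys and a padded construction.

```python
import hashlib

E = 65537  # public exponent

def make_key(p: int, q: int):
    """Build a textbook-RSA key pair from two primes (toy construction)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (n, E), (n, d)              # (public key, private key)

# Constructed toy keys from publicly known Mersenne primes: trivially
# factorable, chosen only so the example runs offline. Not for real use.
ALICE_PUBLIC, ALICE_PRIVATE = make_key(2**127 - 1, 2**521 - 1)
MALLORY_PUBLIC, MALLORY_PRIVATE = make_key(2**89 - 1, 2**607 - 1)

def message_digest(message: bytes) -> int:
    """Slide 9: hash the message; the short digest is what gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Slide 10: apply the private key to the digest; the result is the signature."""
    n, d = private_key
    return pow(message_digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Slides 11-12: recover the digest with the public key, then compare it
    with a fresh hash of the message that actually arrived."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_digest(message)

def demo() -> dict:
    message = b"The British are coming!"
    signature = sign(message, ALICE_PRIVATE)
    forged = sign(message, MALLORY_PRIVATE)  # signed by someone else's key
    return {
        "genuine": verify(message, signature, ALICE_PUBLIC),
        "altered_in_transit": verify(b"The British are leaving!", signature, ALICE_PUBLIC),
        "signed_with_other_key": verify(message, forged, ALICE_PUBLIC),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

The check only tells Bob that the holder of the matching private key signed this exact message; whether that public key really is Alice's is the separate question slide 13 takes up.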

13
Public Keys and Identity
  • We assumed that Bob knows that the public key he
    uses is Alice's. How does he know this?
  • A certification authority verifies that the
    public key is Alice's.
  • Alice has previously registered with the
    certification authority, at which time she
    provided proof of her identity.

14
Cost of Certification Authorities
  • Certification authorities add cost and complexity.
  • When are the cost and complexity justified?
  • When the benefits exceed the costs
  • When is that?

15
Role of Handwritten Signatures
  • Why do we use handwritten signatures?
  • To avoid fraud
  • To show that the signer at least saw the
    document
  • To secure a signature with recognized legal
    consequences.
  • Written documents ensure integrity (note: not a
    function of the signature).
  • Digital signatures make sense where they are
    needed:
  • To avoid fraud
  • To ensure legal validity
  • To ensure message integrity.

16
Fraud
  • Where is there sufficient likelihood of fraud?
  • Typically not in an established relationship,
    or in the consumer use of the credit card system
    in online contracting.
  • Digital signatures have not proven popular in
    consumer online contracting.
  • You do see a significant use of digital
    signatures in large-value financial
    transactions, and in electronic payments systems.
  • But used to establish identity, not to contract.

17
Digital Signature Risks
  • Inadequate revocation lists
  • In theory, CAs keep lists of revoked
    certificates; in practice they do not. In
    addition, technology is inadequate to allow
    real-time access to these lists.
  • Adequately protected private keys
  • Private keys are often stored on hard drives

18
Statutory Treatment
  • There are three types of statute.
  • First: Any electronic symbol will do. Rhode
    Island: "Electronic signature" means an
    electronic identifier, created by a computer, and
    intended by the party using it to have the same
    force and effect as the use of a manual
    signature.
  • Similar approaches in Colorado, Florida,
    Illinois, Indiana, Mississippi, New Hampshire,
    North Carolina, Texas, Virginia.

19
Statutory Treatment
  • Second: the California model of five
    requirements. A signature must be (1) unique to
    the person using it; (2) capable of verification;
    (3) under the sole control of the person using
    it; (4) linked to the data in such a way that
    changes in the data invalidate the signature; (5)
    in conformity with any other regulations adopted
    by the Secretary of State.

20
Statutory Treatment
  • Third: The Utah model. This approach refers
    explicitly to asymmetric encryption, sets up
    rules for certification authorities, and assigns
    risk in a variety of eventualities.

21
The E-Sign Statute
  • The Federal E-Sign statute governs some aspects
    of electronic signatures.
  • "An electronic sound, symbol, or process attached
    to or logically associated with a contract or
    other record, and executed or adopted by a person
    with the intent to sign the record." 15 USC
    Section 7006(5)

22
Illinois Commerce Security Act
  • 15 USC section 7002(a)(2)(A)(ii) preempts state
    laws that are not technology neutral
  • Illinois's Act favors public key encryption in
    sections 175/15 101 and 105 and is thus
    preempted
  • Preexisting state legislation is clearly
    preempted under 15 USC 7002(a)(2)(B)

23
What Illinois May Still Do
  • It may still require public key encryption for
    state procurement, 15 USC 7002(b)
  • It may impose stricter state filing requirements
    than the Federal requirement; this may include
    requiring public key encryption, 15 USC 7004(a)

24
Effect of E-Sign
  • The effect may be a slower, more decentralized
    development of electronic signature
    infrastructure and business practices
  • No Federal mandate for a particular technology,
    preemption of state mandates
  • Business considerations may of course lead to a
    rapid development of a particular technology, but
    it looks like the opposite is happening