|
One or more Digital IDs can accompany a digital signature. If a Digital ID is present, the recipient (or a third party) can check the authenticity of the public key.
A digital signature functions for electronic documents like a handwritten signature does for printed documents.
The signature is an unforgeable piece of data that asserts that a named person wrote or otherwise agreed to the document to which the signature is attached.
A digital signature actually provides a greater degree of security than a handwritten signature. The recipient of a digitally signed message can verify both that
the message originated from the person whose signature is attached and that the message has not been altered either intentionally or accidentally since it was signed.
Furthermore, secure digital signatures cannot be repudiated; the signer of a document cannot later disown it by claiming the signature was forged.
In other words, digital signatures enable "authentication" of digital messages, assuring the recipient of a digital message of both the identity of the
sender and the integrity of the message.
It is not feasible for anyone to either find a message that hashes to a given value or to find two messages that hash to the same value.
If either were feasible, an intruder could attach a false message onto Alice's signature. Specific hash functions have been designed to have the property
that finding a match is not feasible, and are therefore considered suitable for use in cryptography.
Normally, a key expires after some period of time, such as one year, and a document signed with an expired key should not be accepted.
However, there are many cases where it is necessary for signed documents to be regarded as legally valid for much longer than two years; long-term
leases and contracts are examples. By registering the contract with a digital time-stamping service at the time it is signed, the signature can be
validated even after the key expires.
If all parties to the contract keep a copy of the time-stamp, each can prove that the contract was signed with valid keys. In fact,
the time-stamp can prove the validity of a contract even if one signer's key gets compromised at some point after the contract was signed.
Any digitally signed document can be time-stamped, assuring that the validity of the signature can be verified after the key expires.
If digital signatures are to replace handwritten signatures they must have the same legal status as handwritten signatures, i.e., documents signed
with digital signatures must be legally binding. NIST has stated that its proposed Digital Signature Standard should be capable of "proving to a third
party that data was actually signed by the generator of the signature. " Furthermore, U.S. federal government purchase orders will be signed by
any such standard; this implies that the government will support the legal authority of digital signatures in the courts. Some preliminary legal
research has also resulted in the opinion that digital signatures would meet the requirements of legally binding signatures for most purposes,
including commercial use as defined in the Uniform Commercial Code (UCC). A GAO (Government Accounting Office) decision requested
by NIST also opines that digital signatures will meet the legal standards of handwritten signatures.
However, since the validity of documents with digital signatures has never been challenged in court, their legal status is not yet well-defined.
Through such challenges, the courts will issue rulings that collectively define which digital signature methods, key sizes, and security
precautions are acceptable for a digital signature to be legally binding.
A digital signature is created by running message text through a hashing algorithm. This yields a message digest.
The message digest is then encrypted using the private key of the individual who is sending the message, turning it into a digital signature.
The digital signature can only be decrypted by the public key of the same individual. The recipient of the message decrypts the digital
signature and then recalculates the message digest. The value of this newly calculated message digest is compared to the value of the
message digest found from the signature. If the two match, the message has not been tampered with. Since the public key of the sender
was used to verify the signature, the text must have been signed with the private key known only by the sender.
This entire authentication process will be incorporated into any security-aware application.
The problems of authentication and large network privacy protection were addressed theoretically in 1976 by Whitfield Diffie and Martin Hellman when
they published their concepts for a method of exchanging secret messages without exchanging secret keys. The idea came to fruition in 1977 with the
invention of the RSA Public Key Cryptosystem by Ronald Rivest, Adi Shamir, and Len Adleman, then professors at the Massachusetts Institute of Technology.
Rather than using the same key to both encrypt and decrypt the data, the RSA system uses a matched pair of encryption and decryption keys. Each key performs a one-way transformation upon the data. Each key is the inverse function of the other; what one does, only the other can undo.
The RSA Public Key is made publicly available by its owner, while the RSA Private Key is kept secret. To send a private message, an author
scrambles the message with the intended recipient's Public Key. Once so encrypted, the message can only be decoded with the recipient's Private Key.
Inversely, the user can also scramble data using their Private Key; in other words, RSA keys work in either direction. This provides the basis for the "digital signature,"
for if the user can unscramble a message with someone's Public Key, the other user must have used their Private Key to scramble it in the first place. Since only
the owner can utilize their own private key, the scrambled message becomes a kind of electronic signature -- a document that nobody else can produce.
Digital signatures have the potential to possess greater legal authority than handwritten signatures. If a ten page contract is signed
by hand on the tenth page, one cannot be sure that the first nine pages have not been altered. However, if the contract was signed with
digital signatures,a third party can verify that not one byte of the contract has been altered.
Currently, if two people want to digitally sign a series of contracts, they might first sign a paper contract in which they agree to be
bound in the future by any contracts digitally signed by them with a given signature method and minimum key size.
Several efforts are underway to legislate the legality and use of digital signatures. Utah has implemented laws qualifying digital signatures.
Similar legislation is under way in California and New York, with other states following.
A digital signature is superior to a handwritten signature in that it attests to the contents of a message as well as to the identity of the signer.
As long as a secure hash function is used, there is no way to take someone's signature from one document and attach it to another, or to alter the
signed message in any way. The slightest change in a signed document will cause the digital signature verification process to fail. Thus,
authentication allows people to check the integrity of signed documents. Of course, if a signature verification fails, it may be unclear if there was
an attempted forgery or simply a transmission error. | 
Домой | 
Заказ |
+A |
R |
-A |
|--|
|<-->|
