DIGITAL TRUST SCIENCE

Peer entity authentication

admin — Wed, 24 Feb 2010 22:35:10 +0000

Authentication is the provision of assurance of the claimed identity of an entity [ISO/IEC 10181-2]. In order to guaranty the success of an exchange and whether at the origin or at the receiving end of the message, exchanging parties must be authentified before the process is initiated. This allows answering two fundamental questions, often forgotten in the “traditional” electronic exchanges:

1- Is the recipient I’m about to send this information really the one I think he is?
Peer entity authentication: The corroboration that a peer entity in an association is the one claimed [ISO 7498-2]

2- Does this message really comes from the person it says it does?
Data origin authentication: The corroboration that the source of data received is as claimed [ISO 7498-2]

We offers you the tools to easily obtain guaranties (with full legal value) on your correspondents’ identity.

Document authentication

To ensure a document authentication, a signature should identify what is signed, making it impracticable to falsify or alter either the signed matter or the signature without detection. Again, the provides easy way to apply your electronic signature to any content attached to your envelope.

Signer authentication and document authentication are tools used to exclude impersonators and forgers and are essential ingredients of what is often called a ” non-repudiation service” in the terminology of the information security profession.

Technical standards

admin — Wed, 24 Feb 2010 19:38:02 +0000

The value of a legal evidence is ackwnoledged all the more if it also satisfies criteria of durability and portability. Because of the way the evidences are build (it binds the content and the exchanging parties identities with the event it relates to) and by complying to technology standards, provides you with the insurance that you will always be able to use your evidences in a court, at anytime, independantly from our service !

Below is a list of standards strictly followed :

CEN/ISSS – European Committee for Standardization/ Information Society Standardization System
CWA 14169 – Secure Signature-creation devices “EAL 4+”
CWA 14170 – Security requirements for signature creation applications
CWA 14171 – General guidelines for electronic signature verification
CWA 14365 – Guide on the Use of Electronic Signatures – Part 1: Legal and Technical Aspects

NIST – National Institute of Standards and Technology
FIPS Pub 186: Digital Signature Standard. 19 May 1994.
NIST – FIPS 140-1 Level 2 and 3 physical protection certification

Request for Comments (RFCs)
Housley, R., Polk, W., Ford, W. and D. Solo, “Internet X.509 Public Key Infrastructure: Certificate and CRL Profile”, RFC 3280, April 2002
Housley, R., “Cryptographic Message Syntax”, RFC 3852, July 2004
Housley, R., “Cryptographic Message Syntax (CMS) Algorithms”, RFC 3370, August 2002
Kaliski, B., “PKCS #7: Cryptographic Message Syntax, Version 1.5.”, RFC 2315, March 1998
CCITT. Recommendation X.209: Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1).1988

RSA Security – Public-Key Cryptography Standards (PKCS)
PKCS #1: RSA Cryptography Standard
PKCS #3: Diffie-Hellman Key Agreement Standard
PKCS #7: Cryptographic Message Syntax Standard
PKCS #10: Certification Request Syntax Standard
PKCS #11: Cryptographic Token Interface Standard

Digital certificate

admin — Tue, 16 Feb 2010 12:11:28 +0000

To verify an electronic signature, the verifier must have access to the signer’s public key and have assurance that it corresponds to the signer’s private key. However, a public and private key pair has no intrinsic association with any person; it is simply a pair of numbers. Some convincing strategy is necessary to reliably associate a particular person or entity to the key pair.

To associate a key pair with a prospective signer, a certification authority (using public key infrastructure ) issues a certificate, an electronic record which lists a public key as the “subject” of the certificate, and confirms that the prospective signer identified in the certificate holds the corresponding private key.

The following figure shows the structure of a digital certificate.

Different classes of certificates can be purchased that correspond to the level of checks made. There are 4 general classes of certificate:

Level 1 certificates: offer the lowest level of assurances and can be easily acquired. They are individual Certificates, whose validation procedures are based on assurances that the Subscriber’s distinguished name is unique and unambiguous within the Certification Authority’s Subdomain and that a certain e-mail address is associated with a public key. They are appropriate for digital signatures, encryption, and access control for non-commercial or low-value transactions where proof of identity is unnecessary.

Level 2 certificates: require additional personal information to be supplied and offer a medium level of assurances in comparison with the other classes.

Level 3 certificates: may be used for digital signatures, encryption, and access control, including as proof of identity, in high-value transactions. Class 3 individual Certificates provide assurances of the identity of the Subscriber based on the personal (physical) presence of the Subscriber before a person that confirms the identity of the Subscriber using, at a minimum, a well-recognized form of government-issued identification and one other identification credential.

A 4th class (Qualified certificates), like the ones automatically provided with the electronic ID card, is used for very high quality signatures.

Qualified certificate

admin — Tue, 16 Feb 2010 12:02:43 +0000

The requirements for qualified certificates are defined by the european directive 1999/93/EC (annex I, dir.) as follow:

1- the indication that the certificate is issued as a qualified certificate;

2- the identification of the Certification Authority and the State (European or foreigner) in which it is established;

3- the name (or pseudonym) of the signatory, to identify her/him;

4- signature-verification data which correspond to signature-creation data under the control of the signatory;

5- the indication of the period of validity of the certificate;

6- the identity code of the certificate; and

7- the advanced electronic signature of the certification-service-provider (Certification Authority).

Qualified signature

admin — Tue, 16 Feb 2010 11:40:51 +0000

A qualified electronic signature is an advanced electronique signature , based on a qualified certificate and created by a secure-signature-creation device.

The European Directive defines the qualified electronic signature as follow:
“[..] Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device:

1- satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and

2- are admissible as evidence in legal proceedings. [..]”

The qualified signature may also contain other elements, such as the provision for a specific attribute of the signatory, there can be a limitation on the scope of use of the certificate, such as stipulation that contracts can only be signed with specific countries such as the United States. Additionally, there can be limits on the value of transactions for which the certificate can be used, such as the ability to sign contracts up to a maximumof $10,000 USD.

This type of digital signature has a strong juridical value. A strong digital signature is very useful for business: you are sure of the identity of the signatory, the content of the text, the confidentiality of your business, and the elements you would have in any eventual legal action. No hacker can read the text, modify it, or take the place of the signatory. The judge can’t make decisions on the juridical value of this qualified signature: it is fixed by the law and nobody can refute it. This kind of electronic signature has a high value, but it must be used in a correct way and thus the signatory has some duties to perform.

Duties of a qualified electronic signature user

Keeping duty.
The signatory has to keep the smart-card and the other tools necessary for a digital signature safe to avoid unauthorized use. If you don’t secure your signature tools you are responsible for their unauthorized use!

Information duties.
You have to inform your Certification Authority about the limits of the signature, consisting of its use and/or value limits before the smart-card is given out. You have also to inform your Certification Authority as soon as possible about any loss of value in the digital signature, on every circumstance it depends. Here are a few examples of a loss of value: the signatory was one of your employees and now she is retired, the smart-card was stolen from the strong-box with the pin code, or the signatory society had gone bankrupt. In all these cases, if you don’t inform the Certification Authority you are responsible for any unauthorized use. There are other good examples of information duties: let’s say your subordinate can sign contracts for up to $10,000 USD and he has a strong digital signature. You didn’t indicate this value limit to the Certification Authority, so no limit is written into the qualified certificate. The subordinate signs a contract for more than a million dollars. Can you say this contract is void? No, because you didn’t inform your Certification Authority and consequently the Certification Authority didn’t inform its third parties, such as its commercial partners. You can only mitigate your losses with the subordinate, and not with the organization that entered into the contract with you.

Update duties.
No key is safe forever, because technology improves and develops such that a good quality algorithm now becomes a low quality algorithm over time. Moreover every mathematical key can be decrypted in a certain time. The digital signature is safe only during its validity period, which is set much shorter than the time an hacker needs to decrypt it. When the validity period is gone the digital signature is no longer safe and the Certification Authority won’t warrant it any longer. You have to update your digital signature when the validity period is gone, and this update means the receipt of a completely new key. If you continue to use your strong digital signature after the end of the validity period, it loses its juridical value, effectively becomes a weak electronic signature.

Digital signature creation

admin — Tue, 16 Feb 2010 11:13:12 +0000

Digital signature creation uses a hash result derived from and unique to both the signed message and a given private key. For the hash result to be secure, there must be only a negligible possibility that the same digital signature could be created by the combination of any other message or private key.

Digital signature verification
Digital signature verification is the process of checking the digital signature by reference to the original message and a given public key, thereby determining whether the digital signature was created for that same message using the private key that corresponds to the referenced public key.

Hash
A hash function is an algorithm which creates a digital representation or “fingerprint” in the form of a “hash value” or “hash result” of a standard length which is usually much smaller than the message but nevertheless substantially unique to it.

Any change to the message invariably produces a different hash result when the same hash function is used. In the case of a secure hash function, sometimes termed a “one-way hash function,” it is computationally infeasible to derive the original message from knowledge of its hash value. Hash functions therefore enable the software for creating digital signatures to operate on smaller and predictable amounts of data, while still providing robust evidentiary correlation to the original message content, thereby efficiently providing assurance that there has been no modification of the message since it was digitally signed.

Advanced signature

admin — Tue, 16 Feb 2010 11:00:41 +0000

The European Directive defines the advanced electronic signature as follow:

In order to be considered as advanced electronic signature, a digital signature must be:

1- Uniquely linked to the signatory

2- Capable of identifying the signatory

3- Created using means under the sole control of the signatory

4- Linked to the data to which it relates

An advanced electronic signature has more significant value than an electronic signature: it guarantees the integrity of the text, as well as the authentication.

However, the advanced electronic signature does not yet offer all the guaranties expected as regards to the protection of the signature creation data (data used by the signatory to create an electronic signature). This is why the EC introduced in the directive the qualified digital signature , reinforcing therfore the advanced signature by raising the quality and the control over its creation even further.

Digital signature and legal aspects

admin — Tue, 16 Feb 2010 10:35:37 +0000

People who do business on the Internet require security and trust in electronic commerce and communication. You can’t see the person you are speaking with, you can’t see the documents that prove one’s identity, and you can’t even know if the web site you are connected to belongs to the organisation it says it does.

Directive 1999/93/EC of the European Parliament and the council of December 13, 1999

To answer these juridical necessities, the European Union adopted a community framework for electronic signatures some time ago (directive 1999/93/EC of the European Parliament and the council of December 13, 1999) that has been implemented in various European countries. The European directive is used for business in which European partners (persons or societies) or public administrations are involved. It also means that if an American organization enters into an electronic contract with a European society it has to respect European requirements to ensure the contract is valid.

The directive 1999/99/EC defines, in article 5, the electronic signature as follow:

“[..] Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is:

1- in electronic form, or

2- not based upon a qualified certificate, or

3- not based upon a qualified certificate issued by an accredited certification-service-provider, or

4- not created by a secure signature-creation device. [..]”

Nevertheless, it remains essential to guaranty a signature’s effectiveness to ensure its value. This is why this very same european directive also draws the contours of stronger electronic signatures, admissible as evidence in legal proceedings: the advanced electronic signature and the even more legally admissible qualified digital signature (also called a secure digital signature or strong digital signature).

Electronic signature

admin — Tue, 16 Feb 2010 10:24:26 +0000

Data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication (Article 2 of 93/1999/EC).

How Digital Signature Technology Works

Digital signature technology generally surpasses paper technology in all these attributes. To understand why, one must first understand how digital signature technology works.

Digital signatures are created and verified by cryptography, the branch of applied mathematics that concerns itself with transforming messages into seemingly unintelligible forms and back again. Digital signatures use what is known as “public key cryptography,” which employs an algorithm using two different but mathematically related “keys;” one for creating an electronic signature (in other words transforming data into a seemingly unintelligible form), and another key for verifying a digital signature or returning the message to its original form.

Even so this is the most commonly accepted way to produce an electronic signature, it is not the only one. evidencecube supports all known types of electronic signature: its technology-dependent architecture ensure the compatibility of the service to future digital signature implementations.

The legislation

admin — Mon, 15 Feb 2010 09:21:05 +0000

“[..] The formal requirements for legal transactions, including the need for signatures, vary in different legal systems, and also vary with the passage of time. There is also variance in the legal consequences of failure to cast the transaction in a required form. The statute of frauds of the common law tradition, for example, does not render a transaction invalid for lack of a “writing signed by the party to be charged,” but rather makes it unenforceable in court, a distinction which has caused the practical application of the statute to be greatly limited in case law.

During this century, most legal systems have reduced formal requirements, or at least have minimized the consequences of failure to satisfy formal requirements. Nevertheless, sound practice still calls for transactions to be formalized in a manner which assures the parties of their validity and enforceability. [..]

Although the basic nature of transactions has not changed, the law has adapted to advances in technology. The legal and business communities continue developing rules and practices which use new technology to achieve and surpass the effects historically expected from paperforms. [..]”

Extract from the American Bar Association website ( http://www.abanet.org )

In 1999, The EC submitted a proposal to its members states through the European Directive 1999/93/EC regarding the electronic signature which was retranscribed by them over the following years.

Similarily, the American Electronic Signatures in Global and National Commerce Act (E-Sign) in June 2000 was designed to support the growth of e-business by mandating that electronic signatures (whether in interstate or foreign commerce) are given the same legal weight as traditional formats.

In other words, laws and legislations have been adapted around the world to give the electronic signature the same value as the hand-written signature.