Basics about Digital Signatures

The affixing of the signature should be an affirmative act which serves the ceremonial and approval. Optimally, a signature and its creation and verification processes should provide the greatest possible assurance of both signer authenticity and document authenticity, with the least possible expenditure of resources.

Signatures must have the following attributes: Signer authentication, Document authentication, Affirmative action and Efficiency. [1] A signature should indicate who signed a document, message or record, and should be difficult for another person to produce without authorization.  A signature should identify what is signed, making it impracticable to falsify or alter either the signed matter or the signature without detection.

Digital Signatures as a Tool of Security

Use of digital signatures usually involves two processes, one performed by the signer and the other by the receiver of the digital signature.  Digital signature creation uses a hash result derived from and unique to both the signed message and a given private key. For the hash result to be secure, there must be only a negligible possibility that the same digital signature could be created by the combination of any other message or private key. Digital signature verification is the process of checking the digital signature by reference to the original message and a given public key, thereby determining whether the digital signature was created for that same message using the private key that corresponds to the referenced public key.[2]

 Stages of Development: From Electronic Signatures to Digital Signatures

The world witnessed development from Technological Exclusivity to Technological Neutrality and finally to Hybrid.[3] The first mandated the utilization of only the digital signature, and no other form of e-signature. The second reversed the first and took an open-minded attitude toward allowance of any type of e-signature. The third adopted a moderate position between the two extremes of the first and second, recognizing many  forms of e-signatures but granting preferred status to the digital signature. In 1995, the U.S. State of Utah became the first jurisdiction in the world to enact an electronic signature law.[4]

Table – 1: Authentication Legislations: Categorisation on Basis of Approach

S.No.

 

Approach Characteristics Country adopting Approach
1. Prescriptive Approach The legislation delineate specific PKI schemes for digital signatures and typically have general applicability Argentina, Germany, Italy, and Malaysia
2. Two-Tier Approach/

Hybrid Approach

The legislation accepts all or most electronic authentication mechanisms on a technologically-neutral basis, and grants these mechanisms a basic set of legal benefits. Singapore, Hong Kong,

EU Directive

The legislation creates a class of approved technologies whose use is invested with a broader array of legal benefits and obligations. The legislation may define these technologies – sometimes referred to as qualified technologies – by reference to general criteria, by reference to the specific techniques of asymmetric cryptography, or by reference to a schedule of technologies approved by statute or regulation.
3. Minimalist Approach  Purely minimalist approach to granting legal recognition to electronic signatures, foreging any effort to legislate detailed standards for the use of different authentication techniques Australia,

Canada,

U.K., U.S.A.

 Characteristics of Digital Signatures

From an information security viewpoint, the simple electronic signatures are distinct from the digital signatures. The most advanced and widely used form of e-signature is the digital signature, which is founded on the public key cryptographic method.  Due to the mathematical basis of public key cryptography, a digital signature is simply a stream of digits that appears unintelligible to the human observer; however, it actually possesses a significant amount of information. Most common digital signature algorithms provide integrity via a mechanism known as a hash function. A hash function reduces  a set of bits of arbitrary length to a fixed  length known as a hash result  (or simply  a hash).[5]

A handwritten signature is biologically linked to a specific individual, but cryptographic authentication systems bind signatures to individuals through technical and procedural mechanisms. The force of protection provided to digital signatures is often established through statutory evidentiary presumptions. These presumptions are not insurmountable, but merely clarify that the validity of the signature is presumed unless the party seeking to show that it is not valid can meet a burden of proof to rebut the presumption. Unlike informal signatures, the challenger would have to prove the forgery affirmatively.

Digital signatures exacerbate the problem of technological obsolescence. They make the most common coping technique – conversion to new formats during transition periods – impossible unless the original signer can resign under the new format – a solution which is always burdensome and often impossible. From a digital signature perspective, a change to a document format is indistinguishable from a change to the document content, and will result in an unverifiable signature.[6]

Nonetheless, digital signatures have important limitations, the most significant being their temporary nature.[7] Digital signatures will probably never be used for treaty authentication, signing bills into law, or other ceremonial or historical occasions.

[1] Information Security Committee & American Bar Association, “Digital Signature Guidelines”, 7-8 (American Bar Association, 1996).

[2] Id, 11.

[3] The three generations co-exist at the same time in different countries i.e. different countries have adopted different approaches.

[4]Utah Digital Signature Act, 1995 gave legal recognition to digital signatures using PKI technology only.

[5] In doing so, a hash function must possess three important characteristics- it  must  be computationally infeasible to derive another meaningful message that would  result  in  the  same  hash  value; it  must  be  computationally  infeasible  to derive  the  original message  from the  hash value ; and it should be identical for a given algorithm  and  a  given  input. See Randy V.  Sabet , “International Harmonization in Electronic Commerce and Electronic  Data  Interchange: A  Proposed  First  Step  Toward Signing on the  Digital Dotted Line”  46 The American  Universiy  Law  Review 511   (1996) at  522-523.

[6] David Fillingham, “A Comparison of Digital and Handwritten Signatures”  Paper for MIT 6.805/STS085: Ethics and Law on the Electronic Frontier, Fall 1997 available  at http://groups.csail.mit.edu/mac/classes/6.805/student-papers/fall97-papers/fillingham-sig.html (accessed on 20th May,2018).

[7] Id.

Image from here

Bhumika Sharma

She is currently a Research Scholar, (PhD) at Himachal Pradesh University, Shimla. She finds peace in research and writing on a variety of social issues. She believes in the power of education and awareness to deal with various problems.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.