digital signatures

Posted on 2013-06-07
Medium Priority
Last Modified: 2013-06-18
Can anyone explain the concept of digital signatures to me? Are they solely related to email communications, or can other software make use of them (if so, where else are they used)? We have an internal procedure for emailing our payroll department with claims forms (i.e. mileage claims from staff, requests for reimbursements etc.). Our payroll department has suggested using digital certificates for submitting such claim forms. It is not something I have dealt with before. From a security perspective, if they are looking to implement such a process, what would you want assurances on from its configuration to ensure the process is tamper (fraudulent amendment) free? What benefits do digital certificates bring in this area, i.e. why is it likely they are configuring such an approach? What would auditors likely be wanting assurances on from the configuration of a digital signature system? If you could provide a bit of a management-friendly, low-tech checklist of assurances we should be getting from the use of digital signatures, that would be most helpful. Please keep answers relatively low-tech and management-friendly.

What can go wrong with digital signatures?
What would a poorly designed system using digital signatures look like?
Are they pretty fool proof?
What are some best practices for the use of digital signatures?
Question by: pma111

Accepted Solution

Dave Howe earned 2000 total points
ID: 39229424
Digital signatures as most commonly seen are actually "cryptographic hashes" and a side effect of PKI: by taking a hash of some given data, then encrypting the hash with a private key, you can send the encrypted hash to someone who has your public key, at the same time as the data. By calculating the hash and decrypting the encrypted hash, they can compare the "as sent" hash to the "as received" hash and ensure no tampering has taken place (or the hash would change).

That is OK, as far as it goes, but all it really shows is that the data was "digitally signed" by someone who had the private key. That's great for some things (and Adobe pushed it heavily for their Acrobat PDF solution, which appends both a cryptographic hash *and* a scanned image of a signature when "digitally signing") but fails to show intent, just possession of a file or other token (such as a PKCS#15 smartcard).

Note that there is no requirement that a "digital signature" actually *be* a cryptographic signature. If you created a webform that had a page that said "To confirm your identity and the intent to submit your expenses claim, please enter your username and password for Active Directory here; note that this constitutes a digital contract signature and is legally binding. If you are not 100% certain you wish to do this, hit [this button] to go back and confirm your claim details", then that would be a digital signature: not a cryptographic one, but one that is legal in most jurisdictions (as a digital signature requires only a clear statement of intent, not a specific form).

Getting back to CS though; you can produce your own cryptographic "detached" signatures for anything using either the SSL standard or the OpenPGP standard; free packages there would be OpenSSL or GNU Privacy Guard.

Signatures are used a *lot* for Java applets, .NET assemblies, and Windows drivers; almost all of those carry a digital signature, and ones that don't cause an error message. Those are examples of "good" usage.

Any poorly designed system would be one where the "signed" document could be submitted by anyone other than the asserted signer, or submitted without his knowledge (robotic autosignature software has been shown to lack the required intent to sign in court).

Note that, if you are talking email, almost all email clients have digital signature software built in! You just need to generate and install the required S/MIME certificate+key pairs on each user's profile, and they can send signed and receive encrypted mails using that. This is called (in MS Outlook terms) a "digital ID".

Protecting those with a password (which must be typed on use) can satisfy the "intent" requirement, but really it's down to how well you train the staff then, not to use their digital signature capability without an actual intent :)

Author Comment

ID: 39237438
Thanks Dave, are you talking about impersonation here:

"any poorly designed system would be one where the "signed" document could be submitted by anyone other than the asserted signer, or submitted without his knowledge (robotic autosignature software has been shown to lack the required intent to sign in court)"

I.e. signing a document as someone else? They are signing PDF documents. Any idea how to "lock this down"? Is that the main concern in this area, impersonation? It is the PDF that is signed; it's emailed to their line manager, who then also adds their digital signature before sending that to the finance dept for processing.
Expert Comment

by:Dave Howe
ID: 39237675
Not necessarily impersonation. Situations that don't constitute impersonation are where more than one user has the same key (a generic one) hence no one individual is directly identified by the signature (although confusingly, that *is* a legally binding signature; the core of digital signature law is intent, not technical specifics) or where the signature is applied by a machine *possibly* without the specific knowledge of the individual.

Imagine a Distiller-like PDF device that lets you "print" Word documents into digitally signed PDFs. If that distiller didn't require a deliberate individual act, then that printer could get "shared" to the network (and anyone could generate signed documents with it), or an app could print to it mistakenly and generate a signed document the individual didn't even know existed.

For the scheme you present to be legally binding, you would need to establish that the signature was made by the individual as a deliberate act. An email (which could be sent by anyone) isn't going to wash in court unless you can establish that the user's signing key was under the control of that individual and password protected (so that no other user could hop on their PC while they weren't at their desks and forgot to lock their machine).

The property I am pushing for here is non-repudiation: where a digital signature cannot be disclaimed by the purported signer with the assertion that they didn't know.
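The workflow discussed in this thread (a staff member signs the claim, the line manager countersigns, finance checks both) and the hash-then-sign construction from the accepted answer, written out as an added Go example. This is not code from the original thread, from Experts Exchange, or from any product named above. It assumes a constructed `Claim` record in place of the real PDF, Ed25519 key pairs generated on the spot, and an organisation-held `Directory` of registered public keys; PDF, S/MIME and the Adobe signature format are not modelled, and all names (`Claim`, `SignedClaim`, `Directory`, `Approve`, `Check`, `Demo`, "alice", "bob") are invented for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Claim is a constructed expense claim standing in for the PDF in the thread.
type Claim struct {
	Employee, Purpose string
	Pence             int // amount in pence so the encoding is exact
}

// Bytes is the canonical encoding the signatures cover; alter any field and the hash changes.
func (c Claim) Bytes() []byte {
	return []byte(fmt.Sprintf("employee=%s;purpose=%s;pence=%d", c.Employee, c.Purpose, c.Pence))
}

// SignedClaim is the claim plus two detached signatures (claimant's, then manager's).
type SignedClaim struct {
	Claim                Claim
	StaffSig, ManagerSig []byte
}

// Directory is the organisation's register of who holds which public key (assumed, not a real product).
type Directory map[string]ed25519.PublicKey

// sign is "hash the data, then sign the hash with the private key".
func sign(priv ed25519.PrivateKey, data []byte) []byte {
	d := sha256.Sum256(data)
	return ed25519.Sign(priv, d[:])
}

// verify rehashes what was received and checks it against the signature with the public key.
func verify(pub ed25519.PublicKey, data, sig []byte) bool {
	d := sha256.Sum256(data)
	return ed25519.Verify(pub, d[:], sig)
}

// verifyStaff checks the staff signature under the key registered for the NAMED employee only.
func verifyStaff(dir Directory, sc SignedClaim) error {
	if pub, ok := dir[sc.Claim.Employee]; !ok || !verify(pub, sc.Claim.Bytes(), sc.StaffSig) {
		return errors.New("staff signature does not verify for " + sc.Claim.Employee)
	}
	return nil
}

// Approve is the manager's step: countersign only if the staff signature holds.
func Approve(dir Directory, sc SignedClaim, managerPriv ed25519.PrivateKey) (SignedClaim, error) {
	if err := verifyStaff(dir, sc); err != nil {
		return sc, err
	}
	// Sign claim plus staff signature, so the approval is bound to exactly what was submitted.
	sc.ManagerSig = sign(managerPriv, append(sc.Claim.Bytes(), sc.StaffSig...))
	return sc, nil
}

// Check is what finance does on receipt: both signatures must verify against registered keys.
func Check(dir Directory, sc SignedClaim, manager string) error {
	if err := verifyStaff(dir, sc); err != nil {
		return err
	}
	if pub, ok := dir[manager]; !ok || !verify(pub, append(sc.Claim.Bytes(), sc.StaffSig...), sc.ManagerSig) {
		return errors.New("manager signature does not verify for " + manager)
	}
	return nil
}

// newKey makes a fresh pair; in practice the private half sits in a password-protected store.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo: honest claim passes; amount altered after approval fails; unregistered signer is refused.
func Demo() (honestOK, alteredFails, imposterFails bool) {
	alicePub, alicePriv := newKey()
	bobPub, bobPriv := newKey()
	_, strayPriv := newKey() // a key the organisation never registered
	dir := Directory{"alice": alicePub, "bob": bobPub}
	claim := Claim{Employee: "alice", Purpose: "mileage", Pence: 4250} // constructed sample input
	mine := SignedClaim{Claim: claim, StaffSig: sign(alicePriv, claim.Bytes())} // alice's deliberate act
	approved, err := Approve(dir, mine, bobPriv)
	honestOK = err == nil && Check(dir, approved, "bob") == nil
	altered := approved // tamper after approval: bump the amount tenfold
	altered.Claim.Pence = 42500
	alteredFails = Check(dir, altered, "bob") != nil
	forged := SignedClaim{Claim: claim, StaffSig: sign(strayPriv, claim.Bytes())} // "from alice", wrong key
	_, err = Approve(dir, forged, bobPriv)
	imposterFails = err != nil
	return
}
```

Calling `Demo()` returns `true, true, true`: the countersigned claim verifies, a claim whose amount was changed after approval fails both signature checks (the hash no longer matches), and a claim signed with a key that is not registered for "alice" is refused at the manager's step. Two design choices carry the thread's points: verification always looks the key up by the name on the claim, so a signature that happens to verify under some other key (a shared "generic" one, say) proves nothing about the named person; and the manager signs over the claim together with the staff signature, so the approval cannot be reattached to a different submission. What the code cannot show is intent: that depends on the private key being under the individual's sole, password-protected control.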
