Digital signature is a term with confusing reference. It is sometimes taken to be a 'subset' of electronic signatures.[1][2][3][4] But some people use the term to describe something equivalent to an electronic signature. The U.S. Electronic Signatures in Global and National Commerce Act of 2000 uses electronic signature rather than digital signature to avoid confusing the legal concept with a class of encryption technologies. Electronic signature means an electronic sound, symbol, or process, logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.[5]
Digital signature is more typically used as a narrower term encompassing only cryptographic signatures. But even within digital signature, there are checksum-like mechanisms such as message authentication codes, file integrity hashes and digital pen pad devices, as well as crytpgraphically based signature protocols which ensure (if keys have not been compromised and have been properly used) that none other than the claimed signer of some document or record could have done so.
Many have been proposed, some have been found to be flawed and should no longer be used. Some are covered by patents, some were covered by patents which have expired, and some are free of patent license requirements, though there is more than a little disagreement on this point amongst those with commercial interests.
These digital signatures use asymmetric key algorithms and often use public key infrastructure (PKI) schemes in which the public key used in the signature scheme is tied to a user by a digital identity certificate issued by a certificate authority, usually run by a third party commercial firm. PKI systems attempt to unbreakably bind user information (name, address, phone number, ...) to a public key; the underlying idea is closely akin to that of a notary endorsement. There are several digital signature schemes; most establish two complementary algorithms, one for signing and the other for checking the signature at some later time. The output of the signature process (in principle, these are bit strings, though they can be represented in many ways) is also called a digital signature.
The term electronic signature has had a distinct meaning in common law: it refers to any of several, not necessarily cryptographic, mechanisms for identifying the originator of an electronic message. Many electronic signatures employ digital signature technology to ensure the legal intent is also cryptographically secure. Electronic signatures found valid by courts in various jurisdictions have included cable and Telex addresses, as well as fax transmission of handwritten signatures on a paper document. It is said that this is the reason both the Uniform Electronic Transactions Act (U.S. state law), and the U.S. Federal Electronic Signatures in Global and National Commerce Act refer only to electronic signatures. As the security (and workability) of the digital signatures discussed in this article are quite different than all other kinds of electronic signatures, these legal usages present problems in practice.
[edit] Authentication
Public-key cryptosystems allow encryption of a message with a user's private key. The message itself need not be sent in ciphertext. If a hash of the document is generated and then encrypted, the document cannot be undetectably altered in any way without also changing the hash value, which, if quality algorithms are properly used, will be computationally infeasible (ie, in practice impossible). By decrypting the hash using the sender's public key, and checking the result against a newly generated hash of the alleged plaintext, the recipient can confirm (with high confidence) that the encryption was done with the sender's private key (and so presumably by the user who should have been the only person able to use that key), and that the message hasn't been altered since it was signed. No recipient can ever be absolutely certain the purported sender is indeed the signer -- ie, the person who used the private key -- since the cryptosystem might have been broken, the key copied, or the whole scheme evaded using social engineering.
The importance of high confidence in both the message integrity and sender authenticity is especially obvious in a financial context. For example, suppose a bank's branch office sends instructions to the central office in the form (a,b) where a is the account number and b is the amount to be credited to the account. A devious customer may deposit £100, observe the resulting transmission and repeatedly retransmit (a,b), getting a deposit each time and getting rich in the process. This is an example of a replay attack.
Integrity
Both parties will always wish to be confident that a message has not been altered during transmission. Encryption of the message makes it difficult for a third party to read it, but that third party may still be able to alter it, perhaps maliciously, without actually reading it. An example is the homomorphism attack: consider a bank which sends instructions from branch offices to the central office in the form (a,b) where a is the account number and b is the amount to be credited to the account. A devious customer may deposit £100, intercept the resulting transmission and then transmit (a,b3) to become an instant millionaire.
Public-key digital signature schemes rely on public-key cryptography. In public-key cryptography, each user has a pair of keys: one public and one private. The public key is distributed freely, but the private key is kept secret by the user; another requirement is that it should be computationally infeasible to derive the private key from the public key.
Generally, digital signature schemes include three algorithms:
A key generation algorithm
A signing algorithm
A verification algorithm
For example, consider a situation in which Bob sends a message to Alice and she wants to be certain it came from him. Bob sends his message to Alice, attaching a digital signature. The digital signature was generated using Bob's private key, and takes the form of a string of bits (normally represented as a string of characters (ie, digits and letters)). On receipt, Alice can then check whether the message really came from Bob by running the verification algorithm on the message together with the signature, using Bob's public key. If they match, then Alice can be confident the message really was from Bob, because quality digital signature algorithms are so designed that it is very difficult to forge a signature to match a given message (unless one has knowledge of the private key, which Bob must keep secret).
Hope these help...
2006-12-28 21:48:09
·
answer #1
·
answered by Vocal Prowess 4
·
0⤊
0⤋
Hi!
Digital signatures are used to identify DLL files (in OS). Every DLL has or should have a DS. Now, DS is used for a variety of other things. Many sites have Security Certificates (some sort of DS). Also, some applications, including e-government, health care, transportation, security, etc...
Each company involved in security has her own DS model the same way each standard in each industy has a DS model.
So, telling what DS is used where is used is kind of difficult!
Happy new year!
2006-12-28 21:52:09
·
answer #2
·
answered by Robintel 4
·
0⤊
0⤋