Digital Signatures
•
What is a digital signature?
•
How is a digital signature used for authentication?
•
How long do digital signatures remain valid?
•
What is the legal status of documents signed with digital signatures?
•
Can using digital signatures help detect altered documents and transmission
errors?
* My
PIN does not appear to work.
* When
I try to download my Digital ID I get the message "private key not
found".
--------------------------------------
What
is a digital signature?
A
digital signature functions for electronic documents like a handwritten
signature does for printed documents. The signature is an unforgeable piece of
data that asserts that a named person wrote or otherwise agreed to the document
to which the signature is attached.
A
digital signature actually provides a greater degree of security than a
handwritten signature. The recipient of a digitally signed message can verify
both that the message originated from the person whose signature is attached
and that the message has not been altered either intentionally or accidentally
since it was signed. Furthermore, secure digital signatures cannot be
repudiated; the signer of a document cannot later disown it by claiming the
signature was forged.
In
other words, digital signatures enable "authentication" of digital
messages, assuring the recipient of a digital message of both the identity of
the sender and the integrity of the message.
--------------------------------------
How
is a digital signature used for authentication?
Suppose
Alice wants to send a signed message to Bob. She creates a message digest by
using a hash function on the message. The message digest serves as a
"digital fingerprint" of the message; if any part of the message is
modified, the hash function returns a different result. Alice then encrypts the
message digest with her private key. This encrypted message digest is the
digital signature for the message.
Alice
sends both the message and the digital signature to Bob. When Bob receives
them, he decrypts the signature using Alice's public key, thus revealing the
message digest. To verify the message, he then hashes the message with the same
hash function Alice used and compares the result to the message digest he
received from Alice. If they are exactly equal, Bob can be confident that the
message did indeed come from Alice and has not changed since she signed it. If
the message digests are not equal, the message either originated elsewhere or
was altered after it was signed.
Note
that using a digital signature does not encrypt the message itself. If Alice
wants to ensure the privacy of the message, she must also encrypt it using
Bob's public key. Then only Bob can read the message by decrypting it with his
private key.
It
is not feasible for anyone to either find a message that hashes to a given
value or to find two messages that hash to the same value. If either were
feasible, an intruder could attach a false message onto Alice's signature.
Specific hash functions have been designed to have the property that finding a
match is not feasible, and are therefore considered suitable for use in
cryptography.
One
or more Digital IDs can accompany a digital signature. If a Digital ID is
present, the recipient (or a third party) can check the authenticity of the
public key.
--------------------------------------
How
long do digital signatures remain valid?
Normally,
a key expires after some period of time, such as one year, and a document
signed with an expired key should not be accepted. However, there are many
cases where it is necessary for signed documents to be regarded as legally
valid for much longer than two years; long-term leases and contracts are
examples. By registering the contract with a digital time-stamping service at
the time it is signed, the signature can be validated even after the key expires.
If
all parties to the contract keep a copy of the time-stamp, each can prove that
the contract was signed with valid keys. In fact, the time-stamp can prove the
validity of a contract even if one signer's key gets compromised at some point
after the contract was signed. Any digitally signed document can be
time-stamped, assuring that the validity of the signature can be verified after
the key expires.
--------------------------------------
What
is the legal status of documents signed with digital signatures?
If
digital signatures are to replace handwritten signatures they must have the
same legal status as handwritten signatures, i.e., documents signed with
digital signatures must be legally binding. NIST has stated that its proposed
Digital Signature Standard should be capable of "proving to a third party
that data was actually signed by the generator of the signature. "
Furthermore, U.S. federal government purchase orders will be signed by any such
standard; this implies that the government will support the legal authority of
digital signatures in the courts. Some preliminary legal research has also
resulted in the opinion that digital signatures would meet the requirements of
legally binding signatures for most purposes, including commercial use as
defined in the Uniform Commercial Code (UCC). A GAO (Government Accounting
Office) decision requested by NIST also opines that digital signatures will
meet the legal standards of handwritten signatures.
However,
since the validity of documents with digital signatures has never been
challenged in court, their legal status is not yet well-defined. Through such
challenges, the courts will issue rulings that collectively define which
digital signature methods, key sizes, and security precautions are acceptable
for a digital signature to be legally binding.
Digital
signatures have the potential to possess greater legal authority than
handwritten signatures. If a ten page contract is signed by hand on the tenth
page, one cannot be sure that the first nine pages have not been altered.
However, if the contract was signed with digital signatures,a third party can
verify that not one byte of the contract has been altered.
Currently,
if two people want to digitally sign a series of contracts, they might first
sign a paper contract in which they agree to be bound in the future by any
contracts digitally signed by them with a given signature method and minimum
key size.
Several
efforts are underway to legislate the legality and use of digital signatures.
Utah has implemented laws qualifying digital signatures. Similar legislation is
under way in California and New York, with other states following.
--------------------------------------
Can
using digital signatures help detect altered documents and transmission errors?
A
digital signature is superior to a handwritten signature in that it attests to
the contents of a message as well as to the identity of the signer. As long as
a secure hash function is used, there is no way to take someone's signature
from one document and attach it to another, or to alter the signed message in
any way. The slightest change in a signed document will cause the digital
signature verification process to fail. Thus, authentication allows people to
check the integrity of signed documents. Of course, if a signature verification
fails, it may be unclear if there was an attempted forgery or simply a
transmission error.
--------------------------------------
My
PIN does not appear to work.
If
possible, use the "copy" and "paste" commands from the Edit
menu to copy your PIN from the E-mail you received and paste it into the field
on the page you use to get your Digital ID. If copying and pasting does not
work with your software, and you must type the PIN, makesure:
the
PIN includes 16 or 32 characters
the
characters include only the numerals 0 (zero) through 9 and the letters A
through F
there
are no spaces before, after, or within the PIN
--------------------------------------
When
I try to download my Digital ID I get the message "private key not
found".
When
you retrieve your Digital ID, we automatically check to make sure that the
private key created in your hard drive during enrollment matches the public key
in your Digital ID. In order for these to match, you must be using the same web
browser, in the same directory, on the same computer as you were when you
requested the Digital ID.
--------------------------------------