Signature and Authentication
Signature, electronic signature and digital signature are not the same thing, although all of them are signatures and their purpose is authentication.
Authentication is generally the process used to confirm the identity of a person or to prove the integrity of specific information. More specifically, in the case of a message, authentication involves determining its source and providing assurance that the message has not been modified or replaced in transit.
In today's commercial environment, establishing a framework for the authentication of computer-based information requires a familiarity with concepts and professional skills from both the legal and computer security fields. Combining these two disciplines is not an easy task.
The historical legal concept of "signature" is broader. It recognizes any mark made with the intention of authenticating the marked document.
In a digital setting, today's broad legal concept of "signature" may well include markings as diverse as digitized images of paper signatures, typed notations such as "/s/ John Smith," or even addressing notations, such as electronic mail origination headers.
From an information security viewpoint, these simple "electronic signatures" are distinct from "digital signatures", although "digital signature" is sometimes used to mean any form of computer-based signature.
From the information security point of view, "digital signature" means the result of applying certain specific technical processes to specific information.
With some legal and institutional infrastructure, digital signature technology can be applied as a robust computer-based alternative to traditional signatures.
Signatures and the Law
A signature is not part of the substance of a transaction, but rather of its representation or form. Signing a writing serves the following general purposes:
- Evidence: A signature authenticates a writing by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.
- Ceremony: The act of signing a document calls to the signer's attention the legal significance of the signer's act, and thereby helps prevent inconsiderate engagements.
- Approval: In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing, or the signer's intention that it have legal effect.
- Efficiency and logistics: A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document. Negotiable instruments, for example, rely upon formal requirements, including a signature, for their ability to change hands with ease, rapidity, and minimal interruption.
Understanding Digital Signature
[Figures: Signature Generation; Signature Verification]
How Digital Signature Technology Works
Digital signatures are created and verified by cryptography, the branch of applied mathematics that concerns itself with transforming messages into seemingly unintelligible forms and back again.
Digital signatures use what is known as "public key cryptography," which employs an algorithm using two different but mathematically related “keys”:
• one for creating a digital signature or transforming data into a seemingly unintelligible form, and
• another key for verifying a digital signature or returning the message to its original form.
Computer equipment and software utilizing two such keys are often collectively termed an "asymmetric cryptosystem."
The complementary keys of an asymmetric cryptosystem for digital signatures are arbitrarily termed the private key and the public key.
• The private key is known only to the signer and is used to create the digital signature.
• The public key is ordinarily more widely known and is used by a relying party to verify the digital signature.
If many people need to verify the signer's digital signatures, the public key must be available or distributed to all of them, perhaps by publication in an on-line repository or directory where it is easily accessible.
Although the keys of the pair are mathematically related, if the asymmetric cryptosystem has been designed and implemented securely it is "computationally infeasible" to derive the private key from knowledge of the public key. Thus, although many people may know the public key of a given signer and use it to verify that signer's signatures, they cannot discover that signer's private key and use it to forge digital signatures. This is sometimes referred to as the principle of "irreversibility."
Hash Function
Another fundamental process, termed a "hash function," is used in both creating and verifying a digital signature.
A hash function is an algorithm which creates a digital representation or "fingerprint" in the form of a "hash value" or "hash result" of a standard length which is usually much smaller than the message but nevertheless substantially unique to it.
Any change to the message invariably produces a different hash result when the same hash function is used.
In the case of a secure hash function, sometimes termed a "one-way hash function," it is computationally infeasible to derive the original message from knowledge of its hash value. Hash functions therefore enable the software for creating digital signatures to operate on smaller and predictable amounts of data, while still providing robust evidentiary correlation to the original message content, thereby efficiently providing assurance that there has been no modification of the message since it was digitally signed.
Thus, use of digital signatures usually involves two processes, one performed by the signer and the other by the receiver of the digital signature:
Digital signature creation uses a hash result derived from and unique to both the signed message and a given private key. For the hash result to be secure, there must be only a negligible possibility that the same digital signature could be created by the combination of any other message or private key.
Digital signature verification is the process of checking the digital signature by reference to the original message and a given public key, thereby determining whether the digital signature was created for that same message using the private key that corresponds to the referenced public key.
Public Key Certificates
To verify a digital signature, the verifier must have access to the signer's public key and have assurance that it corresponds to the signer's private key. However, a public and private key pair has no intrinsic association with any person; it is simply a pair of numbers. Some convincing strategy is necessary to reliably associate a particular person or entity to the key pair.
For this purpose, a prospective signer might issue a public statement, such as: "Signatures verifiable by the following public key are mine." However, others doing business with the signer may for good reason be unwilling to accept the statement, especially where there is no prior contract establishing the legal effect of that published statement with certainty. A party relying upon such an unsupported published statement in an open system would run a great risk of trusting a phantom or an imposter, or of attempting to disprove a false denial of a digital signature ("non-repudiation") if a transaction should turn out to prove disadvantageous for the purported signer.
The solution to these problems is the use of one or more trusted third parties to associate an identified signer with a specific public key. That trusted third party is known as a "certification authority".
To associate a key pair with a prospective signer, a certification authority issues a certificate, an electronic record which lists a public key as the "subject" of the certificate, and confirms that the prospective signer identified in the certificate holds the corresponding private key. The prospective signer is termed the "subscriber."
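The hash-then-sign process and the certificate binding described above can be traced in a short added example (not part of the original post). It assumes textbook RSA without padding over constructed Mersenne-prime keys, which is for illustration only; the names `make_keypair`, `issue_certificate`, `verify_with_certificate` and the "Alice"/"Eve" parties are hypothetical, and real systems use a vetted library with a padded signature scheme.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_keypair(p, q):
    """Toy RSA key pair from two primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # ValueError if E has no inverse

def digest(message):
    """Hash function: fixed-length SHA-256 fingerprint, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, private):
    """Signer: transform the hash result with the private key."""
    n, d = private
    return pow(digest(message), d, n)

def verify(message, signature, public):
    """Relying party: undo the transform with the public key, compare hashes."""
    n, e = public
    return pow(signature, e, n) == digest(message)

def cert_body(subscriber, public):
    return f"{subscriber}|{public[0]}|{public[1]}".encode()

def issue_certificate(subscriber, public, ca_private):
    """CA binds a subscriber name to a public key by signing both."""
    return {"subscriber": subscriber, "public": public,
            "ca_sig": sign(cert_body(subscriber, public), ca_private)}

def verify_with_certificate(message, signature, cert, ca_public):
    """Check the CA's signature on the binding, then the message signature."""
    body = cert_body(cert["subscriber"], cert["public"])
    return (verify(body, cert["ca_sig"], ca_public)
            and verify(message, signature, cert["public"]))

def demo():
    m = lambda k: 2**k - 1  # Mersenne primes: constructed toy keys, NOT secure
    ca_pub, ca_priv = make_keypair(m(1279), m(2203))
    alice_pub, alice_priv = make_keypair(m(521), m(607))
    eve_pub, eve_priv = make_keypair(m(2281), m(3217))
    msg = b"Pay 100 to Bob"  # constructed sample message
    sig = sign(msg, alice_priv)
    cert = issue_certificate("Alice", alice_pub, ca_priv)
    forged = issue_certificate("Alice", eve_pub, eve_priv)  # self-made, no CA
    return (verify(msg, sig, alice_pub), verify(b"Pay 900 to Bob", sig, alice_pub),
            verify_with_certificate(msg, sig, cert, ca_pub),
            verify_with_certificate(msg, sign(msg, eve_priv), forged, ca_pub))
```

The four results of `demo()` are, in order: the genuine signature verifies, the altered message does not, the CA-issued certificate is accepted, and a certificate the imposter signed for itself is rejected.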

Such a big post? Bravo!
Good, good
nice
Wow. Thanks for pointing out the difference between all the three terms, i.e. Signature, electronic signature and digital signature. The basic idea behind each of them is the same but the way of generation actually varies. The whole process of generation is also explained in detail. Thanks a lot for providing this excellent detail.
e signatures