
Security of Digital Signatures - Literature review Example

Summary
The paper "Security of Digital Signatures" deals with digital signatures, as they are considered to be addressing integrity, confidentiality, and non-repudiation of data exchanged digitally, the history of cryptography as the first concept that derived digital signatures and encryption algorithms…

Extract of sample "Security of Digital Signatures"

Executive Summary

Information security is essential for businesses and organizations. Organizations that maintain, store and process customer data must comply with the laws and regulations of regulators in different regions. Information security has three fundamental dimensions, i.e. Confidentiality, Integrity and Availability. If any one of these is breached, information cannot be secured. In this report, we address digital signatures, as they are considered to address integrity, confidentiality and non-repudiation of information that is exchanged digitally. We will discuss the history of cryptography, as it was the first concept from which digital signatures and encryption algorithms were derived. Moreover, we will discuss the nature, privacy and implementation of digital signatures. Furthermore, we will discuss the new tools, techniques, methods and standards that are used, along with the drawbacks associated with digital signatures.

Introduction and History

Even today, when every technology related to information technology involves the ‘.com’ phenomenon, the Internet is still an evolving field that is constantly changing. Extensive use of computing technology has aided organizations of different scales in achieving their targets. Every now and then, there is news of a major security breach resulting in an invasion of personal privacy data such as credit card details, emails and the like. In spite of securing networks, workstations and data centers with the most up-to-date and advanced security modules, there is still a probability of a new threat breaking into the network and voiding data integrity. In addition, hackers and cyber criminals explore more efficient code day by day to advance their hacking tools, in order to breach classified information, bank and website customer details, steal emails, etc.
In the end, mission-critical data is compromised, resulting in severe losses for organizations. In this report we will focus on digital signatures and their importance, as well as their history, current state, and the challenges that still need to be overcome.

The concept of safeguarding messages with cryptography has a brief history, as Julius Caesar is considered to be one of the first inventors of a cryptographic system (Strauss,). The system was utilized for transmitting military messages to generals. However, one issue has prevented cryptography from being used globally, i.e. the problem of key management. In the scope of cryptography, keys are numerical values that are the inputs of algorithms used for modifying information to make it encapsulated and secure, and to make it visible only to the people possessing the key required to decrypt the message. Accordingly, key management safeguards keys and protects them from unauthorized use, as they are visible to users only when and where they are required.

Similarly, the origin of digital signatures dates back over 100 years, to when people started using Morse code along with the telegraph for electronically exchanging contracts. A validated version of electronic signatures emerged from the New Hampshire Supreme Court in the year 1869 (The history of electronic signature laws, n.d), as it states: "It makes no difference whether [the telegraph] operator writes the offer or the acceptance in the presence of his principal and by his express direction, with a steel pen an inch long attached to an ordinary pen holder, or whether his pen be a copper wire a thousand miles long.
In either case the thought is communicated to the paper by the use of the finger resting upon the pen; nor does it make any difference that in one case common record ink is used, while in the other case a more subtle fluid, known as electricity, performs the same office."

However, another invention followed that allowed electronic signatures to be used in everyday life for the digital exchange of data or messages. In the late 1980’s, some organizations and individuals started using fax machines for delivering timely information or documents (The history of electronic signature laws, n.d). Even today, fax machines are considered a fundamental way of sending and receiving documents worldwide for businesses. However, from the first use of fax machines for sending a document, there was immediately a discussion about electronic signature integrity and validity. Besides, a handwritten signature can be sent via digital transmission, travelling over one of many wires and connections before reaching the final destination (The history of electronic signature laws, n.d). The communication path and link are neither controlled nor traceable, and hence the result cannot be considered a valid signature. Such signatures were not safe at this point, but organizations were keen to explore the options for making the digital signature safe and secure. Soon governments ruled the digital signature to have validity similar to that of two or more parties located in a single room, and consequently the fax became the standard globally (The history of electronic signature laws, n.d).

Nature, Privacy and Implementation

Digital signatures comprise a hash of the message that specifically identifies the message sender and ensures that the message is not modified or replaced during or prior to transmission. Likewise, any user on the computer network can review the signature to evaluate the authenticity and integrity of the data (Digital signature standard. 2007).
However, a Digital Signature Algorithm (DSA) is used in this process; it is considered to be an asymmetric cryptographic algorithm that constructs digital signatures as pairs of large numbers (Digital signature standard. 2007). The signature is checked by utilizing rules and parameters that cover signer identification and the integrity of the data. Moreover, a digital signature is composed of a ‘Message Digest’ that is established by a special algorithm and encrypted with the private key of the sender. The receiver has the capability to reconstruct the message digest from the received message. At the same time, the public key of the sender is utilized for decrypting the digital signature, so that the two outputs can be compared; this ensures the integrity and confidentiality of the message along with sender authentication. Moreover, non-repudiation issues are also eliminated, as the sender of the message is verified and cannot deny that the message was initiated from his end.

Asymmetric cryptography is associated with two keys, i.e. the public key and the private key. The public key has the status ‘Public’, as everyone can see it, whereas the private key has the status ‘Private’, as only the owner of this key can access it. The benefit of this method is a secure and safe way of transferring the message without a breach of integrity and confidentiality between the two parties.

The symmetric key algorithm is defined as “Symmetric algorithms use the same key for encryption and decryption (or the decryption key is easily derived from the encryption key), whereas asymmetric algorithms use a different key for encryption and decryption, and the decryption key cannot be derived from the encryption key. Symmetric algorithms can be divided into two types - stream ciphers and block ciphers.
Stream ciphers encrypt a single bit of plaintext at a time, whereas block ciphers take a number of bits (typically 64 bits in modern ciphers), and encrypt them as a single unit” (Symmetric algorithms - types of symmetric algorithms - symmetric key algorithm, n.d). Some of the advantages of this technique are that it is a relatively simple process and that the parties at both ends of the network, i.e. the receiver and the sender, have the freedom to use the same encryption algorithm that is used publicly. Likewise, there is no requirement for developing and sharing algorithms that are undisclosed in nature. Moreover, the security factor depends on the length of the key.

DES is defined as follows: “Data Encryption Standard (DES) is a long-standing US encryption standard with symmetric-key encryption method standardized by ANSI in 1981 as ANSI X.3.92. DES uses a 56-bit key and uses the block cipher method, which breaks text into 64-bit blocks and then encrypts them. There are 72 quadrillion or more possible encryption keys that can be used in this algorithm. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key” (Data encryption standard. 2007). The data encryption algorithm has a fixed key length of 64 bits, as compared to 56 bits for all the other encryption algorithms. As DES is logically operational, hardware acceleration is easy compared to other encryption techniques.

RC5, or Rivest Cipher 5, was constructed by Ronald Rivest in the year 1994. The Rivest Cipher is a block cipher with a variable block size (32, 64 or 128 bits), key size (0 to 2040 bits) and number of rounds (0 to 255). The original recommended choice of parameters was a block size of 64 bits, a 128-bit key and 12 rounds. A significant feature of RC5 is its use of data-dependent rotations. One of the objectives of RC5 was to initiate the study and evaluation of cryptographic primitives.
Moreover, RC5 includes various modular additions along with exclusive ORs (XORs) (Rivest cipher 6. 2007). “Rivest Cipher 6 Security RC6, includes a symmetric key block cipher inherited from the RC5. It is proprietary of RSA Security designed by Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin to meet the requirements of the Advanced Encryption Standard (AES) competition. The algorithm was one of the five finalists, and was also submitted to the NESSIE and CRYPTREC projects. RC6 proper has a block size of 128 bits and supports key sizes of 128, 192 and 256 bits, but, like RC5, it can be parameterized to support a wide variety of word-lengths key sizes and number of rounds. RC6 is very similar to RC5 in structure, using data-dependent rotations, and modular addition and XOR operations; in fact, RC6 could be viewed as interweaving two parallel RC5 encryption processes. However, RC6 does use an extra multiplication operation not present in RC5 in order to make the rotation dependent on every bit in a word, and not just the least significant few bits” (Rivest cipher 6. 2007).

The procedure for implementing a digital signature comprises two primary components. The first is the public key infrastructure (PKI), which utilizes cryptography to produce two numerical digital keys (the public key and the private key) (Tidd & Heesacker, 2008). The second primary component is the certificate authority (CA), which is considered an independent third party that issues the public key and private key along with a pair of digital certificates as a proxy for the message sender or originator. In effect, the certificate is incorporated with every message that is processed with the private key (Tidd & Heesacker, 2008). Moreover, along with this process, the CA also ensures the identity of the private key owner and verifies the validity of the private key. The credentials of the private key are revoked if the security of the key is compromised.
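The flow described in this section (a digest signed with the sender's private key, checked with the sender's public key, with a CA vouching for that key and revoking it on compromise) can be followed end to end in code. The following Python code is an added example, not part of the original paper; the names, the SHA-256 digest, the certificate layout, the revocation set and the use of unpadded textbook RSA over publicly known Mersenne primes are all assumptions made so that it runs with the standard library alone, and real deployments use padded schemes and secret, randomly generated keys.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent used for every demo key


def make_keypair(p, q):
    """Textbook RSA keypair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


def digest_int(data):
    """Message digest as an integer (SHA-256 is this example's choice)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    """Apply the private key to the message digest, producing the signature."""
    n, d = private_key
    return pow(digest_int(data), d, n)


def verify(public_key, data, signature):
    """Recover the signed digest with the public key and compare it with the
    digest recomputed from the data that was actually received."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


@dataclass(frozen=True)
class Certificate:
    """Hypothetical minimal certificate: the CA signs serial, subject and key."""
    serial: int
    subject: str
    public_key: tuple
    ca_signature: int


def tbs_bytes(serial, subject, public_key):
    """Bytes the CA signs; this layout is made up for the example."""
    n, e = public_key
    return f"{serial}|{subject}|{n:x}|{e:x}".encode()


def issue_certificate(ca_private, serial, subject, public_key):
    """CA binds a subject name to a public key by signing both."""
    sig = sign(ca_private, tbs_bytes(serial, subject, public_key))
    return Certificate(serial, subject, public_key, sig)


def check_message(ca_public, revoked_serials, cert, data, signature):
    """Receiver-side decision: certificate first, then revocation, then digest."""
    tbs = tbs_bytes(cert.serial, cert.subject, cert.public_key)
    if not verify(ca_public, tbs, cert.ca_signature):
        return "reject: certificate not issued by this CA"
    if cert.serial in revoked_serials:
        return "reject: certificate revoked"
    if not verify(cert.public_key, data, signature):
        return "reject: digest mismatch"
    return "accept"


# Constructed demo data. The primes are well-known Mersenne primes, so these
# keys offer no secrecy at all; they only make the arithmetic reproducible.
CA_PUB, CA_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
ALICE_CERT = issue_certificate(CA_PRIV, 1001, "alice@example.test", ALICE_PUB)
MESSAGE = b"Pay invoice 42: 100.00 EUR"
SIGNATURE = sign(ALICE_PRIV, MESSAGE)

if __name__ == "__main__":
    print(check_message(CA_PUB, set(), ALICE_CERT, MESSAGE, SIGNATURE))
    print(check_message(CA_PUB, set(), ALICE_CERT, MESSAGE + b"0", SIGNATURE))
    print(check_message(CA_PUB, {1001}, ALICE_CERT, MESSAGE, SIGNATURE))
```

The order of checks matters: a signature that verifies under a key the CA never certified, or under a key whose certificate has been revoked, is rejected before the message digest is even compared.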
Likewise, after verification and documentation of the recipient and sender of the message, the CA also ensures non-repudiation at all times (Tidd & Heesacker, 2008). The selection of the CA and the level of service required both depend on the criticality of the information that needs to be exchanged. The primary difference among the service levels offered by a CA is the degree of determination required for verification and identification of a subscriber (Tidd & Heesacker, 2008). Therefore, after verification and the subscriber’s application process are completed, the required digital certificates are installed on the subscriber’s workstation or network, interlinked with electronic mail and Internet browsers (Tidd & Heesacker, 2008). However, the administration, configuration and maintenance of these certificates is the responsibility of IT personnel (Tidd & Heesacker, 2008).

New Measures & Outstanding Issues

SSL VPN is a common method that is implemented in various organizations to enhance security. This protocol incorporates SSL and VPN. SSL is defined as “a set of security protocols invented by Netscape for protecting electronic financial transactions. ssl is an open specification that includes encryption software based on the rsa algorithm, and it is widely used by websites to prevent credit-card or other personal information being intercepted by snoopers. Although it is in itself extremely secure, ssl secures only the link between a user’s computer and a server at the end. Unlike a certificate signed with a digital signature, it says nothing at all about who the user is actually connected to, a fact that has largely been concealed from the users themselves, who are regularly assured that any site featuring ssl encryption is safe.
Some clever crackers have managed to divert users invisibly away from bona-fide sites to a convincing ssl-enabled imitation, where they then proceed to steal their money in a secure but nonetheless illegal way” (Ssl. 2003). Moreover, VPN is defined as “Virtual Private Network. vpns help solve an expensive problem for companies that want to set up their own private data networks. Instead of relying on costly leased lines to build their infrastructure, they use special encryption protocols in conjunction with tunnelling protocols such as pptp to broadcast data across public communications channels such as the internet. vpns are now widely used by companies with lots of remote workers, who need to give employees secure access to data on corporate lans across normal dial-up or broadband connections” (Vpn. 2003).

SSL VPN provides an efficient illustration of hashing algorithms along with encryption keys. SSL VPN operates in a web browser, in comparison to the Internet Protocol Security (IPsec) VPN, which requires installation on a workstation. Moreover, web access is also provided for users to remotely access the Internet. SSL VPN encrypts the data with symmetric key algorithms that exchange and authenticate keys. The authentication process in SSL VPN uses hashes and clear text passwords that are never exchanged. IPsec and SSL VPN both specify similar methods to negotiate encryption algorithms in order to transform data. Furthermore, SSL VPN secures not only electronic transactions but also email and file transfer protocols, for example SMTP, IMAP, POP3 and FTP.

These seals ensure data privacy for consumers who provide data online. These security seals implement certain rules and policies when they are incorporated into a website. This gives customers some assurance about their personal data, as identity theft is a debatable issue that is still rising.
The servers of these websites contain all the personal information of the customer and, most importantly, credit card numbers due to e-commerce transactions. Some of the seals are described below, as each of them specifies its own rules and policies.

‘Truste’ was the first to introduce seals on e-commerce websites. It was established in July 1996 along with a pilot program by the Electronic Frontier Foundation and the CommerceNet Consortium. However, it was launched in 1996, but the final release was in 1997. All websites that incorporate ‘Truste’ must publish a privacy policy for the website (Moores & Dhillon 2003). The policy must include (Moores & Dhillon, 2003):
  • What personal information is collected through the website.
  • How this information is utilized.
  • How the website collects this information, for example in terms of cookies or some type of form.
  • Whether the personal information of the customers is shared with third parties or not.
  • What security measures are applied to the personal data that is in the possession of the company.

Similarly, after ‘truste’, ‘Web Trust’ was released in September 1997. The American Institute of Certified Public Accountants (AICPA) launched it. The next version, 3.0, was released in November 2000. The requirements for incorporating this seal into a website are different as compared to ‘truste’ (Moores & Dhillon 2003). The requirements are (Moores & Dhillon 2003):
  • If a website wants the seal of Web Trust, ‘Licensed Chartered Public Accountants’ (CPA) will inspect the website to ensure compliance related to security, transaction integrity, business practices, confidentiality, availability and non-disclaimer.
  • The website must publish its privacy processes and ensure the protection of customer personal information.
  • Customers can also contribute to the data collection process.
  • The processes for encryption techniques, disaster recovery procedures and security breaches are mandatory when the website also incorporates the ‘WebTrust’ Security principle.

BBB online was established in 1998 and released in March 1999 by the Better Business Bureau (BBB). BBB online contains two seals, named the reliability seal and the privacy seal. The reliability seal is related to the certification of companies that only operate online and do not have a physical presence. The seal ensures that the particular online business is reliable and secure for online customers. In contrast, the privacy seal focuses on the privacy statement and customer choice (Moores & Dhillon 2003). As per (Moores & Dhillon 2003), if a website wants to apply any one of the two seals of BBB online, it should:
  • Respond efficiently to customer complaints.
  • Publish a privacy statement on the website and list all issues in one document.
  • Annual review is required for online transactions.

There is a requirement for active and vibrant management of electronic signatures. Patently, this objective is a small one to be achieved. A few issues are associated with an employee who is linked with many organizational roles along with signing authority in more than one domain. Moreover, many people in the form of a group can be the signing authority for the same signature, i.e. electronic invoice, digital job application, contract form etc. Furthermore, a sole record may be incorporated with a group of signed data segments (Managing electronic signatures – current challenges). In reality, there are many electronic business applications that are categorized as workflows associated with signed objects, i.e. signatures. Besides all these challenges and issues, there are methods, tools and techniques that can be implemented to overcome them. One of the methods is to establish a legal infrastructure that can be trusted (Managing electronic signatures – current challenges).
The legal infrastructure can be considered the component of the legal system that represents the foundation and circumstances associated with legal actions or events (Managing electronic signatures – current challenges). Trust is considered to be a common divisor for assessing information technology based applications and tools. A detailed analysis of trust demonstrates that, from the legal aspect, it is mandatory to distinguish among well-founded trust and un-founded trust and well-founded mistrust and un-founded mistrust (Managing electronic signatures – current challenges). Consequently, standards that are deployed legally can be considered a new approach towards active and vibrant management of digital signatures. However, a proactive approach to laws and regulations contributes in critical areas, as the overall objective is not to impose legal laws but to actively participate in information technology related tasks and activities (Managing electronic signatures – current challenges).

Moreover, in this information age, electronic business applications have blossomed because of the boom in electronic business, which is still on the rise. Similarly, XML (Extensible Markup Language), which is a W3C recommendation, is also widely adopted for e-business application development (Managing electronic signatures – current challenges). For accomplishing document markup, electronic business XML language (e business XML) has messaging capabilities along with advanced support for securing information via XML encryption, XML digital signatures and Security Assertion Markup Language (SAML) (Managing electronic signatures – current challenges).
As per the discussion, XML provides a diverse environment for deploying signatures, as compared to other markup languages that do not allow integration of security controls for ensuring the integrity and confidentiality of messages (Managing electronic signatures – current challenges). XML also allows previously coded text units to be reused; however, there are challenges associated with deploying signatures in an environment that is technically evolving, such as storage limitations, archive timings, data modification requirements, signature entitlement and the methods used for applying digital signatures (Managing electronic signatures – current challenges). Furthermore, all these factors apply to operating systems, network architecture and application architecture as well. Moreover, there is an element of risk associated with an un-founded trust level in the case of divided signing. In addition, mistrust issues can also occur due to the complex methods that are utilized for achieving normalized signature data, which lays the foundation for a term called ‘hashing’ that is used to convert signature data back to encrypted form (Managing electronic signatures – current challenges). Work on un-founded mistrust has focused on the implementation of information standards, which requires a redesign of the solution apart from the impartiality of the technical platform (Managing electronic signatures – current challenges). On the other hand, information standards demonstrate methods but do not provide solutions for managing documentation. In general, information standards can be utilized for content management, messaging, and advances in terms of security; however, a challenge still lies in their deployment (Managing electronic signatures – current challenges).
Conclusion

When fax machines were initially introduced for sending documents virtually, businesses were concerned about the integrity and authenticity of those documents, as they travel over numerous connections where they can be changed easily due to a lack of security and administration. This was the originating factor that led the world to introduce digital signatures. Leading on from the cryptographic concept, asymmetric and symmetric key algorithms were discussed. Moreover, other newly established standards and algorithms, such as the Data Encryption Standard and Rivest Cipher 5, were also briefly discussed. Furthermore, new implementation techniques, methods and technologies such as Secure Sockets Layer, Virtual Private Networks, and different data privacy seals were also thoroughly discussed along with their purpose. In addition, outstanding issues with digital signatures were discussed, which incorporate well-founded trust and un-founded trust and well-founded mistrust and un-founded mistrust. Moreover, enhanced security support and challenges for the newly developed markup language known as electronic business XML language (e business XML) were also discussed.

References

Digital signature standard. (2007). Network Dictionary, 150-150.
Data encryption standard. (2007). Network Dictionary, 133-133.
Leeuw, K. M. M. d., & Bergstra, J. The history of information security: A comprehensive handbook. Amsterdam; Elsevier, c2007.
Moores, T. T., & Dhillon, G. (2003). Do privacy seals in E-commerce really work? Communications of the ACM, 46(12), 265-271.
Managing electronic signatures – current challenges. Retrieved 5/14/2012, from http://scholar.googleusercontent.com/scholar?q=cache:Mh2ZoVlbJRsJ:scholar.google.com/&hl=en&as_sdt=0,5
Rivest cipher 6. (2007). Network Dictionary, 415-415.
Symmetric algorithms - types of symmetric algorithms - symmetric key algorithm. Retrieved 5/14/2012, from http://www.encryptionanddecryption.com/algorithms/symmetric_algorithms.html
Ssl. (2003). Essential Internet, 189-190.
Strauss, C. Practical electrical network automation and communication systems. Oxford; Newnes, 2003.
Tidd, R. R., & Heesacker, G. (2008). Digital signatures and certificates. CPA Journal, 78(5), 60-61.
The history of electronic signature laws | thinking outside the box! Retrieved 5/13/2012, from http://www.isaacbowman.com/the-history-of-electronic-signature-laws
Vpn. (2003). Essential Internet, 215-215.