

ICT Conference 2008,

Digital Signature & ETA 2063

             Government of Nepal
Ministry of Environment, Science & Technology
Office of Controller of Certification
Digital Signature

          Rajan R. Pant
  Office of Controller of Certification
Digital vs. Manual
We've been using paper forever. Why shouldn't I just continue with paper?
Paper is familiar, but paper is expensive to buy, to store and to dispose of, and requires lots of filing cabinet space.
Paper files are often misplaced.
Theft, fires and disgruntled or forgetful employees can cause the loss of your valuable paper records.
    Why not just use faxes?
Everybody's got a fax these days.
Recipient’s Fax may have different
print a document just to fax it, which
wastes paper and your money
can be read or mistakenly picked up by
send the fax to more than one party, the
wasted time and phone charges add up
Overnight and second day delivery
 is pretty fast. Why not just use
      regular mail, courier?
The costs of printing, addressing an
envelope, paying postage and then waiting
for pickup and delivery are simply much
higher than using secure document
When the post office or courier office has
closed for the day, then what?
Would you rather pay a little to send your
documents for signature in just 5 seconds,
or pay Rs. 10 to Rs. 3000 roundtrip to do
the same thing using a courier in
172,800 seconds (two days!)?
          Email is free.

Why would I want to pay to send my
   business correspondence?
Using email is like sending your documents on a
postcard, but worse: lots of people and
computers you don't trust can read, copy and
archive your email while it moves across the
Internet and there's no way for you to detect it.

Email was not designed for security; it is clogged
with spam, viruses and forged messages,
and it makes it easy for people to
impersonate you.
I don't think electronic signatures
prove the identity of the signer as
  well as handwritten signatures.
Few people have signature cards on hand to
verify a handwritten signature, and fewer still are
trained to detect forgeries.

With the advent of high resolution printers,
scanners and copiers, it's very easy to make a
perfect copy of even the most complex
handwritten signature and include it on any

Electronic signatures cannot be copied and used
on other documents. In the end, it is up to your
business processes to weigh the risks and
rewards on any transaction.
Aren't handwritten signatures
   more legal than Digital
Absolutely not. Various laws have
endorsed electronic signatures for years

And more countries are adopting it.
   Problems with paper-based
Recipient's Presence
Chances of modification
Quality of the pen or the paper can affect
how your handwritten signature appears.
Faxes are often hard to read and need to
be photocopied for storage.
Detection of fraudulent signatures is a problem
Tracking of documents
Loss of paper may create problems
Can't I just use an image of my
signature and be done with it?
Absolutely not!
Images of handwritten signatures make
fraud even easier because it's so easy to
copy an image and use it repeatedly on
other forged documents.

Digital signatures look nothing like your
handwritten signature.
Handwritten Signature
 Only electronic originals are legally binding
  because they can be checked using
  trusted software to determine if they are
  authentic or not
What is a Digital Signature?

A digital signature is an electronic signature
produced by using the PKI method.
What is a digital signature?

With a digital signature it is possible to verify that the
recipient receives the message in its original form and
that the signer is who he or she claims to be.

The creator of the digital signature has a private key,
which is needed to sign the message. The recipient of
the message has the signer's public key, which can be used
to verify the signature.

Digital signatures are based on the Public Key
Infrastructure (PKI) and the use of asymmetric
encryption methods and hash functions.
         Digital Signatures

– Pair of keys for every entity

      One Public key – known to everyone

      One Private key – known only to the possessor
        Digital Signatures

To digitally sign an electronic document
the signer uses his/her Private key.

To verify a digital signature the verifier
uses the signer’s Public key.
Digital Signature
• The message is encrypted with the sender’s private key
• Recipient decrypts using the sender’s public key

[Figure: a Document and its Digital Signature]

Signed Messages
[Figure: Sender: Message -> hash -> SIGN hash with Sender’s Private Key -> Message + signature -> ENCRYPT with Receiver’s Public Key -> sent thru’ Internet. Receiver: DECRYPT with Receiver’s Private Key -> Message + signature -> Hash using hash function on the message; Hash from the signature with Sender’s Public Key -> COMPARE the two hashes.]
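The hash, sign and compare steps from the Signed Messages slide, as an added example that is not part of the original presentation. It uses a toy RSA key built from two known Mersenne primes and no padding scheme; the key values, function names and sample documents are constructed for illustration.

```python
import hashlib

# Toy RSA key pair from two known Mersenne primes (constructed for this
# example; unpadded and far too small for real use).
P, Q = 2**107 - 1, 2**127 - 1
N = P * Q                            # public modulus, known to everyone
E = 65537                            # public exponent, known to everyone
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the signer


def digest(message: bytes) -> int:
    """Hash the message and map the digest into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """Sender side: SIGN the hash with the sender's private key."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver side: hash the received message, recover the signed hash
    with the sender's public key, and COMPARE the two."""
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    contract = b"Pay Rs. 3000 to the courier"    # constructed sample document
    sig = sign(contract)
    return {
        # Untouched document: hashes match.
        "original": verify(contract, sig),
        # One digit changed in transit: the signature is invalidated.
        "modified": verify(b"Pay Rs. 9000 to the courier", sig),
        # Signature lifted onto a different document: it does not carry over.
        "copied_to_other_doc": verify(b"Transfer ownership of the office", sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} -> {'valid' if ok else 'INVALID'}")
```

Production systems use a vetted library with a padded scheme such as RSA-PSS or ECDSA rather than raw modular exponentiation.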
What are digital signatures used
    for? Or its Advantages

Identification & Authentication

Data Integrity

Identification & Authentication

The identity of the signer of a transaction
is known and can be proven to a third party

The signature is linked to the user.
           Data Integrity

The signature is linked to the data being
signed such that if the data is changed,
the signature is invalidated.

The signer cannot deny having signed the
transaction because the signature is linked
to the user and the data.
Why Does the Government need
      Digital Signature?


Securing Source Data Entry

Securing data Transfer
What kind of keys are used in creating
         digital signatures?

Public key encryption is used in creating
digital signatures. It is
based on the use of key pairs (private/public).
    Public key Infrastructure
Each party is assigned a pair of keys –
    private – known only by the owner
    public - known by everyone
Information encrypted with the private key can
only be decrypted by the corresponding public
key & vice versa
Fulfils requirements of confidentiality, integrity,
authenticity and non-repudiability
No need to communicate private keys
Electronic mail system.
– Identity of the signer and the integrity of the
  signed information
Electronic funds transfer systems.
– It is often necessary to affix a time stamp to a
  document in order to indicate the date and
  time at which the document was executed or
  became effective electronic funds transfer
Electronic Data Interchange (EDI)
– Replacement of handwritten signatures, for
  instance, contracts between the government
  and its vendors could be negotiated
The distribution of software
– A digital signature could be applied to
  software after it has been validated and
  approved for distribution.
A variety of database applications to
provide integrity.
– For example, information could be signed
  when it was entered into the database. To
  maintain integrity, the system could also
  require that all updates or modifications to the
  information be signed.
Use of digital signature ensures:

 Verifies for accidental corruption
 Verifies for malicious modification
 Verifies for data authenticity - data
 is authenticated as originating from the source
 using the public key
 Ensures confidentiality without a shared
 secret key.
Adequacy of security policies and implementation
Existence of adequate physical security
Evaluation of functionalities in technology as it
supports CA operations
CA's services administration processes and
Compliance to relevant CPS as approved and
provided by the Controller
Adequacy of contracts/agreements for all outsourced
CA operations
Adherence to Information Technology Act, 2063, the
rules and regulations thereunder, and guidelines
issued by the Controller from time to time
Thank you
