A low-down on... Digital Signatures
Posted on 17 Sep 2001 at 17:07
Imagine padlocks being issued for general use. They can only be opened by one particular person: the one with the special unlocking mechanism, the master key. That is why people make their public key as widely available as possible - on their Web site for download, for example - so that as many people as possible will be able to securely communicate with them. Equally, their private key should be closely guarded.
Legal status
You may be surprised at the legal status a digital signature already has. In theory, to give one example, you could already buy a house over the Internet on the strength of an electronic signature.
Electronic signatures generally became legally admissible in the UK under the Electronic Communications Act 2000. More recently, in July, all 15 EU member states, including the UK, also implemented the EU Digital Signature Directive as law.
Effectively, digital signatures are now as legally binding as their handwritten equivalents.
A simple example
Here is a small example, from my own use, of how easy it is to encrypt and sign e-mail. Before we start, let's assume that both recipient and sender have PGP installed and have access to each other's public keys.
With the PGP Personal Security application installed, the necessary functions become easily integrated into Outlook, which is my own e-mail client. When I come to compose an e-mail there are now a few extra buttons sitting on the menu bar of the new e-mail. To choose to encrypt the message and to add a digital signature, I simply have to depress the two relevant buttons.
When I send the message, I will be prompted for a secret password phrase that I chose when I created my own keys. This is for generating the signature. I then have to specify a key to use for encryption, i.e. the public key for the person to whom the message is being sent. This is all done in a nice Windows interface, where the user is presented with all the keys currently on the "keyring". Simply select the public key of the person, Mr Lance Freeman in this example.
When you receive an encrypted e-mail - perhaps Mr Freeman is giving his official permission for some financial transaction - you simply have to select the "Decrypt" button sitting on the toolbar of the message. On entering your secret password phrase, all the gobbledygook text will be transformed into a sensible message. For example, you would see an e-mail like the following, with the converted text between the starred lines:
*** PGP Signature Status: good
*** Signer: Lance Freeman
*** Signed: 22/08/01 10:34:07
*** Verified: 13/09/01 12:48:46
*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
Some text or other, that was previously unreadable
Lance
*** END PGP DECRYPTED/VERIFIED MESSAGE ***
By the way, the "invalid" message does not refer to the status of the signature, which is "good". It refers to the fact that - as another level of security - the public key you have used has not been signed by the person themselves as being authentic (more of this next).
One more tip - text in the subject field is not encrypted with PGP.
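The key roles in the steps above, as an added Python example that is not part of the original article and not PGP's own code: the sender's private key signs, the recipient's public key encrypts, and the reverse keys decrypt and verify. It assumes unpadded textbook RSA with tiny constructed demo keys and a hash-based XOR stream for the message body, and it sends the signature alongside the ciphertext for simplicity; all function and variable names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent

def make_keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """Only the holder of the private key can produce this value."""
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message, signature, public):
    """Anyone holding the signer's public key can check it."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)

def _xor(data, session_key):
    stream = hashlib.shake_256(session_key.to_bytes(32, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(message, public):
    """Wrap a random session key with the recipient's public key."""
    n, e = public
    session_key = secrets.randbelow(n - 2) + 2
    return pow(session_key, e, n), _xor(message, session_key)

def decrypt(sealed, private):
    n, d = private
    wrapped, body = sealed
    return _xor(body, pow(wrapped, d, n))

# Constructed demo keys from known Mersenne primes (far too small for real use).
SENDER_PUB, SENDER_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(2**61 - 1, 2**127 - 1)

def send(message):
    # Sender's private key signs; recipient's public key encrypts.
    return encrypt(message, RECIPIENT_PUB), sign(message, SENDER_PRIV)

def receive(sealed, signature):
    # Recipient's private key decrypts; sender's public key verifies.
    text = decrypt(sealed, RECIPIENT_PRIV)
    return text, "good" if verify(text, signature, SENDER_PUB) else "bad"
```

If a single byte of the encrypted body is altered in transit, `receive` reports the signature as "bad", because the decrypted text no longer matches the digest that was signed.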
Not to be confused with...
To finish, a couple of points that should not be confused with digital signatures.
As mentioned, another level of security can be provided by people signing their own public keys. Not only have you got the public key of a person, but they have personally verified that the public key is indeed their own.
Printed from www.pcpro.co.uk


