Friday 14th September 2001
However, this will not be a lengthy exposition on the principles of cryptography or encryption. Rather, the emphasis will be more practical - on why digital signatures are important and how they can be used.
I, the undersigned
In medieval times people used elaborate wax seals to verify both the origin of documents and the fact that they hadn't been tampered with. In more recent times, our own particular signature in ink is accepted for official documents or transactions. But as we get ever more immersed in electronic transactions it is becoming more important that we agree new ways to put our own imprint on the transactions carried out in our name.
We can all envision a future when communications of every sort will be available pervasively and be carried out transparently (Microsoft's .NET being just one example). Whether it is buying a sandwich or a book, or issuing a command to turn on the home entertainment system in our networked home (as we swish up the long drive in our Net-connected car, hopefully having successfully opened the electronically-controlled gates), we will need to identify ourselves uniquely. At some point personal verification will become a necessity.
UK citizens in the digital economy
What is the government's position on the role of digital signatures? Only recently, at the end of August 2001, the government-appointed e-Envoy, Andrew Pinder, announced plans to examine the use of digital signatures in the UK. The idea was to develop a "coherent framework enabling citizens, business and Government alike, to realise the full benefits of the digital economy".
As part of the announcement, new Policy Working Groups have been set up to cover the use of digital signatures by citizens and by businesses, as well as the possible role of smart cards (these become involved because such cards are one way of making the technology of digital signatures easier to use).
"Digital signatures are fundamental to the development of trust in e-commerce and e-government," maintained Pinder, "but for a variety of reasons they are not yet in widespread use. The Policy Working Groups will address the barriers to wider take-up, and consider how the technology should best be used to enhance on-line privacy." Public consultation papers should be available by December 2001.
Whether this will prove to be the first step to significantly extend and formalise the concept of written signatures into the electronic business of the UK, or whether it is the brave talk of a bureaucratic panjandrum, remains to be seen. What is sure, however, is that digital signatures will underpin any serious growth of electronic commerce.
Where commerce meets privacy
However, the lack of a unified approach to trust and privacy issues among the commercial giants of the hi-tech world was highlighted recently in a speech by HP's CEO, Carly Fiorina, given at a Colorado conference organized by the Progress & Freedom Foundation.
She acknowledged that the IT industry had not lived up to its responsibilities in setting such standards. "I think we in the technology industry have fallen in love with technology. And in the end it is not about the technology," she said. "Privacy and security, or trust, are vital to consumers, and that is what we should focus on. There is a role for legislation."
She may not be alone in believing that effective Internet privacy legislation could help revitalise online business, but the co-operation that would be required between rival companies has not yet been shown. Microsoft, in particular, has attracted criticism for its possible handling of personal data by its own Passport system.
Several companies have consequently stepped into the commercial space to provide third-party trust services. BT's Ignite, for example, which is a global affiliate of VeriSign, provides a number of trust services, including the provision of encryption and digital signatures for e-mails.
What exactly is a digital signature?
A brief definition would be that a digital signature is an electronic value that can verify the identity of the sender of a message. Furthermore, the system that supports the use of a signature can also detect whether the message has been tampered with or altered in any way, allowing the recipient(s) to verify its integrity and origin.
When it comes to explaining digital signatures in more detail, you have to dip your toes into the world of encryption and asymmetric cryptography. You become involved with PKI (public key infrastructure) and the use of public and private "keys". These are complementary special codes that, when used together, can support an effective encryption scheme. Basically, a widely distributed public key is used to encrypt data for transmission and the corresponding private key - which is known only by the recipient and should not be shared - can be used to decode it.
In these terms, a digital signature is a code created with a private key and this same code allows the authentication of any signed information by a complementary process of signature verification. The value used, furthermore, can be unique to both the contents of the message and your private key.
Anyone who has access to your public key - which is intended to be made publicly available, remember - will be able to use it to verify your signature. Your signature is created by applying the secret key that partners your public key to the contents of the message.
PGP
A commonly-used system for encrypting and signing data at a personal level is PGP (Pretty Good Privacy). This software, which is available both as
Metaphors of locks are often used to explain the use of these values known as "keys". When a document is encrypted - or locked - it is done in a particular way that can be unencrypted, or unlocked, only by the special secret "key". So far so good. You write an e-mail, for example, you encrypt it and the recipient decodes it, using a particular key to reveal its true content from the apparent nonsense-text that would appear to onlookers.
The only counter-intuitive point is that you have to use the public key of the person you are communicating with when encoding, not your own. This is because the recipient has to decode the message, and if they had access to your secret (or private) key they could access all your private data. It makes sense that the recipient has their own "private key" to decrypt communication encrypted with their public key. That way they can make the public key freely available without compromising security.
Imagine padlocks being issued for general use. They can only be opened by a particular person; the one with the special unlocking mechanism, the master key. That is why people make their public key as widely available as possible - on their Web site for download, for example - so that as many people as possible will be able to securely communicate with them. Equally, their private key should be closely guarded.
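The signing and encryption steps described above, as an added worked example (not part of the original article and not PGP's own code). It uses unpadded textbook RSA over a SHA-256 hash with constructed, insecure demo keys; the function names and the sample message are assumptions, and real PGP uses padded signatures and hybrid encryption.

```python
import hashlib

E = 65537  # common public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

# Constructed demo keys. Mersenne primes are used only so the example is
# reproducible offline; such a modulus is trivially factorable and NOT secure.
LANCE_PUB, LANCE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)      # sender
READER_PUB, READER_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)   # recipient

def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Signer applies the PRIVATE key to the hash of the message."""
    n, d = private_key
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the PUBLIC key can check origin and integrity."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)

def encrypt(plaintext: bytes, recipient_public) -> int:
    """Sender locks the message with the RECIPIENT's public key."""
    n, e = recipient_public
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this toy scheme")
    return pow(m, e, n)

def decrypt(ciphertext: int, recipient_private) -> bytes:
    """Only the recipient's private key unlocks it."""
    n, d = recipient_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    msg = b"I authorise the transfer. Lance"   # constructed sample message
    sig, box = sign(msg, LANCE_PRIV), encrypt(msg, READER_PUB)
    received = decrypt(box, READER_PRIV)
    print("signature good:", verify(received, sig, LANCE_PUB))
    print("tampered copy :", verify(received + b"!", sig, LANCE_PUB))
    print("wrong signer  :", verify(received, sig, READER_PUB))
```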
Legal status
You may be surprised at the legal status a digital signature already has. In theory, to give one example, you could already buy a house over the Internet on the strength of an electronic signature.
Electronic signatures generally became legally admissible in the UK under the Electronic Communications Act 2000. More recently, in July, all 15 EU member states, including the UK, also implemented the EU Digital Signature Directive as law.
Effectively, digital signatures are now as legally binding as their handwritten equivalents.
A simple example
Here is a small example, from my own use, of how easy it is to encrypt and sign e-mail. Before we start, let's assume that both recipient and sender have PGP installed and have access to each other's public keys.
With the PGP Personal Security application installed, the necessary functions become easily integrated into Outlook, which is my own e-mail client. When I come to compose an e-mail there are now a few extra buttons sitting on the menu bar of the new e-mail. To choose to encrypt the message and to add a digital signature, I simply have to depress the two relevant buttons.
When I send the message, I will be prompted for a secret password phrase that I chose when I created my own keys. This is for generating the signature. I then have to specify a key to use for encryption, i.e. the public key for the person to whom the message is being sent. This is all done in a nice Windows interface, where the user is presented with all the keys currently on the "keyring". Simply select the public key of the person, Mr Lance Freeman, in this example.
When you receive an encrypted e-mail - perhaps Mr Freeman is giving his official permission for some financial transaction - you simply have to select the "Decrypt" button sitting on the toolbar of the message. On entering your secret password phrase, all the gobbledygook text will be transformed into a sensible message. For example, you would see an e-mail like the following, with the converted text between the starred lines:
*** PGP Signature Status: good
*** Signer: Lance Freeman
*** Signed: 22/08/01 10:34:07
*** Verified: 13/09/01 12:48:46
*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***
Some text or other, that was previously unreadable
Lance
*** END PGP DECRYPTED/VERIFIED MESSAGE ***
By the way, the "invalid" message does not refer to the status of the signature, which is "good". It refers to the fact that - as another level of security - the public key you have used has not been signed by the person themselves as being authentic (more of this next).
One more tip - text in the subject field is not encrypted with PGP.
Not to be confused with...
To finish, a couple of points that should not be confused with digital signatures.
As mentioned, another level of security can be provided by people signing their own public keys. Not only have you got the public key of a person, but they have personally verified that the public key is indeed their own.
You "sign" a key by means of your own private key. This fact can be detected in subsequent communications. Finicky, perhaps, but in the rather paranoid atmosphere that surrounds the use of encryption many people take this final stage of confirmation seriously.
Secondly, digital signatures are distinct from digital certificates, which are issued by registered certificate authorities to establish the credentials of someone doing a transaction over the Internet. For example, when downloading software from a vendor's Web site, you may be notified that a digital certificate exists to authenticate the process and reassure you about the particular piece of software you are about to accept onto your machine.
Digital certificates can also be combined with digital signatures "to establish a hierarchy of trust via third parties" (I'm quoting Mr Pinder again here). Generally, they are intended to bolster trust in online transactions.
References
BT's Trust Services. These are provided by Ignite, which is an affiliate of VeriSign, and include "trust services for e-mail", including the provision of encryption and digital services.
The UK e-envoy. The government's drive to get the UK online.
PKI. Online sources of information about PKI.
The low-down on .NET. Microsoft's framework for pervasive communication that will have digitally-based recognition of individuals at its heart.