1 / 22

T-6 Electronic Signatures

T-6 Electronic Signatures. An Overview of the Technology and its Application. Overview & Scope. This presentation will give a basic overview of electronic signature technology and its applications.

urvi
Download Presentation

T-6 Electronic Signatures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. T-6 Electronic Signatures An Overview of the Technology and its Application

  2. Overview & Scope • This presentation will give a basic overview of electronic signature technology and its applications. • Electronic Signatures will also be compared to both other Biometrics technologies and to Digital Signatures • Due to the scope and limited time, the material will be covered at a high-level • Level will be nontechnical and Introductory

  3. What is an Electronic Signature • The dynamic capture and verification of a signature with its unique characteristics • The image of a signature, velocity and pen pressure, stroke directions, pauses, and other subtle factors, such as the direction one crosses a 't' and how long one waits before dotting an ‘i’, are encoded • Threshold can be set to take into account the normal variations in a person’s signature commensurate with the acceptable level of false positives • Biometric characteristics are then encoded and encrypted via 128 bit or better encryption scheme • Signature ‘bound’ to a document or transaction. Signatures typically can also be bound to specific sections of a document or transaction as can signatures from multiple individuals

  4. What its Not • Electronic signatures should not be confused with digital signatures • A digital signature is a form of cryptography that is used to ‘sign’ and encrypt a electronic document • Private key used by sender to encrypt the document. Public key used by receiver to decrypt a document • Private keys issued by Certificate Authorities • Security dependant on the impossibility of deriving the private key from the public key, as well as the use of a hash value to detect document tampering • Digital signatures make no use of biometrics or of a written signature. • Digital signatures vulnerable to spoofing, social engineering, bogus or hacked certificate authorities • Average person may have difficulty with accepting a digital signature as a real signature

  5. Enrolling • User must initially enroll into the system by creating a ‘signature card’ • Done by signing multiple times (usually 5 or more) in order to capture variations in the user’s signature • Signature Card may be stored on a server, smart card or device, such as a PDA • Signature Card typically can be updated on an ongoing basis with further signatures in order to take into account changes in a person’s signature

  6. Signature Capture • Sign using a stylus on a touch pad, PDA Screen, or tablet • Both signature image and biometric characteristics captured • Image and characteristics encoded via proprietary algorithms, then encrypted • Signature is bound to the document or transaction, with the signature image the visible manifestation

  7. Binding • Implemented by encrypting the state of the document or transaction at the time of the transaction (‘freezing’) and storing with the signature • Any attempt to modify the document or transaction will flag the signature as invalid • Any attempt to ‘lift’ the signature and use it elsewhere will flag the signature as invalid. • An invalid signature is typically represented by visually crossing out the signature

  8. Signature Verification • Signature verification software resides on signature server, chip or device • Freely downloadable viewers are typically available • Signature compared to signature card and flagged as invalid if the characteristics fall outside the preset thresholds • Verified signature can be used to kick off a business process or transaction • Verification success and failures are logged as part of the audit trail

  9. Additional Security • Typically create an encrypted audit trail • Some systems allow double ‘signing’ with the addition of a digital signature • Use of both smart card and signature server for double verification • Some systems have tamper-proofed their code to reduce the risk of creating a cracked trojan horse version of it • Other security layers can be added, such as placing the Signature Server behind a firewall

  10. Issues: Security • Concerns related to how easy it is to hack, counterfeit, modify, or misappropriate either the actual biometric or the document protected by the biometric • Of the various biometric methods, E-Signatures are perceived as one of the more vulnerable, however, the newer systems, analyze not only the signature image, but also velocity, directions, and pauses. The complete signature information as well as document state is stored using 128-bit or better encryption • A key vulnerability is the Signature Server • Smart Cards and PDA’s a possible answer • False Negatives and Positives also a risk. Setting the thresholds and number of signatures to enroll requires proper risk analysis

  11. Issues: Public Perception • Some biometric methods may leave the impression that the organization in question is overly paranoid • Some methods, such as retinal scanning, are sufficiently outside most people’s sense of what constitutes a valid form of identification that they must overcome the issues of acceptance and ‘street’ credibility • Some people feel anxious at the thought of placing their eye to an iris or retinal scanner due to a fear, however misplaced, that it could harm them • Some people view the capture and storage of biometric data as an invasion of privacy • Public relations and loss of business risk from false positives and false negatives

  12. Issues: Public Perception (cont) • Requiring a signature is perceived as a normal request in a majority of situations and is rarely viewed as an invasion of privacy • Signing is mainstream, and as old as written language. A signature is recognized by everyone as a valid means of confirming agreement, identity, and receipt of a document • False negatives and false positives still a risk given the variability of the average person’s signature

  13. Issues: Religious Objections • Facial or hand scanning methods objectionable to some Christians due to the “Mark of the Beast” passage in the Book of Revelations. Other religious sects may also have religious objections • Risk of Freedom of Religion law suites if the use of some religiously unacceptable biometric method made mandatory • There are no religious objections to electronic signatures from any of the mainstream religions, as a signature does not violate any of their teachings

  14. Issues: Cost and Complexity • The high per-seat cost along with the complexity of implementation and use of some of biometric methods create a significant barrier to their widespread adoption • The per-seat cost can run under $500 and sometimes as low as $100 (If no customization required). The specialized hardware required is a simple pad and stylus • End-user training is minimal as the method is based on the intuitive concept of signing

  15. Issues: Legal • Some biometric methods break new legal ground with many of the precedents still to be set; such as who is liable for damages resulting from spoofing, false positives, and false negatives • As an electronic signature closely resemble written signature, it is likely to fall under the precedents for written signatures • Meet the requirements of the E-SIGN Bill, as well as other related national and international legislation • Though the issue of false positives and false negatives could prove thorny

  16. Applications: Access Control • Traditional User ID/Password combination vulnerable to either cracking or social engineering as are keypad codes • Physical keys and swipe cards can get lost or stolen • Electronic signatures provide more secure access control than traditional methods • More cost effective than many other biometric methods • Most systems work over LAN and WAN connections

  17. Applications: Time Entry • Traditional Time Entry systems can be subverted by having a buddy punching in another employee • Using the unique characteristics of an individual’s signature makes it all but impossible for a buddy to sign in another employee • Can be linked with access control

  18. Applications: Workflow • Excellent for automating processes that require sign-offs or legal signatures at various points • Save time and money by cutting out the requirement to print, fax, or courier • Meets needs for authentication, document integrity and nonrepudiation • Allows batch signing and distribution of documents • Easy storage and retrieval of e-signed documents • Verification of signature can be done at any time • Clear audit trail of when, who, where and why • Increases accountability of email

  19. Applications: E-Commerce/EDI • Meets needs for authentication, transaction integrity and nonrepudiation • User would electronically sign using a touch pad and stylus • Signature would be verified against the Signature Server, the transaction completed, and logged in the audit trail • Currently feasible for high-value B2B e-commerce and EDI • Some time yet before feasible for B2C; machines will need to ship with touch pads and have e-signature software bundled or integrated into the OS before one can expect consumers to adopt • For consumer use, initial verification of identity for enrolling is an issue • Customer resistance not an issue as people are used to signing when using their credit cards and may even feel more secure doing business online

  20. Applications: Smart Cards • Credit, debit, and ID cards vulnerable to forgery, counterfeiting and identity theft • Signatures and photos often not checked or only given a cursory glance • Conventional smart cards can be cracked, through bombardment with radiation or with code cracking software running on networked workstations • Counterfeit smart cards can be made to spoof a system • The combination of electronic signature stored on both a smart card and the signature server significantly reduce the risk of either being compromised or of a counterfeit smart card being successfully used • Smart credit or debit card would be swiped through a card reader then the customer would sign on a touch pad • Point of sale signature touch pads are becoming increasingly common, though currently only used to capture the signature image

  21. Applications Development • Typically there are SDKs available • Usually both COM and J2EE supported as are both desktop and Web-enabled applications • RDBMS, ERP, and CRM package support available in some SDKs • LAN and WAN support is typically provided • SDKs available that support PDA application development • Support for popular off-the-shelf applications is typically provided • User Profile Management Software in some cases allow for associating multiple biometric datasets to a given user (signature, finger print, etc.)

  22. Conclusion • Provides an optimum mix of security, ease of deployment and use, acceptability, and cost effectiveness • While not a universal solution for all biometrics applications, it is a good well-rounded solution for many applications • Therefore electronic signatures likely on the threshold of ubiquity

More Related