
Electronic Signatures & Encryption

Electronic Signatures & Encryption. Abu Dhabi Chamber of Commerce and Industry February 20/21, 2001 John D. Gregory Ministry of the Attorney General (Ontario, Canada). Encryption. What is encryption? What is encryption for? Confidentiality Signature Integrity of text



Presentation Transcript


  1. Electronic Signatures & Encryption
     Abu Dhabi Chamber of Commerce and Industry, February 20/21, 2001
     John D. Gregory, Ministry of the Attorney General (Ontario, Canada)
     E-Signatures & Encryption, February 2001

  2. Encryption
     • What is encryption?
     • What is encryption for?
       • Confidentiality
       • Signature
       • Integrity of text
     • Applicable law
     • Legal advantages of encryption
       • presumption of attribution
       • presumption of integrity

  3. What is encryption?
     • Encryption is the transformation of text by a known process that permits the recreation of the original text by someone able to use the process.
     • Cryptography is the science or method of creating encryption.
     • An algorithm is the mathematics of the encryption process.
     • A key is the way of making the algorithm work with a particular text or for a particular person.

  4. What is encryption?
     • Secret key / single key / shared key cryptography
       • the same key is used to encrypt and to decrypt the text
       • traditional method of encryption
       • problems of key distribution, especially with multiple users and expiring keys

  5. What is encryption?
     • Public key / dual key / asymmetric cryptography
       • Two mathematically related keys (key pair)
       • Text is encrypted with one key and decrypted only with the other key
       • Knowing one key does not allow calculation of the other key
       • One key is kept secret (private key); the other is available to anyone (public key)

  6. What is encryption?
     • Public key infrastructure (PKI)
       • is an ensemble of hardware, software, contracts and administrative practices designed to identify the holder of a valid key pair
       • features a Certification Authority (CA) that follows published procedures and policy and:
         • issues keys (in some versions)
         • issues certificates about the holder of the key pair
         • may perform or outsource other functions
         • must be trusted by people relying on encryption

  7. What is encryption?
     • Public Key Infrastructure (2)
     • Other functions of a PKI:
       • Registration authority - identifies keyholders
       • Directory of keyholders
       • Revocation and suspension - control lists
       • Time-stamping
     • The main participants of a PKI:
       • Certification Authority (admin functions)
       • Keyholder / subscriber / holder of signing device / "signatory"
       • Person who wishes to rely on encryption: the relying party (RP)

  8. What is encryption for?
     • Confidentiality:
     • Single key cryptography
       • only the holder of the key (but any holder) can read a message encrypted with that key
     • Dual key cryptography
       • only the holder of one key can read a message encrypted with the other key
       • encrypt with the public key: only the holder of the private key can read the message, so it is secret except to the holder
       • use a certificate to confirm who holds the private key

  9. What is encryption for?
     • Signature:
     • Single key cryptography
       • anyone who holds the key may be the source of the message
     • Dual key cryptography (digital signature)
       • sign with the private key, open with the public key
       • only the holder of the private key can be the source
       • so long as the key stays private, the source is reliable
       • use a certificate to identify the source (= the signer, more or less)

  10. What is encryption for?
     • Integrity of text:
     • single key cryptography: no traditional role
     • dual key cryptography
       • hash the text with an agreed one-way hash function (a mathematical function) to create a message digest
       • encrypt the digest with the private key (= the signature)
       • transmit the plaintext and the encrypted digest
       • recipient hashes the received text and decrypts the received digest with the public key
       • if the digests match, the text has not been altered

  11. What is encryption for?
     • Issues for a PKI
       • Policy Management Authority (PMA)
         • governance issues are not easy
       • Identity certificates and role certificates
         • privacy considerations, technical challenges
       • Signature keys and confidentiality keys
         • key recovery policies and practices
       • Cross-certification, cross-recognition
         • standards of interoperability

  12. Applicable law
     • UNCITRAL Model Law and variants
       • Authorizes use of electronic signatures
         • intention to sign
         • link with signed document
       • Authorizes use of electronic originals
         • integrity must be shown
     • No law prevents confidentiality (Canada)
       • some obligation to preserve confidentiality
       • some obligation to give access to records

  13. Applicable law
     • Some laws on encrypted e-signatures
       • Utah (1995) - the pioneer - regulated system
       • Singapore (1998) - optional but regulated
       • Illinois (1998) - optional and accredited
       • EU (2000) - standards-based, party autonomy
       • Canada - Bill C-6 - for some functions
     • NOT in:
       • UNCITRAL ML on E-Signatures
       • Uniform Electronic Transactions Act (US)
       • Uniform Electronic Commerce Act (Canada)

  14. Legal effects of encryption
     • Presumption of attribution
       • Who signed the document?
       • Presumption is rebuttable - how easily?
       • Consequences of rebuttal - negligence?
       • EU - only "equivalent to handwritten" status
     • Presumption of integrity
       • Clear technical basis for this presumption
       • Almost irrebuttable in practice
       • Debate: is this necessary for a good signature? Or is it an added benefit only?

  15. Legal effects of encryption
     • Issue: technical reliability
       • how trustworthy is the system?
       • what registration procedures?
       • what management of keys by keyholders?
     • Issue: variants in implementation
       • role of CA may vary
       • content of certificate may vary
       • commercial use of certificates may vary
     • Issue: knowledge of legal standards
       • some users may misjudge duties, effects
     • Issue: fairness
       • possible liability without avoidable fault

  16. Legal effects of encryption
     • Sources on encrypted signatures and law
       • http://www.pkilaw.com
       • http://www.state.ma.us/itd/legal/pki.htm
       • http://www.ilpf.org/
       • Especially http://www.ilpf.org/digsig/analysis_IEDSII.htm
     • Canadian federal government PKI:
       • http://www.cio-dpi.gc.ca/pki-icp/index_e.asp