
E-signature Strategies

E-signature Strategies. Alan S. Kowlowitz Strategic Policies, Acquisitions and e-Commerce NYS Office for Technology. Outline of Class. Overview of Electronic Signatures and Records Act (ESRA) Explanation of ESRA’s definition of an e-signature Available approaches to electronic signing


Presentation Transcript


  1. E-signature Strategies Alan S. Kowlowitz Strategic Policies, Acquisitions and e-Commerce NYS Office for Technology

  2. Outline of Class • Overview of Electronic Signatures and Records Act (ESRA) • Explanation of ESRA’s definition of an e-signature • Available approaches to electronic signing • Guidance on selecting an e-signature approach • Records management implications of e-signed e-records

  3. Overview of Electronic Signatures and Records Act (ESRA)

  4. ESRA Chapter 4, Laws of 1999: State Technology Law, Article 1 • E-records and e-signatures given the same legal validity as paper records and ink signatures • OFT Electronic Facilitator overseeing implementation • Use of e-signatures and records is voluntary • Govt. must accept hard copies unless otherwise provided by law

  5. ESRA Chapter 4, Laws of 1999: State Technology Law, Article 1 • E-signatures and records can’t be used for: • Negotiable instruments • Instruments recordable under Art. 9 of the RPL (e.g., deeds) • Other instruments whose possession confers title • Documents affecting life and death (Wills, Trusts, Do-not-resuscitate orders, Powers of attorney, Health care proxies)

  6. ESRA Amended by Chapter 314 Laws of New York, 2002 • Amends and expands the definition of “electronic signature” to comport with the federal E-Sign Law • Authorizes the use of various e-signature approaches in NYS • OFT retains its role as “electronic facilitator” and regulator of e-signature/record • Adopted into law on August 6, 2002 • Final regulations published in May 2003 • Revised ESRA Guidelines in process

  7. ESRA Definition of an E-signature

  8. ESRA Definition of an E-signature an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the record. • Affords the greatest possible flexibility in selecting an appropriate e-signature solution • Sets some parameters on what constitutes an e-signature under ESRA

  9. ESRA Definition of an E-signature • “[A]n electronic sound, symbol, or process...” • A wide range of “digital objects” may serve as an e-signature • Can be as simple as a set of keyboarded characters or as sophisticated as an encrypted hash of an e-record’s contents • Allows a process to serve as an e-signature • Recorded events of accessing a system are associated with the content to be signed to create a record of the signer’s actions and intent

  10. ESRA Definition of an E-signature • “[A]ttached to or logically associated with ...” • An e-signature is attached to or logically associated with an e-record during transmission and storage • Can be part of the record or maintained separately but associated to the record through a database, index, embedded link or other means • Link between e-record and e-signature must be • Created at signing and maintained during any transmission • Retained as long as a signature is needed which may be the record’s full legal retention period

  11. ESRA Definition of an E-signature • “[E]xecuted or adopted by a person with intent to sign the record.” • E-signature must express the same intent as a handwritten one • Must identify an individual who will convey intent • Practices that may help avoid confusion: • Allow the signer to review the record to be signed • Inform the signer that a signature is being applied • Format an e-record to contain accepted signature elements • Express signer’s intent in the record or a certification • Require the signer to indicate assent affirmatively • Record and retain date, time, and the signer’s intent

  12. Example of a signature certification statement from the Department of Tax and Finance International Fuel Tax Agreement (IFTA) report (return) filing application.

  13. Available Approaches to Electronic Signing

  14. E-signature Approaches • Most e-signature approaches involve a number of technologies, credentials, and processes • More accurate to think of a range of approaches to e-signing rather than an array of stand-alone technologies • Approaches provide varying levels of security, authentication, and record integrity • Can combine techniques from various approaches to increase the strength of the above-mentioned attributes

  15. Click Through or Click Wrap • Person affirms intent or agreement by clicking a button • ID information collected, authentication process (if any) and security procedures can vary greatly • Commonly used for low risk, low value consumer transactions

  16. Personal Identification Number (PIN) or Password (“shared secret”) • Person enters ID information, PIN and/or password • System checks that the PIN and/or password is associated with the person • Authentication is the first part of a process that involves an affirmation of intent • If over the Internet, the PIN and/or password is often encrypted using Secure Sockets Layer (SSL)

  17. Digitized Signature and Signature Dynamics • Digitized Signature • A graphical image of a handwritten signature often created using a digital pen and pad • The entered signature is compared with a stored copy; if the images are comparable, the signature is valid • Signature Dynamics • Variation on a digitized signature • Each pen stroke is measured (e.g., duration, pen pressure, size of loops, etc.), creating a metric • The metric is compared to a reference value created earlier, thus authenticating the signer

  18. Shared Private Key • Also known as “symmetric cryptography” • E-record is signed and verified using a single cryptographic key • The key is shared between the sender and recipient(s) • Not really “private” to the sender • A private key can be made more secure by incorporating other security techniques • Smart cards or other hardware tokens in which the private key is stored

  19. Public/Private Key Digital Signatures • Also known as Asymmetric Cryptography • Key Pair: Two mathematically related keys • One key used to encrypt a message that can only be decrypted using the other key • Cannot discover one key from the other key • Private Key: Kept secret and used to create a Digital Signature • Public Key: Often made part of a “digital certificate” and used to verify a digital signature by a receiving party • Often used within a Public Key Infrastructure (PKI) • Certification Authority (CA) binds individuals to private keys and issues and manages certificates

  20. Digital Signatures: Public/Private Key Cryptography • Encrypt message digest with Private Key • Validate message digest with Public Key • [Diagram: Bob passes the message “Hi Alice ... Sincerely, Bob” through a hash algorithm to get the digest 12345 and encrypts the digest with Bob’s Private Key, giving the signature ##!FV, which travels with the message and Bob’s certificate. Alice passes the received message through the hash algorithm to get 12345, decrypts the signature with Bob’s Public Key to get 12345, and compares the two values.]
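
An added example (not part of the original presentation) that contrasts the shared-key approach of slide 18 with the hash-then-sign flow of slides 19 and 20, including the tamper check that slide 28 attributes to digital signatures. The keys, the sample record and all function names are constructed for illustration; the public/private key part is unpadded textbook RSA over publicly known primes, so it shows the mechanics only and is not a usable key pair.

```python
import hashlib
import hmac

# Constructed demo keys. P and Q are publicly known Mersenne primes, so this
# key pair is NOT secret; it only keeps the arithmetic reproducible offline.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # Bob's public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))      # Bob's private exponent (Python 3.8+)

SHARED_KEY = b"constructed-demo-shared-key"   # held by both Bob and Alice


def digest(record: bytes) -> int:
    """Hash the e-record to a fixed-size message digest (slide 20)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign_shared(record: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Shared-key approach (slide 18): a keyed hash (HMAC) over the record."""
    return hmac.new(key, record, hashlib.sha256).digest()


def verify_shared(record: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(sign_shared(record, key), tag)


def sign_private(record: bytes, d: int = D, n: int = N) -> int:
    """Public/private key approach: transform the digest with the private key."""
    return pow(digest(record), d, n)


def verify_public(record: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recover the digest with the public key and compare with a fresh hash."""
    return pow(signature, e, n) == digest(record)


def demo() -> dict:
    record = b"Hi Alice\nSincerely, Bob"          # constructed sample record
    altered = b"Hi Alice, see revised terms\nSincerely, Bob"
    tag, sig = sign_shared(record), sign_private(record)
    return {
        "shared_valid": verify_shared(record, tag),
        "shared_detects_change": not verify_shared(altered, tag),
        # Either key holder can compute a tag that verifies, so a valid tag
        # does not show which party produced it ("not really private").
        "any_key_holder_can_tag": verify_shared(altered, sign_shared(altered)),
        "public_valid": verify_public(record, sig),
        "public_detects_change": not verify_public(altered, sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Verification in the second approach needs only `N` and `E`, which is why the verifying party never has to hold the signing key.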

  21. Biometrics • Person’s unique physical characteristics are measured and converted into digital form or profile • Voice patterns, fingerprints, and the blood vessel patterns present on the retina • Measurements are compared to a stored profile of the given biometric • If the measurements and stored profile match, the software will accept the authentication • Can provide a high level of authentication

  22. Smart Card • Not a separate e-signature approach in itself • It can facilitate various e-signature approaches • A plastic card containing an embedded chip • Can generate, store, and/or process data • Data from the card’s chip is read by software • After a PIN, password or biometric identifier is entered • More secure than a PIN alone • Both physical possession of the smart card and knowledge of the PIN are necessary • Can be used to overcome concerns with the shared secret approach to e-signature

  23. Additional Factors • Each general approach to e-signing (e.g. PINs and passwords vs. digital signatures) varies in terms of: • Identifying the signer • Attributing a signature • Securing the integrity of both the record and the signature • Each can increase security and reduce risk • Often independent of the technology selected

  24. Signer identification or registration • Method or process used to identify and authorize a signer to use an e-signature • Independent of the e-signature or e-record technology • Critical component of any e-signature solution • The stronger the identification method the more assurance that the appropriate person signed

  25. Signer identification or registration: Methods • Self-identification as part of the signing process • Comparison of user supplied information with a trusted data source • Acceptance of a previously conducted and trusted process where individuals personally presented themselves and proof of identities • Separate identification process to authorize the use of an e-signature where individuals personally present themselves and proof of identities

  26. Signer Authentication • Policy, process and procedures used to authenticate the signer • Establish a link or association between the signer and the information and method used to sign • The strength of the authentication system can protect against fraud and repudiation

  27. Signer Authentication: Methods • Something that only the individual knows: A secret (e.g., password or Personal Identification Number (PIN)) • Something the individual possesses: A token (e.g., ATM card, cryptographic key or smart card) • Something the individual is: A biometric (e.g., characteristics such as a voice pattern or fingerprint) • Two factor authentication: often includes use of a hardware device such as a smart card

  28. Signature attests to the record’s integrity • E-signature approaches provide varying levels of protection against unauthorized access or tampering with the signed e-record • Systems that manage signed e-records can provide protection if they have controls • Controls may be needed to ensure that the integrity of the signed e-record is not compromised during transmission • Added security is provided by approaches in which signature validation ensures that the e-record has not been modified • Digital signatures

  29. Selecting an E-signature Approach A business decision not just a technical one

  30. Is an e-signature needed or desirable? • Review requirements and risks • Creating and maintaining signed e-records may require more resources than unsigned ones • Consider the following questions: • Is there a legal requirement for a signature? • Statute of Frauds requires certain contracts to be signed • Specific laws and regulations require signatures • Is there a business need for a signature? • Document that the signer attested to information’s accuracy, agreed to conditions, and/or reviewed contents • Higher risk transactions may need the protection against fraud or repudiation provided by e-signatures

  31. Business Analysis and Risk Assessment • ESRA regs § 540.4 (c) require govt. entities to conduct and document a business analysis and risk assessment: • identifying and evaluating various factors relevant to the selection of an electronic signature for use or acceptance in an electronic transaction. Such factors include, but are not limited to, relationships between parties to an electronic transaction, value of the transaction, risk of intrusion, risk of repudiation of an electronic signature, risk of fraud, functionality and convenience, business necessity and the cost of employing a particular electronic signature process.

  32. Business Analysis and Risk Assessment • Purpose: • To identify and evaluate factors relevant to selecting an e-signature approach • Does not prescribe a method or set a standard • Protects interest in the use of sound technology and practices when transacting business electronically • Business analysis and risk assessment are two parts of an integrated process

  33. Business Analysis • Possible components • Overview of the business process • Analysis of legal and regulatory requirements • Identification of standards or accepted practices • Analysis of those who will use e-signature • Determination of interoperability requirements • Determination of costs of alternatives

  34. Business Analysis: Overview of business process and transaction • Purpose and origins • Transaction’s place within the larger business process • Services to be delivered and their value • Parties to the transaction and other stakeholders • Transaction’s workflow

  35. Business Analysis: Analysis of legal and regulatory requirements • How the transaction must be conducted • Signature requirements • Are they specifically required, what records need to be signed, who must or can sign, do they need to be notarized • Records related requirements • What records must be produced • How long do they need to be retained • Who must or can have access to the records • Specific formats prescribed for the creation, filing or retention • Confidentiality requirements • Importance of the parties’ identities to the transaction

  36. Business Analysis • Identification of standards or accepted practices on how e-transactions are conducted and e-signed • May be key factor in selecting a solution • Analysis of parties to e-signed transaction • Numbers • Location • Demographic characteristics • Access to technology • Accessibility requirements • Prior business relationships

  37. Business Analysis: Interoperability requirements • Compatibility with an existing technology environment • Interoperability or consistency with approaches used by partners • Governmental or private • Leveraging an existing and proven solution

  38. Business Analysis: Cost of alternative approaches • Hardware and software purchases • Implementing additional policies and procedures • Personnel to implement policies, procedures, or services • Training costs • Maintenance costs including help desk and user support

  39. Risk Assessment • E-signatures may serve a security function • They usually include signer authentication • Some approaches provide message authentication and repudiation protection • Selection of an e-signature solution includes identifying • Potential risks involved in a signed e-transaction • How e-signature approaches can address those risks

  40. Risk Assessment • Risk is the likelihood that a threat will exploit a vulnerability and have an adverse impact • Threat is a potential circumstance, entity or event capable of exploiting a vulnerability and causing harm • Vulnerability is a weakness that can be accidentally triggered or intentionally exploited • Impact refers to the magnitude of harm that could be caused by a threat • Likelihood that a threat will actually materialize • To assess risks an entity should identify and analyze each of the above

  41. Risk Assessment: Sources of threat • Parties to the transaction • Governmental entity staff • Malicious third parties such as hackers or crackers

  42. Risk Assessment: Vulnerabilities • Repudiation • Possibility that a party to a transaction denies that it ever took place • Fraud • Knowing misrepresentation of the truth or concealment of facts to induce another to act to his or her detriment • Intrusion • Possibility that a third party intercepts or interferes with a transaction • Loss of access to records • For business and legal purposes

  43. Risk Assessment: Potential Impacts • Financial • Average dollar value of transactions • Direct loss to the governmental entity, citizen or other entity • Liability for the transaction • Reputation and credibility • Relationship with the other involved party • Public visibility and perception of programs • History or patterns of problems or abuses • Consequences of a breach or improper transaction • Productivity • Time criticality of transactions • Number of transactions, system users, or dependents • Backup and recovery procedures • Claims and dispute resolution procedures

  44. Risk Assessment Likelihood • Motivation and capability of threat • Nature of the vulnerability • Existence and effectiveness of controls • A threat is highly likely where: • Its source is highly motivated and capable • Controls are ineffective

  45. Risk Assessment: Risk Matrix • High Risk = 11-16 • Medium Risk = 8-10 • Low Risk = 4-7 • Negligible Risk = 1-3

  46. Select an E-signature Solution • Balance business concerns (e.g., user acceptance and ease of deployment) with risk reduction • Identify overriding concerns • An overriding factor might be compatibility with an existing standard or solution • Cost may be an overriding factor where risk is low

  47. Cost-Benefit Analysis • Can help entities decide on how to allocate resources and implement a cost-effective e-signature solution • Used to evaluate feasibility and effectiveness for each proposed solution to determine which are appropriate • Can be qualitative or quantitative • Demonstrates that a solution’s cost is justified by reducing risk • Cost-benefit analysis can encompass the following • Determining the impact of implementing the solution • Determining the impact of not implementing it • Estimating the costs of the implementation • Assessing costs and benefits against system and data criticality

  48. Documenting a Business Analysis and Risk Assessment • ESRA regulation requires that the BA and RA be documented • How, or in what detail, is up to the governmental entity • Minimum documentation should cover • Process used including factors mentioned in the ESRA regulation • Result and decision reached including justification • The resulting documentation should be • Accurate and readily available • Clear and understandable to an outside audience • Retained as long as the e-signature solution is used
