Appendix 6
Selected Bibliography on
Description of Digital Signatures
This description of digital signatures has been reprinted with
permission from Chapter 4 of Online Law: The SPA's Legal Guide
To Doing Business On The Internet (1996), written by Thomas J.
Smedinghoff and the Information Technology Law Department of McBride
Baker & Coles and published by Addison-Wesley Developers Press.
To order "Online Law" or other SPA publications, contact
the SPA at 1730 M Street, N.W., Suite 700, Washington, D.C. 20036-4510,
or call 1-800-388-7478, or visit SPA's home page at
http://www.spa.org.
1. USING DIGITAL SIGNATURES.
(a) What is a Digital Signature?
A digital signature is an electronic substitute for a
manual signature that serves the same functions as a manual signature
and more. It is an identifier created by a computer instead of
a pen. In more technical terms, a digital signature is the sequence
of bits that results from using a one-way hash function to create
a message digest of an electronic communication. The resulting
message digest is then encrypted using a public-key algorithm
and the sender's private key. A recipient who has the sender's
public key can accurately determine (1) whether the sequence of
bits was created using the private key that corresponds to the
signer's public key, and (2) whether the communication has been
altered since the sequence of bits was generated. Digital signatures
look like an unintelligible string of alphanumeric characters.
For example
----BEGIN PGP SIGNATURE----
Version: 2.6.2
owHtWX1sU1UUP+91G+22ysbHDHcBeZAVmq7L9iauNJ@UuhX2soUSpaufVsfu8tby1kUXTGsGhAgsEY4
h9b+EPBgArBGNSELGpiNEFM5A80xIzEoPiPSEiMRFbPfR/ajW7rlBjR/Zbf0/eed9+599177j3ndS9C
WlcIlqe3Dflw45vqJ85+dZ5hPywt6u0jb5zYvRmy2drFnZKT17a/97n/Tt11d8dNmyvqV12K7jt8Lxf
---END PGP SIGNATURE---
is the digital signature for the following e-mail message:
October 30, 1995
Dear Order Department:
We commit to purchase 10,000 widgets
at your price of $175 per hundred.
Ship to:
Industrial Products Co.
55 Retail Drive
Chicago, Illinois 60061
Sincerely,
Purchasing Department,
Industrial Products Co.
A digital signature is not a digitized image of a handwritten
signature or a typed signature such as "/s/john doe."
Moreover, unlike a handwritten signature which is unique to the
signer but is presumably consistent across all documents signed,
a digital signature is unique for each document "signed."
This is because a digital signature is derived from the document
itself. As a result, any change to the document will produce
a different digital signature.
A digital signature can serve the same purpose as a handwritten
signature in that it may signify authorship, acknowledgment, or
assent, among other things. However, a digital signature also serves
important information-security purposes that handwritten signatures
cannot. A digital signature allows the recipient of a digitally
signed communication to determine whether the communication was
changed after it was digitally signed. That is, a digital signature
provides assurance about the source and integrity of the communication.
Because a digital signature provides assurances as to integrity,
it is to this extent superior to a handwritten signature.
(b) How is an Electronic Communication Digitally Signed?
Before a sender can digitally sign an electronic communication,
the sender must first create a public-private key pair. The private
key is kept confidential by the sender and is used for the purpose
of creating digital signatures. The public key is disclosed generally
by posting the key in online databases, repositories, or anywhere
else the recipient of the digitally signed communication can access
it.
To digitally sign an electronic communication, the sender runs
a computer program that creates a message digest (or hash value)
of that communication. The program then encrypts the resulting
message digest using the sender's private key. The encrypted
message digest is the digital signature. The sender then attaches
the digital signature to the communication and sends both to the
intended recipient. A digitally signed communication might look
like this:
Subject: Order
Author: rqz@ipc.com
October 30, 1995
---BEGIN PGP SIGNED MESSAGE---
Dear Order Department:
We commit to purchase 10,000 widgets
at your price of $175 per hundred.
Ship to:
Industrial Products Co.
555 Retail Drive
Chicago, Illinois 60061
Sincerely,
Purchasing Department,
Industrial Products Co.
----BEGIN PGP SIGNATURE----
Version: 2.6.2
owHtWX1sU1UUP+91G+22ysbHDHcBeZAVmq7L9iauNJ@UuhX2soUSpaufVsfu8tby1kUXTGsGhAgsEY4
h9b+EPBgArBGNSELGpiNEFM5A80xIzEoPiPSEiMRFbPfR/ajW7rlBjR/Zbf0/eed9+599177j3ndS9C
WlcIlqe3Dflw45vqJ85+dZ5hPywt6u0jb5zYvRmy2drFnZKT17a/97n/Tt11d8dNmyvqV12K7jt8Lxf
---END PGP SIGNATURE---
The digital signature process can be made very easy. With a
user-friendly interface, the sender can digitally sign a communication
simply by clicking on buttons with a mouse. No special technical
expertise is needed. The sender should, however, appreciate the
legal effects and consequences of digitally signing an electronic
communication.
(c) Verifying a Digital Signature.
When a recipient gets a digitally signed communication, the recipient's
computer runs a computer program containing the same cryptographic
algorithm and hash function the sender used to create the digital
signature. The program automatically decrypts the digital signature
(the encrypted message digest) using the sender's public key.
If the program is able to decrypt the digital signature, the
recipient knows that the communication came from the purported
sender, that is, the recipient has verified its authenticity.
This is because only the sender's public key will decrypt a digital
signature encrypted with the sender's private key.
The program then creates a second message digest of the communication
and compares the decrypted message digest with the digest the
recipient created. If the two message digests match, the recipient
knows that the communication has not been altered or tampered
with, that is, the recipient has verified its integrity.
(d) Prerequisites for the Use of Digital Signatures.
The effectiveness of the digital signature process depends upon
the reliable association of a public-private key pair with an
identified person. The discussion thus far has made one critical
assumption: that the public-private key pair of the sender does,
in fact, belong to the sender. Any assurance of authenticity
would be worthless if the public key used to decrypt a digital
signature belonged to an impostor and not the purported sender.
Paper signatures usually have an intrinsic association with a
particular person because they are that person's own handwriting.
However, public-private key pairs used to create digital signatures
have no intrinsic association with anyone in particular -- they
are nothing more than large numbers. When a recipient obtains
the public key for a digitally signed communication,
how can he or she verify that the public key actually belongs
to the purported sender? An impostor could have generated the
public-private key pair and entered that public key in a public
database under the purported sender's name.
The solution to this problem is to enlist a third party, trusted
by both the sender and recipient, to perform the tasks necessary
to associate a person or entity on one end of the transaction
with the key pair used to create the digital signature on the
other. Such a trusted third party is called a certification
authority.
2. CERTIFICATION AUTHORITIES.
(a) Function and Role.
A certification authority (CA) is a trusted third person or entity
that ascertains the identity of a person, called a subscriber,
and certifies that the public key of a public-private key pair
used to create digital signatures belongs to that person.
The certification process generally works in the following way.
The subscriber:
1. Generates his or her own public/private key pair;
2. Visits the CA and produces proof of identity, such as a driver's
license and passport or any other proof required by the CA; and
3. Demonstrates that he or she holds the private key corresponding
to the public key (without disclosing the private key).
These three steps in the certification process are likely to
vary somewhat from CA to CA. For example, one CA may require
a subscriber to appear in person before the CA as part of the
second step of establishing the subscriber's identity. Another
CA may be willing to rely on a third party, such as a notary,
to establish the subscriber's identity.
Once the certification authority has verified the association
between an identified person and a public key, the certification
authority then issues a certificate. A certificate
is a computer-based record that attests to the connection of a
public key to an identified subscriber. A certificate identifies
the certification authority issuing it and the subscriber identified
with the public key. The certificate also contains the subscriber's
public key and possibly other information, such as an expiration
date for the public key. To provide assurance as to the authenticity
and integrity of the certificate, the certification authority
attaches its own digital signature to the certificate.
The certification authority then notifies the subscriber that
the certificate has been issued so as to give the subscriber an
opportunity to review the contents of the certificate before it
is made public. It is important that the subscriber be given
an opportunity to double-check the accuracy of the contents of
the certificate because the subscriber may be bound by any communication
digitally signed with the private key that corresponds to the
public key contained in the certificate or held liable for misrepresentations
to the certification authority.
If the subscriber finds that the certificate is accurate, the
subscriber may publish the certificate, or direct the CA
to do so, making it available to third parties who may wish to
communicate with the subscriber. A certificate is published by
being recorded in one or more repositories or circulated by any
other means so as to make it accessible to all intended correspondents.
A repository is an electronic database of certificates
-- the equivalent of a digital Yellow Pages. A repository is
generally available online and may be maintained by the certification
authority or by anyone providing repository services. Repositories
are generally accessible to anyone.
Repositories contain other important information as well as certificates.
If a private key is compromised or lost, such as through loss
of the medium on which it is stored or accidental deletion, it
is generally necessary to suspend or revoke the corresponding
certificate so that others will know not to rely on communications
digitally signed with that key. This information is also posted
in the repository.
Once a certificate has been published, the subscriber may then
append the certificate to any electronic communication. If the
recipient wants to verify the connection between the sender and
his public key, the recipient can look to the attached certificate
for some assurance.
(b) Who Can Be a Certification Authority?
Certification authorities may include federal and state governmental
entities, private persons or entities licensed to act as certification
authorities by a state, and private persons or entities acting
as certification authorities for commercial purposes. For example,
the U.S. Postal Service has announced large-scale plans to offer
services designed to facilitate electronic commerce, including
functioning as an all-purpose certification authority. The USPS
may be well suited to function as a certification authority: In
transactions between companies or individuals, it is an objective
third party with an established reputation for credibility. Through
its nationwide network of post offices, the USPS can register
public keys for applicants who appear in person. This will enable
the USPS to provide an added level of security, such as photographs
and fingerprinting, to ensure that each registered public key
corresponds to a real person, not an alias or an assumed identity.
The Los Angeles Superior Court has established a limited-purpose
certification authority in connection with an electronic filing
and retrieval system that will rely on digital signatures to assure
the authenticity and integrity of electronic court filings. The
court will act as certification authority for its own personnel.
Private parties authorized by the court will act as the certification
authority for attorneys and litigants.
A number of private commercial certification authorities are
also currently operating. These include the Net Market Company,
an affiliation of shopkeepers on the Internet, and VeriSign, Inc.,
which issues certificates and provides related services to corporations
and individuals for use in digitally signing documents for any
purpose. Value-added networks may also serve a limited local
certification authority function for subscribers to their network.
(c) Verifying a Certification Authority's Digital Signature.
To provide assurances as to the authenticity of a certificate
it issues, a certification authority digitally signs each such
certificate itself. Anyone can verify the authenticity and integrity
of a certificate issued by a certification authority by verifying
the certification authority's digital signature using the certification
authority's public key.
Note, however, that anyone who wants to verify authenticity has
the same problem with the CA's public key as he or she has with
any other public key. How does the person know whether the public
key really belongs to the CA? The answer is that the CA has its
public key certified by another, higher-level CA, which acts as
a certification authority for it. That higher-level CA then digitally
signs the certificate it has issued, verifying the connection
between the lower-level CA and the lower-level CA's public key.
The lower-level CA may then make the certificate for its key
available to anyone who seeks to verify the lower-level CA's digital
signature.
The higher-level CA, in turn, needs to have its connection to
a public key certified to an even higher-level CA, and so on and
on. This process of higher and higher CAs certifying public keys
is often referred to as chaining certificates.
Of course, the chain has to stop somewhere. Where it stops will
depend on the importance of a communication to the recipient.
Depending on the nature of the electronic communication, the
recipient may not bother to verify the sender's signature, much
less the lowest level CA's signature. If the communication is
of greater importance, the recipient may trace the certificates
up the chain until reaching a certificate issued by a CA he or
she knows and trusts.
3. PROTECTING THE PARTIES TO THE TRANSACTION.
(a) Certification Practice Statements.
Unless they are subject to state licensure and regulation, certification
authorities generally do not adhere to any uniform standard or
procedures for verifying the identities of persons for whom they
issue certificates. Thus a digital signature is only as reliable
as the certification authority is trustworthy in performing its
functions. Consequently, a party needs some way to gauge how
much reliance it should place on a digital signature supported
by a certificate a particular CA issued. For example, if a certification
authority verifies identity based on any single piece of identification,
the third party might be more cautious in its reliance than it
would if the certification authority requires the subscriber to
appear in person with a driver's license and passport and to be
fingerprinted.
To help recipients of a digitally signed communication gauge
their level of risk, the particular procedure a certification
authority follows in issuing certificates may be stated in a certification
practice statement. A certification practice statement may
also include information about the practices the CA follows in
its operations and about the details of the security of its system.
Certification practice statements may serve an important function
for a certification authority as well. A certification authority
that follows its announced practices may be able to avoid a claim
that it was negligent in failing to do more to connect a user
to a public key.
(b) Certificate Revocation Lists.
With public-key cryptography, each person has to keep his or
her private key confidential and secure. This is easier than
two people trusting each other to keep a key secret, as in conventional
cryptography; nevertheless, the security of private keys is a
problem. It is inevitable that someone's key will be lost or
compromised, either through carelessness or a successful cryptanalytic
attack. In addition, there are times -- such as when a person
dies; a company goes out of business; or an employee quits, is
fired or transferred to a new position -- when a key may no longer
be needed or used. Thus, there will be times when a key needs
to be revoked before it expires.
A key is revoked by revoking its certificate. The problem is
how to notify people that they should no longer rely on a key.
The solution to this problem is the certificate revocation
list or CRL. A CRL is simply a database of certificates
of keys that have been revoked before their expiration date.
A CRL may be part of the repository maintained by the certification
authority. If a private key is lost, compromised, or no longer
used for any other reason, the corresponding public key and its
certificate would be placed on the CRL. Before relying on a public
key, a person should verify its status by checking the CRL.
(c) Certificate Expiration.
It is possible for a cryptographic key to be compromised even
though its holder conscientiously safeguarded it. With a little
luck and a lot of motivation, keys can be broken through what
is known as a brute-force attack. In a brute-force attack,
every possible key is tried until one decrypts the ciphertext.
The longer the key length, the longer it takes to try all the
possible keys. For example, for a key that is 56 bits long, it
would take approximately 10 hours to find the key. For a key
that is 128 bits long, it would take 5.4 x 10^18 years
to find the key.
Thus, one way to guard against a successful brute-force attack
is to use a long key. Another is to change keys periodically.
As with revoked keys, there must be some way to let people know
when a key expires. This can be done simply by including a validity
period in the certificate for a public key. Anyone who then consults
the certificate for that key will know whether it has expired.
Once a key and its certificate expire, the user simply creates
a new key pair and has the public key certified.
Encryption keys generally expire after a relatively short time;
this raises the question of how a digital signature can be verified
after the public key has expired. For example, if a company enters
into a twenty-year lease, how can the integrity of the digitally
signed lease be verified when the corresponding certificate has
already expired?
One solution is to have the digital signature date/time stamped.
The date/time-stamped version of the digital signature could
be used years later to enforce the original contract. The date/time
stamp would establish the date and time at which the document
was signed, and thus establish that at such time there was a valid
certificate connecting the signer to the public key.
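The steps described in sections 1(b)-(c), 2(c), 3(b) and 3(c), as an added example that is not part of Online Law: a message digest is signed with a private key and verified with the public key, and a certificate chain is then checked for expiration, revocation and the issuing CA's signature as of a given date (the date a time stamp would establish). It assumes textbook RSA with no padding, toy keys built from Mersenne primes, and a certificate layout, CA names and validity dates that are all constructed for illustration.

```python
import hashlib
from datetime import date

E = 65537  # public exponent shared by all toy keys (assumption of this example)

def keypair(p, q):
    """Textbook RSA from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, n, d):
    return pow(digest(data), d, n)         # digest "encrypted" with the private key

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data)  # "decrypt" with public key, compare digests

def body(c):
    return f"{c['subject']}|{c['issuer']}|{c['n']}|{c['not_after']}".encode()

def issue(subject, n, issuer, ca_n, ca_d, not_after):
    c = {"subject": subject, "n": n, "issuer": issuer, "not_after": not_after}
    c["sig"] = sign(body(c), ca_n, ca_d)   # the CA signs the certificate contents
    return c

def check_chain(chain, trusted, crl, on):
    """chain is leaf-first; trusted maps a CA name the recipient trusts to its key."""
    for c, parent in zip(chain, chain[1:] + [None]):
        if on > c["not_after"]:
            return "expired: " + c["subject"]
        if c["subject"] in crl:
            return "revoked: " + c["subject"]
        if c["issuer"] in trusted:
            ca_n = trusted[c["issuer"]]
        elif parent and parent["subject"] == c["issuer"]:
            ca_n = parent["n"]             # key taken from the next certificate up
        else:
            return "untrusted issuer: " + c["issuer"]
        if not verify(body(c), c["sig"], ca_n):
            return "bad signature on: " + c["subject"]
        if c["issuer"] in trusted:
            return "ok"                    # the chain stops at a CA the recipient trusts
    return "no trusted CA reached"

# Constructed toy keys from Mersenne primes: trivially factorable, illustration only.
ROOT_N, ROOT_D = keypair(2**89 - 1, 2**1279 - 1)
CA_N, CA_D = keypair(2**107 - 1, 2**607 - 1)
SUB_N, SUB_D = keypair(2**127 - 1, 2**521 - 1)

ca_cert = issue("Lower CA", CA_N, "Root CA", ROOT_N, ROOT_D, date(2005, 1, 1))
sub_cert = issue("Industrial Products Co.", SUB_N, "Lower CA", CA_N, CA_D, date(1996, 10, 30))
CHAIN, TRUSTED = [sub_cert, ca_cert], {"Root CA": ROOT_N}

ORDER = b"We commit to purchase 10,000 widgets at your price of $175 per hundred."
ORDER_SIG = sign(ORDER, SUB_N, SUB_D)
```

Checking the chain as of the signing date succeeds, while the same chain checked as of a date twenty years later reports the subscriber's certificate as expired, which is the gap the date/time stamp is meant to close.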