
Digital Signatures

Note that in practice, a user could "sign" a digital document by encrypting it with their secret key and a traditional symmetric encryption method. The disadvantage to such a system is that the verification of the signature would require knowledge of the secret key, and would therefore render other documents vulnerable to forgery by the party verifying the signature.

In order to overcome this, a technique called digital signatures has been developed that uses a newer form of cryptography called "public key" or "asymmetric" cryptography, where there are two keys that are mathematically related to each other. Generation of digital signatures requires knowledge of the secret key, but verification of signatures requires only knowledge of the public key. A digital signature for a document is then a "string of bits" that is derived from two pieces of information: the document itself, and the secret key of the signing party. The public key is distributed freely to anyone who wishes to verify signatures. The other key is a secret key known only by the party that is authorized to generate the signatures associated with that public key. For more information on public key cryptography, see [5].

To summarize, digital signatures have the following properties:

In this way, the digital signature replicates the desirable features of a handwritten signature, and offers even stronger forms of authentication if the proper procedures are followed in the handling of secret information. For example, handwritten signatures can be verified only by experts practicing what can only be described as an inexact science. By contrast, the mathematical procedure for verifying digital signatures can be verified by any number of independent agents, and there is no room for disagreement among these agents. The numbers are either correct or they are not.

There are now at least two common methods of generating digital signatures. One is a proprietary technology of RSA Data Security, Inc., and is called the RSA digital signature, after its inventors Rivest, Shamir, and Adleman. This technology is being deployed in a large number of applications, and has been licensed by nearly every big telecommunications and computer company in the U.S., including AT&T, Apple, IBM, Microsoft, Novell, and Sun Microsystems. The only serious competitor to RSA signatures is the Digital Signature Algorithm (DSA), which was proposed by NIST as a Federal Information Processing Standard called the Digital Signature Standard (DSS) [7]. There is some controversy surrounding the licensing of DSA, since the holders of the RSA and other patents claim that DSA is covered by their patents. NIST has declared that "The Department of Commerce is not aware of any patents that would be infringed by this standard" [7]. In the next few years this point will become moot anyway, as many if not all of the relevant patents will expire by the year 2000.

RSA and DSA signatures use similar kinds of calculations, and these can be performed by a number of hardware and/or software solutions. They rely upon the notion of a "Key Certification Authority" (CA) that is responsible for issuing and/or certifying keys. The primary role of a key certification authority is to provide assurance that a user's public key is accurate. The CA need not be online to answer questions about the legitimacy of keys. Instead, when a user is issued (or chooses and registers) their public/private key pair, the CA simply issues a digital signature of these keys to certify that these should be recognizable as having been issued to the particular user. These credentials generally have expiration dates and may convey other information such as a role for which the user is certified. When a digital signature is generated by a user, the credentials for the keys used to create the digital signature may be included with the digital signature (but this need not be the case). A user may obtain multiple credentials for their public key, and there is no need for the user to obtain multiple public/private key pairs for multiple applications. In particular, there is no reason that the public/private key pair of a user cannot be used for signing health documents as well as their email or their bank card transactions. A user who accesses a system held by a given hospital may get credentials for their public key from the hospital itself. In order to access the system in the role of a nurse, they may want to present credentials for the same keys that were issued by an accreditation agency for nurses.

In addition to basic key certification through digital signatures under the certification authority's own public key, a key certification authority can provide:

There is no reason to have secret user keys stored on the certification authority machine, and there are good reasons for them not to be stored there.

For a "raw" digital signature without certification credentials, we should expect the signature to be only about 100-300 bytes, depending on the level of security chosen, but not depending on the size of the message. When a certificate chain is added to the signature, the credentials will grow to a size that is proportional to the length of the chain. It is therefore advantageous to set up key certification hierarchies that are not too deep.
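
The credential chain and the size argument above can be tried out with the following sketch, which is an added example and not part of the original text. It uses unpadded hash-then-sign RSA with toy keys built from Mersenne primes, which is insecure and chosen only so the example runs with the Python standard library; the names (root, hospital, nurse-17), the credential layout and the dates are constructed assumptions.

```python
import hashlib, json

E = 65537  # public exponent shared by all toy keys

def keypair(a, b):
    # Constructed toy key from Mersenne primes 2**a-1 and 2**b-1: NOT secure.
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):                 # needs the secret exponent d
    return pow(h(data), key["d"], key["n"])

def verify(n, data, sig):            # needs only the public modulus n
    return pow(sig, E, n) == h(data)

def encode(body):
    return json.dumps(body, sort_keys=True).encode()

def issue(issuer, issuer_key, subject, subject_n, role, expires):
    body = {"issuer": issuer, "subject": subject, "n": subject_n,
            "role": role, "expires": expires}
    return {"body": body, "sig": sign(issuer_key, encode(body))}

def verify_chain(root_name, root_n, chain, doc, doc_sig, today):
    """Return (signer, role) if every link and the document verify."""
    name, n = root_name, root_n
    for cert in chain:
        body = cert["body"]
        if body["issuer"] != name or not verify(n, encode(body), cert["sig"]):
            raise ValueError("credential not signed by " + name)
        if body["expires"] < today:          # ISO dates compare as strings
            raise ValueError("credential expired: " + body["subject"])
        name, n = body["subject"], body["n"]
    if not verify(n, doc, doc_sig):
        raise ValueError("document signature invalid")
    return name, chain[-1]["body"]["role"]

def wire_size(chain, signer_n):
    """Bytes for the raw signature plus the attached credentials."""
    return (signer_n.bit_length() + 7) // 8 + sum(len(encode(c)) for c in chain)

# Constructed sample: accreditation root -> hospital CA -> nurse.
ROOT, HOSP, NURSE = keypair(2281, 3217), keypair(1279, 2203), keypair(521, 607)
CHAIN = [issue("root", ROOT, "hospital", HOSP["n"], "ca", "1999-12-31"),
         issue("hospital", HOSP, "nurse-17", NURSE["n"], "nurse", "1996-06-30")]
DOC = b"constructed sample chart entry"
DOC_SIG = sign(NURSE, DOC)
```

The verifier holds only the root's public modulus and never contacts the CA; a production system would use a padded scheme such as RSA-PSS with randomly generated keys.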


Kevin S. McCurley
Sat Mar 11 16:00:15 MST 1995