Information Security and Electronic Signature Applications

Not: Bu araştırma TBD Eskişehir şubesi tarafından düzenlenen Biltek 2005 Kongresinde sunulmuştur. (Uluslararası Bilişim Kongresi, 10-12 Haziran 2005, Eskişehir) 

Information Security and Electronic Signature Applications

  Sezen Yeşil -Telecommunications Authority, Telecommunications Assistant ExpertDemirtepe, Ankara- 06430

  Özet. Günlük hayatımızda sayısal teknolojiye bağımlılık artıkça, güvenlikle ilgili tehditler de artmaktadır. Bu bildiride, bilgi güvenliği konuları genel olarak anlatılmakta ve bilgi güvenliğini sağlamak için kullanılan teknik araçlardan biri olan elektronik imza hukuki ve teknik yönleriyle ele alınmaktadır.

Abstract. As the dependence on digital technology increases in our lives, security threats increase as well. In this paper information security issues are described generally and electronic signature as one of the technical means to achieve information security is discussed in terms of technical and legal aspects.  

1. INTRODUCTION

One of the most striking technological developments of the last fifty years has been the emergence of digital technology as a powerful force in our lives. Within the past ten years, the Internet has become an important tool for communication in all sectors of society. Like telephone we do not have to have it to live, but we have come to rely on it. We depend on it for timely access to information, for private correspondence, and for commercial business applications of all kinds. Many of the services that we use today would not be possible without computers and networks and the digital technology on which they are based.  The explosion of digital electronics and interconnected devices presents many opportunities, but it also has a dark side. It is becoming easier for people to track where you are, to catalogue what web pages you visit, to study what you purchase at stores, and to observe what you read and watch online. As the Internet expands and issues regarding cyber attacks become more widespread, the number of incidents is increasing. There are the risks to business of loss of records, denial of service attacks and other hostile attack effects. Since it is easy to copy digital content and edit it, it is also easy to falsify information, including the modifying and forging official documents. Emerging computing applications including e-finance and e-commerce create complexity in the networked environment. From ATM machines to online banking, these capabilities offer convenience and cost savings, but they also introduce new opportunities for theft and fraud. Therefore; it is essential to maintain secure information storage and communication links in this new environment [3]. At stake are not only significant economic and financial interests but also public confidence in using communications networks for important transactions or for the exchange of sensitive information. If an acceptable level of security cannot be guaranteed, the Information Society will be unlikely to develop its full potential [10]. 

2. INFORMATION SECURITY

Information is defined as “an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected” in the standard ISO/IEC 17799:2000. Information security can be described by three parameters; confidentiality, integrity and availability. According to this standard, confidentiality is “ensuring that information is accessible only to those authorized to have access”; integrity is “safeguarding the accuracy and completeness of information and processing methods”; and availability is “ensuring that authorized users have access to information and associated assets when required.” [4] The concepts of computer, network, and data security in cyberspace are similar to issues in the real world; however, the mechanisms are different. There are three important differences. First, violations of security of all types of cyberspace can take place very rapidly. That means that by the time you understand what is happening to your information assets, it may be too late to prevent damage. Second, you do not have to be physically present at a location, or even in the same country, to commit a security violation in cyberspace. In cyberspace, the threat can come from anywhere on the network. It may be directed at a known target, the target may have been selected at random. Third, cyberspace provides a powerful but complex environment, in which the responsibility for security is divided among multiple players. If you are a user of computing and network services, there are a number of ways to protect yourself and your personal computer. However, you cannot control your internet service provider’s security policy or its implementation. Nor can you control your client's software, even if you are closely linked with their systems. Thus you need to assume a protective stance over your own assets, while being aware that the connections you are making with the outside world prevent you from eliminating all vulnerabilities on the network [10].  Unless security precautions are taken, there is a possibility of risks some of which are as follows; ·         Information destruction: The data stored on the computer could be deleted. It might be possible to recover it, but it could take time and the recovery might not be complete.  ·         Information theft and loss of privacy: You may or may not be aware of the theft immediately (or ever) and it is unlikely that you will know who took your data, what was taken, or what will be done with it. If a great deal of your personal information is taken, the thief might be able to steal your identity with unknowable, but probably serious, consequences.  ·         Loss of information integrity: The information on your computer could be modified without your knowledge. Depending on what kind of information you keep, the consequences could range from trivial to disastrous. If the data include enterprise financial records, customer information, order status, or personnel files, your business dealings could be adversely affected. ·         Loss of network integrity on other systems and/or networks: Although you may not be attacked directly in this case, other computers to which you have access may be attacked with trickle down consequences to you. If you are a financial institution, you may not be able to complete financial transactions during the recovery period.  ·         Keystroke capturing: Hidden software could be installed on your computer that would capture your keystrokes and send them to another computer. This could compromise your access to external sources, such as a protected web server, an e-mail server, financial transactions, or confidential information. Authentication tokens such as credit card numbers and passwords could be obtained by the thief and used in later transactions for his or her personal gain. ·         Denial-of-Access: You could be denied access to your own information, even though it has not been erased. It might appear in encrypted form, where only the intruder has the decryption key. The cost associated with recovering from any of these attacks is likely to be substantial, and the recovery process is likely to be inconvenient at the least. If you are the director of an enterprise with a critical dependence on your electronic data resources, an extremely malicious attack could lead to the demise of your enterprise [10]. There are many technical ways to achieve information security like use of firewalls, virus scanners, encryption and electronic signature.  

3. ELECTRONIC SIGNATURE

The recent scientific and technological upheaval and the increasing usage of the Internet have necessitated putting more reliable tools into effect in order to provide all electronic data safely. In this context, initiation of electronic signature applications will play a key role in securing reliable environment for all transactions taking place in electronic medium. 

3.1 Technical Aspects of Electronic Signature

An electronic signature is any unique set of letters, characters, symbols or code attached to an electronic document with the intention of identifying the sender. At the lower end of the e-signature security scale are formats such as email signatures and the simple attachment of signature images. Higher up the scale we find more secure formats such as pin numbers. At the upper end of the scale are formats using more complex technologies combining mathematical processes, encryption and controlled systems[1]. Although electronic signature is a generic term, it is also frequently referred to as a digital signature. Adoption of one approach over another is determined by the importance of the documents the organization wants to authenticate and secure [6].

3.1.1 Digitized Signatures

 A digitized signature is created by scanning in a handwritten signature. When someone wishesto sign an electronic document, they simply insert the image of their signature where appropriate. When the receiver views an electronic document or message, they immediately recognize the meaning of the digitized signature. Digitized signatures are one of the easiest mechanisms to use. However, digitized signatures should not be relied upon for any security services. They are generally used in conjunction with a stronger mechanism to add usability [5].

3.1.2 PINs and Passwords

 The traditional method for authenticating users has been to provide them with a personal identification number or secret password, which they must use when requesting access to a particular system. Password systems can be effective if managed properly, but they seldom are. Authentication that relies solely on passwords has often failed to provide adequate protection for computer systems for a number of reasons. If users are allowed to make up their own passwords, they tend to choose ones that are easy to remember and therefore easy to guess. If passwords are generated from a random combination of characters, users often write them down because they are difficult to remember. Where password-only authentication is not adequate for an application, it is often used in combination with other security mechanisms. PINs and passwords do not provide non-repudiation, confidentiality, or integrity [5].

3.1.3 Biometrics

 Biometric authentication relies on a unique physical characteristic to verify the identity of system users. Common biometric identifiers include fingerprints, written signatures, voice patterns, typing patterns, retinal scans, and hand geometry. The unique pattern that identifies a user is formed during an enrollment process, producing a template for that user. Biometric authentication devices tend to cost more than password or token-based systems, because the hardware required to capture and analyze biometric patterns is more complicated. However, biometrics provide a very high level of security because the authentication is directly related to a unique physical characteristic of the user which is more difficult to counterfeit [5].

3.1.4 Secret Key Electronic Signatures

 An electronic signature can be implemented using secret key message authentication codes (MACs). For example, if two parties share a secret key, and one party receives data with a MAC that is correctly verified using the shared key, that party may assume that the other party signed the data. This assumes, however, that the two parties trust each other. Thus, through the use of a MAC, in addition to data integrity, a form of electronic signature is obtained. Using additional controls, such as key notarization and key attributes, it is possible to provide an electronic signature even if the two parties do not trust each other [7]. Secret key electronic signatures are primarily used to achieve confidentiality, but may also be used for authentication, integrity and limited non-repudiation [5].

3.1.5 Public Key Electronic Signatures

 Another type of electronic signature called a digital signature is implemented using public key cryptography. Firstly, the data to be signed is compressed using a hash procedure to increase the speed of the process. Then, the user’s private key is used to encrypt the compressed data to generate the signature that is then attached to the document. The document (with digital signature attached) is then transmitted and the receiver can choose to authenticate the sender and authenticate the document by using the sender's public key. The receiver (relying party) can acquire the sender's public key from the Certification Authority. The Certification Authority, on request, will provide the public key and a digital certificate. Having verified the sender the public key is used on the document to recalculate the signature from the text of the document received. If the resulting signature matches the sender's attached signature it proves that the document has not been altered and therefore authenticates it. The process has now established;   ·         Integrity: The document has not been changed since it was signed by the sender ·         Authenticity: The document could only have been signed by the private key of the sender ·         Non-repudiation: The sender's identity is established in a digital certificate

Non-repudiation relies on two things; the digital signature (authenticates the document) and the digital certificate (authenticates the owner of the signature). The digital certificate can be described as the 'passport' that identifies people across the Internet. It contains the identity information by which signature owner can be identified, public key which corresponds to the private key and the Certification Authority issuing the certificate. Digital certificates are created, issued and managed by a Certification Authority (CA)[2]. CA is an authority that is formally recognized as providing authentication for the identity of an individual or organization. This CA concept exists in the real world as well; if you hold a national passport, your government presumably has authenticated your identity and the passport is the token that you can present to prove it [10]. 

3.2 Legal Aspects of Electronic Signature

 Historically, a signature is any mark made by persons with the intent that it be their signature. Signing a document serves the following abbreviated list of general purposes:  - Evidence: A signature authenticates a written document by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.    - Ceremony: The act of signing a document calls to the signer's attention the legal significance of the signer's act and thereby helps prevent poorly considered engagements.  - Approval: In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing's content or the signer's intent that it have legal effect and force.  - Efficiency and logistics: A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document. Negotiable instruments, for example, rely upon formal requirements, including a signature, for their ability to change hands with ease, rapidity, and minimal interruption.  To achieve these characteristics in the electronic world, our "mark" must somehow be associated with us [6]. Having documents in electronic form permits rapid processing and transmission and improves overall efficiency. However, approval of a paper document has traditionally been indicated by a written signature. What is needed, therefore, is the electronic equivalent of a handwritten signature that can be recognized as having the same legal status as a handwritten signature [7]. In European Union the Electronic Signatures Directive, published in 1999 by the European Commission (8), recognised the need to promote eCommerce in Europe and the need to give a legal basis to electronic transactions. By providing a legal basis and recourse to the courts the Commission also achieved a basis for trust. All EU member states were obliged to implement the directive in their national legislation[3]. For example; in 1997 Italy, in 1998 Germany, in 2000 France, UK, Austria and Denmark, in 2001 Hungary, in 2002 Poland implemented electronic signature laws [1]. In 2000 former U.S. President Bill Clinton signed the Electronic Signatures in Global and National Commerce Act. His first signature was done by the traditional pen and ink method since the law that would be signed was necessary to legitimize what he would do next. Using a password the president then used a smart card encoded with a numerical string that was his digital signature. By this action, a major step forward was taken to advance the use of electronic signatures to complete transactions in a fully electronic environment. With the stroke of both pen and digital device, the keystone was set. This allows a new bridge to be built between a history of pen and paper as the exclusive safe harbor for official documents and our digital future where paper is a convenient viewer but no longer the only legally accepted medium for document-based information [6]. Electronic signature laws are also in force in other countries like Australia, Japan, Singapore, India, Israel and in Turkey too.  In Turkey Electronic Signature Act was published in the Official Gazette dated 15 January 2004 and entered into force after a period of six months from the date of publication. By virtue of this Law, besides the duty of supervision of electronic certificate service providers, Telecommunications Authority is given the duty of preparing and publishing secondary legislations including technical, jurisdictional and administrative issues on electronic signature and its implementations within a period of six months from the execution date of the Law with the collaboration of all sector actors. Telecommunications Authority published “Ordinance on the Procedures and Principles Pertaining to the Implementation of Electronic Signature Law” and “Communiqué on Processes and Technical Criteria Regarding Electronic Signatures” in 6 January 2005. In this respect, legal basis to electronic signatures has been established in Turkey now. According to the Law, electronic signature is defined as “data in electronic form that are attached to other electronic data or logically linked to that electronic data and used for authentication”. The most important part of the Law is stated in Article 5 as; “secure electronic signature shall have the same legal effect with that of handwritten signature.”  As defined in the provisions of the Article 4 secure electronic signature [8];  ·         is exclusively assigned to the owner of signature,·         is generated with the secure electronic  signature creation device which is kept under sole control of the signature owner,·         enables the identification of the signature owner based on the qualified electronic  certificate,·         enables to detect whether  signed electronic  data is altered or not subsequently A secure electronic signature can provide three attributes of trust; integrity, authentication and non-repudiation. When one uses secure electronic signature, he/she must be as careful as in the case of handwritten signature. In the Article 9 of the Law, where attributes of qualified electronic certificate are described, there must be an indication showing that the certificate is “qualified electronic certificate”. Only electronic certificate service providers (CSP- an interchangeable term for CA) who have notified and who are under the supervision scheme of the Telecommunications Authority can claim that they generate ‘qualified’ electronic certificates. When users want to purchase a qualified certificate, they must check whether the CSP is declared in the ‘CPSs’ link of Telecommunications Authority’s web site. Despite the benefits of electronic signature, there are some drawbacks like interoperability problems, cumbersome structure associated with public key infrastructure and legal inconsistencies associated with certification service providers. For the purpose of the technical standardization and legislative harmonization, Telecommunications Authority follows closely the studies of international institutions like ETSI, CEN, ISO and ITU. In the secondary legislations prepared by Telecommunications Authority, the standards of those organisations are referred to.In order to prevent legislative obsolescence in the face of new technologies, technical neutrality of the electronic signature legislations is very important. In the Directive 99/93/EC it is stated that “Rapid technological development and the global character of the Internet necessitate an approach which is open to various technologies and services capable of authenticating data electronically” [2]. Therefore, in Turkey this issue has been considered both in Electronic Signature Law and secondary legislations prepared by Telecommunications Authority. 

3.3 Electronic Signature Applications

 Digital signatures are already in broad use. Secured socket layer (SSL), a technology that uses digital certificates, is found in hundreds of Web sites providing security for electronic transactions. For instance, The U.S. Department of Defense and NASA both use digital signatures for a number of internal transactions and transactions with commercial suppliers [6]. Estonia has a national identification card that can be used for electronic identification and giving digital signatures. Over 360,000 ID-cards have been issued as of 13 January 2004 [3].  Applications in which digital signing techniques are used can be listed as follows [9]; • Electronic mail security: Electronic mail is needed to sign digitally, especially in cases where sensitive information is being transmitted and security services such as authentication, integrity and non-repudiation are desired. Signing an e-mail message assures all recipients that the sender of the information is the person who he or she claims to be, thus authenticating the sender. • Financial transactions: This encompasses a number of areas in which money is being transferred directly or in exchange for services and goods. One area of financial transactions which could benefit especially from the use of digital signatures is Electronic Funds Transfer (EFT). Digitally signing EFTs are a way of providing security services such as authentication, integrity and non-repudiation. Secure Electronic Transaction (SET) is the most important protocol relating to ecommerce. SET introduced a new concept of digital signature called dual signatures. A dual signature is generated by creating the message digest of two messages: order digest and payment digest. The SET protocol for payment processing utilises cryptography to provide confidentiality of information, ensure payment integrity and identity authentication. • Electronic filing: Contracting requirements expect certain mandated certificates to be submitted from contractors. This requirement is often filed through the submission of a written form and usually requires a handwritten signature. If filings are digitally signed and electronically filed, digital signatures may be used to replace written signatures and to provide authentication and integrity services. • Software protection: Digital signatures are also used to protect software. By signing the software, the integrity of the software is assured when it is distributed. The signature may be verified when the software is installed to ensure that it was not modified during the distribution process. Any recipient can verify that the program remains virus-free. • Signing and authenticating: Signing is the process of using the sender’s private key to encrypt the message digest of a document. Anyone with the sender’s public key can decrypt it. A person who wants to sign the data has only to encrypt the message digest to ensure that the data originated from the sender. Authentication is provided when the sender encrypts the hash value with the sender’s private key. This assures the receiver that the message originated from the sender. Digital signatures can be used in cryptography-based authentication schemes to sign either the message being authenticated or the authentication challenge used in the scheme. The X.509 strong authentication is an example of an authentication scheme that utilises digital signatures.

4. CONCLUSION

In this paper information security issues and electronic signatures are discussed. It is stated that there are risks such as information theft, loss of privacy, loss of information integrity, keystroke capturing and denial of access. Precautions must be taken against such risks. For information security assurance there are some technical means like firewalls, virus scanners, encryption and electronic signatures. This paper discusses only electronic signatures like digitized signatures, pins and passwords, biometrics and digital signatures.  Electronic signatures, which can be used in electronic mail security, financial transactions, electronic filing, software protection, signing and authentication, will play a key role in securing reliable environment for all transactions taking place in electronic medium such that it provides integrity, authenticity and non-repudiation. In order to provide a legal basis to electronic signatures, electronic signature laws are in force in many countries as well as in Turkey. By virtue of the Electronic Signature Law, legislative issues like notification and supervision of electronic certificate service providers and technical issues including the definition of technical parameters are given under the responsibility of the Telecommunications Authority. Telecommunications Authority published necessary secondary legislations. Therefore, as of 6 January 2005 required legal basis has been completed in Turkey In order to increase user confidence in the digital technologies, security tools are very important. However, knowledge of these tools has lagged behind. So security awareness must be established. Nowadays electronic signature has been a hot issue in Turkey because of the new release of secondary legislations. This is a good opportunity to develop awareness of information security and electronic signature usage. This opportunity must be converted into benefit. Governments, organizations, and individuals all have a part to play in achieving the information security in our country.  

References

1. Dumortier, Kelm, Nilsson, Skouma, Eecke, 2003)J. Dumortier, S. Kelm, H. Nilsson, G. Skouma, P.V. Eecke, “Legal and Market Aspects of Electronic Signatures”, Study for European Commission, icri, Katholieke Universiteit Leuven, Last retrieved: 31 December 2004, Web address: http://europa.eu.int/information_society/eeurope/2005/all_about/security/electronic_sig_report.pdf , Oct 2003
2. (EC,1999)EC, Direktive 99/93/EC, “Electronic Signatures Directive”, Last retrieved: 5 April 2005, Last retrieved: 14 April 2005, Web address: http://europa.eu.int/eur-lex/pri/en/oj/dat/2000/l_013/l_01320000119en00120020.pdf, 1999
3. (EU, 2003)“eEuropa+ Progress Report”, Last retrieved: 31 December 2004, Web address:  http://europa.eu.int/information_society/eeurope/2005/doc/all_about/benchmarking/eeuropeplus_progress_report.pdf, 2003 
4. (ISO,2000)ISO/IEC 17799:2000, “Code of Practice for Information Security Management”, 2000
5. (Kuhn, Hu, Polk, Chang, 2001)D.R. Kuhn, V.C. Hu, W. T. Polk, S.J.Chang, Introduction to Public Key Technology and the Federal PKI Infrastructure, NIST National Institute of Standards and Technology, Special Publication 800-32, 2001
6. (Minihan, 2001)J.Minihan, “Electronic signature technologies: A tutorial”, Information Management Journal, Last retrieved: 5 April 2005, Web address: http://www.findarticles.com/p/articles/mi_qa3937/is_200110/ai_n8959672, Oct 2001
7. (NIST, 1996)NIST, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce, An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12
8. (Parliament, 2004)Electronic Signature Act, Turkish Official Gazette No: 25355, 15.01.2004, http://rega.basbakanlik.gov.tr, For unofficial English version of the law; http://www.tk.gov.tr/eng/duzenmaineng2.html
9. (Rhee, 2003)M. Y. Rhee, Internet Security, Cryptographic Principles, Algorithms and Protocols, John Wiley & Sons Ltd, 2003
10. (Sadowsky, Dempsey, Greenberg,Mack, Schwartz, 2003)G. Sadowsky, J. X. Dempsey, A. Greenberg, B. J. Mack, A. Schwartz, Information Technology Security Handbook, The International Bank for Reconstruction and Development/ The World Bank, 2003


[1] http://www.certificationeurope.com/. Last retrieved 24 March 2005. 
[2] http://www.certificationeurope.com/. Last retrieved 24 March 2005. 
[3] http://www.certificationeurope.com/. Last retrieved 24 March 2005.