Digital signatures offer high-tech alternative

CIO

By Meg Mitchell Moore

(IDG) -- There's no simple definition for "digital signature," but if there were, it might go something like this: a cryptographic method of communication that authenticates transactions taking place over the Internet. No problem, right?

Basically, the idea behind a digital signature is the same as that behind your handwritten signature: you use it to confirm that you have committed to something, and you can't take that commitment back later. A digital signature doesn't involve signing something with a pen and paper and then sending it over the Internet. But like a paper signature, it attaches the identity of the signer to a transaction. Having a digital certificate is like using your driver's license to verify your identity. You may have obtained your license from Maryland, for example, but your Maryland license lets you drive in Nevada and Florida. Similarly, your digital certificate proves your online identity to anybody who accepts it.

How do I create a signature digitally?

Digital signatures require the use of public-key cryptography. If you are going to sign something digitally, you need to obtain both a public key and a private key. The private key is something you keep entirely to yourself. You sign the document using your private key (which is really just a kind of code), then you give your corresponding public key to the person who needs to verify your signature: the merchant at the website where you bought something, or the bank lending you money to buy a house. He uses your public key to make sure you are who you say you are. The public key and private key are related, but only mathematically, so knowing the public key makes it possible to verify your signature without knowing your private key. In fact, it's nearly impossible to figure out your private key from your public key.

Where do I get a private key and a public key?


You need to obtain something called a digital certificate. For that, you go to a certificate issuer, which will give you a digital certificate that says, in effect, "Here is Mike, and here is his public key. Anything he signs with his corresponding private key is valid." When you buy something online and digitally sign the transaction, you provide the merchant with your digital certificate. If the merchant trusts the issuer of the certificate, he uses the certificate to verify your signature.

So that's my public key. Where do I get my private key? Often the authority that provides you with a digital certificate will also provide you with a private key. Certain computer systems will let you generate your own private key, but be careful! That is where the potential for fraud comes in. It's considered impossible to forge a digital signature the way one can forge a paper signature, but if you are careless with your private key (leaving it unprotected on your desktop, for instance), you can compromise its integrity yourself.

Who issues the certificates?

Certain organizations want to become authorities in issuing digital certificates. The U.S. Postal Service, for example, is in the process of unveiling a program to issue digital certificates. It's likely that banks and credit card companies will also be interested in doing the same.

What does this mean for the business world?

The implications of digital signatures for e-commerce are enormous. Here's a simple example. Let's say Mickey Mouse buys a pound of cheddar on www.cheese.com, then denies he bought it. The cheese merchant is stuck with the bill because there's no way to prove absolutely that Mickey made the purchase: somebody else could have used Mickey's password or his credit card number.

Such repudiations end up costing merchants money, which makes them raise prices to cover the costs of fraud, which, in turn, hurts honest consumers. But if Mickey had used a digital signature when he made his purchase, the merchant could prove that Mickey bought the cheese.
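The cheese purchase, carried through in code as an added example (not from the article or any product it mentions): an issuer certifies Mickey's public key, Mickey signs the order with the private key only he holds, and the merchant checks both the certificate and the order. Ed25519 stands in for the unnamed public-key algorithm, the certificate is a toy format rather than X.509, and the names and order text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a toy certificate: the issuer's signature binds a name to a public key.
type Cert struct {
	Name   string
	PubKey ed25519.PublicKey
	Sig    []byte
}

// certBytes is the exact byte string the issuer signs: name and key together.
func certBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"|"), pub...)
}
// Issue is the certificate authority's step: "Here is Mickey, here is his public key."
func Issue(issuerPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Cert {
	return Cert{Name: name, PubKey: pub, Sig: ed25519.Sign(issuerPriv, certBytes(name, pub))}
}
// VerifyOrder is the merchant's check: the certificate must come from an issuer
// it trusts, and the certified key must have signed these exact order bytes.
func VerifyOrder(trustedIssuer ed25519.PublicKey, c Cert, order, sig []byte) bool {
	if !ed25519.Verify(trustedIssuer, certBytes(c.Name, c.PubKey), c.Sig) {
		return false // certificate not issued by an authority the merchant trusts
	}
	return ed25519.Verify(c.PubKey, order, sig)
}

// Scenario runs the purchase end to end: the genuine order verifies, a tampered
// order does not, and a stranger's signature fails even under Mickey's certificate.
func Scenario() (genuine, tampered, wrongKey bool) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	mickeyPub, mickeyPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := Issue(issuerPriv, "Mickey Mouse", mickeyPub)
	order := []byte("buyer=Mickey Mouse;item=cheddar;qty=1lb;shop=www.cheese.com") // constructed sample
	sig := ed25519.Sign(mickeyPriv, order) // Mickey signs with the key only he holds
	genuine = VerifyOrder(issuerPub, cert, order, sig)
	tampered = VerifyOrder(issuerPub, cert, []byte("buyer=Mickey Mouse;item=cheddar;qty=50lb;shop=www.cheese.com"), sig)
	wrongKey = VerifyOrder(issuerPub, cert, order, ed25519.Sign(strangerPriv, order))
	return
}

func main() {
	g, t, w := Scenario()
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w) // genuine=true tampered=false wrongKey=false
}
```

The merchant keeps the order bytes, the signature and the certificate; together they are the proof that Mickey's key, and nobody else's, approved exactly that order.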

Using digital signatures opens up opportunities in other areas as well: trading stocks, authorizing the transfer of medical records, applying for mortgages. All of the things that require a paper signature can potentially move online, making transactions smoother, faster, more secure and less expensive.

It all sounds so complicated. Isn't it easier just to do it the way we do it now?

Actually, the way we do things now is pretty complicated, and not just buying things on the Web, but traveling around it too. Imagine if you walked into a mall and each store required that you use a different kind of currency: dollars at Banana Republic, pesos at Sears. That would be unacceptable to you. But essentially that's what it's like today with websites that require passwords. You have a separate identity for each website you visit. Worse, you need to remember all of them, or save them on your computer, which is about as secure as walking around New York City with your wallet taped to your back. Digital signatures will allow us to have one single, verifiable identity that follows us around the Web.

So my digital signature will also become my password?

That's right. Let's go back to Mickey. When The New York Times asks him to choose a name and password for his free subscription, maybe he chooses "mmouse" with the password "cheese." At The Wall Street Journal's site, he calls himself "mickeythemouse" with the password "minnieforever." If Mickey had a digital signature, he could use that to identify himself to all of those sites.

Are digital signatures legally binding?

Yes. In June 2000 former President Clinton signed the Electronic Signatures in Global and National Commerce Act (E-Sign) into law. E-Sign gave digital signatures the same power as handwritten ones. But that monumental step didn't change the world as many of its backers thought it would.

Why not?

Because digital signature technology is grounded in the world of cryptography, it has a ways to go before it's really easy for the average consumer to use. Also, there are costs associated with digital signatures for both businesses and consumers. When these costs start to decline, adoption rates will likely rise. But it might be slow going, because the use of digital signatures involves a host of legal issues that will likely raise new questions.

Should my company buy a digital signature infrastructure today?

In most cases your company already spends a lot on its user ID-password infrastructure, and simply can't afford yet another security infrastructure. One option is to look for products (the Practical PKI Appliance from SingleSignOn.Net, for example) that provide support for both user ID-password authentication and digital signatures, all in one reusable package.
