Encryption and digital signatures

In the past many governments including those of the UK, USA, France, Germany, Israel and Russia have been strongly opposed to the use of strong encryption techniques because of the implications in the fight against terrorism, organised crime, fraud and drug trafficking. Because of the widespread development

In addition to this the continuing growth of use of the internet for e-commerce, e-mail and online banking have made encryption and digital signatures a necessity for security.

To be successful e-commerce needs an environment of trust and privacy. There are four requisites to achieve this:

* Authentication, this means that you can be certain who you are doing business with.

* Non-repudiation, this means that no one can deny having sent or received transaction data, establishing confidence that a contract entered into will be honoured. It is also important to know that a transmission has not been altered.

* Integrity, this is trust in fair and reputable business practices.

* Encryption, this is the process of scrambling a message in order to hide its content, thus providing confidentiality. Strong encryption is required to prevent hacking but also frustrates law enforcement agencies when they seek to unscramble messages.

Encryption is the scrambling of datafiles so that they are unreadable by anyone who does not have the key. With conventional encryption each pair of communication users shares the same key, but with public key encryption, pairs of related keys are utilised. Each user of the system has a public key and a private key. The maths of such a system means that even if a hacker has knowledge of a public key, it is not feasible that they could ascertain the value of the corresponding private key.

Public keys can be widely distributed but private keys must remain secret and should never be shared with any other party. All public key systems provide the means to calculate and verify digital signatures electronically. A digital signature contains the users identity and private encryption key which can be verified by anyone with the corresponding public key. In simple terms these work as follows:

* The sender of a message will use his/her private key to calculate the signature which will depend on the message content. The signature will be appended to the message and sent, with the message, to the recipient.

* The recipient of the message and signature will use the sender's public key to validate the signature. Even a single bit change to the message will render the signature invalid.

For this system to work, anybody using another's public key must be convinced of its authenticity, hence the need for public key certificates.

In 1999 the EC passed a directive `to facilitate the use of digital signatures and contribute to their recognition'. The directive required member states to establish a legal framework for digital signatures by July 2001. It sought to ensure that digital signatures are legally effective and also admissible as evidence in national courts of law. The directive created the concept of digital signatures which must be created by a secure signature creation device and be based on a qualified digital certificate. A digital certificate consists of a series of numbers representing an ID and a public key associated with that identity. The certificate is issued and signed by a Certification Authority (CAs), which is obliged to use due diligence to check that certificates are properly issued. Most EC states have implemented the directive, in the UK it has been implemented via the Electronic Communications Act 2000, which came fully into force in March 2002. Although the UK legislation is in place, the precise processes supporting digital signatures have not yet been settled. Outside of the EC, the USA, Australia and Canada have developed digital signature systems. It is imperative that there is international agreement on the development of digital signatures and their certification otherwise the global spread of e-commerce could be jeopardised.

In a recent lecture, Dr MacWilson from consultancy PricewaterhouseCoopers, referred to the compelling business case for the widespread adoption of digital signatures. He said that, "Systems based around digital signatures can significantly eliminate paperwork and boost the use of electronic records, they can also significantly reduce online fraud. They should enable enforceable online transactions since any specific transaction is tightly tied to one person."

He went on to say that, "Businesses using digital signatures should be more efficient as their online processes will be streamlined and thus more competitive, increasing their appeal to consumers and that digital signatures are essential enablers for the various e-commerce models: business-to-business (B2B), business-to-consumer (B2C) and government-to-business (G2B)."

Dr MacWilson was able to cite examples where the introduction of a digital signature-based system has created significant improvements in efficiency.

In the case of the European Commission, the shift to presenting all proposals, submissions and contracts in electronic form has resulted in a 70% reduction in the commission's annual (1.23 billion) paperwork bill.