eSignature Legitimacy for Security in Canada

How to eSign a document: eSignature legitimacy for Security in Canada

digital signatures rely on a symmetric key cryptography so before we talk about digital signatures let's quickly remind ourselves how a symmetric key cryptography works with asymmetric key cryptography there's a pair of mathematically related keys if you encrypt a message with one of the keys than the other key and only the other key can be used to decrypt it this is Albert and this is Sheila if Sheila wants Albert to send her a secret message she needs an asymmetric a pair of keys a computer program can generate these for her she sends Albert a copy of one of the keys and she keeps the other key to herself instead of sending Albert a key she could put a key in a public place for him to go and fetch himself it doesn't matter if someone else gets a copy of the public key Albert uses the public key to encrypt his message when Albert has encrypted the message he sends a Sheila the ciphertext only Sheila can decrypt the ciphertext because only Sheila has the matching key the private key truth be told most people don't need to worry about what's really going on because the whole process is taken care of behind the scenes my programs built into web browsers or email applications but what do asymmetric keys have to do with digital signatures well it so happens that it doesn't matter which one of the pair of keys is made public and which one is kept private if you encrypt a message with either one than the other and only the other can be used to decrypt it as long as she doesn't change her mind later Sheila can decide which one of the keys will be private and which one will be public this is the crucial feature of asymmetric key cryptography that makes digital signatures possible now let's think about why we even need digital signatures this is Carol and this is Bob Bob's builder carol has a leaky roof and she asks Bob to fix it Carol agrees to pay Bob a thousand pounds to fix her roof Bob agrees to start work on Monday and have it finished by Wednesday Carol writes details of the agreement on a piece of paper and she signs it and she sends it to Bob in the post no computers here Bob signs the piece of paper and sends a copy back to Carol in the post Carol sends Bob the money bob writes a note to carol to say he's got the money he signs this receipt and he sends it to Carol in the post on Monday Bob doesn't turn up he's gone on holiday for a week to spend the money on Thursday it rains all day and all of Carol's furniture is destroyed poor Carol Carol says it's Bob's fault but Bob denies ever having agreed to do the work Carol takes Bob to court the judge looks at the contract and the receipt which Bob signed Bob is ordered to pay the money back to Carol and to give her some more money for new furniture and Bob is sent to jail where he belongs once upon a time not so long ago if you wanted proof that a document was sent to you by a particular person it needed a handwritten signature on it only written signatures were legally binding but these days it's possible to put a digital signature on a document this is Jack and this is Jill Jack wants to send a document to Jill by email no paper this time now let's be clear there's nothing secret about the document neither of them care if somebody else reads it Jill just wants to be sure that it definitely came from Jack and that nobody else has made any changes to it on the way before his document is sent some software on Jack's computer prepares the digital signature the purpose of this software is to create something called a hash of the document these days most computers do this using an algorithm called sha-256 which was invented by the USA's National Security Agency sha-256 takes a copy of the document text and subjects it to a sequence of complex mathematical calculations and other transformations remember as far as the computer is concerned the document consists of binary ones and zeros the result is called a hash value it's also referred to as a digest of the document the hashing process has been designed so that even the tiniest difference in the original document would result in a completely different hash value this part of the signing process is not encryption because the transformations done by sha-256 are practically impossible to reverse you can't take a hash value and use it to work out what was in the original document like baking a cake hashing is a one-way process but if you were to apply the same process to the same document you would get exactly the same hash some software on Jack's computer now encrypts the hash using Jack's private key and the encrypted hash is embedded in the original document the document now has a digital signature Jack sends Jill a copy of the signed document he also sends her a copy of the public key alternatively he can put the public key on a website for Jill to go and fetch Jill's computer decrypt the digital signature using Jack's public key if she can decrypt it she knows it came from jack Jill's computer then uses sha-256 to calculate the hash value again using the text of the document if the hash value that Jill's computer calculates the same as the hash value that was sent by Jack she can be pretty sure that it hasn't been tampered with since it was created remember Jack and Jill really don't care if someone else has seen the signed document it's not a secret and it doesn't matter if someone else gets a hold of Jack's public key Jill simply wants to be sure that the document was sent by Jack of course anyone else could have been pretending to be jack from the start a criminal could create a document hash it with sha-256 and generate an asymmetric pair of keys using their computer so how can Jill be really sure that she's communicating with jack well that's where digital certificates come in for a fee Jack can apply for a digital certificate to a well known and well trusted organization called a certification Authority certification authorities include companies like Verisign global sign and Symantec to name but a few as part of the application process Jack's computer generates an asymmetric pair of keys and he sends the public key to the certification Authority along with various details about himself the certification Authority carefully checks that Jack is who he says he is then they send them a special type of file called a digital certificate this contains details about Jack along with information about the certification Authority and an expiry date bound to this digital certificate is jack's public key jack still has the corresponding private key which never left his computer Jack must of course keep his private key safe so now when Jack sends a signed document to Jill he can also send her a copy of the whole certificate or put it in a public place for her to go and get this means that when Jill wants to decrypt something that Jack is encrypted she can inspect this certificate first and if she's happy to trust it she can use the public key within the public key that has been guaranteed by the certification authority to belong to Jack essentially the certification authority is vouching for Jack needless to say applying to a certification Authority for a digital certificate is itself a very secure process anything the certification authority sent to Jack was digitally signed by them using their own digital certificate and this was provided by an even higher certification authority in the year 2000 a law was passed in the UK called the Electronic Communications Act this law made digital signatures legally binding and this has allowed businesses to thrive on the web since then we've seen the rise of crypto currencies like a Bitcoin a cryptocurrency is fundamentally a secure list of who paid who how much updating this list depends on digital signatures to summarize digital signatures rely on a symmetric key cryptography a documents contents are hashed to create a digest for example using sha-256 the digest is encrypted by the sender using their private key the digest is then embedded in the document which can be sent the recipient decrypt the digest using the sender's public key the recipient also calculates a hash from the documents contents using the same hash algorithm if the recalculated digest matches the decrypted digest it can be assumed that the document hasn't been tampered with since it was sent a digital certificate is issued by a certification Authority which guarantees the sender's identity the digital certificate contains a public key along with other information about the sender and an expiry date