by Nischal Dahal
Published on: Jan 8, 2005
The Electronic Transaction Act, popularly known as the cyber law, has just been introduced in Nepal. The law basically aims to give legal status to electronic documents. With ordinary paper documents, the authenticity of many legal, financial and other documents is determined by the presence or absence of an authorized handwritten signature. For computerized message systems to replace the physical transport of paper and ink documents, a method must be found that allows documents to be signed in such a way that no one can replicate the signature. Devising the method for creating the digital signature is the most complex and sensitive step in authenticating the document. Generally, an encryption mechanism is used to authenticate the sender of the message. Creating electronic signatures may involve the use of cryptography in two ways: symmetric (or shared private key) cryptography or asymmetric (public key/private key) cryptography. The latter is used in producing digital signatures, discussed further below.
Shared Symmetric Key Cryptography
In shared symmetric key approaches, the user signs a document and verifies the signature using a single key (consisting of a long string of zeros and ones) that is not publicly known, that is, it is secret. Since the same key performs both functions, it must be transferred from the signer to the recipient of the message. This situation can undermine confidence in the authentication of the user's identity, because the symmetric key is shared between sender and recipient and therefore is no longer unique to one person. Since the symmetric key is shared between the sender and possibly many recipients, it is not private to the sender and hence has less value as an authentication mechanism. This approach offers no additional cryptographic strength over digital signatures. Further, digital signatures avoid the need for the shared secret.
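The weakness described above can be seen with a keyed hash. The following is an added example, not part of the original article; it assumes HMAC-SHA256 as the shared-key mechanism (the article names no algorithm), and the payment orders are constructed sample data.

```python
import hashlib
import hmac
import secrets


def make_tag(shared_key: bytes, document: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag. Anyone holding shared_key can do this."""
    return hmac.new(shared_key, document, hashlib.sha256).digest()


def check_tag(shared_key: bytes, document: bytes, tag: bytes) -> bool:
    """Verify a tag in constant time, using the same key that created it."""
    return hmac.compare_digest(make_tag(shared_key, document), tag)


def shared_key_demo() -> dict:
    # One secret key, transferred from the signer to the recipient.
    shared_key = secrets.token_bytes(32)

    order = b"Pay NPR 5,000 to account 1234"        # constructed sample
    sender_tag = make_tag(shared_key, order)

    # The recipient holds the same key, so it can tag a document
    # the sender never saw, and that tag verifies just as well.
    other_order = b"Pay NPR 500,000 to account 1234"  # constructed sample
    recipient_tag = make_tag(shared_key, other_order)

    return {
        # Integrity works: the genuine pair verifies...
        "genuine_verifies": check_tag(shared_key, order, sender_tag),
        # ...and the sender's tag does not carry over to a changed document.
        "altered_rejected": not check_tag(shared_key, other_order, sender_tag),
        # Origin does not: a third party cannot tell which key holder
        # produced this tag, so it proves nothing about the sender.
        "recipient_tag_verifies": check_tag(shared_key, other_order, recipient_tag),
    }


if __name__ == "__main__":
    for name, value in shared_key_demo().items():
        print(f"{name}: {value}")
```

The tag protects the document against alteration in transit, but because every key holder can produce it, it cannot settle a dispute about who signed.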
Public/Private Key (Asymmetric) Cryptography - Digital Signatures
To produce a digital signature, a user has his or her computer generate two mathematically linked keys -- a private signing key that is kept private, and a public validation key that is available to the public. The private key cannot be deduced from the public key. In practice, the public key is made part of a "digital certificate," which is a specialized electronic file digitally signed by the issuer of the certificate, binding the identity of the individual to his or her private key in an unalterable fashion. The whole system that implements digital signatures and allows them to be used with specific programs to offer secure communications is called a Public Key Infrastructure.
A "digital signature" is created when the owner of a private signing key uses that key to create a unique mark (the signature) on an electronic document or file. The recipient employs the owner's public key to validate that the signature was generated with the associated private key. This process also verifies that the document was not altered. Since the public and private keys are mathematically linked, the pair is unique: only the public key can validate signatures made using the corresponding private key. If the private key has been properly protected from compromise or loss, the signature is unique to the individual who owns it, that is, the owner cannot repudiate the signature. In relatively high-risk transactions, there is always a concern that the user will claim someone else made the transaction. With public key technology, this concern can be mitigated. To claim he did not make the transaction, the user would have to feign loss of the private key. By creating and holding the private key on a smart card or an equivalent device, and by using a biometric mechanism (rather than a PIN or password) as the shared secret between the user and the smart card for unlocking the private key to create a signature, this concern can be mitigated. In other words, combining two or three distinct electronic signature technology approaches in a single implementation can enhance the security of the interaction and lower the potential for fraud to almost zero. Furthermore, by establishing clear procedures for a particular implementation of digital signature technology, so that all parties know what the obligations, risks, and consequences are, agencies can also strengthen the effectiveness of a digital signature solution.
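The signing and validation steps described above, as an added example that is not part of the original article. It assumes the third-party Python `cryptography` package and the Ed25519 algorithm (the article names no algorithm); the contract text is constructed sample data.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def is_valid(public_key: Ed25519PublicKey, document: bytes, signature: bytes) -> bool:
    """Validate a signature using only the signer's public key."""
    try:
        public_key.verify(signature, document)
        return True
    except InvalidSignature:
        return False


def signature_demo() -> dict:
    # The signer generates two linked keys; only the public one is shared.
    private_key = Ed25519PrivateKey.generate()
    public_key = private_key.public_key()

    contract = b"Seller transfers plot 42 for NPR 5,000"   # constructed sample
    signature = private_key.sign(contract)

    # A single changed character invalidates the signature.
    altered = contract.replace(b"5,000", b"9,000")

    # A public key from an unrelated key pair cannot validate it either.
    unrelated_public = Ed25519PrivateKey.generate().public_key()

    return {
        "original_valid": is_valid(public_key, contract, signature),
        "altered_valid": is_valid(public_key, altered, signature),
        "unrelated_key_valid": is_valid(unrelated_public, contract, signature),
    }


if __name__ == "__main__":
    for name, value in signature_demo().items():
        print(f"{name}: {value}")
```

Unlike the shared-key case, the recipient here holds nothing that would let it produce a valid signature itself, which is what makes the signature attributable to the private key's owner.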
The reliability of the digital signature is directly proportional to the degree of confidence one has in the link between the owner's identity and the digital certificate, how well the owner has protected the private key from compromise or loss, and the cryptographic strength of the methodology used to generate the public-private key pair. The cryptographic strength is affected by key length and by the characteristics of the algorithm used to encrypt the information.
The Nepalese cyber law recognizes asymmetric cryptography and hash function cryptography. The law also provides for an official called the controller, who has the authority to control all the mechanisms regarding digital signatures on behalf of the government. The major jobs assigned to the controller by the law are:
• Licensing and monitoring the authenticating mechanism
• Setting the standards of the digital signatures
• Setting the basic methods of electronic transactions
• Creating and updating the database of the data that the law has defined to be publicly known
Government agencies have to be well aware of the fast-changing technologies that may threaten transactional security. The traditional way of thinking and implementation may not work in this case, because computer technology is said to be the fastest emerging and changing technology in the world.