Sign On The Digital Line
Friday, October 1, 1999



“Sign on the dotted line, please.” We are all accustomed to hearing this phrase when purchasing a home, a car, or even groceries at the supermarket with a credit card. Whether a check is made out for ten dollars or for ten thousand dollars, it is worthless until it is signed. For hundreds of years, signatures have served as the glue that binds a person to a contract.
With all the hype about how e-commerce will revolutionize the world and put shopping malls out of business, not much attention has been given to how safe electronic transactions are. Today, many people are still afraid to enter their credit card numbers to purchase goods or services online, fearing that someone will intercept their credit card number over the Internet. This fear is understandable, as the transaction is signature-free - you cannot use a pen to sign an order form that appears on your screen. All you can do is click the mouse on the button that says, “Submit this order” - and anyone can do that, really. There’s no proof that you have pressed the button. If the credit card number and billing information are correct, the order will be fulfilled.
Most banks and Internet merchants will not hold you liable for a fraudulent transaction. However, with the increasing number and variety of electronic transactions, there needs to be a way to verify the identities of e-shoppers. The US Department of Commerce estimates that retail sales alone could reach $30 billion by next year; if even one percent of the retail Internet transactions are fraudulent, that amounts to $300 million in credit card theft.

Encryption
Several years ago, Netscape Communications incorporated a technology called Secure Sockets Layer (SSL) into its Navigator software. SSL allowed a user to communicate with a Web server by using encryption - encrypted information is scrambled in such a way that only the sender and receiver can decipher it. SSL allows companies to accept credit card numbers securely, and allows consumers to safely send information over the Internet. If you purchase anything from an Internet vendor or check your bank account information online, you will usually see a lock symbol displayed in your browser window - this indicates that your session is encrypted.
Encryption, however, doesn’t help once someone has intercepted your credit card number by conventional means (for example, by sifting through your trash) and uses it on the Internet.

Digital Certificates
If electronic commerce is to mature beyond buying simple goods and services online, there must be a method to verify an individual’s identity online. Digital certificates, part of an emerging technology known as Public Key Infrastructure (or PKI, for short), allow such verification to occur.
Issued by a certificate authority (CA), a digital certificate is an electronic object that contains information about you. By presenting this certificate on the Internet, you assure recipients that you are who you claim to be.
A good conventional analogy to a digital certificate is your passport. Your passport contains information about you and was issued to you by the government, whose authority everyone trusts. If you ever present your passport as identification, it will be accepted without question. To fully understand the implications of being a trusted authority, try to cash some traveler’s checks at the bank and use your video rental card as identification! The bank will likely refuse to cash the checks because it doesn’t trust the issuer of the ID you are presenting. With a passport, the bank has a much greater assurance of your identity.
An additional security feature associated with a digital certificate is a private key, which bears a mathematical relation to your digital certificate and is related to your public key, which is stored inside your digital certificate. It is your private key that allows you to digitally sign a transaction. Usually, your private key is stored on a smartcard or some other secure device that you can carry with you.

Digital Signatures
When you digitally sign a transaction, you use your private key along with the original message (for example, “Transfer $10,000 from savings to checking.”) and perform a mathematical operation. The result of this mathematical operation is a long string of letters and numbers that represent the digital signature. Someone receiving the original message along with the digital signature can perform a similar operation with your digital certificate (not your private key!) to verify that the message came from you. The mathematical theory behind digital signatures is beyond the scope of this article, but it works!
The fundamental requirement for digital signatures is that your private key must be kept a secret! If someone is able to obtain your private key, he or she can digitally sign documents on your behalf. On the other hand, your digital certificate can be freely distributed, because it is used to verify your digital signature on a document, not to actually sign the documents.
A digital certificate can be valid for any interval of time – one year, for example. The certificate can be used to digitally sign multiple transactions until it expires or is revoked by the CA. If expiration or revocation occurs, the customer will need to reapply for a digital certificate from the CA.
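The sign-and-verify round trip described above, as an added example that is not part of the original article: the private key signs the transfer message, the public key (the part a certificate carries) verifies it, and both a tampered message and a stranger's key are rejected. It uses Go's standard-library Ed25519 in place of the unspecified "mathematical operation"; the message text is the article's own example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Sign uses the holder's PRIVATE key to produce the signature, returned as
// the "long string of letters and numbers" the article describes.
func Sign(priv ed25519.PrivateKey, msg string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(msg)))
}

// Verify needs only the PUBLIC key, so anyone holding the certificate can
// check the signature without being able to forge one.
func Verify(pub ed25519.PublicKey, msg, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // malformed signature string
	}
	return ed25519.Verify(pub, []byte(msg), sig)
}

// Demo runs the article's scenario and reports whether the genuine message,
// a tampered copy, and a signature checked with the wrong key verify.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // customer's key pair
	if err != nil {
		return
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // some other customer
	if err != nil {
		return
	}
	msg := "Transfer $10,000 from savings to checking."
	sig := Sign(priv, msg)
	genuine = Verify(pub, msg, sig)
	// Altering even the amount after signing invalidates the signature.
	tampered = Verify(pub, "Transfer $100,000 from savings to checking.", sig)
	// The broker checking against the wrong certificate must also fail.
	wrongKey = Verify(otherPub, msg, sig)
	return
}

func main() {
	g, t, w, err := Demo()
	fmt.Println("genuine:", g, "tampered:", t, "wrong key:", w, "err:", err)
}
```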

Sign Online
Now that we have some understanding of digital signatures, let’s examine a couple of scenarios where their potential can be realized.
If you actively trade stocks using an online broker, you know the importance of your trading password. If someone ever obtained your trading password, they could easily damage your net worth. If you were able to digitally sign your trades, electronic trading would become much safer. For every trade you submit, your broker could verify your digital signature and reject the order if the signature was invalid. There is no password to be intercepted or overheard.
Additionally, when you perform a stock trade, your broker always sends you a paper confirmation of the trade. If you’re an active trader, it becomes difficult for you to maintain all of the paper records. With digital signatures, your broker could email you a digitally signed trade confirmation.
The US Congress has recently enacted legislation giving digital signatures the same legal weight as conventional signatures. This has caught the attention of companies such as E*Trade. “E*Trade customers will soon be able to move their accounts forward in a fraction of the time currently required to manually process forms and contracts,” Christos M. Cotsakos, E*Trade’s chairman and chief executive, said in a statement. “It’s ridiculous for an all-electronic brokerage such as E*Trade to hold its customers hostage to paper,” he said.
Today, there is already software that supports digital signing. Both Netscape Messenger and Microsoft Outlook allow you to digitally sign messages with your private key before sending them. They also allow you to verify someone else’s signature if you have a copy of their digital certificate on your computer.
Digital signatures have the potential to make Internet-based transactions more secure than typical paper transactions, since conventional signatures can be forged or a signed document altered. A conventional signature also typically looks the same for each and every document. If you carry your private key on a smartcard that gets stolen, the thief might be able to digitally sign documents on your behalf. However, a smartcard can be protected with a personal identification number (PIN), just as an ATM card is protected with a PIN. Without the PIN, the card is useless.

The future of electronic commerce is an exciting one. As companies continue to adopt digital signature technology, business and consumer transactions will become safer and more efficient. Soon, we will all be able to use the Internet to conduct many of our simplest transactions. With digital signatures, they will be safer than ever.

