E-Signature Strategies
Alan S. Kowlowitz
Strategic Policies,
Acquisitions and e-Commerce
NYS Office for Technology
Outline of Class
Overview of Electronic Signatures and
Records Act (ESRA)
Explanation of ESRA’s definition of an e-signature
Available approaches to electronic signing
Guidance on selecting an e-signature
approach
Records management implications of e-signed e-records
Overview of Electronic
Signatures and Records Act
(ESRA)
ESRA Chapter 4, Laws of 1999:
State Technology Law, Article 1
E-records and e-signatures given the same
legal validity as paper records and ink
signatures
OFT Electronic Facilitator overseeing
implementation
Use of e-signatures and records is voluntary
– Govt. must accept hard copies unless otherwise
provided by law
E-signatures and records can’t be used for:
– Negotiable instruments
– Instruments recordable under Art. 9 of the RPL
(e.g., deeds)
– Other instruments whose possession confers title
– Documents affecting life and death (Wills, Trusts,
Do-not-resuscitate orders, Powers of attorney,
Health care proxies)
ESRA Amended by Chapter 314
Laws of New York, 2002
Amends and expands the definition of
“electronic signature” to comport with the
federal E-Sign Law
– Authorizes the use of various e-signature
approaches in NYS
OFT retains its role as “electronic facilitator”
and regulator of e-signature/record
Adopted into law on August 6, 2002
Final regulations published in May 2003
Revised ESRA Guidelines in process
ESRA Definition of an E-signature
an electronic sound, symbol, or process,
attached to or logically associated with an
electronic record and executed or adopted by
a person with the intent to sign the record.
– Affords the greatest possible flexibility in selecting
an appropriate e-signature solution
– Sets some parameters on what constitutes an e-signature under ESRA
ESRA Definition of an E-signature
“[A]n electronic sound, symbol, or
process...”
– A wide range of “digital objects” may serve as an
e-signature
» Can be as simple as a set of keyboarded characters or as
sophisticated as an encrypted hash of an e-record’s
contents
– Allows a process to serve as an e-signature
» Recorded events of accessing a system are associated
with the content to be signed to create a record of the
signer’s actions and intent
ESRA Definition of an E-signature
“[A]ttached to or logically associated with
...”
– An e-signature is attached to or logically
associated with an e-record during transmission
and storage
» Can be part of the record or maintained separately but
associated to the record through a database, index,
embedded link or other means
» Link between e-record and e-signature must be created at
signing and maintained during any transmission
» Link must be retained as long as a signature is needed, which
may be the record’s full legal retention period
ESRA Definition of an E-signature
“[E]xecuted or adopted by a person with
intent to sign the record.”
– E-signature must express the same intent as a
handwritten one
– Must identify an individual who will convey intent
– Practices that may help avoid confusion:
» Allow the signer to review the record to be signed
» Inform the signer that a signature is being applied
» Format an e-record to contain accepted signature
elements
» Express signer’s intent in the record or a certification
» Require the signer to indicate assent affirmatively
» Record and retain date, time, and the signer intent
Example of a signature certification statement from the
Department of Tax and Finance International Fuel Tax
Agreement (IFTA) report (return) filing application.
Available Approaches to
Electronic Signing
E-signature Approaches
Most e-signature approaches involve a
number of technologies, credentials, and
processes
– More accurate to think of a range of approaches to
e-signing rather than an array of stand-alone
technologies
Approaches provide varying levels of security,
authentication, and record integrity
– Can combine techniques from various approaches
to increase the strength of the above-mentioned
attributes
Click Through or Click Wrap
Person affirms intent or agreement by clicking
a button
ID information collected, authentication
process (if any) and security procedures can
vary greatly
Commonly used for low risk, low value
consumer transactions
Personal Identification Number (PIN) or
Password (“shared secret”)
Person enters ID information, PIN and/or
password
System checks that the PIN and/or password
is associated with the person
Authentication is the first part of a process
that involves an affirmation of intent
If over the Internet, the PIN and/or password is encrypted in
transit, typically using Secure Sockets Layer (SSL) (today its
successor, TLS); the stored copy needs protection as well, e.g.
held as a salted hash rather than in clear text
Digitized Signature and Signature
Dynamics
Digitized Signature
– A graphical image of a handwritten signature often created
using a digital pen and pad
– The entered signature is compared with a stored copy; if the
images are comparable, the signature is valid
Signature Dynamics
– Variation on a digitized signature
– Each pen stroke is measured (e.g. duration, pen pressure,
size of loops, etc), creating a metric
– The metric is compared to a reference value created earlier,
thus authenticating the signer
Shared Private Key
Also known as “symmetric cryptography”
E-record is signed and verified using a single
cryptographic key
The key is shared between the sender and
recipient(s)
– Not really "private" to the sender: any holder of the key
can produce a valid signature, so the signature alone cannot
show which party created it (weak protection against repudiation)
The shared key can be made more secure by
incorporating other security techniques
– Smart cards or other hardware tokens in which the
key is stored
Public/Private Key
Digital Signatures
Also known as asymmetric cryptography
Key Pair: Two mathematically related keys
• One key is used to encrypt a message that can only
be decrypted using the other key
• It is computationally infeasible to derive one key from the other
– Private Key: Kept secret and used to create a digital
signature
– Public Key: Often made part of a “digital certificate” and
used to verify a digital signature by a receiving party
Often used within a Public Key Infrastructure (PKI)
– Certification Authority (CA) verifies an individual’s identity,
binds that identity to the individual’s public key in a certificate,
and issues and manages certificates; the corresponding private
key stays with the signer
Digital Signatures
Public/Private Key Cryptography
Signing: encrypt the message digest with the signer’s Private Key
Validating: decrypt the message digest with the signer’s Public Key
Figure (signing and validation flow between Bob and Alice):
– Bob runs the record (“Hi Alice / Sincerely, Bob”) through a hash
algorithm, producing a message digest (shown as 12345)
– Bob encrypts the digest with his private key, producing the digital
signature (shown as ##!FV), and sends the record, the signature
and his certificate to Alice
– Alice decrypts the signature with Bob’s public key (from his
certificate), recovering the digest 12345
– Alice independently runs the received record through the same
hash algorithm and obtains 12345
– The two digests are compared; if they are equal, the signature is
valid and the record has not been modified
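The signing and validation flow in the figure, together with the contrast to the shared-key approach from the earlier slide, as an added example in Go. This is not code from the original presentation or from the NYS Office for Technology. It uses the Go standard library’s ECDSA on curve P-256 in place of the “encrypt the digest” wording (ECDSA signs the SHA-256 digest rather than encrypting it; the role in the flow is the same), and shows that a modified record is rejected, that a second party (Alice) cannot produce a signature that validates under Bob’s public key, and that with a shared key (HMAC) the recipient can produce a tag indistinguishable from the sender’s. The record text and the shared secret are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is the e-record from the figure; the text is constructed for this example.
var Record = []byte("Hi Alice\nSincerely,\nBob")

// Digest is the "hash algorithm" step: a fixed-length digest of the record's contents.
func Digest(record []byte) []byte {
	h := sha256.Sum256(record)
	return h[:]
}

// SignRecord is the signer's step: the digest is signed with the private key.
func SignRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, Digest(record))
}

// VerifyRecord is the receiving party's step: recompute the digest from the record
// actually received and check it against the signature using the signer's public key.
func VerifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, Digest(record), sig)
}

// SharedKeyTag is the "shared private key" approach: an HMAC over the record using a
// key that both sender and recipient hold.
func SharedKeyTag(key, record []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(record)
	return m.Sum(nil)
}

// SharedKeyVerify checks an HMAC tag in constant time.
func SharedKeyVerify(key, record, tag []byte) bool {
	return hmac.Equal(SharedKeyTag(key, record), tag)
}

// Result summarises the checks so they can be asserted on.
type Result struct {
	SignatureValid   bool // Bob's signature validates under Bob's public key
	TamperRejected   bool // the same signature fails once the record is altered
	AliceCanForgeSig bool // Alice's own key cannot make a signature that validates as Bob's
	AliceCanForgeTag bool // with a shared key, Alice's tag is indistinguishable from Bob's
}

// Demo runs the flow from the figure and the shared-key contrast.
func Demo() (Result, error) {
	var r Result
	bob, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	alice, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}

	// Bob signs; Alice validates with Bob's public key (the one in his certificate).
	sig, err := SignRecord(bob, Record)
	if err != nil {
		return r, err
	}
	r.SignatureValid = VerifyRecord(&bob.PublicKey, Record, sig)

	// Any change to the record changes the digest, so the signature no longer validates.
	tampered := append([]byte(nil), Record...)
	tampered = append(tampered, []byte("\nP.S. Please send $500.")...)
	r.TamperRejected = !VerifyRecord(&bob.PublicKey, tampered, sig)

	// Alice holds only Bob's public key; a signature made with her own private key
	// does not validate as Bob's, so Bob cannot be bound to a record he never signed.
	aliceSig, err := SignRecord(alice, tampered)
	if err != nil {
		return r, err
	}
	r.AliceCanForgeSig = VerifyRecord(&bob.PublicKey, tampered, aliceSig)

	// Shared key: the tag Alice computes is exactly the tag Bob would have computed,
	// so a valid tag cannot show which of them produced it.
	shared := []byte("constructed-shared-secret-for-the-example")
	r.AliceCanForgeTag = SharedKeyVerify(shared, tampered, SharedKeyTag(shared, tampered))
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The HMAC half is what the slide calls a “shared private key”: it does give record integrity between the two key holders, but because the recipient can compute the same tag, it cannot by itself settle a later dispute over who signed.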
Biometrics
Person’s unique physical characteristics are measured
and converted into digital form or profile
– Voice patterns, fingerprints, and the blood vessel patterns
present on the retina
Measurements are compared to a stored profile of
the given biometric
If the measurements and stored profile match, the
software will accept the authentication
Can provide a high level of authentication
Smart Card
Not a separate e-signature approach in itself
– It can facilitate various e-signature approaches
A plastic card containing an embedded chip
– Can generate, store, and/or process data
Data from the card's chip is read by software
– After a PIN, password or biometric identifier is
entered
More secure than a PIN alone
– Both physical possession of the smart card and
knowledge of the PIN are necessary
Can be used to overcome concerns with
shared secret approach to e-signature
Additional Factors
Each general approach to e-signing (e.g.
PINs and passwords vs. digital signatures)
varies in terms of:
– Identifying the signer
– Attributing a signature
– Securing the integrity of both the record and the
signature
The additional factors described below can each increase
security and reduce risk
– Often independent of the technology selected
Signer identification or registration
Method or process used to identify and
authorize a signer to use an e-signature
– Independent of the e-signature or e-record
technology
– Critical component of any e-signature
solution
– The stronger the identification method the
more assurance that the appropriate
person signed
Signer identification or registration
Methods
Self-identification as part of the signing process
Comparison of user supplied information with a
trusted data source
Acceptance of a previously conducted and trusted
process where individuals personally presented
themselves and proof of identities
Separate identification process to authorize the use
of an e-signature where individuals personally
present themselves and proof of identities
Signer Authentication
Policy, process and procedures used to
authenticate the signer
Establish a link or association between the
signer and the information and method used
to sign
The strength of the authentication system can
protect against fraud and repudiation
Signer Authentication
Methods
Something that only the individual knows: A
secret (e.g., password or Personal Identification
Number (PIN))
Something the individual possesses: A token (e.g.,
ATM card, cryptographic key or smart card)
Something the individual is: A biometric (e.g.,
characteristics such as a voice pattern or fingerprint)
Two-factor authentication: combines two of the above,
often including a hardware device such as a smart card
Signature attests to the record’s
integrity
E-signature approaches provide varying levels of
protection against unauthorized access or tampering
with the signed e-record
– Systems that manage signed e-records can provide
protection if they have controls
– Controls may be needed to ensure that the integrity of the
signed e-record is not compromised during transmission
– Added security is provided by approaches in which signature
validation ensures that the e-record has not been modified
» Digital signatures
Selecting an E-signature
Approach
A business decision
not just a technical one
Is an e-signature needed or
desirable?
Review requirements and risks
– Creating and maintaining signed e-records may
require more resources than unsigned ones
Consider the following questions:
– Is there a legal requirement for a signature?
» Statute of Frauds requires certain contracts to be signed
» Specific laws and regulations require signatures
– Is there a business need for a signature?
» Document that the signer attested to information’s
accuracy, agreed to conditions, and/or reviewed contents
» Higher risk transactions may need the protection against
fraud or repudiation provided by e-signatures
Business Analysis and Risk
Assessment
ESRA regs § 540.4 (c) require govt. entities to
conduct and document a business analysis and risk
assessment:
– identifying and evaluating various factors relevant to the
selection of an electronic signature for use or acceptance in
an electronic transaction. Such factors include, but are not
limited to, relationships between parties to an electronic
transaction, value of the transaction, risk of intrusion, risk of
repudiation of an electronic signature, risk of fraud,
functionality and convenience, business necessity and the
cost of employing a particular electronic signature process.
Business Analysis and Risk
Assessment
Purpose:
– To identify and evaluate factors relevant to
selecting an e-signature approach
– Does not prescribe a method or set a standard
– Protects interest in the use of sound technology
and practices when transacting business
electronically
Business analysis and risk assessment
are two parts of an integrated process
Business Analysis
Possible components
– Overview of the business process
– Analysis of legal and regulatory requirements
– Identification of standards or accepted practices
– Analysis of those who will use e-signature
– Determination of interoperability requirements
– Determination of costs of alternatives
Business Analysis
Overview of business process and
transaction
Purpose and origins
Transaction’s place within the larger business
process
Services to be delivered and their value
Parties to the transaction and other
stakeholders
Transaction’s workflow
Business Analysis
Analysis of legal and regulatory
requirements
How the transaction must be conducted
Signature requirements
– Are they specifically required, what records need to be
signed, who must or can sign, do they need to be notarized
Records related requirements
– What records must be produced
– How long they need to be retained
– Who must or can have access to the records
– Specific formats prescribed for the creation, filing or retention
– Confidentiality requirements
Importance of the parties’ identities to the transaction
Business Analysis
Identification of standards or accepted practices on
how e-transactions are conducted and e-signed
– May be key factor in selecting a solution
Analysis of parties to e-signed transaction
– Numbers
– Location
– Demographic characteristics
– Access to technology
– Accessibility requirements
– Prior business relationships
Business Analysis
Interoperability requirements
Compatibility with an existing technology
environment
Interoperability or consistency with
approaches used by partners
– Governmental or private
Leveraging an existing and proven solution
Business Analysis
Cost of alternative approaches
Hardware and software purchases
Implementing additional policies and
procedures
Personnel to implement policies,
procedures, or services
Training costs
Maintenance costs including help desk
and user support
Risk Assessment
E-signatures may serve a security function
– They usually include signer authentication
– Some approaches provide message
authentication and repudiation protection
Selection of an e-signature solution includes
identifying
– Potential risks involved in a signed e-transaction
– How e-signature approaches can address those
risks
Risk Assessment
Risk is the likelihood that a threat will exploit a
vulnerability, and have an adverse impact
– Threat is a potential circumstance, entity or event capable of
exploiting vulnerability and causing harm
– Vulnerability is a weakness that can be accidentally
triggered or intentionally exploited
– Impact refers to the magnitude of harm that could be caused
by a threat
– Likelihood is the probability that a threat will actually materialize
To assess risks an entity should identify and analyze
each of the above
Risk Assessment
Sources of threat
– Parties to the transaction
– Governmental entity staff
– Malicious third parties such as hackers or
crackers
Risk Assessment
Vulnerabilities
Repudiation
– Possibility that a party to a transaction denies that
it ever took place
Fraud
– Knowing misrepresentation of the truth or
concealment of facts to induce another to act to
his or her detriment
Intrusion
– Possibility that a third party intercepts or interferes
with a transaction
Loss of access to records
– For business and legal purposes
Risk Assessment
Potential Impacts
Financial
– Average dollar value of transactions
– Direct loss to the governmental entity, citizen or other entity
– Liability for the transaction
Reputation and credibility
– Relationship with the other involved party
– Public visibility and perception of programs
– History or patterns of problems or abuses
– Consequences of a breach or improper transaction
Productivity
– Time criticality of transactions
– Number of transactions, system users, or dependents
– Backup and recovery procedures
– Claims and dispute resolution procedures
Risk Assessment
Likelihood
Motivation and capability of threat
Nature of the vulnerability
Existence and effectiveness of controls
A threat is highly likely where:
– Its source is highly motivated and capable
– Controls are ineffective
Risk Assessment
Risk Matrix (figure): High Risk = 11-16, Medium Risk = 8-10,
Low Risk = 4-7, Negligible Risk = 1-3
Select an E-signature Solution
Balance business concerns (e.g., user
acceptance and ease of deployment) with risk
reduction
Identify overriding concerns
– An overriding factor might be compatibility with an
existing standard or solution
– Cost may be an overriding factor where risk is low
Cost-Benefit Analysis
Can help entities decide on how to allocate resources
and implement a cost-effective e-signature solution
– Used to evaluate feasibility and effectiveness for each
proposed solution to determine which are appropriate
– Can be qualitative or quantitative
– Demonstrates that a solution’s cost is justified by reducing
risk
Cost-benefit analysis can encompass the following
– Determining the impact of implementing the solution
– Determining the impact of not implementing it
– Estimating the costs of the implementation
– Assessing costs and benefits against system and data
criticality
Documenting a Business Analysis and
Risk Assessment
ESRA regulation requires that the BA and RA be documented
– How, or in what detail is up to the governmental entity
Minimum documentation should cover
– Process used including factors mentioned in the ESRA
regulation
– Result and decision reached including justification
The resulting documentation should be
– Accurate and readily available
– Clear and understandable to an outside audience
– Retained as long as the e-signature solution is used
Signed E-records Management
Issues
Same issues as with unsigned e-records
– Focus is on the system and businesses processes
that produce the e-record
Preserving links between e-signed e-record’s
components is critical
– Components provide evidence to support the
reliability and authenticity of the signed e-record
– May actually constitute the e-signature itself
Signed E-records Management
Issues
Key challenges faced in maintaining e-signed e-records
– Determining what needs to be retained to
constitute a valid signed e-record
– Preserving the association between the
signed e-record’s various components over
time
Determining what needs to be retained
Cannot predict what the courts will require
– Difficult to determine what information will be needed
BA/RA used to select approach can help determine
what needs to constitute the signed e-record
E-signature method will partially determine what will
be retained
– Digital object: Maintain the ability to revalidate e-signatures
– Signature process: Maintain adequate documentation of the
e-signature’s validity
Determining what needs to be retained
Digital object (encrypted hash, digitized signature,
signature dynamic, other biometric)
– Evidence that the e-signature was electronically validated
– Functionality and records needed to revalidate
– Vary according to the technology or approach used
» Digital signature: public key of the presumed signer
decrypted the message digest/hash and the hashes
matched
» Biometric: biometric profile of the signature matched the
stored profile
Determining what needs to be retained
Signature is a process (PIN, password,
click wrap)
– Signature does not exist as a discrete
object and can’t be revalidated
– Adequate documentation that the e-signature was valid when it was created
must be retained
– No court decisions on the validity of an e-signature
» Can’t predict what the courts will require
Determining what needs to be retained
Regardless of e-signature approach, entities
should minimally retain documentation of the:
– Signer’s identity
– Process used to identify and authenticate the
person
– Date and time an individual was authenticated
– Signer’s intent
– Date and time that the signing process was
completed
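The minimal retained documentation listed above, as an added Go example that is not code from the original presentation: a signing event for a process-based e-signature (PIN, password or click-through) that stores each listed element together with a SHA-256 digest of the record as the signer saw it, so the association between the record and its signature survives as a database or index entry, plus a check run later that reports which element is missing or whether the record on file no longer matches what was signed. The struct, its field names, and the sample values are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// SigningEvent is the documentation retained for a process-based e-signature.
// The fields follow the minimum list on the slide; the struct itself is assumed.
type SigningEvent struct {
	RecordID      string    // index entry that associates the event with the e-record
	ContentDigest string    // hex SHA-256 of the record as shown to the signer
	SignerID      string    // signer's identity
	IDProcess     string    // process used to identify (register) the person
	AuthMethod    string    // process used to authenticate the person at signing
	AuthTime      time.Time // date and time the individual was authenticated
	Intent        string    // certification statement the signer affirmed
	CompletedTime time.Time // date and time the signing process was completed
}

// DigestHex is the value that ties an event to the exact record content.
func DigestHex(record []byte) string {
	sum := sha256.Sum256(record)
	return hex.EncodeToString(sum[:])
}

// RecordSigning builds the event at the moment the signer affirmatively assents.
func RecordSigning(recordID string, record []byte, signerID, idProcess, authMethod string,
	authTime time.Time, intent string, completed time.Time) SigningEvent {
	return SigningEvent{
		RecordID: recordID, ContentDigest: DigestHex(record), SignerID: signerID,
		IDProcess: idProcess, AuthMethod: authMethod, AuthTime: authTime,
		Intent: intent, CompletedTime: completed,
	}
}

// CheckRetained is run later (at migration, or when the signature is questioned).
// A process signature cannot be cryptographically revalidated, so the check is that
// every required element is present, the times are consistent, and the record now on
// file is byte-for-byte what the signer saw. It returns the problems found, none if valid.
func CheckRetained(ev SigningEvent, record []byte) []string {
	var problems []string
	for _, f := range []struct{ name, value string }{
		{"record association", ev.RecordID},
		{"signer identity", ev.SignerID},
		{"identification process", ev.IDProcess},
		{"authentication method", ev.AuthMethod},
		{"signer intent", ev.Intent},
	} {
		if strings.TrimSpace(f.value) == "" {
			problems = append(problems, f.name+" missing")
		}
	}
	if ev.AuthTime.IsZero() || ev.CompletedTime.IsZero() {
		problems = append(problems, "authentication or completion time missing")
	} else if ev.CompletedTime.Before(ev.AuthTime) {
		problems = append(problems, "signing completed before the signer was authenticated")
	}
	if DigestHex(record) != ev.ContentDigest {
		problems = append(problems, "record content differs from what was signed")
	}
	return problems
}

func main() {
	// Constructed sample: a tax return filed with a PIN, then altered after signing.
	record := []byte("IFTA return, period 2003-Q1, total tax due $1,234.00")
	auth := time.Date(2003, 5, 1, 9, 0, 0, 0, time.UTC)
	ev := RecordSigning("IFTA-2003Q1-000123", record, "signer-42",
		"prior in-person registration", "PIN over TLS", auth,
		"I certify that this return is true, correct and complete.", auth.Add(2*time.Minute))
	fmt.Println("as signed:", CheckRetained(ev, record))
	fmt.Println("altered:  ", CheckRetained(ev, []byte("IFTA return, period 2003-Q1, total tax due $1.00")))
}
```

Storing only the digest, rather than a second copy of the record, keeps the event small while still making any later change to the filed record detectable; the digest must be computed over the exact bytes presented to the signer, not a re-rendered version.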
Preserving the association between a signed
record’s various components
Systems can manage signed e-records’ components
– Must be accounted for when systems are planned
E-records with long retention periods may need to be
migrated to a new system or stored offline
– Need to preserve the association of their various
components
– Should be planned and well documented
– Conducted in the normal course of business
– Ensure the records’ authenticity, integrity, and reliability
E-signature Strategies
Questions and Concerns
NYS Office for Technology
Strategic Policies, Acquisitions and e-Commerce
518-473-0224
[email protected]
http://www.oft.state.ny.us/esra/esra.htm