Digital Signatures

A Brief Overview by Tim Sigmon August, 2000

Digital Signatures

 Legal concept of “signature” is very broad – any mark made with the intention of authenticating the marked document  Digital signatures are one of many types of

electronic signatures

 Example electronic signatures – loginid/password, PIN, card/PIN – digitized images of paper signatures – digitally captured signatures (UPS, Sears, etc.) – typed notations, e.g., “/s/ John Smith” – email headers

Digital Signatures (cont’d)

 “digital signature” means the result of using specific cryptographic processes  Digital signatures operate within a framework of hardware, software, policies, people, and processes called a Public Key Infrastructure (PKI)  Note: PKI also supports other security requirements; in particular,

confidentiality,

both during transmission (e.g., SSL) and for storage

Public Key Cryptography

 First, “secret key” or symmetric cryptography – same key used for encryption and decryption – orders of magnitude faster than public key cryptography  Public key technology solves the key exchange problem (no shared secrets!)  Public key and private key that are mathematically linked  Private key not deducible from public key  Confidentiality: one key encrypts, other decrypts  Digital signature: one key signs, other validates

Digital Signature example

Signed Email example

 (show example of sending/receiving digitally signed email using Netscape Messenger)  (uses S/MIME)

Problem: relying party needs to verify a digital signature

 To do this, must have an assured copy of the signer’s public key – signer’s identity must be assured – integrity of public key must be assured  Potential options for obtaining public keys – signer personally gives their public key to relying party – relying party obtains the desired public key by other “out of band” means that they trust, e.g., transitive relationships, signing parties, etc.

 But, what about strangers? what about integrity of the public key?

Public Key (or Digital) Certificates

 Purpose: validate both the integrity of a public key and the identity of the owner  How: bind identifying attributes to a public key (and therefore to the keyholder of the corresponding private key)  Binding is done (i.e., digitally signed) by a trusted third party (Certification Authority)  It is this third party's credibility that provides "trust"

X.509 v3 Certificates

 Subject’s/owner’s identifying info (e.g., name)  Subject’s/owner’s public key  Validity dates (not before, not after)  Serial number  Level of assurance  Certification Authority’s name and signature  Extensions

Example Certs

 (this is where I show and describe the contents of the actual certificates that were used to verify a digitally signed email message)

Distribution of Certificates

 since certs carry public info and are integrity protected, they can be distributed and shared by any and all means, e.g., – distribute via floppies or other removable media – publish on web sites – distribute via email (e.g., S/MIME) – directory lookups (e.g., LDAP, X.500)  distribution via directories is the ultimate solution  however, many important applications and uses of digital signatures can be implemented without the implementation or use of sophisticated directories

Trust and Certification Paths

 Relying party needs an assured copy of the issuing CA’s PK in order to validate a certificate containing the signer’s PK  In general, a chain of multiple certificates that ends at a trusted root may be needed  How to organize the CA’s?

– single top-down hierarchy (yikes!) – multiple hierarchies (Netscape/Microsoft disservice) – cross certifications (e.g., Federal BCA, Virginia’s BCA)  Revocation and CRLs (certificate revocation lists)

Where are we now?

 Technologies are still evolving but are very usable  Policies and legal standing exist but still developing (need case law) – Code of Virginia, Federal law – Uniform Electronic Transctions Act  Browsers/email already contain a lot of capability  Particular uses widely taking place, e.g., SSL  Some universities making more use, e.g., MIT  Federal government taking a leadership role  ITC/UVa project for deployment

DS efforts in Virginia

 Digital Signature Initiative (COTS workgroup) formed to pursue

pilot

deployments  UVa led development of a bridge certification architecture (modeled after federal bridge)  Pilot project sponsors – VIPNet, DIT, DGIF – DMV, DOT, DGS – Counties of Chesterfield, Fairfax, Wise – Cities of Norfolk, Charlottesville  http://www.sotech.state.va.us/cots – Virginia’s Council on Technology Services

Portals at UVa

A Status Report by Tim Sigmon August, 2000

Portal Definition

 problem: every person/group has a different definition  working definition: deliver information and services in an integrated, customized, and personalized manner  elements that we include: – authenticated access – customization - system presents info that is peculiar to the specific user – personalization - user controls certain aspects – break down organizational views/barriers

Background and Players

 discussions among ITC, Univ. Relations, Student Council, Student Affairs, ....

 JA-SIG conference and uPortal evaluation  development of “e-volving University” proposal  Reynolds and Sweeney presentation to Senior Cabinet  team is led by Nancy Tramontin and Debbie Mills

First Phase

 deliver first version of student portal by Jan., 2001  will not use uPortal (nor any other portal framework)  desired functionality – authenticated access (using existing passwords) – brief email stats and web-based email access – calendar that includes student events (not personal, yet) – course links – personal links (i.e., bookmarks) – personal reminders (?) – news, announcements, weather – important “fixed” links