Electronic Signatures Encryption Abu Dhabi Chamber of

Electronic Signatures & Encryption Abu Dhabi Chamber of Commerce and Industry February 20/21, 2001 John D. Gregory Ministry of the Attorney General (Ontario, Canada) E-Signatures & Encryption February 2001 1

Encryption z. What is encryption? z. What is encryption for? y. Confidentiality y. Signature y. Integrity of text z. Applicable law z. Legal advantages of encryption ypresumption of attribution ypresumption of integrity E-Signatures & Encryption February 2001 2

What is encryption? z Encryption is the transformation of text by a known process that permits the recreation of the original text by someone able to use the process. z Cryptography is the science or method of creating encryption z Algorithm is the mathematics of the encryption process z Key is the way of making the algorithm work with a particular text or for a particular person E-Signatures & Encryption February 2001 3

What is encryption? z. Secret key / single key / shared key cryptography ythe same key is used to encrypt and to decrypt the text ytraditional method of encryption yproblems of key distribution, especially if multiple users, expiring keys E-Signatures & Encryption February 2001 4

What is encryption? z. Public key / dual key / asymmetric cryptography y. Two mathematically-related keys (key pair) y. Text is encrypted with one key and decrypted only with the other key y. Knowing one key does not allow calculation of the other key y. One key is kept secret (private key), the other is available to anyone (public key) E-Signatures & Encryption February 2001 5

What is encryption? z. Public key infrastructure (PKI) yis ensemble of hardware, software, contracts and administrative practices designed to identify the holder of a valid key pair yfeatures (a) Certification Authority (CA) that follows published procedures and policy and: xissues keys (in some versions) xissues certificates about the holder of the key pair xmay perform or outsource other functions xmust be trusted by people relying on encryption E-Signatures & Encryption February 2001 6

What is encryption? z. Public Key Infrastructure (2) y. Other functions of a PKI: x. Registration authority - identifies keyholders x. Directory of keyholders x. Revocation and suspension - control lists x. Time-stamping y. The main participants of a PKI: x. Certification Authority / (admin functions) x. Keyholder / subscriber / holder of signing device/ “signatory” x. Person who wishes to rely on encryption (RP) E-Signatures & Encryption February 2001 7

What is encryption for? z. Confidentiality: y. Single key cryptography xonly the holder of key (but any holder) can read message encrypted by that key y. Dual key cryptography xonly holder of one key can read message encrypted by the other key xencrypt with public key, only holder of private key can read message - so secret except to the holder xuse certificate to confirm holder of private key E-Signatures & Encryption February 2001 8

What is encryption for? z. Signature: y. Single key cryptography xanyone who holds the key may be source of message y. Dual key cryptography (digital signature) xsign with private key, open with public key xonly holder of private key can be source xso long as key is private, source is reliable xuse certificate to identify source (= signer+-) E-Signatures & Encryption February 2001 9

What is encryption for? z. Integrity of text: ysingle key cryptography: no traditional role ydual key cryptography xhash text with agreed one-way hash function to create message digest (mathematical function) xencrypt digest with private key (= the signature) xtransmit plaintext and encrypted digest xrecipient hashes text, decrypts received digest xif digests match, text has not been altered E-Signatures & Encryption February 2001 10

What is encryption for? z. Issues for a PKI y. Policy Management Authority (PMA) xgovernance issues are not easy y. Identity certificates and role certificates xprivacy considerations, technical challenges y. Signature keys and confidentiality keys xkey recovery policies and practices y. Cross-certification, cross-recognition xstandards of interoperability E-Signatures & Encryption February 2001 11

Applicable law z. UNCITRAL Model Law and variants z. Authorizes use of electronic signatures yintention to sign ylink with signed document z. Authorizes use of electronic originals yintegrity must be shown z. No law prevents confidentiality (Canada) ysome obligation to preserve confidentiality ysome obligation to give access to records E-Signatures & Encryption February 2001 12

Applicable law z. Some laws on encrypted e-signatures y. Utah (1995) - the pioneer - regulated system y. Singapore (1998) optional but regulated y. Illinois (1998) optional and accredited y. EU (2000) standards-based, party autonomy y. Canada - Bill C-6 - for some functions z. NOT in: y. UNCITRAL ML on E-Signatures y. Uniform Electronic Transactions Act (US) y. Uniform Electronic Commerce Act (Canada) E-Signatures & Encryption February 2001 13

Legal effects of encryption z Presumption of attribution y. Who signed the document? y. Presumption is rebuttable - how easily? y. Consequences of rebuttal - negligence? y. EU - only “equivalent to handwritten” status z Presumption of integrity y. Clear technical basis for this presumption y. Almost irrebuttable in practice y. Debate: is this necessary for a good signature? Or is it an added benefit only? E-Signatures & Encryption February 2001 14

Legal effects of encryption z. Issue: technical reliability xhow trustworthy is the system? xwhat registration procedures? x. What management of keys by keyholders? z. Issue: variants in implementation xrole of CA may vary xcontent of certificate may vary xcommercial use of certificates may vary z. Issue: knowledge of legal standards xsome users may misjudge duties, effects z. Issue: fairness xpossible liability without avoidable fault E-Signatures & Encryption February 2001 15

Legal effects of encryption z Sources on encrypted signatures and law z http: //www. pkilaw. com z http: //www. state. ma. us/itd/legal/pki. htm z http: //www. ilpf. org/ y. Especially http: //www. ilpf. org/digsig/analysis_IEDSII. htm z Canadian federal government PKI: z http: //www. cio-dpi. gc. ca/pki-icp/index_e. asp E-Signatures & Encryption February 2001 16