Ask the Expert

Authentication controls for systems using e-signatures

Can you recommend any authentication controls surrounding systems using e-signatures? The type of system we would prefer would be one that relies on user identification through password/login control.

    Requires Free Membership to View

The security of an e-signature, or digital signature, depends on how secure the underlying encryption method used to create it was.

Digital signatures have two requirements. They need to be created by the sender and verified by the receiver. They are created using the private key of a public key pair, also called an asymmetric encryption system. Asymmetric encryption uses two keys -- one public and one private -- that are mathematically related but can't be derived from each other. The private key is secret, meaning kept by the user, while the public key is freely available to anyone. It could be on a public server, or stored on a public key infrastructure (PKI).

To create an e-signature, the sender uses their private key to encrypt the message. The receiver then uses the sender's public key to decrypt the message and verifies that it matches the sent message. Since each sender has its own unique private key, this system proves the message was sent by that sender.

It sounds like you are trying to protect the sender's private key, which can be vulnerable depending on where it's stored. If it's on a user's laptop, and that laptop is lost or stolen, the key could be compromised. To protect your e-signature systems, use two authentication controls. You can use any standard user ID and password scheme to protect the device holding the private key. A malicious user who stole the laptop, or accessed the desktop, with the private key would have to have the user ID and password to log on.

This was first published in March 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: