Digital signatures have two requirements. They need to be created by the sender and verified by the receiver. They...
are created using the private key of a public key pair, also called an asymmetric encryption system. Asymmetric encryption uses two keys -- one public and one private -- that are mathematically related but can't be derived from each other. The private key is secret, meaning kept by the user, while the public key is freely available to anyone. It could be on a public server, or stored on a public key infrastructure (PKI).
To create an e-signature, the sender uses their private key to encrypt the message. The receiver then uses the sender's public key to decrypt the message and verifies that it matches the sent message. Since each sender has its own unique private key, this system proves the message was sent by that sender.
It sounds like you are trying to protect the sender's private key, which can be vulnerable depending on where it's stored. If it's on a user's laptop, and that laptop is lost or stolen, the key could be compromised. To protect your e-signature systems, use two authentication controls. You can use any standard user ID and password scheme to protect the device holding the private key. A malicious user who stole the laptop, or accessed the desktop, with the private key would have to have the user ID and password to log on.
Related Q&A from Joel Dubin, past SearchSecurity.com expert
The security of RFID chips and smart cards may not be fully mature, but there are best practices to keep facilities safe. Identity and access ...continue reading
Picture passwords for mobile device security aren't a new idea, but they have been recently improved. Identity and access management expert Joel ...continue reading
Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.