Digital signatures have two requirements. They need to be created by the sender and verified by the receiver. They...
are created using the private key of a public key pair, also called an asymmetric encryption system. Asymmetric encryption uses two keys -- one public and one private -- that are mathematically related but can't be derived from each other. The private key is secret, meaning kept by the user, while the public key is freely available to anyone. It could be on a public server, or stored on a public key infrastructure (PKI).
To create an e-signature, the sender uses their private key to encrypt the message. The receiver then uses the sender's public key to decrypt the message and verifies that it matches the sent message. Since each sender has its own unique private key, this system proves the message was sent by that sender.
It sounds like you are trying to protect the sender's private key, which can be vulnerable depending on where it's stored. If it's on a user's laptop, and that laptop is lost or stolen, the key could be compromised. To protect your e-signature systems, use two authentication controls. You can use any standard user ID and password scheme to protect the device holding the private key. A malicious user who stole the laptop, or accessed the desktop, with the private key would have to have the user ID and password to log on.
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ...continue reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ...continue reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.