
Authentication controls for systems using e-signatures

In this Ask the Expert Q&A, Joel Dubin, our identity and access management expert examines various authentication controls for systems using e-signatures, and weighs the pros and cons of each.

Can you recommend any authentication controls surrounding systems using e-signatures? The type of system we would prefer would be one that relies on user identification through password/login control.

The security of an e-signature, or digital signature, depends on how secure the underlying encryption method used to create it is.

Digital signatures have two requirements. They need to be created by the sender and verified by the receiver. They are created using the private key of a public key pair, also called an asymmetric encryption system. Asymmetric encryption uses two keys -- one public and one private -- that are mathematically related but can't be derived from each other. The private key is kept secret by the user, while the public key is freely available to anyone. It could be on a public server, or published through a public key infrastructure (PKI).

To create an e-signature, the sender uses their private key to encrypt the message. The receiver then uses the sender's public key to decrypt the message and verifies that it matches the sent message. Since each sender has their own unique private key, this system proves the message was sent by that sender.
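As an added illustration, not part of the original answer, the following Go program walks through the create-and-verify cycle just described using RSA and SHA-256 from Go's standard library. Practical signature schemes sign a hash of the message rather than the raw message, which is what this code does. The key size, the sample message and the names (`Signer`, `Verify`) are assumptions made for the example; the last two checks show that a tampered message or a mismatched public key fails verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer holds the sender's RSA key pair. The private key never leaves the
// sender; only PublicKey() is handed to verifiers.
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates a fresh key pair (2048 bits is an assumed, reasonable minimum).
func NewSigner(bits int) (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// PublicKey returns the half of the pair that may be published freely.
func (s *Signer) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign hashes the message with SHA-256 and signs the digest with the private
// key (RSASSA-PKCS1-v1_5). Only the holder of the private key can produce this.
func (s *Signer) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest and checks the signature with the sender's
// public key. It returns false for a tampered message, a corrupted signature,
// or a public key that does not belong to the signer.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	alice, err := NewSigner(2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("Transfer 100 units to account 42") // constructed sample message
	sig, err := alice.Sign(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", Verify(alice.PublicKey(), msg, sig))

	tampered := []byte("Transfer 900 units to account 42")
	fmt.Println("tampered message verifies:", Verify(alice.PublicKey(), tampered, sig))

	other, _ := NewSigner(2048) // a different sender's key pair
	fmt.Println("verifies under another sender's key:", Verify(other.PublicKey(), msg, sig))
}
```

The receiver only ever needs the public key, so distributing it through a PKI or a public server (as the answer notes) does not weaken the scheme; everything hinges on the private key staying private.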

It sounds like you are trying to protect the sender's private key, which can be vulnerable depending on where it's stored. If it's on a user's laptop, and that laptop is lost or stolen, the key could be compromised. To protect your e-signature systems, use two authentication controls. You can use any standard user ID and password scheme to protect the device holding the private key. A malicious user who stole the laptop, or accessed the desktop, with the private key would need the user ID and password to log on.
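The answer's worry is the private key sitting on a laptop. Beyond the OS login it recommends, a common additional layer, which goes a step beyond what the answer spells out, is to keep the key file itself encrypted under a passphrase, so that a stolen disk yields only ciphertext. This added Go example (not from the original page) seals an RSA private key with AES-256-GCM under a key derived from the passphrase with PBKDF2-HMAC-SHA256; the iteration count, salt length, blob layout and passphrase are assumptions chosen for the demonstration. A wrong passphrase or any edit to the sealed blob fails the authentication tag check and returns no key material.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16     // random salt stored in front of the sealed key (assumed)
	kdfRounds  = 600000 // PBKDF2 iterations (assumed); slows offline passphrase guessing
	derivedLen = 32     // AES-256 key length
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out here so the
// example depends only on the standard library.
func pbkdf2SHA256(pass, salt []byte, rounds, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	mac := hmac.New(sha256.New, pass)
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)               // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_rounds
		for i := 1; i < rounds; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM derives the AES key from the passphrase and salt and returns the AEAD.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfRounds, derivedLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// SealPrivateKey serializes the key (PKCS#1 DER) and encrypts it.
// Result layout (assumed): salt || nonce || ciphertext+tag.
func SealPrivateKey(priv *rsa.PrivateKey, passphrase string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, x509.MarshalPKCS1PrivateKey(priv), salt) // salt bound as AAD
	return append(append(salt, nonce...), sealed...), nil
}

// OpenPrivateKey reverses SealPrivateKey; it fails closed on a wrong passphrase
// or a modified blob because GCM rejects the authentication tag.
func OpenPrivateKey(blob []byte, passphrase string) (*rsa.PrivateKey, error) {
	if len(blob) < saltLen {
		return nil, errors.New("sealed key too short")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < saltLen+ns+gcm.Overhead() {
		return nil, errors.New("sealed key too short")
	}
	der, err := gcm.Open(nil, blob[saltLen:saltLen+ns], blob[saltLen+ns:], salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or corrupted key file")
	}
	return x509.ParsePKCS1PrivateKey(der)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	blob, err := SealPrivateKey(priv, "correct horse battery staple") // constructed passphrase
	if err != nil {
		panic(err)
	}
	got, err := OpenPrivateKey(blob, "correct horse battery staple")
	fmt.Println("right passphrase recovers key:", err == nil && got.Equal(priv))
	_, err = OpenPrivateKey(blob, "wrong passphrase")
	fmt.Println("wrong passphrase rejected:", err != nil)
}
```

Used together with the OS login, this gives the two layers the answer is after: an attacker with the laptop must get past the login and then still guess the key passphrase, with each guess costing a full PBKDF2 derivation.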

This was last published in March 2006
