What apps are out there to help you?

Digital signatures are unique identifiers, GSA's Richard Guida says.

By Patricia Daukantas

GCN Staff

What's an electronic signature, and how do you make one? It depends.

The category of electronic signatures encompasses a broad range of technologies, from cryptographic software to biometric scanners, with widely different security, complexity and cost.

The terms electronic signature and digital signature sound similar but don't mean the same thing. A digital signature is a specific authentication method involving encryption. Other types of electronic signatures use smart cards, biometrics or shared secrets such as passwords.

Some vendors offer software-only signature applications based on public-key infrastructure technology. Others use smart cards or other types of tokens, which store digital certificates away from a computer's hard drive.

Biometric technologies authenticate a signature based on some unchanging personal characteristic, such as fingerprint or iris patterns or the exact motions a person makes while signing.

Like the Pretty Good Privacy public-domain encryption program long employed to protect e-mail, PKI uses pairs of mathematically related public and private keys, said Richard Guida, chairman of the PKI Working Group for the Chief Information Officers Council's Enterprise Interoperability and Emerging Information Technology Committee. PGP, however, works on a hierarchical trust model in which users know each other, said Michael Laurie, vice president of alliances for Silanis Technology Inc. of Dorval, Quebec.

Unlike PGP, PKI requires the use of digital certificates issued by a trusted third party known as a certificate authority. Each certificate, usually 5K to 10K in size, contains its owner's name plus a public key. PKI puts a digital signature on a document by creating a 50-character alphanumeric 'hash' unique to that document.

'It's like a fingerprint of that file,' Guida said.

The software then encrypts the first hash using the document author's private key, Guida said. The encrypted, or signed, hash is called the digital signature.

The signed hash is attached to the document and sent to the recipient, whose software decrypts it with the signer's public key, taken from the certificate issued by the certificate authority, and independently recomputes the hash of the document it received. If the decrypted hash matches the freshly computed one, the recipient can be confident that the document hasn't changed.

Even the slightest change would alter the hash and be immediately apparent to other parties. But for PKI to be useful, it must be incorporated into an application, Laurie said.

For example, when e-mail with an attachment is digitally signed, the software would hash and attach the signature on top of the entire e-mail. Once the attachment is separated from the e-mail and downloaded to the recipient's hard drive, however, it would lose the digital signature.

'In that sense, you have lost the ability to verify the integrity of the document,' Laurie said.
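The hash-then-sign process Guida describes, and the attachment problem Laurie raises, can both be seen in a few lines of code. The following is an added example written for this page, not code from any of the vendors mentioned; it uses the Go standard library (RSA-2048 with SHA-256 and PKCS#1 v1.5 padding), generates a throwaway key pair in memory instead of obtaining a certificate from a certificate authority, and invents a simple body-plus-attachment message layout purely for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer holds the mathematically related public/private key pair.
// Assumption for this example: the pair is generated in memory. In a real
// PKI the public key would be carried in a certificate issued by a
// certificate authority, which is how the recipient learns it.
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates a fresh 2048-bit RSA key pair.
func NewSigner() (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public returns the key a recipient would take from the signer's certificate.
func (s *Signer) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign computes the document's hash (its "fingerprint") and applies the
// private key to that hash; the result is the digital signature.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Verify recomputes the hash of the bytes actually received and checks it
// against the signature with the public key. Changing even one byte of the
// document yields a different hash, so the check fails.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// BuildMessage models an e-mail whose single signature covers the body and
// the attachment together. The layout is a constructed assumption, not any
// real mail format.
func BuildMessage(body, attachment []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString("Body:\n")
	buf.Write(body)
	buf.WriteString("\n--attachment--\n")
	buf.Write(attachment)
	return buf.Bytes()
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample message.
	body := []byte("Please approve the attached purchase order.")
	att := []byte("PO-0001: 40 chairs at $120")
	msg := BuildMessage(body, att)

	sig, err := s.Sign(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact message verifies:      ", Verify(s.Public(), msg, sig))

	// A one-character change to the attachment alters the hash.
	tampered := BuildMessage(body, []byte("PO-0001: 40 chairs at $121"))
	fmt.Println("tampered message verifies:    ", Verify(s.Public(), tampered, sig))

	// The attachment on its own was never what was signed, so the signature
	// over the whole e-mail says nothing about the detached file.
	fmt.Println("detached attachment verifies: ", Verify(s.Public(), att, sig))
}
```

One detail the article's "encrypts the hash" wording glosses over: real signature schemes do not apply the raw private-key operation to the bare hash but first pad it (PKCS#1 v1.5 here), and the verifier checks the padding as well as the hash. The last check in main() is the practical answer to Laurie's point: if the attachment is meant to be verifiable after it is saved separately, it needs its own signature, or the signature needs to be applied inside the application that handles the document.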

Silanis' $149 ApproveIt software ties the image of a physical signature with the act of digitally signing a document [GCN, Aug. 2, 1999, Page 24].

Users who want to dip into the e-signing pool can download a free Silanis application from the Web, at www.onSign.com, for digitally signing Microsoft Outlook 98 and Outlook 2000 messages or Microsoft Word 97 and Word 2000 documents.

But there is no trusted third party to administer such signatures. Anyone could fax any signature to the company for digitization without verification.

As important as the digital signature itself is an audit trail that proves the signer knew what was being signed and when it happened, said Kirk LeCompte, vice president of marketing and product management for PenOp Inc. of New York.

'It's the evidence attached to the document,' LeCompte said.

Open sesame

PenOp's main product, the $169 PenOp Signature Series, provides two e-sign technologies. The user can sign on a digitizing pad or create a so-called signature stamp based on a password entry, voice recognition or fingerprint scan.

Communication Intelligence Corp. of Redwood Shores, Calif., has created a biometric application called Sign-On for handheld computers running Palm OS 3.3 or later or the Microsoft Windows Pocket PC OS. The $19.95 Sign-On captures the signature of a handheld device's user and requires it for log-on.

Among the smart card products available is NetSign from Litronic Inc. of Irvine, Calif. 'It makes the digital signature capability more robust and easier to move from machine to machine,' said Bill Holmes, Litronic's vice president of marketing.

The PKI-based NetSign stores users' private keys on a smart card rather than on a hard drive. System administrators can specify how many password attempts can be made with the smart card before barring further tries.

The $99 NetSign product includes one smart card, one reader, NetSign software and a voucher for a digital certificate from VeriSign Inc. of Mountain View, Calif.

Windows 2000 is ready to use smart cards and can detect a reader installed on a computer. PC makers are starting to integrate the readers into new machines, Holmes said.

Litronic also makes Profile Manager, a product for managing PKI and smart-card systems. Holmes said he recently went to a Microsoft Corp. smart card conference to demonstrate a proof-of-concept application combining an iris scanner with PKI and smart cards: three levels of authentication.

'What was really new was the integration of biometrics and PKI,' Holmes said. 'Very little work has been done in that area.'

Litronic also is experimenting with fingerprint, voice and signature recognition, because different biometrics might be appropriate for different applications, Holmes said.

Cyber-Sign Inc. of San Jose, Calif., makes the Cyber-Sign signature recognition product that uses a pressure-sensitive digitizing tablet [GCN, May 10, 1999, Page 28]. The $850 Cyber-Sign stores a signature as a 3-D shape in which the third dimension represents the dynamic and presumably unique pressures the signer exerted on the pad.

AlphaTrust Corp. of Dallas provides a guaranteed electronic signature service for organizations that want to outsource a PKI e-signing system. The company also offers one- to three-year Digital ID certificates to individuals at a cost of $19.95 to $217.95.

Arcot Systems Inc. of Santa Clara, Calif., offers Arcot WebFort, a software-only PKI system that stores users' private keys in software tokens.

ILumin Corp. of Orem, Utah, recently announced a Digital Handshake system that allows multiple users to meet online in a virtual room where they exchange digital signatures to make a transaction binding.
