Digital Signatures: Security & Controls 


Digital Signatures - Security & Controls

Executive Summary

IT Governance Institute, Fred Piper, Simon Blake-Wilson and John Mitchell

For thousands of years, businesses and societies have been built on human interaction. In the earliest civilisations, people could only communicate by physical interaction. They always knew with whom they were dealing, because they recognised their features and voice. The message from one person to another could not be tampered with, because it was delivered directly to the recipient. To ensure the message was not overheard, those involved could separate themselves from any potential "snoopers"
or speak in a special language or code known only to the participants.

As written forms of communication became more common in business, different methods of ensuring the identity and authenticity of messages were required. The concept of a "signature" developed, whereby a unique identifier attached to a message would identify the sender. Preventing a message from being tampered with, or intercepted during transit, led to the development of secure forms of delivery such as postal services and, less commonly, the use of codes (and later cryptography) to protect messages.

Even with the mainstream adoption of other forms of business communication, such as the telephone, in the 20th century people continued to rely on the trusted methods of communication, written and physical. Today, still many of our laws and business practices are built on the assumption that significant business communications will always be recorded in writing, and that only these forms of transactions can truly be trusted.

The twin revolutions of the Internet and eBusiness will fundamentally transform business and society in the 21st century. Electronic communication between people and organisations will become the norm in the new millennium and this communication will take place over the world's most open and least trusted communication medium, the Internet. In this new world, how can we be sure with whom we are dealing, and trust the integrity of the information provided to us? The answer lies with Digital Signatures.

Cryptographic technologies have been in use for many decades to protect sensitive electronic messages. However, with the recent mainstream adoption of "public key" cryptographic technologies, there now is a cost-effective method for the identification and authentication of people and messages over a network. These digital signature technologies will be central to the development of a trusted eBusiness environment in the 21st century.

There is still much to be done to develop a trusted environment for eBusiness over the Internet. Digital signatures rely on a public key infrastructure (PKI), in which certificate authorities act as trusted third-parties for identification and authentication. Standards to govern both public key technologies and PKI practices and procedures are required and perhaps most importantly the legal environment which underpins business needs to respond to these technological developments to ensure legal recognition of digital signatures.

This research report is designed to address all of the key issues associated with digital signatures which are relevant to the IT audit and control community. Why are digital signatures needed? For what are they used? How do they work? Are they ready for mainstream use? What issues have yet to be resolved? The reader is invited to participate in the development of a new global business environment for the 21st century.