Digital Signatures: Security & Controls 



IT Governance Institute, Fred Piper, Simon Blake-Wilson and John Mitchell

Some kind of authentication mechanism has been with us since the time of the ancient Sumerians, the inventors of writing. While hand-written signatures or personal seals met the commercial needs of the time, in today's digital age a more appropriate mechanism is needed for a fast, high-volume, online global economy. We have already replaced physical signatures with electronic authentication methods, but they are often based on symmetric systems that create an onerous key management overhead and - because both parties possess the same secret - can be repudiated in court. When properly implemented, digital signatures based on public key infrastructures provide trustworthy transactions that are hard to repudiate, with much less key management overhead. Nevertheless, in doing so we transfer some of the past problems to the new challenges of properly managing certification services.

This research project was sponsored by the Information Systems Audit and Control Foundation, its London Chapter and my own organisation, S.W.I.F.T., Brussels, Belgium. The authors are Prof. Dr. Fred Piper of Royal Holloway University of London, Dr. Simon Blake-Wilson of Certicom in Canada, and Dr. John Mitchell of UK-based LHS Business Control. Professor Piper has had a distinguished academic and commercial career, specialising in the application of mathematics and cryptography to business problems. Simon Blake-Wilson, a cryptographic mathematician at Certicom, is involved in a number of cryptographic standards efforts, and Dr. John Mitchell is an international authority on the control of computer systems.

While the use of digital signatures for securing electronic transactions is already proven, its impact has so far been limited to highly secure environments. With the growth in new ways of paying for goods and services, the use of digital signatures is bound to expand in retail commerce and the larger public, but will also be more pervasive in those domains where it is already being used. We at S.W.I.F.T. have implemented digital signatures with its public key infrastructure since the early nineties to support key management in the banking industry, but in our next generation infrastructure, notably SWIFTNet PKI, we have made digital signatures into a basic pervasive component providing the highest level of security. In parallel, these same technologies are becoming an accepted standard for retail e-commerce and home banking. The differentiation between these two paths of development is less about technology and more about contracts, policies, standards and the degree of liability accepted by the service providers.

While there are some similarities between handwritten and digital signatures, there are also marked differences. There is a greater need for their audit, control and management. Anyone can see that a paper document either has a manual signature or doesn't, and can try to guess whether a court will accept it as genuine or fraudulent. In addition, there is physical contact with the instrument bearing the signature and between the parties in the exchange process. However, the same cannot be said for a digitally signed document. Virtual transactions with digital signatures are far more complex and need a greater level of management and control to compensate for the absence of the natural controls in the physical world. The cost of getting things wrong can be very high. An understanding of digital signatures is crucial.

While there are publications covering the technical aspects of digital signatures, this is one of the first that also addresses other related matters such as legal, audit and control issues related to the technology. As such, this book should be of interest not only to IT and audit professionals, but also to anyone who will be involved in business and finance today and into the 21st Century.

Erik Guldentops, CISA