Digital Signatures

Digital Signatures

It provides a method for employing digital signatures, which enable the recipient of the information to verify the authenticity of the information’s origin, that the information is intact.  Thus, digital signatures provide authentication and data integrity.  It also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information.

A digital signature serves the same purpose as a handwritten signature.  It is superior to a handwritten signature.  It is nearby impossible to counterfeit, it attests to the contents of the information as well as the identity of the signer.

The basic manner in which digital signatures are created is illustrated below.  You encrypt it with your private key.  If the information can be decrypted with your public key, then it must have originated with you.  Its actual use usually involves two processes.  One performed by the signer and the other by the receiver.

Digital Signature Creation

This consists of the following stages:

• The signer first creates the message that he is desirous of digitally signing.
• He then uses a hash function to compute the hash result of the message.
• He then uses his private key to digitally sign the message digest.
• The signer then sends the original message and the digitally signed message digest to the receiver.

In the illustration above, the original message has been highlighted in bold and begins with the words Dear Mr.Akash and ends with the words Asian School of Cyber Laws.  The digitally signed message digest begins with iOA and ends with =sKWD and is deemed to be the digital signature of Asian School of Cyber Laws for this message.

Digital Signature verification

This consists of the following stages:

• The receiver receives the original message and the digitally signed message digest from the sender.
• The receiver computes the message digest from the original message using the same hash function as used by the sender (SHA1 in this case).  He them compares the message digest computed by him to the message digest send to him by the sender.  If they are the same it implies that the message has not been altered unauthorizedly.
• The receiver then verifies whether the private key of the sender was actually used to sign the message digest. 
• He does this using the public key of the sender.

The verification software will confirm the digital signature as verified it.

• the signer’s private key was used to digitally sign the message.  If the signer’s public key is used to verify the signature.  The signer’s public key will only verify a digital signature created with the signer’s private key; and
• the message was unaltered.  If the hash result computed by the verifier is identical to the hash result extracted from the digital signature during the verification process.

A digital signature has many legal purposes:

·         Signer authentication: The digital signature cannot be forged, unless the signer loses control of the private key, such as by divulging it or losing the media or device in which it is contained.

• Message authentication: The digital signature also identifies the signed message, with far greater certainty and precision than paper signatures.  It shows whether the message is the same as when it was signed.
• Affirmative act: A digital signature requires the signer to use the signer’s private key.  The signer is consummating, a transaction with legal consequences.
• Efficiency: The digital signature is genuinely the signer’s.  Compared to paper methods such as checking, specimen signature cards methods so tedious and labor-intensive.  Digital standards yield a high degree of assurance without adding greatly to the resources required for processing.

Digital signatures have been accepted in several national and international standards developed in co-operation with and accepted by many corporations, banks and government agencies.  The malfunction is extremely remote and is far less than the risk of undetected forgery or alteration on paper or of using other less secure electronic signature techniques.

Security has become an essential component of information technology.  It will often depend, to a large extent, on the type and location of the IT equipment.

The potential security threats and risks will have to be carefully assessed in every situation and it is absolutely vital that all concerned are made aware of the threats and risks that affect them.

Threats to information systems may arise from intentional or unintentional acts and may come from internal or external sources.  International threats made with criminal intent, to Confidentiality and Integrity.  “Availability” security functions will only be addressed if they have an effect on “Confidentiality” and/or “Integrity”.

CONFIDENTIALITY (SECRECY)

Information is only disclosed for those “users” (persons, entities or processes) who are authorized to have access to it.

INTEGRITY

Information is modified only by those “users” who have the right to do so.  The accuracy and completeness of the data and information is also guaranteed.

AVAILABILITY

Information and other IT resources can be assessed by authorized “users” when needed.

THREAT

A “Threat” is a potential undesirable incident RISK.

A “risk” is the estimated probability that the “threat” will be activated.

Information Classification

To classify the information according to the appropriate level of availability.  E.g.”open”, “confidential” or “secret”.

The classification should be carried out by the management or by the ‘information owner”.

All systems especially the “Identification and Authorization system”, “Information Classification” system and “Application systems” must be fully documented.

IT-security policy should be documented in a “Security Handbook”. The chapter on IT Security should have separate sections for each user category. Eg. “Management”, “System Administrators”, “End-Users” etc.

Information Processing

It involves the following types of operation –

• READ/CREATE/MODIFY/DELETE information
• TRANSPORT (in one way or another) of information
• STORE information to keep it some where.

Simplest ways of “transporting” information is between the keyboard, the memory and the hard disk in a PC.  “Transport” of a diskette from one place to another.  Information can also be “transported” using a “Local

Area Network” (LAN) and/or a “Wide Area Network” (WAN).  Insecure “transport” affects both confidentiality and integrity.  A special kind of “transport” is “Electronic Emission”.

STORE INFORMATION

            Once the information has been “stored” on some kind of media (diskettes, tapes etc), it may become the target of unauthorized activities, which will have an effect on the confidentiality and/or integrity of the information.

As well as knowledge of computer architecture, the Investigator also needs to be familiar with a number of important IT-security functions if he is to be able to give advice on prevention methods and conduct investigations.

Success in information security work depends first and foremost on developing good basic working, practices and establishing procedures to ensure that they are maintained.  It is also important to create a security-conscious atmosphere and establish a disciplined approach.

If confidential information is to be handled, the people chosen for the job are absolutely reliable.  They should be security screened.  Access to information should be restricted to that which the individual “needs to know” to do his job.  Sensitive material should be split into sections.  Each section can be handled by a different member of staff; no member of staff should have access to all the information.

Security measures will only be effective if staff is properly trained.  They understand the problem.  This can be achieved with in-house training.  Employees can be taught what to do to counter certain threats, what they should not do, whom they can call and where they can get help.  To encourage employees to report incidents so that steps can be taken to prevent any further damage. New or temporary employees should be given introductory training.

User responsibilities

User should be given specific guidelines about what they should do-and what they should not do.  These guidelines should be distributed in written form and signed for.  Specimen guidelines are given below

1. Do not use any computer equipment without permission
2. Do not try to access information unless you know you are authorized to do so
3. Do not alter any information on a computer system unless you know you are authorized to do so
4. Do not use a computer for personal matters
5. Do not leave a working computer unattended.
6. Make sure you know what to do in the event of a virus being discovered on the system
7. Keep your password and user ID confidential
8. Do not allow anyone else to use your password
9. Do not use anyone else’s password
10. Anything done on the system using your ID and password IS your responsibility.

All senior management should be sufficiently familiar with the computer systems in use.

The role of the system manager is crucial.  He must be of the highest degree of integrity and sufficiently computer literate.  Computer security manager to check on the system manager’s activities.

The only way of establishing how a problem has occurred, whether the origin is accidental or deliberate, is to examine the logging information stored on the computer.  Analysis of this information should show when, where and how the problem occurred.  In some cases, careful examination will also indicate who was responsible.  The logging capabilities of the particular system are fully understood and utilized.  If the logging functions on the system are inadequate, consideration should be given to acquiring suitable software.

User Identification and Authorization

The simplest systems rely on passwords only.  These give some measure of protection against casual browsing of information, but will rarely stop a determined criminal.

Passwords should

1. Be issued to an individual and kept confidential, they should not be shared with anyone.
2. Ideally be:

1. Alphanumeric and
2. at least six characters long

      iii.            Be changed regularly at least every 30 days

      iv.            Using a password history list, new passwords will be checked against the list and not accepted if    they have already been used.

        v.            Be removed immediately if an employee leaves the organization or gives notice of leaving

Biometric systems make use of specific personal characteristics of a specific person.  E.g. fingerprint, voice, keystroke characteristics or the “pattern” of the retina.  Biometric systems are still quite expensive (except for the keystroke system) and not very common.

Authorization

There must be a function and set of rules to control what object each user is allowed to access.  This is the Access Control system.

Most computer systems have some kind of log.  The desired level of protection will only be achieved if the various security measures are properly followed up with a log, which can be analysed as and when necessary.  A proper log will answer the questions.

-         WHO (user)

-         WHEN (time-date)

-         WHERE (place)

-         WHAT (event/activity)

-         ADDITIONAL (additional information depending on activity)

There are often many different types of logs e.g.

-         Systems log

-         Transaction log

-         Security system log

-         Database log

-         Application log

-         Technical log (mainly on mainframes)

Log information is one of the most important items for a computer crime investigator to look for.

Back-up

Modern computer systems are generally very liable, breakdowns and failures do occur and users can make mistakes, which lead to the accidental destruction of information.  It is necessary to set up procedures for making regular copies of the information on the computer system on some form of back up medium.  This medium can then be stored in a safe place until it is needed.

Valuable information several copies should be made and each copy stored in a different place in different buildings at least if not different cities.

                                 i.            Make sure that regular back up copies are made of both date and system files.

                               ii.            Take a full back up out of the cycle on a regular basis and archive it off site for an extended period.

                              iii.            Back-up tapes/diskettes should be kept in a safe place under lock and key and away from the computer in case of fire, flood or deliberate interference, preferably off site.

                              iv.            Periodically test the back-up to ensure that the information can actually be restored in an emergency, do not wait for disaster to strike to find the back-up system does not work.

Back-ups (including old back-ups) are another important source of information for an Investigator.

COMPUTER ARCHITECTURE

The main types of computer architecture are indicated below.  The specific threats and risks to which a particular system is exposed will depend on its architecture.  There are a number of threats, which can affect all systems irrespective of their architecture.

-         Microcomputers, i.e. stand-alone with no communication facilities

-         Network architectures and Mini-computers, architectures with microcomputers, which are connected to each other in a network configuration

-         Mainframes

-         Hand-held computers

There are a number of important architecture-independent security targets:

·         Members of staff, with certain responsibilities, powers, information

·         Media handling

·         Malicious programs

·         Electronic emission

Local Area Network (LAN)

If a personal computer (PC) is connected to a network, there are two other possibilities for interfering with data, in addition to the dangers of physical access to the machine.

Firstly, it becomes possible to access the information stored on the PC via the network.  Care should therefore be taken to ensure networking software is correctly configured and that only that information which is intended to be generally accessible is stored in directories, which can be accessed via a network.

Secondly, the danger of leaving a PC unattended is much greater: not only can the data on the PC itself be compromised, but there is also a risk that any data which the rightful user may be able to access over the network will also be compromised.

It is essential to keep a central record of activity, i.e. a log.  There should also be a procedure for examining the log, so that all suspicious events can be highlighted and investigated.

Wide Area Network (WAN)

Networks are connected either by cable, by microwave or satellite.  The latter are vulnerable to interception as are any radio transmissions unless the data is encrypted.  There are many standards, TCP/IP which is the standard packet-switching protocol used for the Internet.  The best way is to use Identification, Authentication and Cryptography as well as firewall and Intrusion Detection Systems (IDS)

Telecommunication companies can offer the use of dedicated lines – which means that these lines are not available for normal public use and are protected against intrusion, but they cost substantially more.  There are a number of encryption standards and devices ranging from small logical keys installed on sending and receiving equipment to higher levels of coding which use complicated mathematical cycles and algorithms.  The decision to be taken in the light of the value of transmitted data.