Digitalsignature

FromWikipedia,thefreeencyclopedia

Adigitalsignatureisamathematicalschemefordemonstratingtheauthenticityofadigitalmessageor
documents.Avaliddigitalsignaturegivesarecipientreasontobelievethatthemessagewascreatedbyaknown
sender,thatthesendercannotdenyhavingsentthemessage(authenticationandnonrepudiation),andthatthe
messagewasnotalteredintransit(integrity).
Digitalsignaturesareastandardelementofmostcryptographicprotocolsuites,andarecommonlyusedfor
softwaredistribution,financialtransactions,andinothercaseswhereitisimportanttodetectforgeryor
tampering.

Contents
1
2
3
4
5
6

Explanation
Definition
History
Howtheywork
Notionsofsecurity
Applicationsofdigitalsignatures
6.1 Authentication
6.2 Integrity
6.3 Nonrepudiation
7 Additionalsecurityprecautions
7.1 Puttingtheprivatekeyonasmartcard
7.2 Usingsmartcardreaderswithaseparatekeyboard
7.3 Othersmartcarddesigns
7.4 Usingdigitalsignaturesonlywithtrustedapplications
7.5 Usinganetworkattachedhardwaresecuritymodule
7.6 WYSIWYS
7.7 Digitalsignaturesversusinkonpapersignatures
8 Somedigitalsignaturealgorithms
9 Thecurrentstateofuselegalandpractical
10 Industrystandards
10.1 Usingseparatekeypairsforsigningandencryption
11 Seealso
12 Notes
13 References
14 Furtherreading

Explanation
Digitalsignaturesareoftenusedtoimplementelectronicsignatures,abroadertermthatreferstoanyelectronic
datathatcarriestheintentofasignature,[1]butnotallelectronicsignaturesusedigitalsignatures.[2][3]Insome
countries,includingtheUnitedStates,India,Brazil,SaudiArabia,[4]theEuropeanUnionandSwitzerland,[5][6]

electronicsignatureshavelegalsignificance.
Digitalsignaturesemployasymmetriccryptography.Inmanyinstancestheyprovidealayerofvalidationand
securitytomessagessentthroughanonsecurechannel:Properlyimplemented,adigitalsignaturegivesthe
receiverreasontobelievethemessagewassentbytheclaimedsender.Digitalsealsandsignaturesare
equivalenttohandwrittensignaturesandstampedseals.[7]Digitalsignaturesareequivalenttotraditional
handwrittensignaturesinmanyrespects,butproperlyimplementeddigitalsignaturesaremoredifficulttoforge
thanthehandwrittentype.Digitalsignatureschemes,inthesenseusedhere,arecryptographicallybased,and
mustbeimplementedproperlytobeeffective.Digitalsignaturescanalsoprovidenonrepudiation,meaningthat
thesignercannotsuccessfullyclaimtheydidnotsignamessage,whilealsoclaimingtheirprivatekeyremains
secretfurther,somenonrepudiationschemesofferatimestampforthedigitalsignature,sothatevenifthe
privatekeyisexposed,thesignatureisvalid.Digitallysignedmessagesmaybeanythingrepresentableasa
bitstring:examplesincludeelectronicmail,contracts,oramessagesentviasomeothercryptographicprotocol.

Definition
Adigitalsignatureschemetypicallyconsistsofthreealgorithms
Akeygenerationalgorithmthatselectsaprivatekeyuniformlyatrandomfromasetofpossibleprivate
keys.Thealgorithmoutputstheprivatekeyandacorrespondingpublickey.
Asigningalgorithmthat,givenamessageandaprivatekey,producesasignature.
Asignatureverifyingalgorithmthat,giventhemessage,publickeyandsignature,eitheracceptsor
rejectsthemessage'sclaimtoauthenticity.
Twomainpropertiesarerequired.First,theauthenticityofasignaturegeneratedfromafixedmessageandfixed
privatekeycanbeverifiedbyusingthecorrespondingpublickey.Secondly,itshouldbecomputationally
infeasibletogenerateavalidsignatureforapartywithoutknowingthatparty'sprivatekey.Adigitalsignatureis
anauthenticationmechanismthatenablesthecreatorofthemessagetoattachacodethatactsasasignature.
Formally,adigitalsignatureschemeisatripleofprobabilisticpolynomialtimealgorithms,(G,S,V),
satisfying:
G(keygenerator)generatesapublickey,pk,andacorrespondingprivatekey,sk,oninput1n ,wheren
isthesecurityparameter.
S(signing)returnsatag,t,ontheinputs:theprivatekey,sk,andastring,x.
V(verifying)outputsacceptedorrejectedontheinputs:thepublickey,pk,astring,x,andatag,t.
Forcorrectness,SandVmustsatisfy
Pr[(pk,sk)G(1n ),V(pk,x,S(sk,x))=accepted]=1.[8]
Adigitalsignatureschemeissecureifforeverynonuniformprobabilisticpolynomialtimeadversary,A
Pr[(pk,sk)G(1n ),(x,t)AS(sk ,)(pk,1n ),xQ,V(pk,x,t)=accepted]<negl(n),
whereAS(sk ,)denotesthatAhasaccesstotheoracle,S(sk,),andQdenotesthesetofthequeriesonS
madebyA,whichknowsthepublickey,pk,andthesecurityparameter,n.Notethatwerequireanyadversary
cannotdirectlyquerythestring,x,onS.[9]

History

In1976,WhitfieldDiffieandMartinHellmanfirstdescribedthenotionofadigitalsignaturescheme,although
theyonlyconjecturedthatsuchschemesexisted.[10][11]Soonafterwards,RonaldRivest,AdiShamir,andLen
AdlemaninventedtheRSAalgorithm,whichcouldbeusedtoproduceprimitivedigitalsignatures[12](although
onlyasaproofofconcept"plain"RSAsignaturesarenotsecure[13]).Thefirstwidelymarketedsoftware
packagetoofferdigitalsignaturewasLotusNotes1.0,releasedin1989,whichusedtheRSAalgorithm.[14]
OtherdigitalsignatureschemesweresoondevelopedafterRSA,theearliestbeingLamportsignatures,[15]
Merklesignatures(alsoknownas"Merkletrees"orsimply"Hashtrees"),[16]andRabinsignatures.[17]
In1988,ShafiGoldwasser,SilvioMicali,andRonaldRivestbecamethefirsttorigorouslydefinethesecurity
requirementsofdigitalsignatureschemes.[18]Theydescribedahierarchyofattackmodelsforsignature
schemes,andalsopresentedtheGMRsignaturescheme,thefirstthatcouldbeprovedtopreventevenan
existentialforgeryagainstachosenmessageattack.[18]

Howtheywork
TocreateRSAsignaturekeys,generateanRSAkeypaircontainingamodulus,N,thatistheproductoftwo
largeprimes,alongwithintegers,eandd,suchthated1(mod(N)),whereistheEulerphifunction.The
signer'spublickeyconsistsofNande,andthesigner'ssecretkeycontainsd.
Tosignamessage,m,thesignercomputesmd (modN).Toverify,thereceiverchecksthatem(mod
N).
Asnotedearlier,thisbasicschemeisnotverysecure.Topreventattacks,onecanfirstapplyacryptographic
hashfunctiontothemessage,m,andthenapplytheRSAalgorithmdescribedabovetotheresult.This
approachcanbeprovensecureinthesocalledrandomoraclemodel.Mostearlysignatureschemeswereofa
similartype:theyinvolvetheuseofatrapdoorpermutation,suchastheRSAfunction,orinthecaseofthe
Rabinsignaturescheme,computingsquaremodulocomposite,n.Atrapdoorpermutationfamilyisafamilyof
permutations,specifiedbyaparameter,thatiseasytocomputeintheforwarddirection,butisdifficultto
computeinthereversedirectionwithoutalreadyknowingtheprivatekey("trapdoor").Trapdoorpermutations
canbeusedfordigitalsignatureschemes,wherecomputingthereversedirectionwiththesecretkeyisrequired
forsigning,andcomputingtheforwarddirectionisusedtoverifysignatures.
Useddirectly,thistypeofsignatureschemeisvulnerabletoakeyonlyexistentialforgeryattack.Tocreatea
forgery,theattackerpicksarandomsignatureandusestheverificationproceduretodeterminethemessage,
m,correspondingtothatsignature.[19]Inpractice,however,thistypeofsignatureisnotuseddirectly,butrather,
themessagetobesignedisfirsthashedtoproduceashortdigestthatisthensigned.Thisforgeryattack,then,
onlyproducesthehashfunctionoutputthatcorrespondsto,butnotamessagethatleadstothatvalue,which
doesnotleadtoanattack.Intherandomoraclemodel,thishashthensignformofsignatureisexistentially
unforgeable,evenagainstachosenplaintextattack.[11]
Thereareseveralreasonstosignsuchahash(ormessagedigest)insteadofthewholedocument.
Forefficiency
Thesignaturewillbemuchshorterandthussavetimesincehashingisgenerallymuchfasterthansigningin
practice.
Forcompatibility
Messagesaretypicallybitstrings,butsomesignatureschemesoperateonotherdomains(suchas,inthe

caseofRSA,numbersmoduloacompositenumberN).Ahashfunctioncanbeusedtoconvertan
arbitraryinputintotheproperformat.
Forintegrity
Withoutthehashfunction,thetext"tobesigned"mayhavetobesplit(separated)inblockssmallenough
forthesignatureschemetoactonthemdirectly.However,thereceiverofthesignedblocksisnotableto
recognizeifalltheblocksarepresentandintheappropriateorder.

Notionsofsecurity
Intheirfoundationalpaper,Goldwasser,Micali,andRivestlayoutahierarchyofattackmodelsagainstdigital
signatures:[18]
1.Inakeyonlyattack,theattackerisonlygiventhepublicverificationkey.
2.Inaknownmessageattack,theattackerisgivenvalidsignaturesforavarietyofmessagesknownbythe
attackerbutnotchosenbytheattacker.
3.Inanadaptivechosenmessageattack,theattackerfirstlearnssignaturesonarbitrarymessagesofthe
attacker'schoice.
Theyalsodescribeahierarchyofattackresults:[18]
1.Atotalbreakresultsintherecoveryofthesigningkey.
2.Auniversalforgeryattackresultsintheabilitytoforgesignaturesforanymessage.
3.Aselectiveforgeryattackresultsinasignatureonamessageoftheadversary'schoice.
4.Anexistentialforgerymerelyresultsinsomevalidmessage/signaturepairnotalreadyknowntothe
adversary.
Thestrongestnotionofsecurity,therefore,issecurityagainstexistentialforgeryunderanadaptivechosen
messageattack.

Applicationsofdigitalsignatures
Asorganizationsmoveawayfrompaperdocumentswithinksignaturesorauthenticitystamps,digitalsignatures
canprovideaddedassurancesoftheevidencetoprovenance,identity,andstatusofanelectronicdocumentas
wellasacknowledginginformedconsentandapprovalbyasignatory.TheUnitedStatesGovernmentPrinting
Office(GPO)publisheselectronicversionsofthebudget,publicandprivatelaws,andcongressionalbillswith
digitalsignatures.UniversitiesincludingPennState,UniversityofChicago,andStanfordarepublishingelectronic
studenttranscriptswithdigitalsignatures.
Belowaresomecommonreasonsforapplyingadigitalsignaturetocommunications:

Authentication
Althoughmessagesmayoftenincludeinformationabouttheentitysendingamessage,thatinformationmaynot
beaccurate.Digitalsignaturescanbeusedtoauthenticatethesourceofmessages.Whenownershipofadigital
signaturesecretkeyisboundtoaspecificuser,avalidsignatureshowsthatthemessagewassentbythatuser.
Theimportanceofhighconfidenceinsenderauthenticityisespeciallyobviousinafinancialcontext.For
example,supposeabank'sbranchofficesendsinstructionstothecentralofficerequestingachangeinthe
balanceofanaccount.Ifthecentralofficeisnotconvincedthatsuchamessageistrulysentfromanauthorized
source,actingonsucharequestcouldbeagravemistake.

Integrity
Inmanyscenarios,thesenderandreceiverofamessagemayhaveaneedforconfidencethatthemessagehas
notbeenalteredduringtransmission.Althoughencryptionhidesthecontentsofamessage,itmaybepossibleto
changeanencryptedmessagewithoutunderstandingit.(Someencryptionalgorithms,knownasnonmalleable
ones,preventthis,butothersdonot.)However,ifamessageisdigitallysigned,anychangeinthemessageafter
signatureinvalidatesthesignature.Furthermore,thereisnoefficientwaytomodifyamessageanditssignatureto
produceanewmessagewithavalidsignature,becausethisisstillconsideredtobecomputationallyinfeasibleby
mostcryptographichashfunctions(seecollisionresistance).

Nonrepudiation
Nonrepudiation,ormorespecificallynonrepudiationoforigin,isanimportantaspectofdigitalsignatures.By
thisproperty,anentitythathassignedsomeinformationcannotatalatertimedenyhavingsignedit.Similarly,
accesstothepublickeyonlydoesnotenableafraudulentpartytofakeavalidsignature.
Notethattheseauthentication,nonrepudiationetc.propertiesrelyonthesecretkeynothavingbeenrevoked
priortoitsusage.Publicrevocationofakeypairisarequiredability,elseleakedsecretkeyswouldcontinueto
implicatetheclaimedownerofthekeypair.Checkingrevocationstatusrequiresan"online"checke.g.,
checkinga"CertificateRevocationList"orviathe"OnlineCertificateStatusProtocol".Veryroughlythisis
analogoustoavendorwhoreceivescreditcardsfirstcheckingonlinewiththecreditcardissuertofindifa
givencardhasbeenreportedlostorstolen.Ofcourse,withstolenkeypairs,thetheftisoftendiscoveredonly
afterthesecretkey'suse,e.g.,tosignaboguscertificateforespionagepurpose.

Additionalsecurityprecautions
Puttingtheprivatekeyonasmartcard
Allpublickey/privatekeycryptosystemsdependentirelyonkeepingtheprivatekeysecret.Aprivatekeycan
bestoredonauser'scomputer,andprotectedbyalocalpassword,butthishastwodisadvantages:
theusercanonlysigndocumentsonthatparticularcomputer
thesecurityoftheprivatekeydependsentirelyonthesecurityofthecomputer
Amoresecurealternativeistostoretheprivatekeyonasmartcard.Manysmartcardsaredesignedtobe
tamperresistant(althoughsomedesignshavebeenbroken,notablybyRossAndersonandhisstudents).Ina
typicaldigitalsignatureimplementation,thehashcalculatedfromthedocumentissenttothesmartcard,whose
CPUsignsthehashusingthestoredprivatekeyoftheuser,andthenreturnsthesignedhash.Typically,auser
mustactivatehissmartcardbyenteringapersonalidentificationnumberorPINcode(thusprovidingtwofactor
authentication).Itcanbearrangedthattheprivatekeyneverleavesthesmartcard,althoughthisisnotalways
implemented.Ifthesmartcardisstolen,thethiefwillstillneedthePINcodetogenerateadigitalsignature.This
reducesthesecurityoftheschemetothatofthePINsystem,althoughitstillrequiresanattackertopossessthe
card.Amitigatingfactoristhatprivatekeys,ifgeneratedandstoredonsmartcards,areusuallyregardedas
difficulttocopy,andareassumedtoexistinexactlyonecopy.Thus,thelossofthesmartcardmaybedetected
bytheownerandthecorrespondingcertificatecanbeimmediatelyrevoked.Privatekeysthatareprotectedby
softwareonlymaybeeasiertocopy,andsuchcompromisesarefarmoredifficulttodetect.

Usingsmartcardreaderswithaseparatekeyboard

EnteringaPINcodetoactivatethesmartcardcommonlyrequiresanumerickeypad.Somecardreadershave
theirownnumerickeypad.ThisissaferthanusingacardreaderintegratedintoaPC,andthenenteringthePIN
usingthatcomputer'skeyboard.Readerswithanumerickeypadaremeanttocircumventtheeavesdropping
threatwherethecomputermightberunningakeystrokelogger,potentiallycompromisingthePINcode.
Specializedcardreadersarealsolessvulnerabletotamperingwiththeirsoftwareorhardwareandareoften
EAL3certified.

Othersmartcarddesigns
Smartcarddesignisanactivefield,andtherearesmartcardschemeswhichareintendedtoavoidthese
particularproblems,thoughsofarwithlittlesecurityproofs.

Usingdigitalsignaturesonlywithtrustedapplications
Oneofthemaindifferencesbetweenadigitalsignatureandawrittensignatureisthattheuserdoesnot"see"
whathesigns.Theuserapplicationpresentsahashcodetobesignedbythedigitalsigningalgorithmusingthe
privatekey.Anattackerwhogainscontroloftheuser'sPCcanpossiblyreplacetheuserapplicationwitha
foreignsubstitute,ineffectreplacingtheuser'sowncommunicationswiththoseoftheattacker.Thiscouldallow
amaliciousapplicationtotrickauserintosigninganydocumentbydisplayingtheuser'soriginalonscreen,but
presentingtheattacker'sowndocumentstothesigningapplication.
Toprotectagainstthisscenario,anauthenticationsystemcanbesetupbetweentheuser'sapplication(word
processor,emailclient,etc.)andthesigningapplication.Thegeneralideaistoprovidesomemeansforboththe
userapplicationandsigningapplicationtoverifyeachother'sintegrity.Forexample,thesigningapplicationmay
requireallrequeststocomefromdigitallysignedbinaries.

Usinganetworkattachedhardwaresecuritymodule
Oneofthemaindifferencesbetweenacloudbaseddigitalsignatureserviceandalocallyprovidedoneisrisk.
Manyriskaversecompanies,includinggovernments,financialandmedicalinstitutions,andpaymentprocessors
requiremoresecurestandards,likeFIPS1402level3andFIPS201certification,toensurethesignatureis
validatedandsecure.[20]

WYSIWYS
Technicallyspeaking,adigitalsignatureappliestoastringofbits,whereashumansandapplications"believe"
thattheysignthesemanticinterpretationofthosebits.Inordertobesemanticallyinterpreted,thebitstringmust
betransformedintoaformthatismeaningfulforhumansandapplications,andthisisdonethrougha
combinationofhardwareandsoftwarebasedprocessesonacomputersystem.Theproblemisthatthe
semanticinterpretationofbitscanchangeasafunctionoftheprocessesusedtotransformthebitsintosemantic
content.Itisrelativelyeasytochangetheinterpretationofadigitaldocumentbyimplementingchangesonthe
computersystemwherethedocumentisbeingprocessed.Fromasemanticperspectivethiscreatesuncertainty
aboutwhatexactlyhasbeensigned.WYSIWYS(WhatYouSeeIsWhatYouSign)[21]meansthatthe
semanticinterpretationofasignedmessagecannotbechanged.Inparticularthisalsomeansthatamessage
cannotcontainhiddeninformationthatthesignerisunawareof,andthatcanberevealedafterthesignaturehas
beenapplied.WYSIWYSisanecessaryrequirementforthevalidityofdigitalsignatures,butthisrequirementis
difficulttoguaranteebecauseoftheincreasingcomplexityofmoderncomputersystems.ThetermWYSIWYS
wascoinedbyPeterLandrockandTorbenPedersentodescribesomeoftheprinciplesindeliveringsecureand
legallybindingdigitalsignaturesforPanEuropeanprojects.[21]

Digitalsignaturesversusinkonpapersignatures
Aninksignaturecouldbereplicatedfromonedocumenttoanotherbycopyingtheimagemanuallyordigitally,
buttohavecrediblesignaturecopiesthatcanresistsomescrutinyisasignificantmanualortechnicalskill,andto
produceinksignaturecopiesthatresistprofessionalscrutinyisverydifficult.
Digitalsignaturescryptographicallybindanelectronicidentitytoanelectronicdocumentandthedigitalsignature
cannotbecopiedtoanotherdocument.Papercontractssometimeshavetheinksignatureblockonthelast
page,andthepreviouspagesmaybereplacedafterasignatureisapplied.Digitalsignaturescanbeappliedto
anentiredocument,suchthatthedigitalsignatureonthelastpagewillindicatetamperingifanydataonanyof
thepageshavebeenaltered,butthiscanalsobeachievedbysigningwithinkandnumberingallpagesofthe
contract.

Somedigitalsignaturealgorithms
RSAbasedsignatureschemes,suchasRSAPSS
DSAanditsellipticcurvevariantECDSA
ElGamalsignatureschemeasthepredecessortoDSA,andvariantsSchnorrsignatureandPointcheval
Sternsignaturealgorithm
Rabinsignaturealgorithm
PairingbasedschemessuchasBLS
Undeniablesignatures
Aggregatesignatureasignatureschemethatsupportsaggregation:Givennsignaturesonnmessages
fromnusers,itispossibletoaggregateallthesesignaturesintoasinglesignaturewhosesizeisconstantin
thenumberofusers.Thissinglesignaturewillconvincetheverifierthatthenusersdidindeedsignthen
originalmessages.
Signatureswithefficientprotocolsaresignatureschemesthatfacilitateefficientcryptographicprotocols
suchaszeroknowledgeproofsorsecurecomputation.

Thecurrentstateofuselegalandpractical
Alldigitalsignatureschemessharethefollowingbasicprerequisitesregardlessofcryptographictheoryorlegal
provision:
1.Qualityalgorithms
Somepublickeyalgorithmsareknowntobeinsecure,aspracticalattacksagainstthemhaving
beendiscovered.
2.Qualityimplementations
Animplementationofagoodalgorithm(orprotocol)withmistake(s)willnotwork.
3.Users(andtheirsoftware)mustcarryoutthesignatureprotocolproperly.
4.Theprivatekeymustremainprivate
Iftheprivatekeybecomesknowntoanyotherparty,thatpartycanproduceperfectdigital
signaturesofanythingwhatsoever.
5.Thepublickeyownermustbeverifiable
ApublickeyassociatedwithBobactuallycamefromBob.Thisiscommonlydoneusingapublic

keyinfrastructure(PKI)andthepublickeyuserassociationisattestedbytheoperatorofthe
PKI(calledacertificateauthority).For'open'PKIsinwhichanyonecanrequestsuchan
attestation(universallyembodiedinacryptographicallyprotectedidentitycertificate),thepossibility
ofmistakenattestationisnontrivial.CommercialPKIoperatorshavesufferedseveralpublicly
knownproblems.Suchmistakescouldleadtofalselysigned,andthuswronglyattributed,
documents.'Closed'PKIsystemsaremoreexpensive,butlesseasilysubvertedinthisway.
Onlyifalloftheseconditionsaremetwilladigitalsignatureactuallybeanyevidenceofwhosentthemessage,
andthereforeoftheirassenttoitscontents.Legalenactmentcannotchangethisrealityoftheexistingengineering
possibilities,thoughsomesuchhavenotreflectedthisactuality.
Legislatures,beingimportunedbybusinessesexpectingtoprofitfromoperatingaPKI,orbythetechnological
avantgardeadvocatingnewsolutionstooldproblems,haveenactedstatutesand/orregulationsinmany
jurisdictionsauthorizing,endorsing,encouraging,orpermittingdigitalsignaturesandprovidingfor(orlimiting)
theirlegaleffect.ThefirstappearstohavebeeninUtahintheUnitedStates,followedcloselybythestates
MassachusettsandCalifornia.Othercountrieshavealsopassedstatutesorissuedregulationsinthisareaaswell
andtheUNhashadanactivemodellawprojectforsometime.Theseenactments(orproposedenactments)
varyfromplacetoplace,havetypicallyembodiedexpectationsatvariance(optimisticallyorpessimistically)with
thestateoftheunderlyingcryptographicengineering,andhavehadtheneteffectofconfusingpotentialusersand
specifiers,nearlyallofwhomarenotcryptographicallyknowledgeable.Adoptionoftechnicalstandardsfor
digitalsignatureshavelaggedbehindmuchofthelegislation,delayingamoreorlessunifiedengineeringposition
oninteroperability,algorithmchoice,keylengths,andsoonwhattheengineeringisattemptingtoprovide.

Industrystandards
Someindustrieshaveestablishedcommoninteroperabilitystandardsfortheuseofdigitalsignaturesbetween
membersoftheindustryandwithregulators.TheseincludetheAutomotiveNetworkExchangeforthe
automobileindustryandtheSAFEBioPharmaAssociationforthehealthcareindustry.

Usingseparatekeypairsforsigningandencryption
Inseveralcountries,adigitalsignaturehasastatussomewhatlikethatofatraditionalpenandpapersignature,
likeintheEUdigitalsignaturelegislation
(http://europa.eu/legislation_summaries/information_society/l24118_en.htm).[5]Generally,theseprovisionsmean
thatanythingdigitallysignedlegallybindsthesignerofthedocumenttothetermstherein.Forthatreason,itis
oftenthoughtbesttouseseparatekeypairsforencryptingandsigning.Usingtheencryptionkeypair,aperson
canengageinanencryptedconversation(e.g.,regardingarealestatetransaction),buttheencryptiondoesnot
legallysigneverymessagehesends.Onlywhenbothpartiescometoanagreementdotheysignacontractwith
theirsigningkeys,andonlythenaretheylegallyboundbythetermsofaspecificdocument.Aftersigning,the
documentcanbesentovertheencryptedlink.Ifasigningkeyislostorcompromised,itcanberevokedto
mitigateanyfuturetransactions.Ifanencryptionkeyislost,abackuporkeyescrowshouldbeutilizedto
continueviewingencryptedcontent.Signingkeysshouldneverbebackeduporescrowedunlessthebackup
destinationissecurelyencrypted.

Seealso
21CFR11
Blindsignature
Detachedsignature

Digitalcertificate
DigitalsignatureinEstonia
Digitalsignaturesandlaw
Electroniclabnotebook
Electronicsignature
eSign(India)
GNUPrivacyGuard
GlobalTrustCenter
PAdES
Publickeyinfrastructure
Serverbasedsignatures

Notes
1.USESIGNActof2000(http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?
dbname=106_cong_public_laws&docid=f:publ229.106.pdf)
2.StateofWI(http://enterprise.state.wi.us/home/strategic/esig.htm)
3.NationalArchivesofAustralia(http://www.naa.gov.au/recordkeeping/er/Security/6glossary.html)9,
2014/http://www.naa.gov.au/recordkeeping/er/Security/6glossary.htmlArchived
(https://web.archive.org/web/November)November9,2014attheWaybackMachine
4.TheInformationTechnologyAct,2000(PDF).|first1=missing|last1=inAuthorslist(help)
5.Turner,Dawn."MajorStandardsandComplianceofDigitalSignaturesAWorldWideConsideration".
Cryptomathic.Retrieved7January2016.
6.JA,Ashiq."RecommendationsforProvidingDigitalSignatureServices".Cryptomathic.Retrieved7January
2016.
7.RegulatoryCompliance:DigitalsignaturesandsealsarelegallyenforceableESIGN(ElectronicSignaturesin
GlobalandNationalCommerce)Act(http://www.arx.com/industries/engineering/regulatorycompliance/)
8.Pass,def135.1
9.Goldreich'sFoC,vol.2,def6.1.2.Pass,def135.2
10."NewDirectionsinCryptography",IEEETransactionsonInformationTheory,IT22(6):644654,Nov.1976.
11."SignatureSchemesandApplicationstoCryptographicProtocolDesign
(http://theory.lcs.mit.edu/~cis/theses/annaphd.pdf)",AnnaLysyanskaya,PhDthesis,MIT,2002.
12.Rivest,R.A.ShamirL.Adleman(1978)."AMethodforObtainingDigitalSignaturesandPublicKey
Cryptosystems"(PDF).CommunicationsoftheACM21(2):120126.doi:10.1145/359340.359342.
13.Forexampleanyinteger,r,"signs"m=reandtheproduct,s1s2,ofanytwovalidsignatures,s1,s2ofm1,m2isa
validsignatureoftheproduct,m1m2.
14."TheHistoryofNotesandDomino".developerWorks.Retrieved17September2014.
15."Constructingdigitalsignaturesfromaonewayfunction.",LeslieLamport,TechnicalReportCSL98,SRI
International,Oct.1979.
16."Acertifieddigitalsignature",RalphMerkle,InGillesBrassard,ed.,AdvancesinCryptologyCRYPTO'89,
vol.435ofLectureNotesinComputerScience,pp.218238,SpringVerlag,1990.
17."Digitalizedsignaturesasintractableasfactorization."MichaelO.Rabin,TechnicalReportMIT/LCS/TR212,
MITLaboratoryforComputerScience,Jan.1979
18."Adigitalsignatureschemesecureagainstadaptivechosenmessageattacks.",ShafiGoldwasser,SilvioMicali,
andRonaldRivest.SIAMJournalonComputing,17(2):281308,Apr.1988.
19."ModernCryptography:Theory&Practice",WenboMao,PrenticeHallProfessionalTechnicalReference,New
Jersey,2004,pg.308.ISBN0130669431
20.PrivateServerHSMOverview(http://www.arx.com/products/privateserverhsm/overview/)
21.Landrock,PeterPedersen,Torben(1998)."WYSIWYS?Whatyouseeiswhatyousign?".Information
SecurityTechnicalReport3(2):5561.

References

Goldreich,Oded(2001),FoundationsofcryptographyI:BasicTools,Cambridge:Cambridge
UniversityPress,ISBN9780511546891
Goldreich,Oded(2004),FoundationsofcryptographyII:BasicApplications(1.publ.ed.),
Cambridge[u.a.]:CambridgeUniv.Press,ISBN9780521830843
Pass,Rafael,ACourseinCryptography(PDF),retrieved31December2015

Furtherreading
J.KatzandY.Lindell,"IntroductiontoModernCryptography"(Chapman&Hall/CRCPress,2007)
StephenMason,ElectronicSignaturesinLaw(3rdedition,CambridgeUniversityPress,2012)
LornaBrazell,ElectronicSignaturesandIdentitiesLawandRegulation(2ndedn,London:Sweet&
Maxwell,2008)
DennisCampbell,editor,ECommerceandtheLawofDigitalSignatures(OceanaPublications,2005).
M.H.MSchellenkens,ElectronicSignaturesAuthenticationTechnologyfromaLegalPerspective,
(TMCAsserPress,2004).
JeremiahS.Buckley,JohnP.Kromer,MargoH.K.Tank,andR.DavidWhitaker,TheLawof
ElectronicSignatures(3rdEdition,WestPublishing,2010).
DigitalEvidenceandElectronicSignatureLawReview(http://journals.sas.ac.uk/deeslr/)Freeopen
source
OpenCertificateSigningserver
(https://trust1t.atlassian.net/wiki/display/OCSPublic/01.+Digital+signatures+in+PDF)OpensourcePDF
Signing(EU,ETSI)
DigitalSignatures:ManagingKeysInASecuredEnvironment
(http://www.arx.com/products/privateserverhsm/pkiapplications/)
TheEuropeanCourtofHumanRightsAddsDigitalSignaturestoitsSharePointPlatform
(http://www.arx.com/learn/casestudies/governmentcs/digitalsignatureseuropeancourtforhuman
rights/)
HowtoChooseaHardwareSecurityModule
(http://www.arx.com/files/DOCUMENTS/How_to_Choose_an_HSM.pdf)
Howtoapplyfordigitalsignature(http://digitalsignaturestore.com/index.php?)
Retrievedfrom"https://en.wikipedia.org/w/index.php?title=Digital_signature&oldid=705058306"
Categories: Publickeycryptography Electronicdocuments Keymanagement Notary
Thispagewaslastmodifiedon15February2016,at07:12.
TextisavailableundertheCreativeCommonsAttributionShareAlikeLicenseadditionaltermsmay
apply.Byusingthissite,youagreetotheTermsofUseandPrivacyPolicy.Wikipediaisaregistered
trademarkoftheWikimediaFoundation,Inc.,anonprofitorganization.