Ask the Expert

Authentication controls for systems using e-signatures

Can you recommend any authentication controls surrounding systems using e-signatures? The type of system we would prefer would be one that relies on user identification through password/login control.

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

The security of an e-signature, or digital signature, depends on how secure the underlying encryption method used to create it was.

Digital signatures have two requirements. They need to be created by the sender and verified by the receiver. They are created using the private key of a public key pair, also called an asymmetric encryption system. Asymmetric encryption uses two keys -- one public and one private -- that are mathematically related but can't be derived from each other. The private key is secret, meaning kept by the user, while the public key is freely available to anyone. It could be on a public server, or stored on a public key infrastructure (PKI).

To create an e-signature, the sender uses their private key to encrypt the message. The receiver then uses the sender's public key to decrypt the message and verifies that it matches the sent message. Since each sender has its own unique private key, this system proves the message was sent by that sender.

It sounds like you are trying to protect the sender's private key, which can be vulnerable depending on where it's stored. If it's on a user's laptop, and that laptop is lost or stolen, the key could be compromised. To protect your e-signature systems, use two authentication controls. You can use any standard user ID and password scheme to protect the device holding the private key. A malicious user who stole the laptop, or accessed the desktop, with the private key would have to have the user ID and password to log on.

This was first published in March 2006