This information might take the form of:
1. An encryption key, a large binary number of 56 or more digits.
Because humans cannot easily remember such numbers, nor key
them in accurately, the encryption key will normally be stored on an
information storage device such as a smart card, a memory stick or
the hard disk of the signatory’s computer.
2. Biometric data, such as the signatory’s fingerprint, a retina scan or an
iris scan.1
The retina is a thin layer of cells at the back of the eyeball of vertebrates
and some cephalopods; it is the part of the eye which converts light into
nervous signals.2
[Figure]3
It has been known since the 1930s that every human being has a unique
pattern of retinal blood vessels, the “retinal vascular pattern”.4
No two retinal vascular patterns are the same; hence, they provide a means
of reliable personal identification. Moreover, the pattern of retinal blood
vessels changes very little.
1 Internet Law Text and Materials, Second Edition, Chris Reed, 2004, Cambridge, page 145
2 http://www.britannica.com/eb/article-9063313?query=retina&ct=
3 http://en.wikipedia.org/wiki/Retina
4 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 41
[Figure]5
To scan a retina, a camera looks through the pupil and scans the user’s
retina, which takes around 10 seconds.6 Retina scanning has been improved
so that users can be scanned from a distance and the scan is not affected
by the subject wearing contact lenses.
Iris Scan
An iris scan is one of the most widely used current methods of biometric
authentication. Using a small camera, an iris scan system examines both
irises of the individual's eyes. It then takes advantage of small details in the
iris stromal pattern in order to attempt positive identification of an
individual.
5 Ibid.
6 Ibid.
[Figure]7
The texture of the iris arises from a “complex fibrous structure known as the
trabecular meshwork, which forms during the latter stages of gestation and
all but finishes developing prior to birth. Its function is to drain the aqueous
humor from the eye.”8 The iris of each person is unique, even between
identical twins, and the patterns in the iris do not change.9
A camera captures an image of the iris of users who place themselves in
front of the device. Some techniques omit from the image parts of the eye
such as the eyelashes and pupil. Signal processing techniques10 are applied
to the iris image to encode the data. Users may use an iris scanning device
from up to two feet away.
It is understood that iris scanning is an accurate biometric method. Neither
contact lenses nor spectacles affect the iris scanning device.
Face Recognition:
Facial recognition is the primary means by which humans identify one
another; hence photographs of people appear on many documents such as
passports. Computer systems have been developed to help specialists
identify people from their facial photographs. In other words, a facial
recognition system is a computer-driven application for automatically
identifying a person from a digital image. These systems typically work
by capturing an image of a person's face and searching for it in a database.
One of the strongest advantages of facial recognition is that it can be
performed from a distance, without requiring the subjects to wait for a long
time or even without their noticing.
7 http://www.cl.cam.ac.uk/users/jgd1000/sampleiris.jpg
8 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 42
9 "Biometric-Advanced Identity Verification", Julian Ashbourn (2000), p. 52, Springer-Verlag London Ltd.
10 Gabor Filters
However, as Lorna Brazell argued: “Many people have expressed civil
liberties concerns over the potential use of facial recognition cameras placed
inconspicuously or surreptitiously, and this raises a concern as to whether a
person's facial recognition-based electronic signature could be captured from
them without their consent or knowledge.”11
[Figure: Face Recognition]12
11 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 44
12 http://bias.csr.unibo.it/research/biolab/bio_tree.html
Fingerprints or Handprints
Since then, one of the most useful and successful biometric products has
been fingerprints. As Anderson stated in his book, more than 70 per cent of
fingerprint products have been sold for biometric technology.13
Fingerprints “afford an infallible”14 means of personal
identification, because the ridge arrangement on every finger of
every human being is unique and does not alter with growth or age.
Moreover, if a finger is damaged, it will normally heal in such a way that
the fingerprint is restored. For this reason, a person's fingerprint can be used
as a method to identify people.
A fingerprint is an imprint made by the pattern of ridges on the ends of
the fingers and thumbs.15 There are three basic fingerprint patterns: Arch,
Loop and Whorl.
Fingerprints can be captured by a scanner. Recently IBM Co. has
installed a fingerprint scanner in its laptop products, which identifies their
owners. A modern scanner is a very small device which can be attached to a
computer or integrated into a keyboard.
Scanners are very easy to use, hence their common use as a means of
providing electronic signatures.
13 R. Anderson, "Security Engineering", (2001) John Wiley & Sons, Inc., p. 265.
14 http://www.britannica.com/eb/article-9034291?query=fingerprint&ct=
15 http://www.britannica.com/eb/article-9034291?query=fingerprint&ct= and
http://en.wikipedia.org/wiki/Fingerprint
[Figure]16
Hand/finger geometry
Unlike fingerprints, the human hand isn't unique. One can use finger
length, thickness, shape, size and other details and curvature for the purposes
of verification but not for identification.17 The advantage of this method is
that hand geometry data is easier to collect and, furthermore, hand geometry
can be combined with other biometrics, such as fingerprints.
The system consists of an acquisition device that captures the top view and
side view of a user's right hand as he places it on the flat surface of the
device. This system builds three-dimensional information based on the
hand’s geometry.
16 www.finger-scan.com
17 http://biometrics.cse.msu.edu/hand_geometry.html, by Arun Ross and Anil Jain
[Figure: Hand Geometry]18
As was said above, the human hand is not unique, so it is questionable
whether the data produced from a hand are suitable for use as an electronic
signature.
Moreover, another disadvantage of hand geometry is the large size of the
device in comparison with a fingerprint device or iris scanning device; also,
data may be affected by an injured hand or if jewelry is worn.
Voice / Voice Print
A voice biometric is a numerical model of the sound, pattern and rhythm of
an individual’s voice. A voice biometric, or "voice print", is unique like a
finger or palm print. Lorna Brazell has written:
“Voice biometric products analyze the waveform dynamics of a short
utterance by the subject which result from such features as the length of the
vocal tract and the shape of the mouth and nasal cavities, together with
regional accents and affectations.” The sound signal is then converted to
data for the electronic signature.
Voice biometric devices are easy to use, and users feel more comfortable
using a microphone than looking into an iris scanning device.
18 http://bias.csr.unibo.it/research/biolab/bio_tree.html
If the user suffers from a cold, laryngitis or any other disease which changes
his voice, he will have a problem with electronic signatures derived from his
voice. Furthermore, the human voice changes over time, which affects the
voice biometric device. Consequently, this may limit the usefulness of this
technology for making electronic signatures.
Vein Patterns
Fast, accurate and robust personal identification is an increasingly
important issue. A recent biometric method is the analysis of vein patterns
for the purpose of identification. It is understood that the vein patterns in
human hands are unique and do not change over a lifetime.
The devices using vein pattern biometrics are typically hand based and
use infra-red to scan the vein pattern in a person’s hand. These devices have
only just come to the commercial market, and it is still too soon to say that
they are suitable for electronic signatures. However, companies have
integrated these devices into the mouse or keyboard, where they can scan
the pattern of blood veins in the person's palm.19
Ear Lobes
The external part of the ear is used as a biometric identifier. It is based on
the distinctive shape of each person’s ears and the structure of the largely
cartilaginous, projecting portion of the outer ear.
Facial Thermograms20
The human face can provide physiological indicators of underlying health or
disease, or it can be used as a biometric identifier. An infrared camera
is used to capture an image of the face. The camera detects the heat pattern
created by the blood vessels of the face.
Keystroke dynamics
Keystroke dynamics is the process of analyzing the way users type by
monitoring password and keyboard inputs and authenticating them based on
habitual patterns in their typing rhythm.
19 Fujitsu Laboratories Ltd. today announced the development of highly precise biometric authentication
technology that can verify a person's identity by recognizing the pattern of blood veins in the person's palm.
http://pr.fujitsu.com/en/news/2002/08/28.html
20 Biometric recognition: techniques, applications and challenges, Anil K. Jain, Arun Ross,
The problem with keystroke recognition is that “there are no known features
or feature transformations which are dedicated solely to carrying
discriminating information.”21
Net Nanny Software Inc has developed software for identifying and
authenticating passwords typed on a normal computer keyboard, which is
incorporated in their program “BioPassword”. With this software the user
provides a series of typing samples so that the software can learn their
unique typing rhythm.22
DNA matching or DNA fingerprinting or DNA typing
One of the most important solutions to identify an individual is matching
DNA samples. The technique was developed in 1984 by the British
geneticist Alec Jeffreys at the University of Leicester.23 The process of
taking this test takes some days or weeks.
Two humans will have the vast majority of their DNA sequence in
common.24
DNA typing raises some issues such as privacy: the data collected from
this test can be used not only to identify an individual but also to reveal
some information about his body.
Most of these biometric technologies can produce advanced electronic
signatures and can satisfy the Electronic Signatures Directive. Clearly,
some of them, such as DNA typing, are not suited for creating electronic
signatures.
In practice, the usage of biometrics may be limited by:
1. “Rejection due to personal reasons;
2. Cultural incompatibility;
3. Absence of the respective biometric;
4. Insufficiently unique characteristics of the respective biometric
feature;
5. Abnormal characteristics of the respective biometric feature.”25
21 Keystroke Dynamics as a Biometric for Authentication, Fabian Monrose, Courant Institute of
Mathematical Sciences, New York University, New York, NY, and Aviel D. Rubin, AT&T Labs Research, http://www.cs.jhu.edu/~fabian/papers/fgcs.pdf and see
http://et.wcu.edu/aidc/BioWebPages/Biometrics_Keystroke.html
22 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 48
23 http://www.britannica.com/eb/article-9030731?query=DNA%20matching&ct= and
http://en.wikipedia.org/wiki/DNA_typing
24 http://en.wikipedia.org/wiki/DNA_typing
For most business transactions, biometric methods provide a quick, safe
and easy means to create an electronic signature. The recipient of such
data can be confident that the document was truly formed by the signatory.
As I said above, several different methods exist to sign documents
electronically. These electronic signatures vary from very simple methods
such as a scanned image of a handwritten signature in a word processing
document to advanced methods such as fingerprint scanning or other
biometric methods.
A question in using biometric methods is how and where the signatory's
data will be stored for secure verification.
In order to enforce the signatory’s legal obligations, the recipient of the
document needs to prove the signature. He will do so by producing
extrinsic evidence that:
1. The signature key or biometric data did in fact originate from the
purported signatory.
2. The linking of the information to the document could not have been
affected by a third party.26
The solution is likely to be a combination of biometric systems with digital
signatures. However, the signature key or biometric data needs to be kept
secret, to prevent third parties from affecting the messages which are
apparently signed by the signatory.
Encryption
Digital signatures are the most effective and workable means of
establishing the level of trust required between parties to a business
transaction. They are provided by “public key” cryptography.
25 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 49 and "Use of Biometrics for
User Verification in Electronic Signature Smartcards", B Sturif 2000. In Smart Card Programming and
Security-Proceedings of the International Conference on Research in Smart Cards (Esmart) (Cannes,
France, September 2001), pp. 220-228.
26 Internet Law Text and Materials, Second Edition, Chris Reed, 2004, Cambridge, page 145
“Cryptography” means hidden writing: the art and science of hiding the
meaning of a communication from unintended recipients, and also the
science of transforming readable text into cipher text and back again. Lorna
Brazell stated: “cryptography is not the only means of securing the
confidentiality of data or messages. Steganography involves hiding not just
the contents of the message, but the fact that there is a message at all.”27
Cryptography is an art which goes back thousands of years. By now
hundreds of different enciphering methods have become known, and
the only secure encryption method became known with the invention of the
computer. The method is really very simple. The sender and receiver of the
message both have a key which tells them, for each letter of the message,
how to translate it.
Cryptography is an important instrument for achieving secure electronic
signatures. There are a number of ways that cryptography can work in an
electronic environment.
The two common forms of cryptography are private key encryption and
public key encryption, which are known as the symmetric and asymmetric
encryption methods. In both of them a complex series of rules is applied to
produce the cipher.28
The basic nature of encryption in both models is that the author of an
electronic document can sign it by using a secret cryptographic key. In each
method, “the algorithm calculates the
transposition of each letter of the plaintext based upon a number which is
called the key.”29
Private Key encryption:
Private Key encryption was the only available option prior to the advent of
Public Key encryption in 1976. In private key encryption, both parties use
the same key to encrypt and to decrypt messages. It is necessary for both
sides to know and agree the key in advance; hence, when using this form of
encryption, it is essential that the sender and receiver have a way to
exchange secret keys in a secure manner.
27 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 49
28 Angel J, “Why use Digital Signatures for Electronic Commerce?”, 1999 (2) The Journal of Information,
Law and Technology (JILT). http://www.law.warwick.ac.uk/jilt/99-2/angel.html
29 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 49
If someone knows or can figure out the secret key, communications will be
insecure, and this means that all subsequent encrypted messages could be
read.30
There are two methods of breaking symmetric encryption. One is the risk of
loss of the key, which means all the encrypted messages could be read; the
other is that the key can be used for one exchange of messages.
Public key encryption
Public key encryption is more secure than private key encryption, as it does
not have the weakness of private key encryption. The secret keys do not have
to be transmitted or revealed to anyone; thus, there is no need for one party
to know the other’s private key in order to exchange encrypted messages.
With this method, encrypting is very easy but decrypting without the key is
extremely difficult; hence cracking public key encryption may take a couple
of weeks.
The public key can be used by anyone to encrypt a message. Only the owner
of the secret key can decrypt it. The message can be encrypted using one
key and then decrypted using the other. The keys are generated
using a large number. Thus, if two parties want to send information to each
other, they exchange their public keys. The public keys could also be
retrieved from a database which is open to the public. When X sends Y a
message, X enciphers the message using the public key of Y. Only Y can
decipher the message, using his secret key.
This also means that X can encode a message with his own secret key, which
Y can decode by using the public key of X. At first sight, this seems a silly
method, because everybody has access to the public key of X and can thus
decrypt and read the message. This is, indeed, true. On the other hand, Y can
be sure that the message can only originate from X, since he is the only one
who knows the secret key. Without having contacted X before, Y can trust
the authenticity of a message. It is on this technology of sharing a public
key that digital signatures are based. The key pair can be generated by the
user himself by running specific cryptography software. Even the recent
versions of the most popular Internet communication software, such as MS
Internet Explorer and Netscape Communicator, allow the user to create his
own key pair.
30 Ibid.
The recipient of the message can check the identity of the author by
decrypting the information with the public key of the presumed author.
Messages signed with the private key can be validated with the public key,
but the public key cannot be used to create a signature for a new message.
However, in order to check the validity of an electronic signature, the
recipient needs to know both the public key of the signatory and the
encryption system used to form the signature.
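An added example, not part of the original document: the two uses of a key pair described above (anyone enciphering for Y with Y's public key, and X signing with his secret key so that anyone can validate with X's public key), written as textbook RSA in Python. The primes, messages and function names are constructed for illustration; the keys are far too small, and lack the padding, needed for real use.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q, e=E):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)  # private exponent d = e^-1 mod phi

# Constructed toy keys built from small Mersenne primes; real keys use
# random primes of 1024+ bits together with padding (OAEP / PSS).
X_PUB, X_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
Y_PUB, Y_PRIV = make_keypair(2**89 - 1, 2**107 - 1)

def _digest(message, n):
    """SHA-256 of the message, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """The signatory transforms the digest with the SECRET key."""
    d, n = private
    return pow(_digest(message, n), d, n)

def verify(message, signature, public):
    """The recipient undoes the transform with the PUBLIC key and compares."""
    e, n = public
    return pow(signature, e, n) == _digest(message, n)

def encrypt(message, public):
    """Anyone can encipher for the key owner using the public key."""
    e, n = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(ciphertext, private):
    """Only the holder of the secret key can decipher."""
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def demo():
    contract = b"X agrees to pay Y 100 pounds"  # constructed sample document
    sig = sign(contract, X_PRIV)
    return {
        "genuine": verify(contract, sig, X_PUB),
        "altered": verify(b"X agrees to pay Y 900 pounds", sig, X_PUB),
        # An attempt to "sign" with only X's public key does not verify.
        "forged": verify(contract, sign(contract, X_PUB), X_PUB),
        "secret": decrypt(encrypt(b"meet at noon", Y_PUB), Y_PRIV),
    }
```

Calling demo() shows the genuine signature validating, the altered document and the public-key "signature" both failing, and Y recovering the enciphered message.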
Digital Signatures