This information might take the form of:

1. An encryption key, a large binary number of 56 or more digits. Because humans cannot easily remember such numbers, nor key them in accurately, the encryption key will normally be stored on an information storage device such as a smart card, a memory stick or the hard disk of the signatory’s computer.
2. Biometric data, such as the signatory’s fingerprint, retina scanning or iris scanning.1

The retina is a thin layer of cells at the back of the eyeball of vertebrates and some cephalopods; it is the part of the eye which converts light into nervous signals.2 3 It has been known since the 1930s that each human being has a unique pattern of retinal blood vessels, the “retinal vascular pattern”.4 No two retinal vascular patterns are the same; hence, they provide a means of reliable personal identification. Moreover, the pattern of retinal blood vessels changes very little.

1 Internet Law Text and Materials, Second Edition, Chris Reed, 2004, Cambridge, page 145
2 http://www.britannica.com/eb/article-9063313?query=retina&ct=
3 http://en.wikipedia.org/wiki/Retina
4 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 41

[Figure]5

To scan a retina, a camera looks through the pupil and scans the user’s retina, which takes around 10 seconds.6 Retina scanning has been improved so that users can be scanned from a distance, and the scan is not affected by the subject wearing contact lenses.

Iris Scan

An iris scan is one of the most used current methods of biometric authentication. Using a small camera, an iris scan system examines both irises of the individual's eyes. It then takes advantage of small details in the iris stromal pattern in order to attempt positive identification of an individual.

5 Ibid.
6 Ibid.

[Figure]7

The texture of the iris arises from a “complex fibrous structure known as the trabecular meshwork, which forms during the latter stages of gestation and all but finishes developing prior to birth.
Its function is to drain the aqueous humor from the eye.”8 The iris of each person is unique, even between identical twins, and the patterns in the iris do not change.9 A camera captures an image of the iris of users who place themselves in front of the device. Some techniques omit the image of some parts of the eye, such as the eyelashes and pupil. Signal processing techniques10 are applied to the iris image to encode the data. Users may use an iris scanning device from up to two feet away. It is understood that iris scanning is an accurate biometric method. Neither contact lenses nor spectacles affect the iris scanning device.

7 http://www.cl.cam.ac.uk/users/jgd1000/sampleiris.jpg
8 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 42
9 "Biometric-Advanced Identity Verification", Julian Ashbourn (2000), p. 52, Springer-Verlag London Ltd.
10 Gabor Filters

Face Recognition

Facial recognition is the primary means by which humans identify one another; hence photographs of people appear on many documents such as passports. Computer systems have been developed to help specialists identify people from their facial photographs. In other words, a facial recognition system is a computer-driven application for automatically identifying a person from a digital image. These systems typically work by capturing an image of a person's face and searching for it in a database. One of the strongest advantages of facial recognition is that it can be performed from a distance, without requiring the subjects to wait for a long time or even without their noticing.
However, as Lorna Brazell argued: “Many people have expressed civil liberties concerns over the potential use of facial recognition cameras placed inconspicuously or surreptitiously, and this raises a concern as to whether a person's facial recognition-based electronic signature could be captured from them without their consent or knowledge.”11

[Figure: Face Recognition]12

11 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 44
12 http://bias.csr.unibo.it/research/biolab/bio_tree.html

Fingerprints or Handprints

One of the most useful and successful biometric products is fingerprints. As Anderson stated in his book, more than 70 per cent of fingerprint products have been sold for biometric technology.13 Fingerprints “afford an infallible”14 means of personal identification, because the ridge arrangement on every finger of every human being is unique and does not alter with growth or age. Moreover, if a finger is damaged, it will normally heal in such a way that the fingerprint is restored. For this reason, a person's fingerprint can be used as a method to identify people.

A fingerprint is an imprint made by the pattern of ridges on the ends of the fingers and thumbs.15 There are three basic fingerprint patterns: Arch, Loop and Whorl. Fingerprinting can be accomplished by a scanner. Recently IBM has installed fingerprint scanners in its laptop products, which identify their owners. A modern scanner is a very small device which can be attached to a computer or integrated into a keyboard. Such scanners are very easy to use, hence their common use as a means of providing electronic signatures.

13 R. Anderson, "Security Engineering", (2001) John Wiley & Sons, Inc., p. 265.
14 http://www.britannica.com/eb/article-9034291?query=fingerprint&ct=
15 http://www.britannica.com/eb/article-9034291?query=fingerprint&ct= and http://en.wikipedia.org/wiki/Fingerprint

[Figure]16

Hand/finger geometry

Unlike fingerprints, the human hand isn't unique.
One can use finger length, thickness, shape, size and other details and curvature for the purposes of verification but not for identification.17 The advantage of this method is that hand geometry data is easier to collect and, furthermore, hand geometry can be combined with other biometrics, such as fingerprints. The system consists of an acquisition device that captures the top view and side view of a user's right hand as he places it on the flat surface of the device. This system produces three-dimensional information based on the hand’s geometry.

16 www.finger-scan.com
17 http://biometrics.cse.msu.edu/hand_geometry.html by Arun Ross and Anil Jain

[Figure: Hand Geometry]18

As said above, the human hand is not unique, so it is questionable whether the data produced by the hand are suitable for use as an electronic signature. Moreover, another disadvantage of hand geometry is the large size of the device compared with a fingerprint device or an iris scanning device; also, the data may be affected by an injured hand or if jewelry is worn.

Voice / Voice Print

A voice biometric is a numerical model of the sound, pattern and rhythm of an individual’s voice. A voice biometric, or "voice print", is unique like a finger or palm print. Lorna Brazell has written: “Voice biometric products analyze the waveform dynamics of a short utterance by the subject which result from such features as the length of the vocal tract and the shape of the mouth and nasal cavities, together with regional accents and affectations.” The sound signal is then converted to data for the electronic signature. Voice biometric devices are easy to use, and users feel more comfortable using a microphone than looking into an iris scanning device.

18 http://bias.csr.unibo.it/research/biolab/bio_tree.html

If the user suffers from a cold, laryngitis or any other disease which changes his voice, he will have a problem with electronic signatures based on his voice.
Furthermore, the human voice changes over time, which affects the voice biometric device. Consequently, this may limit the usefulness of this technology for making electronic signatures.

Vein Patterns

Fast, accurate and robust personal identification is an increasingly important issue. A recent biometric method has been discovered, which is the analysis of vein patterns for the purpose of identification. It is understood that the vein patterns in human hands are unique and do not change over the lifetime. The devices using vein pattern biometrics are typically hand based, and they use infra-red to scan the vein pattern in a person’s hand. These devices have just come to the commercial market, and it is still too soon to say that they are suitable for electronic signatures. However, companies have integrated these devices into the mouse or keyboard, where they can scan the pattern of blood veins in the person's palm.19

Ear Lobes

The external part of the ear is used as a biometric identifier. It is based on the distinctive shape of each person’s ears and the structure of the largely cartilaginous, projecting portion of the outer ear.

Facial Thermograms20

The human face can provide physiologic indicators of underlying health or disease, or it can be used as a biometric identifier. An infrared camera is used to capture an image of the face. The camera detects the heat pattern created by the vessels of the face.

Keystroke dynamics

Keystroke dynamics is the process of analyzing the way users type by monitoring password and keyboard inputs and authenticating them based on habitual patterns in their typing rhythm.

19 Fujitsu Laboratories Ltd. today announced the development of highly precise biometric authentication technology that can verify a person's identity by recognizing the pattern of blood veins in the person's palm. http://pr.fujitsu.com/en/news/2002/08/28.html
20 Biometric recognition: techniques, applications and challenges, Anil K.
Jain, Arun Ross,

The problem with keystroke recognition is that “there are no known features or feature transformations which are dedicated solely to carrying discriminating information.”21 Net Nanny Software Inc has developed software for identifying and authenticating passwords typed on a normal computer keyboard, which is incorporated in their program “BioPassword”. With this software the user provides a series of typing samples to teach the software their unique typing rhythm.22

DNA matching or DNA fingerprinting or DNA typing

One of the most important solutions for identifying an individual is matching DNA samples. The technique was developed in 1984 by the British geneticist Alec Jeffreys at the University of Leicester.23 The process of taking this test takes some days or weeks. Two humans will have the vast majority of their DNA sequence in common.24 DNA typing raises some issues such as privacy: the data collected from this test can be used not only to identify an individual but also to obtain some information about his body.

Most of these biometric technologies can produce advanced electronic signatures, and they can satisfy the Electronic Signatures Directive. Clearly, some of them, such as DNA typing, are not suited to creating electronic signatures. In practice, the use of biometrics may be limited by:

1. “Rejection due to personal reasons;
2. Cultural incompatibility;
3. Absence of the respective biometric;
4. Insufficiently unique characteristics of the respective biometric feature;
5. Abnormal characteristics of the respective biometric feature.”25

21 Keystroke Dynamics as a Biometric for Authentication, Fabian Monrose, Courant Institute of Mathematical Sciences, New York University, New York, NY, and Aviel D.
Rubin, AT&T Labs Research, http://www.cs.jhu.edu/~fabian/papers/fgcs.pdf and see http://et.wcu.edu/aidc/BioWebPages/Biometrics_Keystroke.html
22 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 48
23 http://www.britannica.com/eb/article-9030731?query=DNA%20matching&ct= and http://en.wikipedia.org/wiki/DNA_typing
24 http://en.wikipedia.org/wiki/DNA_typing

For most business transactions, a biometric method provides a quick, safe and easy means to create an electronic signature. The recipient of such data can be confident that the document was truly formed by the signatory.

As I said above, several different methods exist to sign documents electronically. These electronic signatures vary from very simple methods, such as a scanned image of a handwritten signature in a word processing document, to advanced methods such as fingerprint scanning or any other biometric method.

A question raised by biometric methods is how and where the signatory's data will be stored so that verification is secure. In order to enforce the signatory’s legal obligations, the recipient of the document needs to prove the signature. He will do so by producing extrinsic evidence that:

1. The signature key or biometric data did in fact originate from the purported signatory.
2. The linking of the information to the document could not have been affected by a third party.26

The solution is likely to be a combination of biometric systems with digital signatures. However, the signature key or biometric data needs to be kept secret, to prevent third parties from affecting the messages which are apparently signed by the signatory.

Encryption

Digital signatures are the most effective and workable means of establishing the level of trust required between parties to a business transaction. They are provided by “public key” cryptography.
25 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 49 and "Use of Biometrics for User Verification in Electronic Signature Smartcards", B Sturif 2000. In Smart Card Programming and Security-Proceedings of the International Conference on Research in Smart Cards (Esmart) (Cannes, France, September 2001), pp. 220-228.
26 Internet Law Text and Materials, Second Edition, Chris Reed, 2004, Cambridge, page 145

“Cryptography” means hidden writing: the art and science of hiding the meaning of a communication from unintended recipients, and also the science of transforming readable text into cipher text and back again. Lorna Brazell stated: “cryptography is not the only means of securing the confidentiality of data or messages. Steganography involves hiding not just the contents of the message, but the fact that there is a message at all.”27

Cryptography is an art that goes back thousands of years. Hundreds of different enciphering methods have been known since then, and the only secure encryption method became known with the invention of the computer. The method is really very simple. The sender and receiver of the message both have a key which tells them, for each letter of the message, how to translate it.

Cryptography is an important instrument for achieving secure electronic signatures. There are a number of ways that cryptography can work in an electronic environment. The two common forms of cryptography are private key encryption and public key encryption, which are known as the symmetric and asymmetric encryption methods. In both of them a complex series of rules is applied to produce the cipher.28 The basic nature of encryption in both models is that the author of an electronic document can sign his electronic document by using a secret cryptography key.
In each method, “the algorithm calculates the transposition of each letter of the plaintext based upon a number which is called the key.”29

Private Key encryption

Private key encryption was the only available option prior to the advent of public key encryption in 1976. In private key encryption, both parties use the same key to encrypt and to decrypt messages. It is necessary for both sides to know and agree the key in advance; hence, when using this form of encryption, it is essential that the sender and receiver have a way to exchange secret keys in a secure manner.

27 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 49
28 Angel J, “Why use Digital Signatures for Electronic Commerce?”, 1999 (2) The Journal of Information, Law and Technology (JILT). http://www.law.warwick.ac.uk/jilt/99-2/angel.html
29 Electronic Signatures Law and Regulation, Lorna Brazell, 2003, page 49

If someone learns or can figure out the secret key, communications will be insecure, and this means that all subsequent encrypted messages could be read.30 There are two methods of breaking symmetric encryption. There is the risk of loss of the key, which means all the encrypted messages could be read, and the key can be used for one exchange of messages.

Public key encryption

Public key encryption is more secure than private key encryption, because it does not have the weakness of private key encryption. The secret keys do not have to be transmitted or revealed to anyone; thus, there is no need for one party to know the other’s private key in order to exchange encrypted messages. With this method, encrypting is very easy but decrypting without the key is extremely difficult; hence cracking public key encryption may take a couple of weeks.

The public key can be used by anyone to encrypt a message. Only the owner of the secret key can decrypt it. The message can be encrypted using one key and can then be decrypted using the other. The keys are generated using a large number.
Thus, if two parties want to send information to each other, they exchange their public keys. The public keys could also be retrieved from a database which is open to the public. When X sends a message to Y, X enciphers the message using the public key of Y. Only Y can decipher the message, using his secret key.

This means that X can encode a message with his own secret key, which Y can decode by using the public key of X. At first sight, this seems a silly method, because everybody has access to the public key of X and can thus decrypt and read the message. This is, indeed, true. On the other hand, Y can be sure that the message can only originate from X, since he is the only one who knows the secret key. Without having contacted X before, Y can trust the authenticity of a message. It is on this technology of sharing a public key that digital signatures are based.

The key pair can be generated by the user himself by running specific cryptography software. Even the recent versions of the most popular Internet communication software, such as MS Internet Explorer and Netscape Communicator, allow the user to create his own key pair. The recipient of the message can check the identity of the author by decrypting the information with the public key of the presumed author. Messages signed with the private key can be validated with the public key, but the public key cannot be used to create a signature for a new message. However, in order to check the validity of an electronic signature, the recipient needs to know both the public key of the signatory and the encryption system used to form the signature.

30 Ibid.

Digital Signatures
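The exchange between X and Y described in the public key section above, as an added example that is not part of the original text. It is a toy textbook-RSA sketch: the primes are constructed demo values, the function names are assumptions of this example, and there is no padding, so it illustrates the key roles only and is not a usable signature scheme.

```python
# Added illustration (not from the original text): toy textbook RSA.
# Constructed parameters, no padding; real systems use vetted libraries.
import hashlib

E = 65537  # public exponent, assumed for this sketch

def make_keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def encrypt(public, plaintext):
    """Anyone holding the recipient's public key can encrypt."""
    n, e = public
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(private, ciphertext):
    """Only the holder of the matching secret key recovers the text."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private, message):
    """Signing: transform the message hash with the secret key."""
    n, d = private
    return pow(digest(message), d, n)

def verify(public, message, signature):
    """Verification needs only the signatory's public key."""
    n, e = public
    return pow(signature, e, n) == digest(message)

def demo():
    # Constructed primes (Mersenne primes, acceptable for a demo only).
    x_pub, x_priv = make_keypair(2**127 - 1, 2**521 - 1)
    y_pub, y_priv = make_keypair(2**89 - 1, 2**607 - 1)
    msg = b"X agrees to pay Y 100"
    sig = sign(x_priv, msg)
    forged = pow(digest(msg), x_pub[1], x_pub[0])  # made from public key only
    return {
        "y_decrypts": decrypt(y_priv, encrypt(y_pub, msg)) == msg,
        "signature_valid": verify(x_pub, msg, sig),
        "altered_message": verify(x_pub, b"X agrees to pay Y 900", sig),
        "forged_with_public_key": verify(x_pub, msg, forged),
    }

if __name__ == "__main__":
    print(demo())
```

The last two results are the ones that matter for a recipient: a signature checked against an altered document fails, and a value computed from X's public key alone does not verify as X's signature.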