Cryptography before the mid-1970s used just one secret, known to both the enciphering and deciphering parties (Gladman et al, 1999). In the past it was used mostly by diplomats, spies and the military, but times have changed and it has become an indispensable part of electronic commerce and security. Modern business applications of cryptography include secure messaging, e-commerce, online banking, secure storage, authentication, Digital Rights Management and watermarking. Crucial to modern cryptography is the use of digital signatures, message digests and digital certificates.
Digital Signatures
Digital Signatures are a technology that gives two parties the ability to validate the authenticity of information, including important documents, that is transmitted electronically. The Electronic Communications Act 2000 states that a digital signature is as legally binding as a handwritten contract. Therefore, when a digital signature is added to a document, it provides assurance that the document’s sender is the person they claim to be. This eliminates the fear that sensitive data is disclosed to people for whom it is not intended (Grupe et al, 2003). The concept of how digital signatures work can be illustrated with an example:
Alan is given two keys: a public key and a private key. The keys are used to encrypt information, and only a person with the appropriate key can read that information. Either of the two keys can encrypt the data and the other can then decrypt it. Anyone can obtain Alan’s public key, but the private key is kept by Alan alone.
Rishi can encrypt a message using Alan’s public key. Alan then uses his private key to decrypt the message. This means that anybody could intercept Rishi’s message, but they cannot decrypt it without Alan’s private key.
With the private key, Alan can place digital signatures on documents and other data. This places a ‘stamp’ on the document that is unique to Alan and difficult to forge.
Message Digests
Following on from the idea of digital signatures, the signature can also be used to ensure that any changes made to the data can be easily detected. This is done by the use of a “Message Digest”. For example, Alan prepares a plaintext document which is a contract.
The plaintext document can be crunched down into a short, fixed-length value by a process called “hashing”. This value is called the Message Digest (MD), and the same document will always produce the same MD. This means that if the document has been tampered with, a different MD will be produced, providing clear evidence that changes have been made. It should also be noted that it is not possible to convert a message digest back into the original plaintext document. Alan can then encrypt the message digest with his private key to create a digital signature.
This digital signature is appended to the document, and both can then be sent to Rishi together with the original plaintext document.
If Rishi can decrypt the signature file with Alan’s public key, this proves that the document was signed by Alan, as only he has the private key. Furthermore, if the hash algorithm produces the same message digest, this proves that the signed data has not been changed. As a result, Alan cannot deny that the document was sent by him. Rishi therefore creates another Message Digest from the plaintext contract; if it is the same Message Digest that was just decrypted using Alan’s public key, the digital signature is bound to the contract and Rishi now has a legally enforceable, digitally signed contract. Rishi would also gain nothing by altering the contract, as doing so would produce a different Message Digest from the contract Alan signed; consequently, Alan would not be legally bound by it. The whole process is summarised in the diagram below.
Digital Certificates
Digital Certificates are used to instil extra confidence that a public key actually belongs to a particular person. They consist of four components: a public key, information on the key’s owner, a signature from a certification authority, and information about the certificate itself, including the period of validity and the serial number. It is a method of authentication by vouching and merely binds the key to the information that is on the certificate; this can provide varying levels of assurance. Referring back to the previous example, the scenario can be expanded further to incorporate the use of digital certificates.
Suppose a digital certificate is created for Alan by a Certification Authority (CA). This means that Alan’s public key is signed by the CA, together with some personal information about Alan. Now Rishi can check that the public key he holds truly belongs to Alan. First, the CA’s public key is used to verify the signature on Alan’s certificate. Once the certificate’s signature is decrypted, it is possible to check that Alan is trusted by the CA and that all of the certificate information relating to Alan’s identity is correct. Afterwards, Alan’s public key is taken from the certificate and used to check Alan’s signature. If Alan’s public key successfully decrypts the signature, Rishi can be sure the signature was created using Alan’s private key, as the CA has certified the matching public key (www.youdzone.com).
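The following is an added example, not taken from the essay or from any of its references, that walks through both the Message Digest section (Alan hashes the contract, encrypts the digest with his private key, and Rishi checks it with the public key) and the certificate scenario above (a CA signs Alan’s public key, owner details, serial number and validity period, and Rishi verifies that certificate before trusting the key). It uses textbook RSA, which is exactly the “encrypt the digest with the private key, decrypt it with the public key” model the text describes, with SHA-256 as the hash. The key pairs are constructed toy keys built from known Mersenne primes so that the example runs offline with only the Python standard library; real keys are generated at random, are at least 2048 bits long, and real signatures use a padding scheme such as RSA-PSS rather than the raw modular exponentiation shown here. The names Alan, Rishi and the CA, the contract text and the dates are all assumptions for illustration.

```python
"""Toy walkthrough of the essay's signature / digest / certificate scenario.

Added example, not code from the essay or its references. Textbook RSA with
fixed toy keys built from Mersenne primes; for explanation only, never for use.
"""
import hashlib
import json
from datetime import date

E = 65537  # the usual public exponent


def make_toy_keypair(p, q):
    """Textbook RSA key from two distinct primes: public (n, e), private (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


# Constructed toy keys (assumption): Mersenne primes chosen only so the example
# needs no prime generation. Real keys are random, 2048-bit-plus primes.
ALAN_PUB, ALAN_PRIV = make_toy_keypair(2**127 - 1, 2**521 - 1)
CA_PUB, CA_PRIV = make_toy_keypair(2**607 - 1, 2**89 - 1)


def message_digest(data: bytes) -> int:
    """The "hashing" step: a fixed-length SHA-256 digest, read as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, priv) -> int:
    """Alan's step: "encrypt" the digest with the private key (d)."""
    n, d = priv
    return pow(message_digest(data), d, n)


def verify(data: bytes, signature: int, pub) -> bool:
    """Rishi's step: "decrypt" the signature with the public key (e) and compare
    it with a freshly computed digest of the document he received."""
    n, e = pub
    return pow(signature, e, n) == message_digest(data)


def issue_certificate(subject_pub, owner, serial, not_before, not_after, ca_priv):
    """The CA assembles the four components the essay lists and signs them."""
    body = {
        "public_key": list(subject_pub),
        "owner": owner,
        "serial": serial,
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
    }
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "ca_signature": sign(encoded, ca_priv)}


def verify_certificate(cert, expected_owner, ca_pub, today) -> bool:
    """Rishi's checks: CA signature over the body, owner identity, validity period."""
    body = cert["body"]
    encoded = json.dumps(body, sort_keys=True).encode()
    if not verify(encoded, cert["ca_signature"], ca_pub):
        return False  # body was altered or not signed by this CA
    if body["owner"] != expected_owner:
        return False  # key belongs to someone else
    # ISO dates compare correctly as strings
    return body["not_before"] <= today.isoformat() <= body["not_after"]


def walkthrough(today=date(2008, 12, 31)):
    """Run the scenario and report the outcome of every check."""
    contract = b"Alan agrees to supply 100 widgets to Rishi for 5,000 GBP."  # constructed
    tampered = b"Alan agrees to supply 100 widgets to Rishi for 500 GBP."    # constructed
    signature = sign(contract, ALAN_PRIV)

    cert = issue_certificate(ALAN_PUB, "Alan", serial=1001,
                             not_before=date(2008, 1, 1), not_after=date(2009, 12, 31),
                             ca_priv=CA_PRIV)
    # Rishi takes Alan's key from the certificate only after the CA check passes.
    cert_ok = verify_certificate(cert, "Alan", CA_PUB, today)
    alan_pub_from_cert = tuple(cert["body"]["public_key"])
    # A certificate whose owner field is edited no longer matches the CA signature.
    forged_cert = dict(cert, body=dict(cert["body"], owner="Mallory"))

    return {
        "original_verifies": verify(contract, signature, alan_pub_from_cert),
        "tampered_detected": not verify(tampered, signature, alan_pub_from_cert),
        "certificate_valid": cert_ok,
        "forged_certificate_rejected": not verify_certificate(forged_cert, "Mallory", CA_PUB, today),
        "expired_certificate_rejected": not verify_certificate(cert, "Alan", CA_PUB, date(2010, 6, 1)),
    }


if __name__ == "__main__":
    for check, result in walkthrough().items():
        print(f"{check}: {result}")
```

Each entry in the returned dictionary corresponds to one sentence of the essay’s argument: the signature verifies against the original contract, an edited contract produces a different digest and so fails, the CA’s signature binds Alan’s key to his name and a validity period, and a certificate with an edited owner field or one checked after its expiry date is rejected before Alan’s key is ever trusted.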
Applications for Accountants
Digital signatures can improve internal controls and the authenticity of data. All electronic and legally binding documents and transaction records must be subject to a trustworthy process of authentication. As digital signatures are far more difficult to forge than handwritten signatures, this should mean that less extensive audit testing is required. There are also a number of cost savings from using digital signatures: reduced paper and communications costs, reduced transaction and administrative costs, and the elimination of process steps.
Accountants can use digital signatures to create paperless contracts and to sign financial reports. They can potentially be used for other functions such as approval of holidays, payroll and supply chain transactions. As all documents are encrypted, security is improved: even if vital documents containing sensitive information such as takeover plans are stolen, the data cannot be read by people it is not intended for, as they will not be able to decrypt it. There are clearly huge benefits to using digital signatures. The Big Four accounting firms have already started issuing digital signatures in partnership with private vendors such as Verisign (Grupe et al, 2003). I believe that eventually every accounting department will follow suit and adopt the use of digital signatures.
References:
Gladman et al (1999) Digital Signatures, Certificates and Electronic Commerce.
Grupe et al (2003) Understanding Digital Signatures. The CPA Journal.
What is a Digital Signature? Available at: http://www.youdzone.com/signature.html [accessed 31 December 2008].