electronic document & electronic signatures


Post on 17-Jan-2015






Joint International Doctoral degree in Law, Science and Technology http://www.last-jd.eu


  • 1. Electronic Document & Signatures
      Joint International Doctoral degree in Law, Science and Technology, http://www.last-jd.eu
      Michele Martoni, Contract Professor at the University of Bologna, Ph.D. in IT Law | Lawyer
      December 10, 2012, Bologna

  • 2. 0. Roadmap
      1) Electronic Identification
      2) Identity theft and Data Value (Social Engineering, OSINT, Phishing, incorrect sharing of personal data - email, social network, cloud computing services, etc.)
      3) Technical Introduction
      4) Document and Signing
      5-6) Regulatory Framework (EU and Italian)

  • 3. 1. Electronic Identification
      Is there a way for remote certification of our identity? Yes!
      Is there a way to certify the integrity of an electronic document? Yes!
      We have technologies. We have norms. But we need to be aware of the correct use!
      The risk is to use and share our information in a way that allows third parties to abuse it.

  • 4. 2. Identity theft & Identity fraud
      Identity theft is a form of stealing someone's identity in which someone pretends to be someone else by assuming that person's identity.
      Identity theft is not always detectable by the individual victims, according to a report done for the FTC.
      Identity fraud is often but not necessarily the consequence of identity theft.
      (1) http://en.wikipedia.org/wiki/Identity_theft
      (2) Federal Trade Commission, 2006, Identity Theft Survey Report

  • 5. 2.1. Social Engineering
      Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information (also personal).
      All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware", are exploited in various combinations to create attack techniques.
      (1) http://en.wikipedia.org/wiki/Social_engineering_(security)

  • 6. 2.2. Phishing
      Phishing is a technique of fraudulently obtaining private information.
      Typically, the phisher sends an e-mail that appears to come from a legitimate business (a bank, or credit card company) requesting "verification" of information and warning of some dire consequence if it is not provided.
      The e-mail usually contains a link to a fraudulent web page that seems legitimate (with company logos and content) and has a form requesting everything from a home address to an ATM card's PIN code.

  • 7. 2.3. Personal data sharing
      Ex. Facebook's Statement of Rights and Responsibilities, Art. 2. Sharing Your Content and Information
      You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition:
      For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.
      (1) http://www.facebook.com/legal/terms

  • 8. 3. Technical Introduction
      To classify electronic signatures correctly as a legal institution, the examination has to start from the essence of this technology.
      Electronic signatures can be complex, modern applications of cryptography.

  • 9. 3. Technical Introduction
      We can distinguish: Cryptography, Cryptanalysis.
      The race between cryptography and cryptanalysis has led to the development of increasingly sophisticated techniques.
      We can distinguish: Steganography, Cryptography.

  • 10. 3.1. Steganography
      physical concealment of the message
      the message is physically invisible
      high risk of harm in case of interception

  • 11. 3.2. Cryptography
      semantic concealment of the content of the message
      the message is visible but not understandable
      key management becomes a priority

  • 12. 3.3. Symmetric cryptography
      Symmetric cryptography, also known as private-key or secret-key encryption, is the cryptographic technique that uses a single key for both the encryption operation and the deciphering.

  • 13. 3.3. Symmetric cryptography
      Ex. Transpositional method

  • 14. 3.3.1. Key Exchange
      Diffie, Hellman, Merkle (Stanford, 1976)

  • 15. 3.4. RSA Algorithm
      Shamir, Rivest, Adleman (Boston, MIT, 1977)

  • 16. 3.4.1. Asymmetric cryptography
      Asymmetric encryption (public-key cryptography) instead uses a pair of keys, a public key and a private key. The principle of this technique is that what is encrypted with one key can only be decrypted with the other key of the pair.

  • 17. 3.4.2. Cryptographic keys
      One key (Kpriv) to encrypt
      One other key (Kpub) to decrypt
      Two different but interconnected keys
      Private key (Kpriv) known only by holder
      Public key (Kpub) known by everyone

  • 18. 3.4.3. Cyphertext
      [Diagram: Alice and Bob. Key applied to the message: KPUB Bob. Keys shown: KPUB Alice, KPRIV Alice, KPUB Bob, KPRIV Bob]
      Secrecy of content: yes
      Authentication: no

  • 19. 3.4.4. Signed text
      [Diagram: Alice and Bob, message "Dear Bob, I love you, Alice". Key applied to the message: KPRIV Alice. Keys shown: KPUB Alice, KPRIV Alice, KPUB Bob, KPRIV Bob]
      Secrecy of content: no
      Authentication: yes

  • 20. 3.4.5. Signed Cyphertext
      [Diagram: Alice and Bob, message "Dear Bob, I love you, Alice". Keys applied to the message: KPRIV Alice, KPUB Bob. Keys shown: KPUB Alice, KPRIV Alice, KPUB Bob, KPRIV Bob]
      Secrecy of content: yes
      Authentication: yes

  • 21. 3.4.6. Hash Function
      The problem with encryption in a public key infrastructure is the time required by the mathematical operations of encryption.
      A hash function is an algorithm that turns a variable-sized amount of text into a fixed-sized output (hash value or digest).

  • 22. 4. Document and Signing
      Original concept of document
      Original concept of signing
      (1) Martoni M., in Cyber Law, Suppl. 17 (December 2008), Italy, p. 138, Kluwer Law International

  • 23. [No text on this slide]

  • 24. 5. EU Regulatory Framework
      Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures
      http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:en:HTML

  • 25. 5.1. Directive Scope
      to facilitate the use of electronic signatures
      to contribute to their legal recognition
      to ensure the proper functioning of the internal market
      It does not cover aspects related to the conclusion and validity of contracts or other legal obligations

  • 26. 5.2. Definitions | Electronic Signatures
      data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication

  • 27. 5.2. Definitions | Advanced E.S.
      an electronic signature which meets the following requirements:
      (a) it is uniquely linked to the signatory;
      (b) it is capable of identifying the signatory;
      (c) it is created using means that the signatory can maintain under his sole control; and
      (d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable

  • 28. 5.2. Definitions | Signatory
      a person who holds a signature-creation device and acts either on his own behalf or on behalf of the natural or legal person or entity he represents

  • 29. 5.2. Definitions | Sign.-creation data
      unique data, such as codes or private cryptographic keys, which are used by the signatory to create an electronic signature

  • 30. 5.2. Definitions | Sign.-creation device
      means configured software or hardware used to implement the signature-creation data

  • 31. 5.2. Definitions | Secure ... device
      a signature-creation device which meets the requirements laid down in Annex III

  • 32. 5.2. Definitions | Secure ... device, Annex III
      1. Secure signature-creation devices must, by appropriate technical and procedural means, ensure at the least that:
      (a) the signature-creation-data used for signature generation can practically occur only once, and that their secrecy is reasonably assured;
      (b) the signature-creation-data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology;
      (c) the signature-creation-data used for signature generation can be reliably protected by the legitimate signatory against the use of others.
      2. Secure signature-creation devices must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process.

  • 33. 5.2. Definitions | Certificate
      an electronic attestation which links signature-verification data to a person and confirms the identity of that person

  • 34. 5.2. Definitions | Qualified Certificate
      a certificate which meets the requirements laid down in Annex I and is provided by a certification-service-provider who fulfils the requirements laid down in Annex II

  • 35. 5.2. Definitions | Annex I
      Qualified certificates must contain:
      (a) an indication that the certificate is issued as a qualified certificate;
      (b) the identification of the certification-service-provider and the State in which it is established;
      (c) the name of the signatory or a pseudonym, which shall be identified as such;
      (d) provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended;

  • 36. 5.2. Definitions | Annex I
      (e) signature-verification data which correspond to signature-creation data under the control of the signatory;
      (f) an indication of the beginning and end of the period of validity of the certificate;
      (g) the identity code of the certificate;
      (h) the advanced electronic signature of the certification-service-provider issuing it;
      (i) limitations on the scope of use of the certificate, if applicable; and
      (j) limits on the value of transactions for which the certificate can be used, if applicable.
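
The signing flow of the "Signed text" and "Hash Function" slides, and requirement (d) of the advanced electronic signature definition (any subsequent change of the data is detectable), shown as an added example that is not part of the original slides. It assumes textbook RSA over a SHA-256 digest with a toy key built from two known Mersenne primes; the key, the function names and the sample messages are constructed for the demonstration.

```python
import hashlib

# Toy key pair (constructed for this demo): two known Mersenne primes.
# Unpadded and far too small for real use; production signatures use
# keys of at least 2048 bits with a padding scheme such as RSA-PSS.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                              # modulus, shared by both keys
E = 65537                              # public exponent  (Kpub, known by everyone)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Kpriv, known only by holder)


def digest(document: bytes) -> int:
    """Hash step: variable-sized input -> fixed-size SHA-256 value, reduced below N."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes) -> int:
    """Alice applies her private key to the digest, not to the whole document."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Bob opens the signature with Alice's public key and compares digests."""
    return pow(signature, E, N) == digest(document)


def demo() -> dict:
    original = b"Dear Bob, I love you. Alice"   # constructed sample message
    altered = b"Dear Bob, I owe you. Alice"     # same message after tampering
    signature = sign(original)
    return {
        # The digest length does not depend on the input length.
        "digest_len_short": len(hashlib.sha256(b"a").digest()),
        "digest_len_long": len(hashlib.sha256(b"a" * 100_000).digest()),
        # The signature verifies only over the exact bytes that were signed.
        "original_ok": verify(original, signature),
        "altered_ok": verify(altered, signature),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The message itself stays readable, which matches the slide's "Secrecy of content: no, Authentication: yes"; only the short digest goes through the slow private-key operation.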

