Cyber Law & Islamic Ethics DIGITAL SIGNATURE CICT3523

INTRODUCTION There are number of transactions require a signature in order to be legally effective. However, a ‘traditional manuscript signature is not feasible where the parties communicate through the Internet. Digital communication technology requires methods of signature which are very different from the manuscript signature.

There are two possibilities of signatures The incorporation of a scanned image of a manuscript signature into a word processing file, followed by the sending of that document as an e-mail attachment. The ‘signature’ of an electronic document by means of a mathematical process. This ‘electronic document’ is a set of number or code which represents text or other information. This is what we call digital signature.

WHAT IS A DIGITAL SIGNATURE FOR? For identification. Signature shows the identity of the signatory. That the signatory intended the signature to be his signature. That the signatory approves of and adopt the contents of the document.

For security and privacy purposes. The sender of the message will be ensured that the recipient is the intended person and nobody can read the message or change it. For privacy purposes- whereby many people do not want others to read the message. The integrity and privacy of information are protected.

For legality To enforce the signatory’s legal obligations, the recipient of the document needs to prove that the signatory has signed the document. The signature can prove that the signatory approves and adopt the contents of the document and it can create legal obligation on him.

Therefore, in order to encourage electronic transactions and curb forgeries and computer-generated fraud, digital signature Act has been legislated in a number of country including Malaysia. The law provides the legal infrastructure and makes digital signature effective and it gives a recognition to the digital signature

UNDERSTANDING THE TECHNOLOGIES ASPECTS OF DIGITAL SIGNATURE One form of digital signature that has been recognised is public key cryptography. Public key cryptography is based on asymmetric cryptosystem. It means a series of algorithms which provide a secure key pair.

There are two keys; Private key. the key of a key pair to create a digital signature. It should be known only to the subscriber (kept secret).

Public key. the key of a key pair used to verify a digital signature the public key is freely distributed to others.

Note Knowing a user’s public key does not give any information about private key. Thus, many people may know the public key but they cannot discover the private key and use it to forge digital signature.

THE PROCESS There are 2 process; one performed by the signer and other by the receiver of the digital signature. The digital signature creation. The signature itself is actually a ‘hash’ i.e a string of digits representing a combination of the document and a unique computer-generated code by the document’s signer using a private key. Digital Signature verification is the process of checking the digital signature by using public key.

EXAMPLE 1 Suppose that Shafiq wishes to send his message to ABC company. He wishes to make sure that only that company can read it. He looks up the company’s public key in the Key directory and uses it to encrypt the message. If the message is M and the public key is AB then the encrypted message is AB(M). The company receives the message and uses the private key to decode it. Let’s say the private key is SH. The process is SH[AB(M)]=M. If a third party intercepts the message, he cannot read it since he does not know the key that decode it. If he alters the message in some way then SH will no longer to decode the message since the altered message is no longer AB(M).

EXAMPLE 2 Suppose that ABC company wishes to make sure that Shafiq knows the message from them but they do not care if the whole world know its contents. He encodes the message with a private key. If the private key is SH, so the result is SH(M) is sent to Shafiq with the instructions to decode it using public key, AB. Anybody who knows the public key can decode it but Shafiq will know that ABC is the sender of the message because only that company knows the private key that created the message.

BENEFITS of DIGITAL SIGNATURE The digital Signature have no resemblance to handwritten signatures. They have a unique features as opposed to handwritten signature; Each of digital signature is unique meaning that if everyone in the world had a digital signature, the chances are extremely low any two would be the same.

The digital signature is interwoven with the document that is being signed in such a way that the signature cannot be cut and pasted onto another document. Trying to extract the signature from the document is futile and can be easily detected. Handwritten signature changes over time. Some people never sign their names the same way twice. It easily be forged. A digital signature will not cause the same difficulty because it never changes.

There is no chance that the signer denies that he did not send the message since the system will cause the authentication of the sender’s identity to be done when the message is decrypted using the sender’s public key.

THE LEGAL FRAMEWORK Malaysia has enacted the Digital Signature Act 1997 based on the State of Utah Law on digital signature. There are few reasons why the law should be enacted for this purpose. The main reasons are for regulatory and management purposes.

Certification Authorities Controller Subscriber Repository 4 PARTIES INVOLVED Certification Authorities Controller Subscriber Repository

1. Certification Authority (CA) In Malaysia, The CA is Digicert Sdn. Bhd. CA is trusted third party who provide the authentication of a sender’s identity to a third party in an e-commerce transaction. If the parties have not had previous dealings, however, the recipient will have no knowledge whether the public key does in fact correspond to the purported identity of the signatory. This is where the ID certificates come in.

ID certificate contains; CA issues a digital certificates of authenticity to signify the identity of a signer and the validity of an original signature. ID certificate contains; A copy of public key. A statement that the issuer of the certificate has checked the identity of the signatory, that the signatory does in fact process the signature data which corresponds to the public key, and the issuer has checked that the public key validates the identified person’s digital signature.

The Responsibilities Of The CA Must get a license from a controller to carry out business as CA. It is an offence if the CA operates without a license and the punishment is a fine of RM500,000 or imprisonment of 10 years or both. Must use a trustworthy system to issue certificate and to create a private key. Take all reasonable measures to check for proper identification of the subscriber to be listed in the certificate.

To make sure that the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate and to make sure that the public key to be listed can be used to verify a digital signature affixed by the private key held by the subscriber. If the statement in the certificate turns out to be inaccurate, action can be brought against the CA.

2. The Controller of CA Controller is the authority responsible for the enforcement of the Act. Be appointed by the Minister concerned and they are public servants.

The Responsibilities Of The Controller Overall monitoring the activities of CA Issue a license to the CA Has power to investigate the activities of CA and conduct a prosecution against the CA Recognize a repository.

3. Subscriber Subscriber means a person who is the subject listed in a certificate, accept the certificate and holds a private key which corresponds to a public key listed in the certificate.

The Responsibilities Of Subscriber The subscriber rightfully holds the private key corresponding to the public key listed in the certificate All representations made by the subscriber to the CA are true. To notify the repository within a reasonable time of any facts that effect the validity of the certificate once it is issued.

4. Repository The controller will recognize the repository. For storing and retrieving certificates and other information relevant to digital signature. Once CA issues the certificate to the subscriber and the subscriber accepts it, the CA will publish a signed copy of the certificate in a recognized repository.

The Responsibilities Of Repository It would be from the repository that users of the public key would get the information of identification. Therefore, the Act does impose on them certain degree of liability. A repository will be liable for a loss incurred by a person if the person rely on the publication but the license has been suspended and revoked.

OTHER LEGAL ISSUES Digital signature has been recognized as an authentic signature under the Act and shall be legally binding as a document signed with a handwritten signature. Whether ISP would be affected or not? may not arise as the licensed CA is responsible to issue a certificate using a trustworthy system. The liability if any, may lie with the CA concerned.

PROBLEMS WITH DIGITAL SIGNATURE TECHNOLOGY The management of private key is difficult. It requires a person to remember the keys. It is impractical because for the key to be operative it would have to be long and complex. As a solution, storing in the computer or the smart card are the options. There is the possibility that the third party can access to it.

It can encourage e-commerce in Malaysia CONCLUSION Malaysia already legislated the law on digital signature namely Digital Signature Act 1998. It can encourage e-commerce in Malaysia