Chapter 5 - Digital Signature

Download as pdf or txt
Download as pdf or txt
You are on page 1of 17

2023/4/20

CHAPTER 5

DIGITAL SIGNATURE

Chapter 5: Digital signature

5.1 Overview of E-contract

5.2 Security threats in the EC environment

5.3 Digital signature

1
2023/4/20

5.1.1. Definition and the characteristics

“A civil contract is an agreement between the


parties to establish, change or terminate civil rights
and/or obligations”
( Article 388; Section 7; Chapter XVII –
The Civil Code 2005)

Definition

“E-contracts mean contracts established in the form


of data messages provided for in this Law”
(Article 33 – Law on E-transactions)

2
2023/4/20

5.1.2. E-contract and traditional contract

Similarities:
 Both are contracts and only formed when the parties reach
the unity.
 Based on a specific legal basis
 Compliance with the principle of "freedom of contract,
but not contrary to law, public morals" and "voluntariness,
equality, goodwill, cooperation, honesty and uprightness“
 Adhere to the principal of implementing the contract

5.1.2. E-contract and traditional contract

Differences:
• The subjects involved in entering into the contract:

BUYER

CERTIFICATION NETWORK
AUTHORITY SUPPLIER

SELLER

3
2023/4/20

5.1.2. E-contract and traditional contract

 Signing method:
+ E-contract: signed by electronic means in the Internet
environment
+ Traditional contract: in the form of paper contract or
verbal contract in normal environment

5.1.2. E-contract and traditional contract

 Content of the contract:


+ Legal address
+ The right to access and change the information
+ E-payment method
+ The appearance of terms and conditions:
- Display without any link
- Display with a link
- Display at the bottom
- Display as dialog box

4
2023/4/20

5.1.3. E-contract classification

- Traditional contracts are posted on the website


- E-contracts are formed through automatic
transactions (through manipulation of click, type
and browse)
- Email contracts
- E-contracts use digital signature

5.2. Security threats in the EC environment

Phishing and
identity theft

Unwanted Hacking and


program cybervandalism

Malicious code
SECURITY Credit card
THREATS fraud/theft

5
2023/4/20

5.2. Security threats in the EC environment

Sniffing

DOS and DDOS


Insider attacks
attacks

SECURITY Poorly designed


Spoofing and
server and
spam websites THREATS client software

Malicious code

Malicious code (malware) includes a variety of


threats such as viruses, worms, Trojan horses and
bots
- A virus is a computer program that has the ability
to replicate or make copies to itself, and spread to
other files. Some major categories: macro viruses,
file-infecting viruses, script viruses.

6
2023/4/20

Malicious code

- A worm is a malware that is designed to spread


from computer to computer.
- A Trojan Horse appears to be benign, but then
does something other than expected. The Trojan
horse is not itself a virus, but is often a way for
viruses or other malicious code to be introduced
into a computer system.

Malicious code

- Bots (short for robots) are a type of malicious


code that can be convertly installed on your
computer when attached to the Internet. Once
installed, the bots responds to external command
sent by the attackers.

7
2023/4/20

Unwanted program

Some unwanted programs such as: adware,


browser parasites, spyware...
- Adware is typically used to call for pop-up ads to
display when the user visit certain sites. However,
it is not typically used for criminal activities.

Unwanted program

- A browser parasite is a program that can monitor


and change the settings of a user’s browser.
- Spyware is a program used to obtain information
such as user’s keystrokes, email... and even take
screenshots

8
2023/4/20

Phishing and identity theft

- Phishing is any deceptive, online attempt by a third


party to obtain confidential information for financial
gain.
- Phishing attacks do not involve malicious code but
instead rely on straightforward misreprentation and
fraud, so-called “social engineering” techniques.

Hacking and cybervandalism

- A hacker is an individual who intends to gain


unauthorized access to a computer system.
- Cracker: within the hacking community, a term
typically used to denote a hacker with criminal intent.
- Cybervandalism: intentionally disrupting, defacing
or even destroying a site.

9
2023/4/20

Credit card fraud/theft

The most frequent cause of stolen cards and card


information is the systematic hacking and looting of
a corporate server where the information on millions
of credit card purchases are stored.

Spoofing and spam websites

Spoofing a website is also called “pharming”,


which involves redirecting a web link to an address
different from the intended one, with the site
masquerading as the intended destination.

10
2023/4/20

DOS and DDOS attacks

- DOS (Denial of service) attacks: typically cause a


website to shut down, making it impossible for users
to access the site.
- A DDOS (Distributed denial of service) attack uses
numerous computers to attack the target network
from numerous launch points.

Sniffing

A sniffer is a type of eavesdropping program that


monitors information traveling over a network.
When used for criminal purposes, it can be
damaging and very difficult to detect.

11
2023/4/20

Insider attacks

Some of the largest disruptions to services,


destruction to sites, and diversion of customer credit
data and personal information have come from
insiders – once trusted employees.

Poorly designed server and client software

The increase in complexity and size of software


programs, coupled with demands for timely delivery
to markets, has contributed to an increase in software
flaws or vulnerabilities in Internet and PC software.

12
2023/4/20

5.3. Digital signature

“Digital signature means a type of e-signature created by


transformation of a data message using an asymmetric
cryptosystem whereby the person having the initial data
message and public key of the signer may accurately
determine:
a/ Whether such transformation is created with a private key
corresponding to the public key in the same key pair;
b/ Whether the data message has been altered since the
transformation.”

Chữ ký số
“ Chữ ký số là một dạng chữ ký điện tử, được tạo ra bằng sự
biến đổi một thông điệp dữ liệu sử dụng hệ thống mật mã
không đối xứng theo đó người có được thông điệp dữ liệu ban
đầu và khóa công khai của người ký có thể xác định được
chính xác:
a)Việc biến đổi nêu trên được tạo ra bằng đúng khóa bí mật
tương ứng với khóa công khai trong cùng một cặp khóa
b)Sự toàn vẹn nội dung của thông điệp dữ liệu kể từ khi thực
hiện việc biến đổi nêu trên”

13
2023/4/20

The characteristics

• Message integrity: provides assurance that the message


has not been altered
• Nonrepudiation: prevents the user from denying he or
she sent the message
• Authentication: provides verification or the identity of
the person (or computer) sending the message
• Confidentiality: gives assurance that the message was
not read by others.

E-CERTIFICATE

An e-certificate means a data message issued by


an e-signature certification service - providing
organization in order to verify that the certified
agency, organization or individual is the person
having made the e-signature.

14
2023/4/20

E-CERTIFICATE

Content of e-certificate:
1. The name of the certification authority.
2. The name of the subscriber.
3. The serial number of the digital certificate.
4. The term of validity of the digital certificate.
5. The public key of the subscriber.
6. The digital signature of the certification authority.

E-CERTIFICATE

Content of e-certificate:
7. Restrictions on purposes and scope of use of the
digital certificate.
8. Restrictions on legal liability of the certification
authority.
9. Other necessary contents as prescribed by the
Ministry of Post and Telematics.

15
2023/4/20

2.3. Signing process

Original message

Hash
Private key

Summary Digital signature


(Hash value) Encrypt

Attach to
first message

Digitally signed
message

2.3. Signing process

1. The sender creates an original message.


2. The sender applies a hash function, producing a hash
digest (hash value).
3. Hash digest is encrypted by the sender’s private key,
digital signature is created.
4. Digital signature is attached to the original message,
and the sender encrypts the signed message again using
the receiver’s public key.
5. The result of this double encryption is sent over the
Internet.

16
2023/4/20

VERIFY
Digitally signed
message

Public key seperate

Message
decrypt Digital
signature
Hash

Can Summary Summary


1 2
decrypt?

Similitary?
Message integrity
Right sender
Message has been alterd

Verifying process

1. The receiver uses his private key to decrypt digital


envelope.
2. The receiver separates the digitally signed message into
original message and digital signature.
3. Hash function is applied to original message, producing
hash value 1; digital signature is decrypted by the sender’
public key, producing hash value 2.
4. The receiver compares 2 hash values to check the
integrity of the original message.

17

You might also like