SlideShare a Scribd company logo

Electronic Document & Electronic Signatures

Michele Martoni
Michele Martoni

Joint International Doctoral degree in Law, Science and Technology http://www.last-jd.eu

1 of 75
Download to read offline
Electronic Document & Signatures Joint International Doctoral degree in Law, Science and Technology http://www.last-jd.eu Michele Martoni Contract Professor at the University of Bologna Ph.D. in IT Law | Lawyer December 10, 2012, Bologna
0. Roadmap 1) Electronic Identification 2) Identity theft and Data Value (Social Engineering, OSINT, Phishing, Uncorrected sharing of personal data - email, social network, cloud computing services, etc.) 3) Technical Introduction 4) Document and Signing 5-6) Regulatory Framework (UE and Italian) slide 2
1. Electronic Identification • Is there a way for remote certification of our identity ? Yes ! • Is there a way to certify the integrity of an electronic document ? Yes ! • We have technologies. We have norms. But we need to be aware of the correct use ! • the risk is to use and to share our informations in a way that allow the “abuse” of these by third person slide 3
2. Identity theft & Identity fraud • Identity theft is a form of stealing someone's identity in which someone pretends to be someone else by assuming that person's identity. • Identity theft is not always detectable by the individual victims, according to a report done for the FTC. Identity fraud is often but not necessarily the consequence of identity theft. (1) http://en.wikipedia.org/wiki/Identity_theft (2) Federal Trade Commission, 2006, Identity Theft Survey Report slide 4
2.1. Social Engineering • Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information (also personal). • All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called bugs in the human hardware, are exploited in various combinations to create attack techniques. (1) http://en.wikipedia.org/wiki/Social_engineering_(security) slide 5
2.2. Phishing • Phishing is a technique of fraudulently obtaining private information. • Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. • The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card’s PIN code. slide 6
2.3. Personal data sharing Ex. Facebook’s Statement of Rights and Responsabilities Art. 2. Sharing Your Content and Information You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application setting. In addition: For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it. (1) http://www.facebook.com/legal/terms slide 7
3. Technical Introduction • The correct classification of the electronic signatures institute requires to start its examination from the essence of this technology. • Electronic signatures could be complex and modern applications of cryptography slide 8
3. Technical Introduction • We can distinguish: – Cryptography – Cryptanalysis • The run between cryptography and cryptanalysis has led to the development of increasingly sophisticated techniques. • We can distinguish: – Steganography – Cryptography slide 9
3.1. Steganography • physical occultation of the message • the message is physically “invisible” • high risk of prejudice in case of interception slide 10
3.2. Cryptography • semantic occultation of the content of the message • the message is “visible” but not “understandable” • key management become a priority slide 11
3.3. Symmetric cryptography • The symmetric cryptography, also known as private key encryption or secret key, is that particular cryptographic technique that involves the use of a single key for the encryption operation and for the deciphering slide 12
3.3. Symmetric cryptography • Ex. Transpositional method slide 13
3.3.1. Key Exchange Diffie, Hellman, Merkle (Stanford, 1976) slide 14
3.4. RSA Algorithm Shamir, Rivest, Adleman (Boston, MIT, 1977) slide 15
3.4.1. Asymmetric cryptography • The asymmetric encryption (public-key cryptography) instead contemplates the use of a pair of keys, a public key and a private key. The principle of this technique requires that what is encrypted with one key can only be decrypted with the other key of the pair slide 16
3.4.2. Cryptographic keys • One key (Kpriv) to encrypt • One other key (Kpub) to decrypt • Two different key but interconnected • Private key (Kpriv) known only by holder • Public key (Kpub) known by everyone slide 17
3.4.3. Chypertext ( KPUBBob) Alice Bob (KPUBAlice) ( KPUBBob) (KPRIVAlice) ( KPRIVBob) • Secrecy of content yes • Authentication no slide 18
3.4.4. Signed text ( KPRIVAlice) Alice Bob (KPUBAlice) Dear Bob, ( KPUBBob) (KPRIVAlice) I love you … ( KPRIVBob) Alice • Secrecy of content no • Authentication yes slide 19
3.4.5. Signed Cyphertext ( KPRIVAlice) ( KPUBBob) Alice Bob (KPUBAlice) Dear Bob, ( KPUBBob) (KPRIVAlice) I love you … ( KPRIVBob) Alice • Secrecy of content yes • Authentication yes slide 20
3.4.6. Hash Function • The problem of encryption by public key infrastructure is the time necessary for mathematic operations of encryptions • Hash Function is an algorithm that turns a variable-sized amount of text into a fixed-sized output (hash value or digest). slide 21
4. Document and Signing • Original concept of document • Original concept of signing (1) Martoni M., in Cyber Law, Suppl. 17 (december 2008), Italy, p. 138, Kluwer Law International slide 22
slide 23
5. U.E. Regulatory Framework • Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:en:HTML slide 24
5.1. Directive Scope • to facilitate the use of electronic signatures • to contribute to their legal recognition • to ensure the proper functioning of the internal market • It does not cover aspects related to the conclusion and validity of contracts or other legal obligations slide 25
5.2. Definitions|Electronic Signatures • data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication slide 26
5.2. Definitions|Advanced E.S. • an electronic signature which meets the following requirements: – (a) it is uniquely linked to the signatory; – (b) it is capable of identifying the signatory; – (c) it is created using means that the signatory can maintain under his sole control; and – (d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable slide 27
5.2. Definitions|Signatory • a person who holds a signature- creation device and acts either on his own behalf or on behalf of the natural or legal person or entity he represents slide 28
5.2. Definitions|Sign.-creation data • unique data, such as codes or private cryptographic keys, which are used by the signatory to create an electronic signature slide 29
5.2. Definitions|Sign.-creation device • means configured software or hardware used to implement the signature-creation data slide 30
5.2. Definitions|Secure ... device • a signature-creation device which meets the requirements laid down in Annex III slide 31
5.2. Definitions|Secure ... device Annex III 1. Secure signature-creation devices must, by appropriate technical and procedural means, ensure at the least that: (a) the signature-creation-data used for signature generation can practically occur only once, and that their secrecy is reasonably assured; (b) the signature-creation-data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology; (c) the signature-creation-data used for signature generation can be reliably protected by the legitimate signatory against the use of others. 2. Secure signature-creation devices must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process. slide 32
5.2. Definitions|Certificate • an electronic attestation which links signature-verification data to a person and confirms the identity of that person slide 33
5.2. Definitions|Qualified Certificate • a certificate which meets the requirements laid down in Annex I and is provided by a certification-service- provider who fulfils the requirements laid down in Annex II slide 34
5.2. Definitions|Annex I Qualified certificates must contain: (a) an indication that the certificate is issued as a qualified certificate; (b) the identification of the certification-service- provider and the State in which it is established; (c) the name of the signatory or a pseudonym, which shall be identified as such; (d) provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended; slide 35
5.2. Definitions|Annex I (e) signature-verification data which correspond to signature-creation data under the control of the signatory; (f) an indication of the beginning and end of the period of validity of the certificate; (g) the identity code of the certificate; (h) the advanced electronic signature of the certification-service-provider issuing it; (i) limitations on the scope of use of the certificate, if applicable; and (j) limits on the value of transactions for which the certificate can be used, if applicable. slide 36
5.2. Definitions|Annex II Certification-service-providers must: (a) demonstrate the reliability necessary for providing certification services; (b) ensure the operation of a prompt and secure directory and a secure and immediate revocation service; (c) ensure that the date and time when a certificate is issued or revoked can be determined precisely; slide 37
5.2. Definitions|Annex II (d) verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued; (e) employ personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided, in particular competence at managerial level, expertise in electronic signature techology and familiarity with proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognised standards; slide 38
5.2. Definitions|Annex II (f) use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them; (g) take measures against forgery of certificates, and, in cases where the certification-service-provider generates signature-creation data, guarantee confidentiality during the process of generating such data; slide 39
5.2. Definitions|Annex II (h) maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance; (i) record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically; (j) not store or copy signature-creation data of the person to whom the certification-service-provider provided key management services; (k) before entering into a contractual relationship with a person seeking a certificate to support his electronic signature inform that person by a durable means of communication of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary accreditation scheme and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing and in redily understandable language. Relevant parts of this information must also be made available on request to third-parties relying on the certificate; slide 40
5.2. Definitions|Annex II (l) use trustworthy systems to store certificates in a verifiable form so that: - only authorised persons can make entries and changes, - information can be checked for authenticity, - certificates are publicly available for retrieval in only those cases for which the certificate- holder's consent has been obtained, and - any technical changes compromising these security requirements are apparent to the operator. slide 41
5.2. Definitions|Annex IV Recommendations for secure signature verification During the signature-verification process it should be ensured with reasonable certainty that: (a) the data used for verifying the signature correspond to the data displayed to the verifier; (b) the signature is reliably verified and the result of that verification is correctly displayed; slide 42
5.2. Definitions|Annex IV (c) the verifier can, as necessary, reliably establish the contents of the signed data; (d) the authenticity and validity of the certificate required at the time of signature verification are reliably verified; (e) the result of verification and the signatory's identity are correctly displayed; (f) the use of a pseudonym is clearly indicated; and (g) any security-relevant changes can be detected. slide 43
Summary Electronic Advanced Signature Signature Electronic Signature Signature Secure Signature Device Creation Device Creation Device Qualified Certificate Certificate Certificate slide 44
5.3. Market Access 1. Member States shall not make the provision of certification services subject to prior authorisation. slide 45
5.3. Market Access 2. Without prejudice to the provisions of paragraph 1, Member States may introduce or maintain voluntary accreditation schemes aiming at enhanced levels of certification-service provision. All conditions related to such schemes must be objective, transparent, proportionate and non-discriminatory. Member States may not limit the number of accredited certification-service-providers for reasons which fall within the scope of this Directive. 3. Each Member State shall ensure the establishment of an appropriate system that allows for supervision of certification-service-providers which are established on its territory and issue qualified certificates to the public. slide 46
5.3. Market Access [...] 7. Member States may make the use of electronic signatures in the public sector subject to possible additional requirements. Such requirements shall be objective, transparent, proportionate and non- discriminatory and shall relate only to the specific characteristics of the application concerned. Such requirements may not constitute an obstacle to cross-border services for citizens. slide 47
5.4. Legal Effects 1. Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device: (a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and (b) are admissible as evidence in legal proceedings. slide 48
5.4. Legal Effects 2. Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is: - in electronic form, or - not based upon a qualified certificate, or - not based upon a qualified certificate issued by an accredited certification-service-provider, or - not created by a secure signature-creation device. slide 49
5.5. Liability 1. As a minimum, Member States shall ensure that by issuing a certificate as a qualified certificate to the public or by guaranteeing such a certificate to the public a certification-service-provider is liable for damage caused to any entity or legal or natural person who reasonably relies on that certificate: (a) as regards the accuracy at the time of issuance of all information contained in the qualified certificate and as regards the fact that the certificate contains all the details prescribed for a qualified certificate; (b) for assurance that at the time of the issuance of the certificate, the signatory identified in the qualified certificate held the signature- creation data corresponding to the signature-verification data given or identified in the certificate; (c) for assurance that the signature-creation data and the signature- verification data can be used in a complementary manner in cases where the certification-service-provider generates them both; (d) unless the certification-service-provider proves that he has not acted negligently. slide 50
5.5. Liability 2. As a minimum Member States shall ensure that a certification-service- provider who has issued a certificate as a qualified certificate to the public is liable for damage caused to any entity or legal or natural person who reasonably relies on the certificate for failure to register revocation of the certificate unless the certification-service-provider proves that he has not acted negligently. 3. Member States shall ensure that a certification-service-provider may indicate in a qualified certificate limitations on the use of that certificate. provided that the limitations are recognisable to third parties. The certification-service-provider shall not be liable for damage arising from use of a qualified certificate which exceeds the limitations placed on it. 4. Member States shall ensure that a certification-service-provider may indicate in the qualified certificate a limit on the value of transactions for which the certificate can be used, provided that the limit is recognisable to third parties. The certification-service-provider shall not be liable for damage resulting from this maximum limit being exceeded. slide 51
5.6. International Aspects 1. Member States shall ensure that certificates which are issued as qualified certificates to the public by a certification-service-provider established in a third country are recognised as legally equivalent to certificates issued by a certification- service-provider established within the Community if some conditions are realized. slide 52
6. Italian Regulatory Framework • D.Lgs. 82/2005, Codice dell’Amministrazione Digitale (CAD) http://www.digitpa.gov.it/cad • D.P.C.M. 30/03/2009, Regole tecniche in materia di generazione, apposizione e verifica delle firme digitali e validazione temporale dei documenti informatici http://www.digitpa.gov.it/sites/default/files/normativa/DPCM_30-mar-09_0.pdf slide 53
6.1. Definitions|Electronic Document • The informatics representation of acts, fact or data, legally relevant • i.e. file slide 54
6.2. Definitions|Analogical Document • The “non” informatics representation of acts, fact or data, legally relevant • i.e. paper document slide 55
6.3. Definitions|Copy and Duplicate 1. informatics copy of analogical document: the electronic document with contents identical to the analogical document that inspired • for example transcription with word processor of paper (hand-written) notes or oral notes slide 56
6.3. Definitions|Copy and Duplicate 2. informatics copy image of analogical document: the electronic document with contents and forms identical to the analogical document that inspired • for example scan of paper document slide 57
6.3. Definitions|Copy and Duplicate 3. informatics copy of electronic documents: the electronic document with content identical to that of the document from which it is drawn on computer with different sequence of binary values • for example file translated in a different format (from .doc to .pdf) slide 58
6.3. Definitions|Copy and Duplicate 4. duplicate: the electronic document obtained by storing, on the same device or on different devices, the same sequence of binary values of the original document • for example “cut & paste” slide 59
6.4. Definitions|Electronic Signature • l'insieme dei dati in forma elettronica, allegati oppure connessi tramite associazione logica ad altri dati elettronici, utilizzati come metodo di identificazione informatica • the set of data in electronic form attached to or logically associated with other electronic data, used as a method of informatics identification (authentication) slide 60
6.5. Definitions|Advanced E.S. • insieme di dati in forma elettronica allegati oppure connessi a un documento informatico che consentono l’identificazione del firmatario del documento e garantiscono la connessione univoca al firmatario, creati con mezzi sui quali il firmatario può conservare un controllo esclusivo, collegati ai dati ai quali detta firma si riferisce in modo da consentire di rilevare se i dati stessi siano stati successivamente modificati • set of data in electronic form attached to or associated with an electronic document that enable identification of the signatory of the document and provide the unique connection to the signatory, created using means that the signatory can maintain exclusive control, linked to the data to which that signature refers to allow to detect whether the data have been subsequently modified slide 61
6.6. Definitions|Qualified E.S. • un particolare tipo di firma elettronica avanzata che sia basata su un certificato qualificato e realizzata mediante un dispositivo sicuro per la creazione della firma • a particular type of advanced electronic signature that is based on a qualified certificate and created by a secure device for the creation of signature slide 62
6.6.1. Certification Authority • The digital signature technology ensure that in the process of sign was used the private key connected to the public key used for verification. • The certification of the key has the different function to connect the public key to an identified person. • The certification, in the case of the digital signature, is the result of the informatics procedure, applied to the public key and detectable by the validation systems, that ensures the correspondence between public key and subject holder to whom it belongs, it identifies the period of validity of that key and the expiry date of the certificate slide 63
6.6.1. Certification Authority • Simple C.A. • Qualified C.A. • Accredited C.A. – Different qualities – Different procedures to become C.A. – Different level of the certification services slide 64
6.6.2. Electronic Certificate • Electronic Certificates – electronic certificates are now defined such as electronic certificates that connect the identity of the holder to the data used to verify electronic signatures • Qualified Certificates – qualified certificates are electronic certificates comply with the requirements envisaged in Annex I of the Directive and issued by certification meets the requirements provided in Annex II of the Directive slide 65
6.6.3. Signature Device • Signature Device • Secure Signature Device slide 66
6.7. Definitions|Digital Signature • un particolare tipo di firma elettronica avanzata basata su un certificato qualificato e su un sistema di chiavi crittografiche, una pubblica e una privata, correlate tra loro, che consente al titolare tramite la chiave privata e al destinatario tramite la chiave pubblica, rispettivamente, di rendere manifesta e di verificare la provenienza e l'integrità di un documento informatico o di un insieme di documenti informatici • a particular type of advanced electronic signature based on a qualified certificate and a system of cryptographic keys, one public and one private, related to each other, which allows the holder using the private key and the recipient using the public key, respectively, to make manifest and verify the origin and integrity of an electronic document or a set of electronic documents slide 67
Summary • Electronic Signature – Electronic Signature • Advanced Electronic Signature – Qualified Electronic Signature » Digital Signature » [other] – [other] • [other] • Electronic Certificate – Electronic Certificate – Electronic Qualified Certificate – Certification Authority • Signature Device – Signature Device – Secure Signature Device • Certification Authority – Certification Authority – Qualified Certification Authority – Accredited Certification Authority slide 68
Summary slide 69
6.8. Legal Effects • Art. 20.1 bis CAD – L'idoneità del documento informatico a soddisfare il requisito della forma scritta e il suo valore probatorio sono liberamente valutabili in giudizio, tenuto conto delle sue caratteristiche oggettive di qualità, sicurezza, integrità ed immodificabilità, fermo restando quanto disposto dall’articolo 21. – The suitability of the electronic document to satisfy the requirement of written form and its probative value can be freely evaluated in judgment, in view of its objective characteristics of quality, safety, integrity and immutability, subject to the provisions of Article 21. slide 70
6.8. Legal Effects • Art. 21.1 CAD – Il documento informatico, cui è apposta una firma elettronica, sul piano probatorio è liberamente valutabile in giudizio, tenuto conto delle sue caratteristiche oggettive di qualità , sicurezza, integrità e immodificabilità. – The electronic document, which is signed with a electronic signature, in terms of evidence is freely estimated in judgment, in view of its objective characteristics of quality, safety, integrity and immutability. slide 71
6.8. Legal Effects • Art. 21.2 CAD – Il documento informatico sottoscritto con firma elettronica avanzata, qualificata o digitale, formato nel rispetto delle regole tecniche di cui all'articolo 20, comma 3, che garantiscano l'identificabilità dell'autore, l'integrità e l'immodificabilità del documento, ha l'efficacia prevista dall'articolo 2702 del codice civile. L'utilizzo del dispositivo di firma si presume riconducibile al titolare, salvo che questi dia prova contraria. – The electronic document signed with an advanced electronic signature, qualified or digital, format in compliance with the technical rules [...], to ensure the identification of the author, integrity and immutability of the paper, has the effectiveness of Article 2702 of the Italian Civil Code. The use of the signature device is assumed due to the owner, unless he proves otherwise. slide 72
6.8. Legal Effects • Art. 21.2 bis CAD – Salvo quanto previsto dall’articolo 25, le scritture private di cui all’articolo 1350, primo comma, numeri da 1 a 12, del codice civile, se fatte con documento informatico, sono sottoscritte, a pena di nullità, con firma elettronica qualificata o con firma digitale. – Except as provided in Article 25, the private documents referred to in Article 1350, first paragraph numbers from 1 to 12, of the Civil Code, if done with electronic documents are signed, under penalty of nullity, with qualified electronic signature or with digital signature. slide 73
6.9. Time Stamping • The result of the informatics procedure which is attributed to one or more electronic documents, a date and a time enforceable against third parties • The timestamp has another important function. It allows to extend the value of the certificate of digital signature beyond the normal period of validity. This is on condition that the signature is associated with a timestamp, enforceable against third parties, at an earlier time than the suspension, expiration or revocation of the certificate. slide 74
Thank you Michele Martoni Contract Professor at the University of Bologna Ph.D. In IT Law Lawyer michele.martoni@unibo.it | www.unibo.it www.michelemartoni.it

Recommended

Evolution of Cryptography and Cryptographic techniques
Evolution of Cryptography and Cryptographic techniquesEvolution of Cryptography and Cryptographic techniques
Evolution of Cryptography and Cryptographic techniquesMona Rajput
 
Making Sense Of Cryptography
Making Sense Of CryptographyMaking Sense Of Cryptography
Making Sense Of Cryptographymarkjhouse
 
Analysis of Cryptography Techniques
Analysis of Cryptography TechniquesAnalysis of Cryptography Techniques
Analysis of Cryptography Techniqueseditor1knowledgecuddle
 
Summer report crypto
Summer report cryptoSummer report crypto
Summer report cryptoGaurav Shukla
 
[IJET-V1I6P12] Authors: Manisha Bhagat, Komal Chavan ,Shriniwas Deshmukh
[IJET-V1I6P12] Authors: Manisha Bhagat, Komal Chavan ,Shriniwas Deshmukh[IJET-V1I6P12] Authors: Manisha Bhagat, Komal Chavan ,Shriniwas Deshmukh
[IJET-V1I6P12] Authors: Manisha Bhagat, Komal Chavan ,Shriniwas DeshmukhIJET - International Journal of Engineering and Techniques
 
Phd T H E S I Sproposal
Phd T H E S I SproposalPhd T H E S I Sproposal
Phd T H E S I Sproposalguest6caaab
 
Study, analysis and formulation of a new method for integrity protection of d...
Study, analysis and formulation of a new method for integrity protection of d...Study, analysis and formulation of a new method for integrity protection of d...
Study, analysis and formulation of a new method for integrity protection of d...ijsrd.com
 
Watermarking
WatermarkingWatermarking
WatermarkingPushkar Dutt
 

More Related Content

What's hot

CRYPTOLOGY AND INFORMATION SECURITY - PAST, PRESENT, AND FUTURE ROLE IN SOCIETY
CRYPTOLOGY AND INFORMATION SECURITY - PAST, PRESENT, AND FUTURE ROLE IN SOCIETYCRYPTOLOGY AND INFORMATION SECURITY - PAST, PRESENT, AND FUTURE ROLE IN SOCIETY
CRYPTOLOGY AND INFORMATION SECURITY - PAST, PRESENT, AND FUTURE ROLE IN SOCIETYijcisjournal
 
Cryptographysecurity 1222867498937700-9
Cryptographysecurity 1222867498937700-9Cryptographysecurity 1222867498937700-9
Cryptographysecurity 1222867498937700-9muthulx
 
Security everywhere digital signature and digital fingerprint v1 (personal)
Security everywhere digital signature and digital fingerprint v1 (personal)Security everywhere digital signature and digital fingerprint v1 (personal)
Security everywhere digital signature and digital fingerprint v1 (personal)Paul Yang
 

What's hot (7)

a
aa
a
 
CRYPTOLOGY AND INFORMATION SECURITY - PAST, PRESENT, AND FUTURE ROLE IN SOCIETY
CRYPTOLOGY AND INFORMATION SECURITY - PAST, PRESENT, AND FUTURE ROLE IN SOCIETYCRYPTOLOGY AND INFORMATION SECURITY - PAST, PRESENT, AND FUTURE ROLE IN SOCIETY
CRYPTOLOGY AND INFORMATION SECURITY - PAST, PRESENT, AND FUTURE ROLE IN SOCIETY
 
Networksecurity1 1
Networksecurity1 1 Networksecurity1 1
Networksecurity1 1
 
Digital Watermarking Report
Digital Watermarking ReportDigital Watermarking Report
Digital Watermarking Report
 
Digitalwatermarking
DigitalwatermarkingDigitalwatermarking
Digitalwatermarking
 
Cryptographysecurity 1222867498937700-9
Cryptographysecurity 1222867498937700-9Cryptographysecurity 1222867498937700-9
Cryptographysecurity 1222867498937700-9
 
Security everywhere digital signature and digital fingerprint v1 (personal)
Security everywhere digital signature and digital fingerprint v1 (personal)Security everywhere digital signature and digital fingerprint v1 (personal)
Security everywhere digital signature and digital fingerprint v1 (personal)
 

Viewers also liked

5 Info-Product Creation Tips to Increase Your Profits
5 Info-Product Creation Tips to Increase Your Profits5 Info-Product Creation Tips to Increase Your Profits
5 Info-Product Creation Tips to Increase Your ProfitsSecond Income Solutions
 
Digital resources management_information_outreach_CSE
Digital resources management_information_outreach_CSEDigital resources management_information_outreach_CSE
Digital resources management_information_outreach_CSESrijan Technologies
 
Opportunities beyond electronic resource management: An extension of the Core...
Opportunities beyond electronic resource management: An extension of the Core...Opportunities beyond electronic resource management: An extension of the Core...
Opportunities beyond electronic resource management: An extension of the Core...NASIG
 
Advanced Mechanisms for Delivering High-Quality Digital Content
Advanced Mechanisms for Delivering High-Quality Digital ContentAdvanced Mechanisms for Delivering High-Quality Digital Content
Advanced Mechanisms for Delivering High-Quality Digital ContentMikołaj Leszczuk
 
Documento informatico: profili giuridici
Documento informatico: profili giuridiciDocumento informatico: profili giuridici
Documento informatico: profili giuridiciMichele Martoni
 
PDF/Archive - Preserving Electronic Documents
PDF/Archive - Preserving Electronic DocumentsPDF/Archive - Preserving Electronic Documents
PDF/Archive - Preserving Electronic DocumentsBetsy Fanning
 
ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation...
ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation...ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation...
ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation...Market Engel SAS
 
Electronic signature
Electronic signatureElectronic signature
Electronic signatureSonu Mishra
 
E Signature Presentation
E Signature PresentationE Signature Presentation
E Signature Presentationbrettlieberman
 
E-Signature Vs. Digital Signature
E-Signature Vs. Digital Signature E-Signature Vs. Digital Signature
E-Signature Vs. Digital Signature Mahmoud Ezzat
 
SAP Document Management System Integration with Content Servers
SAP Document Management System Integration with Content Servers SAP Document Management System Integration with Content Servers
SAP Document Management System Integration with Content Servers Verbella CMG
 
What is documentation and its techniques
What is documentation and its techniquesWhat is documentation and its techniques
What is documentation and its techniquesSohail Sangi
 
Document Management System
Document Management SystemDocument Management System
Document Management SystemSidhartha Sahoo
 
Document Management With Workflow Presentation
Document Management With Workflow PresentationDocument Management With Workflow Presentation
Document Management With Workflow PresentationJohn Street
 
Principles of Documentation
Principles of DocumentationPrinciples of Documentation
Principles of DocumentationJEENA AEJY
 

Viewers also liked (20)

5 Info-Product Creation Tips to Increase Your Profits
5 Info-Product Creation Tips to Increase Your Profits5 Info-Product Creation Tips to Increase Your Profits
5 Info-Product Creation Tips to Increase Your Profits
 
Eden-Digital-Content-Creation
Eden-Digital-Content-CreationEden-Digital-Content-Creation
Eden-Digital-Content-Creation
 
Digital Content Creation: Where will the funding come from?
Digital Content Creation: Where will the funding come from?Digital Content Creation: Where will the funding come from?
Digital Content Creation: Where will the funding come from?
 
Digital resources management_information_outreach_CSE
Digital resources management_information_outreach_CSEDigital resources management_information_outreach_CSE
Digital resources management_information_outreach_CSE
 
Digital Content Creation
Digital Content CreationDigital Content Creation
Digital Content Creation
 
Opportunities beyond electronic resource management: An extension of the Core...
Opportunities beyond electronic resource management: An extension of the Core...Opportunities beyond electronic resource management: An extension of the Core...
Opportunities beyond electronic resource management: An extension of the Core...
 
Advanced Mechanisms for Delivering High-Quality Digital Content
Advanced Mechanisms for Delivering High-Quality Digital ContentAdvanced Mechanisms for Delivering High-Quality Digital Content
Advanced Mechanisms for Delivering High-Quality Digital Content
 
Documento informatico: profili giuridici
Documento informatico: profili giuridiciDocumento informatico: profili giuridici
Documento informatico: profili giuridici
 
Electronic Signature
Electronic SignatureElectronic Signature
Electronic Signature
 
PDF/Archive - Preserving Electronic Documents
PDF/Archive - Preserving Electronic DocumentsPDF/Archive - Preserving Electronic Documents
PDF/Archive - Preserving Electronic Documents
 
ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation...
ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation...ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation...
ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation...
 
Electronic signature
Electronic signatureElectronic signature
Electronic signature
 
E Signature Presentation
E Signature PresentationE Signature Presentation
E Signature Presentation
 
E-Signature Vs. Digital Signature
E-Signature Vs. Digital Signature E-Signature Vs. Digital Signature
E-Signature Vs. Digital Signature
 
SAP Document Management System Integration with Content Servers
SAP Document Management System Integration with Content Servers SAP Document Management System Integration with Content Servers
SAP Document Management System Integration with Content Servers
 
What is documentation and its techniques
What is documentation and its techniquesWhat is documentation and its techniques
What is documentation and its techniques
 
Documentation Types
Documentation TypesDocumentation Types
Documentation Types
 
Document Management System
Document Management SystemDocument Management System
Document Management System
 
Document Management With Workflow Presentation
Document Management With Workflow PresentationDocument Management With Workflow Presentation
Document Management With Workflow Presentation
 
Principles of Documentation
Principles of DocumentationPrinciples of Documentation
Principles of Documentation
 

Similar to Electronic Document & Electronic Signatures

Cgi whpr 35_pki_e
Cgi whpr 35_pki_eCgi whpr 35_pki_e
Cgi whpr 35_pki_emadunix
 
International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)irjes
 
Module 21 (cryptography)
Module 21 (cryptography)Module 21 (cryptography)
Module 21 (cryptography)Wail Hassan
 
Comparison of Various Encryption Algorithms and Techniques for improving secu...
Comparison of Various Encryption Algorithms and Techniques for improving secu...Comparison of Various Encryption Algorithms and Techniques for improving secu...
Comparison of Various Encryption Algorithms and Techniques for improving secu...IOSR Journals
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
Cryptograpy Exam
Cryptograpy ExamCryptograpy Exam
Cryptograpy ExamLisa Olive
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYAdityaShukla141
 
Image Cryptography using Nearest Prime Pixels
Image Cryptography using Nearest Prime PixelsImage Cryptography using Nearest Prime Pixels
Image Cryptography using Nearest Prime Pixelsmuhammed jassim k
 
SEMINAR ON staganography
SEMINAR ON staganographySEMINAR ON staganography
SEMINAR ON staganographyKamonasish Hore
 
5 Cryptography Part1
5 Cryptography Part15 Cryptography Part1
5 Cryptography Part1Alfred Ouyang
 
Lesson2.9 m u2l6 secret keys
Lesson2.9 m u2l6 secret keysLesson2.9 m u2l6 secret keys
Lesson2.9 m u2l6 secret keysLexume1
 
CGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismCGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismAmit Singh
 
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...Petar Radanliev
 

Similar to Electronic Document & Electronic Signatures (20)

Public private key
Public private keyPublic private key
Public private key
 
Cgi whpr 35_pki_e
Cgi whpr 35_pki_eCgi whpr 35_pki_e
Cgi whpr 35_pki_e
 
cryptography
cryptographycryptography
cryptography
 
International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)International Refereed Journal of Engineering and Science (IRJES)
International Refereed Journal of Engineering and Science (IRJES)
 
Module 21 (cryptography)
Module 21 (cryptography)Module 21 (cryptography)
Module 21 (cryptography)
 
Ccc brochure
Ccc brochureCcc brochure
Ccc brochure
 
Comparison of Various Encryption Algorithms and Techniques for improving secu...
Comparison of Various Encryption Algorithms and Techniques for improving secu...Comparison of Various Encryption Algorithms and Techniques for improving secu...
Comparison of Various Encryption Algorithms and Techniques for improving secu...
 
L017136269
L017136269L017136269
L017136269
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
 
Cryptograpy Exam
Cryptograpy ExamCryptograpy Exam
Cryptograpy Exam
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
Image Cryptography using Nearest Prime Pixels
Image Cryptography using Nearest Prime PixelsImage Cryptography using Nearest Prime Pixels
Image Cryptography using Nearest Prime Pixels
 
SEMINAR ON staganography
SEMINAR ON staganographySEMINAR ON staganography
SEMINAR ON staganography
 
5 Cryptography Part1
5 Cryptography Part15 Cryptography Part1
5 Cryptography Part1
 
Lesson2.9 m u2l6 secret keys
Lesson2.9 m u2l6 secret keysLesson2.9 m u2l6 secret keys
Lesson2.9 m u2l6 secret keys
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptography
 
digital stega slides
digital stega slidesdigital stega slides
digital stega slides
 
Cryptointro
CryptointroCryptointro
Cryptointro
 
CGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption MechanismCGI White Paper - Key Incryption Mechanism
CGI White Paper - Key Incryption Mechanism
 
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...
 

More from Michele Martoni

Open Data Day 22-febbraio-2014
Open Data Day 22-febbraio-2014Open Data Day 22-febbraio-2014
Open Data Day 22-febbraio-2014Michele Martoni
 
ESPOSIZIONE IN RETE DELL’IDENTITÀ: ATTORI “NON PROTAGONISTI” | profili inform...
ESPOSIZIONE IN RETE DELL’IDENTITÀ: ATTORI “NON PROTAGONISTI” | profili inform...ESPOSIZIONE IN RETE DELL’IDENTITÀ: ATTORI “NON PROTAGONISTI” | profili inform...
ESPOSIZIONE IN RETE DELL’IDENTITÀ: ATTORI “NON PROTAGONISTI” | profili inform...Michele Martoni
 
Seminario firme elettroniche, PEC e CNS, Ravenna, Facoltà di Giurisprudenza
Seminario firme elettroniche, PEC e CNS, Ravenna, Facoltà di GiurisprudenzaSeminario firme elettroniche, PEC e CNS, Ravenna, Facoltà di Giurisprudenza
Seminario firme elettroniche, PEC e CNS, Ravenna, Facoltà di GiurisprudenzaMichele Martoni
 
ePharmacy e Sanità Elettronica
ePharmacy e Sanità ElettronicaePharmacy e Sanità Elettronica
ePharmacy e Sanità ElettronicaMichele Martoni
 
Open data-day-bologna-2013
Open data-day-bologna-2013Open data-day-bologna-2013
Open data-day-bologna-2013Michele Martoni
 
PEC, Firma digitale e Processo Civile Telematico
PEC, Firma digitale e Processo Civile TelematicoPEC, Firma digitale e Processo Civile Telematico
PEC, Firma digitale e Processo Civile TelematicoMichele Martoni
 
Open Data, Condivisione delle banche dati, Siti delle P.A.
Open Data, Condivisione delle banche dati, Siti delle P.A.Open Data, Condivisione delle banche dati, Siti delle P.A.
Open Data, Condivisione delle banche dati, Siti delle P.A.Michele Martoni
 
Siti web dedicati alla salute: profili etici e giuridici connessi alla diffus...
Siti web dedicati alla salute: profili etici e giuridici connessi alla diffus...Siti web dedicati alla salute: profili etici e giuridici connessi alla diffus...
Siti web dedicati alla salute: profili etici e giuridici connessi alla diffus...Michele Martoni
 
Firme elettroniche ed efficacia giuridica
Firme elettroniche ed efficacia giuridicaFirme elettroniche ed efficacia giuridica
Firme elettroniche ed efficacia giuridicaMichele Martoni
 

More from Michele Martoni (9)

Open Data Day 22-febbraio-2014
Open Data Day 22-febbraio-2014Open Data Day 22-febbraio-2014
Open Data Day 22-febbraio-2014
 
ESPOSIZIONE IN RETE DELL’IDENTITÀ: ATTORI “NON PROTAGONISTI” | profili inform...
ESPOSIZIONE IN RETE DELL’IDENTITÀ: ATTORI “NON PROTAGONISTI” | profili inform...ESPOSIZIONE IN RETE DELL’IDENTITÀ: ATTORI “NON PROTAGONISTI” | profili inform...
ESPOSIZIONE IN RETE DELL’IDENTITÀ: ATTORI “NON PROTAGONISTI” | profili inform...
 
Seminario firme elettroniche, PEC e CNS, Ravenna, Facoltà di Giurisprudenza
Seminario firme elettroniche, PEC e CNS, Ravenna, Facoltà di GiurisprudenzaSeminario firme elettroniche, PEC e CNS, Ravenna, Facoltà di Giurisprudenza
Seminario firme elettroniche, PEC e CNS, Ravenna, Facoltà di Giurisprudenza
 
ePharmacy e Sanità Elettronica
ePharmacy e Sanità ElettronicaePharmacy e Sanità Elettronica
ePharmacy e Sanità Elettronica
 
Open data-day-bologna-2013
Open data-day-bologna-2013Open data-day-bologna-2013
Open data-day-bologna-2013
 
PEC, Firma digitale e Processo Civile Telematico
PEC, Firma digitale e Processo Civile TelematicoPEC, Firma digitale e Processo Civile Telematico
PEC, Firma digitale e Processo Civile Telematico
 
Open Data, Condivisione delle banche dati, Siti delle P.A.
Open Data, Condivisione delle banche dati, Siti delle P.A.Open Data, Condivisione delle banche dati, Siti delle P.A.
Open Data, Condivisione delle banche dati, Siti delle P.A.
 
Siti web dedicati alla salute: profili etici e giuridici connessi alla diffus...
Siti web dedicati alla salute: profili etici e giuridici connessi alla diffus...Siti web dedicati alla salute: profili etici e giuridici connessi alla diffus...
Siti web dedicati alla salute: profili etici e giuridici connessi alla diffus...
 
Firme elettroniche ed efficacia giuridica
Firme elettroniche ed efficacia giuridicaFirme elettroniche ed efficacia giuridica
Firme elettroniche ed efficacia giuridica
 

Electronic Document & Electronic Signatures

  • 1. Electronic Document & Signatures Joint International Doctoral degree in Law, Science and Technology http://www.last-jd.eu Michele Martoni Contract Professor at the University of Bologna Ph.D. in IT Law | Lawyer December 10, 2012, Bologna
  • 2. 0. Roadmap 1) Electronic Identification 2) Identity theft and Data Value (Social Engineering, OSINT, Phishing, Uncorrected sharing of personal data - email, social network, cloud computing services, etc.) 3) Technical Introduction 4) Document and Signing 5-6) Regulatory Framework (UE and Italian) slide 2
  • 3. 1. Electronic Identification • Is there a way for remote certification of our identity ? Yes ! • Is there a way to certify the integrity of an electronic document ? Yes ! • We have technologies. We have norms. But we need to be aware of the correct use ! • the risk is to use and to share our informations in a way that allow the “abuse” of these by third person slide 3
  • 4. 2. Identity theft & Identity fraud • Identity theft is a form of stealing someone's identity in which someone pretends to be someone else by assuming that person's identity. • Identity theft is not always detectable by the individual victims, according to a report done for the FTC. Identity fraud is often but not necessarily the consequence of identity theft. (1) http://en.wikipedia.org/wiki/Identity_theft (2) Federal Trade Commission, 2006, Identity Theft Survey Report slide 4
  • 5. 2.1. Social Engineering • Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information (also personal). • All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called bugs in the human hardware, are exploited in various combinations to create attack techniques. (1) http://en.wikipedia.org/wiki/Social_engineering_(security) slide 5
  • 6. 2.2. Phishing • Phishing is a technique of fraudulently obtaining private information. • Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. • The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card’s PIN code. slide 6
  • 7. 2.3. Personal data sharing Ex. Facebook’s Statement of Rights and Responsabilities Art. 2. Sharing Your Content and Information You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application setting. In addition: For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it. (1) http://www.facebook.com/legal/terms slide 7
  • 8. 3. Technical Introduction • The correct classification of the electronic signatures institute requires to start its examination from the essence of this technology. • Electronic signatures could be complex and modern applications of cryptography slide 8
  • 9. 3. Technical Introduction • We can distinguish: – Cryptography – Cryptanalysis • The run between cryptography and cryptanalysis has led to the development of increasingly sophisticated techniques. • We can distinguish: – Steganography – Cryptography slide 9
  • 10. 3.1. Steganography • physical occultation of the message • the message is physically “invisible” • high risk of prejudice in case of interception slide 10
  • 11. 3.2. Cryptography • semantic occultation of the content of the message • the message is “visible” but not “understandable” • key management become a priority slide 11
  • 12. 3.3. Symmetric cryptography • The symmetric cryptography, also known as private key encryption or secret key, is that particular cryptographic technique that involves the use of a single key for the encryption operation and for the deciphering slide 12
  • 13. 3.3. Symmetric cryptography • Ex. Transpositional method slide 13
  • 14. 3.3.1. Key Exchange Diffie, Hellman, Merkle (Stanford, 1976) slide 14
  • 15. 3.4. RSA Algorithm Shamir, Rivest, Adleman (Boston, MIT, 1977) slide 15
  • 16. 3.4.1. Asymmetric cryptography • The asymmetric encryption (public-key cryptography) instead contemplates the use of a pair of keys, a public key and a private key. The principle of this technique requires that what is encrypted with one key can only be decrypted with the other key of the pair slide 16
  • 17. 3.4.2. Cryptographic keys • One key (Kpriv) to encrypt • One other key (Kpub) to decrypt • Two different key but interconnected • Private key (Kpriv) known only by holder • Public key (Kpub) known by everyone slide 17
  • 18. 3.4.3. Chypertext ( KPUBBob) Alice Bob (KPUBAlice) ( KPUBBob) (KPRIVAlice) ( KPRIVBob) • Secrecy of content yes • Authentication no slide 18
  • 19. 3.4.4. Signed text ( KPRIVAlice) Alice Bob (KPUBAlice) Dear Bob, ( KPUBBob) (KPRIVAlice) I love you … ( KPRIVBob) Alice • Secrecy of content no • Authentication yes slide 19
  • 20. 3.4.5. Signed Cyphertext ( KPRIVAlice) ( KPUBBob) Alice Bob (KPUBAlice) Dear Bob, ( KPUBBob) (KPRIVAlice) I love you … ( KPRIVBob) Alice • Secrecy of content yes • Authentication yes slide 20
  • 21. 3.4.6. Hash Function • The problem of encryption by public key infrastructure is the time necessary for mathematic operations of encryptions • Hash Function is an algorithm that turns a variable-sized amount of text into a fixed-sized output (hash value or digest). slide 21
  • 22. 4. Document and Signing • Original concept of document • Original concept of signing (1) Martoni M., in Cyber Law, Suppl. 17 (december 2008), Italy, p. 138, Kluwer Law International slide 22
  • 24. 5. U.E. Regulatory Framework • Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:en:HTML slide 24
  • 25. 5.1. Directive Scope • to facilitate the use of electronic signatures • to contribute to their legal recognition • to ensure the proper functioning of the internal market • It does not cover aspects related to the conclusion and validity of contracts or other legal obligations slide 25
  • 26. 5.2. Definitions|Electronic Signatures • data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication slide 26
  • 27. 5.2. Definitions|Advanced E.S. • an electronic signature which meets the following requirements: – (a) it is uniquely linked to the signatory; – (b) it is capable of identifying the signatory; – (c) it is created using means that the signatory can maintain under his sole control; and – (d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable slide 27
  • 28. 5.2. Definitions|Signatory • a person who holds a signature- creation device and acts either on his own behalf or on behalf of the natural or legal person or entity he represents slide 28
  • 29. 5.2. Definitions|Sign.-creation data • unique data, such as codes or private cryptographic keys, which are used by the signatory to create an electronic signature slide 29
  • 30. 5.2. Definitions|Sign.-creation device • means configured software or hardware used to implement the signature-creation data slide 30
  • 31. 5.2. Definitions|Secure ... device • a signature-creation device which meets the requirements laid down in Annex III slide 31
  • 32. 5.2. Definitions|Secure ... device Annex III 1. Secure signature-creation devices must, by appropriate technical and procedural means, ensure at the least that: (a) the signature-creation-data used for signature generation can practically occur only once, and that their secrecy is reasonably assured; (b) the signature-creation-data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology; (c) the signature-creation-data used for signature generation can be reliably protected by the legitimate signatory against the use of others. 2. Secure signature-creation devices must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process. slide 32
  • 33. 5.2. Definitions|Certificate • an electronic attestation which links signature-verification data to a person and confirms the identity of that person slide 33
  • 34. 5.2. Definitions|Qualified Certificate • a certificate which meets the requirements laid down in Annex I and is provided by a certification-service- provider who fulfils the requirements laid down in Annex II slide 34
  • 35. 5.2. Definitions|Annex I Qualified certificates must contain: (a) an indication that the certificate is issued as a qualified certificate; (b) the identification of the certification-service- provider and the State in which it is established; (c) the name of the signatory or a pseudonym, which shall be identified as such; (d) provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended; slide 35
  • 36. 5.2. Definitions|Annex I (e) signature-verification data which correspond to signature-creation data under the control of the signatory; (f) an indication of the beginning and end of the period of validity of the certificate; (g) the identity code of the certificate; (h) the advanced electronic signature of the certification-service-provider issuing it; (i) limitations on the scope of use of the certificate, if applicable; and (j) limits on the value of transactions for which the certificate can be used, if applicable. slide 36
  • 37. 5.2. Definitions|Annex II Certification-service-providers must: (a) demonstrate the reliability necessary for providing certification services; (b) ensure the operation of a prompt and secure directory and a secure and immediate revocation service; (c) ensure that the date and time when a certificate is issued or revoked can be determined precisely; slide 37
  • 38. 5.2. Definitions|Annex II (d) verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued; (e) employ personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided, in particular competence at managerial level, expertise in electronic signature techology and familiarity with proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognised standards; slide 38
  • 39. 5.2. Definitions|Annex II (f) use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them; (g) take measures against forgery of certificates, and, in cases where the certification-service-provider generates signature-creation data, guarantee confidentiality during the process of generating such data; slide 39
  • 40. 5.2. Definitions|Annex II (h) maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance; (i) record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically; (j) not store or copy signature-creation data of the person to whom the certification-service-provider provided key management services; (k) before entering into a contractual relationship with a person seeking a certificate to support his electronic signature inform that person by a durable means of communication of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary accreditation scheme and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing and in redily understandable language. Relevant parts of this information must also be made available on request to third-parties relying on the certificate; slide 40
  • 41. 5.2. Definitions|Annex II (l) use trustworthy systems to store certificates in a verifiable form so that: - only authorised persons can make entries and changes, - information can be checked for authenticity, - certificates are publicly available for retrieval in only those cases for which the certificate- holder's consent has been obtained, and - any technical changes compromising these security requirements are apparent to the operator. slide 41
  • 42. 5.2. Definitions|Annex IV Recommendations for secure signature verification During the signature-verification process it should be ensured with reasonable certainty that: (a) the data used for verifying the signature correspond to the data displayed to the verifier; (b) the signature is reliably verified and the result of that verification is correctly displayed; slide 42
  • 43. 5.2. Definitions|Annex IV (c) the verifier can, as necessary, reliably establish the contents of the signed data; (d) the authenticity and validity of the certificate required at the time of signature verification are reliably verified; (e) the result of verification and the signatory's identity are correctly displayed; (f) the use of a pseudonym is clearly indicated; and (g) any security-relevant changes can be detected. slide 43
  • 44. Summary Electronic Advanced Signature Signature Electronic Signature Signature Secure Signature Device Creation Device Creation Device Qualified Certificate Certificate Certificate slide 44
  • 45. 5.3. Market Access 1. Member States shall not make the provision of certification services subject to prior authorisation. slide 45
  • 46. 5.3. Market Access 2. Without prejudice to the provisions of paragraph 1, Member States may introduce or maintain voluntary accreditation schemes aiming at enhanced levels of certification-service provision. All conditions related to such schemes must be objective, transparent, proportionate and non-discriminatory. Member States may not limit the number of accredited certification-service-providers for reasons which fall within the scope of this Directive. 3. Each Member State shall ensure the establishment of an appropriate system that allows for supervision of certification-service-providers which are established on its territory and issue qualified certificates to the public. slide 46
  • 47. 5.3. Market Access [...] 7. Member States may make the use of electronic signatures in the public sector subject to possible additional requirements. Such requirements shall be objective, transparent, proportionate and non- discriminatory and shall relate only to the specific characteristics of the application concerned. Such requirements may not constitute an obstacle to cross-border services for citizens. slide 47
  • 48. 5.4. Legal Effects 1. Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device: (a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and (b) are admissible as evidence in legal proceedings. slide 48
  • 49. 5.4. Legal Effects 2. Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is: - in electronic form, or - not based upon a qualified certificate, or - not based upon a qualified certificate issued by an accredited certification-service-provider, or - not created by a secure signature-creation device. slide 49
  • 50. 5.5. Liability 1. As a minimum, Member States shall ensure that by issuing a certificate as a qualified certificate to the public or by guaranteeing such a certificate to the public a certification-service-provider is liable for damage caused to any entity or legal or natural person who reasonably relies on that certificate: (a) as regards the accuracy at the time of issuance of all information contained in the qualified certificate and as regards the fact that the certificate contains all the details prescribed for a qualified certificate; (b) for assurance that at the time of the issuance of the certificate, the signatory identified in the qualified certificate held the signature- creation data corresponding to the signature-verification data given or identified in the certificate; (c) for assurance that the signature-creation data and the signature- verification data can be used in a complementary manner in cases where the certification-service-provider generates them both; (d) unless the certification-service-provider proves that he has not acted negligently. slide 50
  • 51. 5.5. Liability 2. As a minimum Member States shall ensure that a certification-service- provider who has issued a certificate as a qualified certificate to the public is liable for damage caused to any entity or legal or natural person who reasonably relies on the certificate for failure to register revocation of the certificate unless the certification-service-provider proves that he has not acted negligently. 3. Member States shall ensure that a certification-service-provider may indicate in a qualified certificate limitations on the use of that certificate. provided that the limitations are recognisable to third parties. The certification-service-provider shall not be liable for damage arising from use of a qualified certificate which exceeds the limitations placed on it. 4. Member States shall ensure that a certification-service-provider may indicate in the qualified certificate a limit on the value of transactions for which the certificate can be used, provided that the limit is recognisable to third parties. The certification-service-provider shall not be liable for damage resulting from this maximum limit being exceeded. slide 51
  • 52. 5.6. International Aspects 1. Member States shall ensure that certificates which are issued as qualified certificates to the public by a certification-service-provider established in a third country are recognised as legally equivalent to certificates issued by a certification- service-provider established within the Community if some conditions are realized. slide 52
  • 53. 6. Italian Regulatory Framework • D.Lgs. 82/2005, Codice dell’Amministrazione Digitale (CAD) http://www.digitpa.gov.it/cad • D.P.C.M. 30/03/2009, Regole tecniche in materia di generazione, apposizione e verifica delle firme digitali e validazione temporale dei documenti informatici http://www.digitpa.gov.it/sites/default/files/normativa/DPCM_30-mar-09_0.pdf slide 53
  • 54. 6.1. Definitions|Electronic Document • The informatics representation of acts, fact or data, legally relevant • i.e. file slide 54
  • 55. 6.2. Definitions|Analogical Document • The “non” informatics representation of acts, fact or data, legally relevant • i.e. paper document slide 55
  • 56. 6.3. Definitions|Copy and Duplicate 1. informatics copy of analogical document: the electronic document with contents identical to the analogical document that inspired • for example transcription with word processor of paper (hand-written) notes or oral notes slide 56
  • 57. 6.3. Definitions|Copy and Duplicate 2. informatics copy image of analogical document: the electronic document with contents and forms identical to the analogical document that inspired • for example scan of paper document slide 57
  • 58. 6.3. Definitions|Copy and Duplicate 3. informatics copy of electronic documents: the electronic document with content identical to that of the document from which it is drawn on computer with different sequence of binary values • for example file translated in a different format (from .doc to .pdf) slide 58
  • 59. 6.3. Definitions|Copy and Duplicate 4. duplicate: the electronic document obtained by storing, on the same device or on different devices, the same sequence of binary values of the original document • for example “cut & paste” slide 59
  • 60. 6.4. Definitions|Electronic Signature • l'insieme dei dati in forma elettronica, allegati oppure connessi tramite associazione logica ad altri dati elettronici, utilizzati come metodo di identificazione informatica • the set of data in electronic form attached to or logically associated with other electronic data, used as a method of informatics identification (authentication) slide 60
  • 61. 6.5. Definitions|Advanced E.S. • insieme di dati in forma elettronica allegati oppure connessi a un documento informatico che consentono l’identificazione del firmatario del documento e garantiscono la connessione univoca al firmatario, creati con mezzi sui quali il firmatario può conservare un controllo esclusivo, collegati ai dati ai quali detta firma si riferisce in modo da consentire di rilevare se i dati stessi siano stati successivamente modificati • set of data in electronic form attached to or associated with an electronic document that enable identification of the signatory of the document and provide the unique connection to the signatory, created using means that the signatory can maintain exclusive control, linked to the data to which that signature refers to allow to detect whether the data have been subsequently modified slide 61
  • 62. 6.6. Definitions|Qualified E.S. • un particolare tipo di firma elettronica avanzata che sia basata su un certificato qualificato e realizzata mediante un dispositivo sicuro per la creazione della firma • a particular type of advanced electronic signature that is based on a qualified certificate and created by a secure device for the creation of signature slide 62
  • 63. 6.6.1. Certification Authority • The digital signature technology ensure that in the process of sign was used the private key connected to the public key used for verification. • The certification of the key has the different function to connect the public key to an identified person. • The certification, in the case of the digital signature, is the result of the informatics procedure, applied to the public key and detectable by the validation systems, that ensures the correspondence between public key and subject holder to whom it belongs, it identifies the period of validity of that key and the expiry date of the certificate slide 63
  • 64. 6.6.1. Certification Authority • Simple C.A. • Qualified C.A. • Accredited C.A. – Different qualities – Different procedures to become C.A. – Different level of the certification services slide 64
  • 65. 6.6.2. Electronic Certificate • Electronic Certificates – electronic certificates are now defined such as electronic certificates that connect the identity of the holder to the data used to verify electronic signatures • Qualified Certificates – qualified certificates are electronic certificates comply with the requirements envisaged in Annex I of the Directive and issued by certification meets the requirements provided in Annex II of the Directive slide 65
  • 66. 6.6.3. Signature Device • Signature Device • Secure Signature Device slide 66
  • 67. 6.7. Definitions|Digital Signature • un particolare tipo di firma elettronica avanzata basata su un certificato qualificato e su un sistema di chiavi crittografiche, una pubblica e una privata, correlate tra loro, che consente al titolare tramite la chiave privata e al destinatario tramite la chiave pubblica, rispettivamente, di rendere manifesta e di verificare la provenienza e l'integrità di un documento informatico o di un insieme di documenti informatici • a particular type of advanced electronic signature based on a qualified certificate and a system of cryptographic keys, one public and one private, related to each other, which allows the holder using the private key and the recipient using the public key, respectively, to make manifest and verify the origin and integrity of an electronic document or a set of electronic documents slide 67
  • 68. Summary • Electronic Signature – Electronic Signature • Advanced Electronic Signature – Qualified Electronic Signature » Digital Signature » [other] – [other] • [other] • Electronic Certificate – Electronic Certificate – Electronic Qualified Certificate – Certification Authority • Signature Device – Signature Device – Secure Signature Device • Certification Authority – Certification Authority – Qualified Certification Authority – Accredited Certification Authority slide 68
  • 69. Summary slide 69
  • 70. 6.8. Legal Effects • Art. 20.1 bis CAD – L'idoneità del documento informatico a soddisfare il requisito della forma scritta e il suo valore probatorio sono liberamente valutabili in giudizio, tenuto conto delle sue caratteristiche oggettive di qualità, sicurezza, integrità ed immodificabilità, fermo restando quanto disposto dall’articolo 21. – The suitability of the electronic document to satisfy the requirement of written form and its probative value can be freely evaluated in judgment, in view of its objective characteristics of quality, safety, integrity and immutability, subject to the provisions of Article 21. slide 70
  • 71. 6.8. Legal Effects • Art. 21.1 CAD – Il documento informatico, cui è apposta una firma elettronica, sul piano probatorio è liberamente valutabile in giudizio, tenuto conto delle sue caratteristiche oggettive di qualità , sicurezza, integrità e immodificabilità. – The electronic document, which is signed with a electronic signature, in terms of evidence is freely estimated in judgment, in view of its objective characteristics of quality, safety, integrity and immutability. slide 71
  • 72. 6.8. Legal Effects • Art. 21.2 CAD – Il documento informatico sottoscritto con firma elettronica avanzata, qualificata o digitale, formato nel rispetto delle regole tecniche di cui all'articolo 20, comma 3, che garantiscano l'identificabilità dell'autore, l'integrità e l'immodificabilità del documento, ha l'efficacia prevista dall'articolo 2702 del codice civile. L'utilizzo del dispositivo di firma si presume riconducibile al titolare, salvo che questi dia prova contraria. – The electronic document signed with an advanced electronic signature, qualified or digital, format in compliance with the technical rules [...], to ensure the identification of the author, integrity and immutability of the paper, has the effectiveness of Article 2702 of the Italian Civil Code. The use of the signature device is assumed due to the owner, unless he proves otherwise. slide 72
  • 73. 6.8. Legal Effects • Art. 21.2 bis CAD – Salvo quanto previsto dall’articolo 25, le scritture private di cui all’articolo 1350, primo comma, numeri da 1 a 12, del codice civile, se fatte con documento informatico, sono sottoscritte, a pena di nullità, con firma elettronica qualificata o con firma digitale. – Except as provided in Article 25, the private documents referred to in Article 1350, first paragraph numbers from 1 to 12, of the Civil Code, if done with electronic documents are signed, under penalty of nullity, with qualified electronic signature or with digital signature. slide 73
  • 74. 6.9. Time Stamping • The result of the informatics procedure which is attributed to one or more electronic documents, a date and a time enforceable against third parties • The timestamp has another important function. It allows to extend the value of the certificate of digital signature beyond the normal period of validity. This is on condition that the signature is associated with a timestamp, enforceable against third parties, at an earlier time than the suspension, expiration or revocation of the certificate. slide 74
  • 75. Thank you Michele Martoni Contract Professor at the University of Bologna Ph.D. In IT Law Lawyer michele.martoni@unibo.it | www.unibo.it www.michelemartoni.it