Below is a summary I prepared a while back for an Arizona Health-e Connection committee of which I was a member. This provides an introduction to the concept of digital certificates, though at a very basic level. I visited several websites to obtain the information needed to prepare the summary. As a caveat, I am not a technical expert in this area so I cannot attest to complete accuracy.
Electronic Signature:
There may be some confusion concerning the difference between electronic signatures and digital signatures. The most significant difference is that electronic signatures do not require the use of digital certificates.
An electronic signature is comparable to a seal or an electronic version of a signature stamp. It is any legally recognized electronic means that indicates that a person adopts the contents of an electronic message. When recognized under the law, electronic signatures have the same legal consequences as the more traditional forms of executing documents. The electronic signature shows that the user has applied that symbol to indicate intent to sign. It is important that the electronic symbol be related specifically to the party who is signing, that there is proof the symbol was applied with the intent to sign, that the data being signed can be proven to be the original data, and that all parties to a signature are allowed to have independent copies. An electronic signature actually displays an image of your handwritten signature or a visual mark within the document to illustrate your consent to a document's contents, and it uniquely identifies you as a signer. It is permanently attached to a document like a handwritten signature on paper. It does not work well for multiply signed documents because of validation check steps that detect any changes (including a new signature) to the document. Some of the laws that apply to electronic signatures include: The U.S. E-Signature Act of 2000, Uniform Electronic Transactions Act (UETA), and FDA 21 CFR Part 11.
Digital Signature:
An electronic signature may incorporate a digital signature if it uses cryptographic methods to assure both message integrity and authenticity (non-repudiation). The message integrity mechanisms will readily detect any changes in a digitally signed document. All current cryptographic digital signature schemes require that the recipient have a way to obtain the sender's public key (digital certificate) with assurances (trust) that the public key and sender identity belong together. The message integrity measures must assure that neither the attestation nor the value of the public key can be surreptitiously changed.
Digital signatures are created by hashing data (a cryptographic process) to produce a large number that uniquely identifies the contents in such a manner that any change would no longer produce the same number. This is a counter-measure to Man in the Middle attacks. That number is then encrypted with a person's encryption key to prove that it belongs to the same person associated with the key. Public Key Cryptography uses two encryption keys that are mathematically related to one another, yet one key cannot be derived from an analysis of the other key. This is often called asymmetric encryption because the key used to encrypt (private key) is not the same key that is used to decrypt (public key). The public key can safely be given to others so they can use that key to decrypt information encrypted with the associated private key. It is critical to keep the private key private. This may require technical and/or physical privacy protections. Private keys are stored on disk, servers, or smart cards.
Certificates:
In cryptography, a public key certificate is an electronic document that uses a digital signature to bind together a public key with an identity, which includes information such as name, organization, address, etc. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will contain information about the certificate authority (CA) that issued the certificate. The most common use of certificates is for HTTPS-based web sites. A web site operator obtains a certificate by applying to a certificate provider (CA). The certificate provider requests the contact email address for the website from a public domain name registrar and checks that the published address and email address match. The CA is also known as a Trusted Third Party (TTP). It is critical to note for health information exchange purposes that the level of trust is determined by the policies and procedures for identity proofing followed by the CA.
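The hash-then-sign flow and the CA binding described in the Digital Signature and Certificates sections, as an added example that is not part of the original summary or its sources. It assumes textbook RSA without padding and a JSON record standing in for an X.509 certificate; the keys, names and sample note are constructed, and production systems use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib
import json

# Constructed demo keys: products of Mersenne primes, trivially factorable.
# They only keep the example deterministic and offline; never use such keys.
E = 65537

def make_keypair(p, q):
    """Return (public, private) textbook RSA keys for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(data: bytes) -> int:
    """Hash the data to the large number that identifies its contents."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private) -> int:
    n, d = private
    return pow(digest(data), d, n)      # transform the hash with the private key

def verify(data: bytes, signature: int, public) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(data)  # recover hash with public key

def issue_certificate(name: str, subject_public, ca_private) -> dict:
    """CA binds an identity to a public key by signing both together."""
    body = {"subject": name, "n": subject_public[0], "e": subject_public[1]}
    tbs = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "ca_signature": sign(tbs, ca_private)}

def verify_signed_message(message, signature, cert, ca_public):
    """Recipient: check the CA's binding first, then the message signature."""
    tbs = json.dumps(cert["body"], sort_keys=True).encode()
    if not verify(tbs, cert["ca_signature"], ca_public):
        return None                     # identity/key binding is not trusted
    public = (cert["body"]["n"], cert["body"]["e"])
    return cert["body"]["subject"] if verify(message, signature, public) else None

CA_PUB, CA_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)
DR_PUB, DR_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
CERT = issue_certificate("Dr. Example (hypothetical)", DR_PUB, CA_PRIV)
NOTE = b"Constructed sample: discharge summary v1"
SIG = sign(NOTE, DR_PRIV)

if __name__ == "__main__":
    print(verify_signed_message(NOTE, SIG, CERT, CA_PUB))         # signer's name
    print(verify_signed_message(NOTE + b"!", SIG, CERT, CA_PUB))  # None
```

The recipient needs only the CA's public key in advance: the signer's key arrives inside the certificate, and editing either the message or the certificate's subject makes verification fail.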
A future post will discuss use of digital certificates for health IT purposes in more detail. Having a grasp of this information is essential if one is to understand the current controversies and activity at the national level concerning health information exchange, the Nw-HIN, the Direct Project, and Provider Directories.
Sources:
http://www.wikipedia.com/
www.esignform.com/ElectronicSignatures.jsp
www.silanis.com/resource-center/articles/electronic-signatures-vs-digital-signatures.html
nice
I enjoyed reading this article. You have a great understanding of this tool that is very popular these days. After reading it I have learned so much about it. This is a short guide that offers a complete introduction to electronic signatures. I wanted to know if electronic signatures and digital signatures are the same.