TypewriterFrom The Urbach Letter – March 2007

Return to Archive

Keeping it RealContract Signature

For the longest time, I scoffed at the idea of the paperless office. Never thought it'd live up to all the hype. I liked the permanence and "security" of paper checks and statements and records. Well, the world is definitely changing. Most of us have become much more comfortable with online services, banking, electronic records and billing, and important documents attached to email. More and more, people are doing business over the Internet. The need to exchange signed paper documents has been a drag on commerce, so clever strategies have been developed to verify an electronic document is original, genuine, and authorized.

This is the final installment in the "Keeping Secrets" article series. Here are links for Part One and Part Two and Part Three.

Even if you're not all that interested in securing your documents and communications, there's another aspect to public key cryptography that'll likely be a very important part of doing business in the near future: digital signatures and authentication.

Before we go too much further, I should remind you that I'm far from an expert on this topic. The waters get deep very fast. People get Ph.D.'s in this stuff. Multiple Ph.D.'s actually. I'm just a guy who understands the common business applications and does a (hopefully) decent job of explaining the essentials to other businesspeople. So if you, Doctor Doctor Cryptanalyst are reading this, please don't write to me that I said XYZ, when it's really WXYZ. I know. But there was no time to do the W stuff!

Contract SignatureWhat makes digital signatures so much better than an ink pen on paper? Well that blue ink squiggle on the paper document you just received in your postal mailbox may belong to the other person you're doing the deal with… or it may not. Only a forensic handwriting expert could tell for sure. Even then, how would you know if somebody altered the document after it was signed? Or if whole pages were added or deleted?

A digital signature on the other hand will ensure the document came from the right person (and nobody else), that it has not been altered in any way whatsoever, and if it's encrypted too, that no other person has been able to intercept and read it in transit.

Here's how it works. Do you remember what I said about public key cryptosystems? If you want to send a secret message to someone, you look up their openly published public key and use that key to encode your document. Once you've done that, only your recipient's corresponding private key can decrypt the message.

Now, what would happen if instead you used your private key to encrypt the document? Well, in that case, ONLY your published public key could unlock it. PGP software automates all of this.

Contract SignatureHowever, it's actually not necessary to encrypt your whole document in order to prove it came from you and you alone. Instead, we use something called a one-way hash function to crunch your original document or file down to a very small unique item called a message digest. PGP takes this digest and binds it to your public key.

There's no way for a wrong-doer to detach your digital sig from one document and attach it to another. Also, the slightest change to the original document file will generate a totally different message digest -- and the received file will be flagged as altered.

Does all this sound too complicated? Even if it does, that shouldn't bother you too much. The PGP software does all the heavy lifting for you. You don't have to know what's happening behind the curtain.

We'll that's it. It's time for me to bring this very high altitude flight over the world of encryption in for a landing. Next month we'll depart for a totally different destination.

Return to Archive

(c) Copyright 2002-2010 Victor Urbach
This article may be reprinted with permission and attribution