Electronic Signatures' Strategies - New York Association of Local ...

Feb 22, 2014

E-signature Strategies

Alan S. Kowlowitz
Strategic Policies, Acquisitions and e-Commerce
NYS Office for Technology


Outline of Class

- Overview of Electronic Signatures and Records Act (ESRA)
- Explanation of ESRA’s definition of an e-signature
- Available approaches to electronic signing
- Guidance on selecting an e-signature approach
- Records management implications of e-signed e-records
Overview of Electronic Signatures and Records Act (ESRA)

ESRA
Chapter 4, Laws of 1999: State Technology Law, Article 1

- E-records and e-signatures given the same legal validity as paper records and ink signatures
- OFT Electronic Facilitator overseeing implementation
- Use of e-signatures and records is voluntary
- Govt. must accept hard copies unless otherwise provided by law

ESRA
Chapter 4, Laws of 1999: State Technology Law, Article 1

- E-signatures and records can’t be used for:
  » Negotiable instruments
  » Instruments recordable under Art. 9 of the RPL (e.g., deeds)
  » Other instruments whose possession confers title
  » Documents affecting life and death (Wills, Trusts, Do-not-resuscitate orders, Powers of attorney, Health care proxies)

ESRA Amended by Chapter 314, Laws of New York, 2002

- Amends and expands the definition of “electronic signature” to comport with the federal E-Sign Law
- Authorizes the use of various e-signature approaches in NYS
- OFT retains its role as “electronic facilitator” and regulator of e-signature/record
- Adopted into law on August 6, 2002
- Final regulations published in May 2003
- Revised ESRA Guidelines in process
ESRA Definition of an E-signature

ESRA Definition of an E-signature

- “an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the record.”
- Affords the greatest possible flexibility in selecting an appropriate e-signature solution
- Sets some parameters on what constitutes an e-signature under ESRA

ESRA Definition of an E-signature

- “[A]n electronic sound, symbol, or process...”
- A wide range of “digital objects” may serve as an e-signature
  » Can be as simple as a set of keyboarded characters or as sophisticated as an encrypted hash of an e-record’s contents
- Allows a process to serve as an e-signature
  » Recorded events of accessing a system are associated with the content to be signed to create a record of the signer’s actions and intent

ESRA Definition of an E-signature

- “[A]ttached to or logically associated with ...”
- An e-signature is attached to or logically associated with an e-record during transmission and storage
  » Can be part of the record or maintained separately but associated to the record through a database, index, embedded link or other means
  » Link between e-record and e-signature must be
    - Created at signing and maintained during any transmission
    - Retained as long as a signature is needed, which may be the record’s full legal retention period

ESRA Definition of an E-signature

- “[E]xecuted or adopted by a person with intent to sign the record.”
- E-signature must express the same intent as a handwritten one
- Must identify an individual who will convey intent
- Practices that may help avoid confusion:
  » Allow the signer to review the record to be signed
  » Inform the signer that a signature is being applied
  » Format an e-record to contain accepted signature elements
  » Express signer’s intent in the record or a certification
  » Require the signer to indicate assent affirmatively
  » Record and retain date, time, and the signer’s intent
- Example of a signature certification statement from the Department of Tax and Finance International Fuel Tax Agreement (IFTA) report (return) filing application.


Available Approaches to Electronic Signing

E-signature Approaches

- Most e-signature approaches involve a number of technologies, credentials, and processes
  » More accurate to think of a range of approaches to e-signing rather than an array of stand-alone technologies
- Approaches provide varying levels of security, authentication, and record integrity
  » Can combine techniques from various approaches to increase the strength of the above-mentioned attributes

Click Through or Click Wrap

- Person affirms intent or agreement by clicking a button
- ID information collected, authentication process (if any) and security procedures can vary greatly
- Commonly used for low risk, low value consumer transactions

Personal Identification Number (PIN) or Password (“shared secret”)

- Person enters ID information, PIN and/or password
- System checks that the PIN and/or password is associated with the person
- Authentication is the first part of a process that involves an affirmation of intent
- If over the Internet, the PIN and/or password is often encrypted using Secure Sockets Layer (SSL)
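The PIN/password approach above is a process rather than a digital object, so what survives is the evidence the system records. The following is an added example (not code from the presentation or from the NYS Office for Technology) of such a process: the server checks that a PIN is associated with the person without storing the shared secret itself, then captures the intent elements the earlier "practices that may help avoid confusion" slide lists (record reviewed, certification statement shown, affirmative assent, date and time retained). The user IDs, the sample return and the certification wording are constructed for illustration; the page does not quote the IFTA statement.

```python
# Added example: a PIN ("shared secret") e-signature process with intent capture.
# Everything below (user IDs, record, certification text) is constructed.
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

# Constructed certification statement; stands in for the IFTA wording the
# slides mention but do not quote.
CERTIFICATION = ("I declare that I have reviewed this return and that, to the "
                 "best of my knowledge, it is true, correct and complete.")


def enroll(user_id: str, pin: str, iterations: int = 200_000) -> dict:
    """Store only a salted PBKDF2 hash of the PIN, never the PIN itself, so a
    copy of the credential table does not reveal the shared secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"user_id": user_id, "salt": salt, "iterations": iterations, "hash": digest}


def authenticate(entry: dict, pin: str) -> bool:
    """Check that the PIN is associated with the person (constant-time compare)."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), entry["salt"], entry["iterations"])
    return hmac.compare_digest(candidate, entry["hash"])


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(entry: dict, pin: str, record: dict, assent: bool, now=None) -> dict:
    """Authentication is the first part of the process; the second is an
    affirmation of intent. Returns the signing event to retain with the
    record, or raises if either part fails."""
    now = now or datetime.now(timezone.utc)
    if not authenticate(entry, pin):
        raise PermissionError("authentication failed")
    authenticated_at = now.isoformat()
    if not assent:  # the signer must indicate assent affirmatively
        raise ValueError("signer did not affirmatively assent")
    return {
        "signer_id": entry["user_id"],
        "identification_process": "PIN verified against enrolled PBKDF2 hash",
        "authenticated_at": authenticated_at,
        "record_sha256": hashlib.sha256(_canonical(record)).hexdigest(),
        "certification_shown": CERTIFICATION,
        "assent": "affirmed",
        "signed_at": now.isoformat(),
    }


def verify_event(event: dict, record: dict) -> bool:
    """Later check that a retained signing event still refers to this exact record."""
    return hmac.compare_digest(event["record_sha256"],
                               hashlib.sha256(_canonical(record)).hexdigest())


if __name__ == "__main__":
    entry = enroll("taxpayer-0001", "4821")
    return_data = {"form": "IFTA-100", "period": "2003Q1", "total_gallons": 12500}
    event = sign_record(entry, "4821", return_data, assent=True)
    print(json.dumps(event, indent=2))
    print("event matches record:", verify_event(event, return_data))
```

The event carries the signer identity, the identification process, both timestamps and the intent statement, which is the minimum documentation the records-management slides later ask entities to retain for a process-based signature that cannot be revalidated on its own.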

Digitized Signature and Signature Dynamics

- Digitized Signature
  » A graphical image of a handwritten signature often created using a digital pen and pad
  » The entered signature is compared with a stored copy; if the images are comparable, the signature is valid
- Signature Dynamics
  » Variation on a digitized signature
  » Each pen stroke is measured (e.g. duration, pen pressure, size of loops, etc.), creating a metric
  » The metric is compared to a reference value created earlier, thus authenticating the signer

Shared Private Key

- Also known as “symmetric cryptography”
- E-record is signed and verified using a single cryptographic key
- The key is shared between the sender and recipient(s)
- Not really "private" to the sender
- A private key can be made more secure by incorporating other security techniques
  » Smart cards or other hardware tokens in which the private key is stored

Public/Private Key Digital Signatures

- Also known as Asymmetric Cryptography
- Key Pair: Two mathematically related keys
  » One key used to encrypt a message that can only be decrypted using the other key
  » Cannot discover one key from the other key
- Private Key: Kept secret and used to create a Digital Signature
- Public Key: Often made part of a “digital certificate” and used to verify a digital signature by a receiving party
- Often used within a Public Key Infrastructure (PKI)
  » Certification Authority (CA) binds individuals to private keys and issues and manages certificates

Digital Signatures: Public/Private Key Cryptography (diagram)

Bob (signing):
  Message "Hi Alice / Sincerely, Bob" -> Hash algorithm -> digest 12345
  Encrypts digest with Bob’s Private Key: 12345 -> ##!FV
  Sends message + ##!FV + Certificate

Alice (validating):
  Message "Hi Alice / Sincerely, Bob" -> Hash algorithm -> digest 12345
  Decrypts ##!FV with Bob’s Public Key -> 12345
  Compares the two digests; a match validates the signature

- Encrypt message digest with Private Key
- Validate message digest with Public Key


Biometrics

- Person’s unique physical characteristics are measured and converted into digital form or profile
  » Voice patterns, fingerprints, and the blood vessel patterns present on the retina
- Measurements are compared to a stored profile of the given biometric
- If the measurements and stored profile match, the software will accept the authentication
- Can provide a high level of authentication

Smart Card

- Not a separate e-signature approach in itself
  » It can facilitate various e-signature approaches
- A plastic card containing an embedded chip
  » Can generate, store, and/or process data
- Data from the card's chip is read by software
  » After a PIN, password or biometric identifier is entered
- More secure than a PIN alone
  » Both physical possession of the smart card and knowledge of the PIN are necessary
- Can be used to overcome concerns with the shared secret approach to e-signature
Additional Factors

- Each general approach to e-signing (e.g. PINs and passwords vs. digital signatures) varies in terms of:
  » Identifying the signer
  » Attributing a signature
  » Securing the integrity of both the record and the signature
- Each can increase security and reduce risk
- Often independent of the technology selected

Signer identification or registration

- Method or process used to identify and authorize a signer to use an e-signature
- Independent of the e-signature or e-record technology
- Critical component of any e-signature solution
- The stronger the identification method, the more assurance that the appropriate person signed

Signer identification or registration
Methods

- Self-identification as part of the signing process
- Comparison of user supplied information with a trusted data source
- Acceptance of a previously conducted and trusted process where individuals personally presented themselves and proof of identities
- Separate identification process to authorize the use of an e-signature where individuals personally present themselves and proof of identities

Signer Authentication

- Policy, process and procedures used to authenticate the signer
- Establish a link or association between the signer and the information and method used to sign
- The strength of the authentication system can protect against fraud and repudiation

Signer Authentication
Methods

- Something that only the individual knows: A secret (e.g., password or Personal Identification Number (PIN))
- Something the individual possesses: A token (e.g., ATM card, cryptographic key or smart card)
- Something the individual is: A biometric (e.g., characteristics such as a voice pattern or fingerprint)
- Two factor authentication: often includes use of a hardware device such as a smart card

Signature attests to the record’s integrity

- E-signature approaches provide varying levels of protection against unauthorized access or tampering with the signed e-record
- Systems that manage signed e-records can provide protection if they have controls
  » Controls may be needed to ensure that the integrity of the signed e-record is not compromised during transmission
- Added security is provided by approaches in which signature validation ensures that the e-record has not been modified
  » Digital signatures

Selecting an E-signature Approach

A business decision, not just a technical one

Is an e-signature needed or desirable?

- Review requirements and risks
  » Creating and maintaining signed e-records may require more resources than unsigned ones
- Consider the following questions:
  » Is there a legal requirement for a signature?
    - Statute of Frauds requires certain contracts to be signed
    - Specific laws and regulations require signatures
  » Is there a business need for a signature?
    - Document that the signer attested to information’s accuracy, agreed to conditions, and/or reviewed contents
    - Higher risk transactions may need the protection against fraud or repudiation provided by e-signatures

Business Analysis and Risk Assessment

- ESRA regs § 540.4 (c) require govt. entities to conduct and document a business analysis and risk assessment:

  identifying and evaluating various factors relevant to the selection of an electronic signature for use or acceptance in an electronic transaction. Such factors include, but are not limited to, relationships between parties to an electronic transaction, value of the transaction, risk of intrusion, risk of repudiation of an electronic signature, risk of fraud, functionality and convenience, business necessity and the cost of employing a particular electronic signature process.

Business Analysis and Risk Assessment

- Purpose:
  » To identify and evaluate factors relevant to selecting an e-signature approach
  » Does not prescribe a method or set a standard
  » Protects interest in the use of sound technology and practices when transacting business electronically
- Business analysis and risk assessment are two parts of an integrated process

Business Analysis

- Possible components
  » Overview of the business process
  » Analysis of legal and regulatory requirements
  » Identification of standards or accepted practices
  » Analysis of those who will use e-signature
  » Determination of interoperability requirements
  » Determination of costs of alternatives

Business Analysis

- Overview of business process and transaction
  » Purpose and origins
  » Transaction’s place within the larger business process
  » Services to be delivered and their value
  » Parties to the transaction and other stakeholders
  » Transaction’s workflow

Business Analysis

- Analysis of legal and regulatory requirements
  » How the transaction must be conducted
  » Signature requirements
    - Are they specifically required, what records need to be signed, who must or can sign, do they need to be notarized
  » Records related requirements
    - What records must be produced
    - How long do they need to be retained
    - Who must or can have access to the records
    - Specific formats prescribed for the creation, filing or retention
  » Confidentiality requirements
  » Importance of the parties’ identities to the transaction

Business Analysis

- Identification of standards or accepted practices on how e-transactions are conducted and e-signed
  » May be a key factor in selecting a solution
- Analysis of parties to e-signed transaction
  » Numbers
  » Location
  » Demographic characteristics
  » Access to technology
  » Accessibility requirements
  » Prior business relationships

Business Analysis

- Interoperability requirements
  » Compatibility with an existing technology environment
  » Interoperability or consistency with approaches used by partners
    - Governmental or private
  » Leveraging an existing and proven solution

Business Analysis

- Cost of alternative approaches
  » Hardware and software purchases
  » Implementing additional policies and procedures
  » Personnel to implement policies, procedures, or services
  » Training costs
  » Maintenance costs including help desk and user support

Risk Assessment

- E-signatures may serve a security function
  » They usually include signer authentication
  » Some approaches provide message authentication and repudiation protection
- Selection of an e-signature solution includes identifying
  » Potential risks involved in a signed e-transaction
  » How e-signature approaches can address those risks

Risk Assessment

- Risk is the likelihood that a threat will exploit a vulnerability, and have an adverse impact
  » Threat is a potential circumstance, entity or event capable of exploiting vulnerability and causing harm
  » Vulnerability is a weakness that can be accidentally triggered or intentionally exploited
  » Impact refers to the magnitude of harm that could be caused by a threat
  » Likelihood is the probability that a threat will actually materialize
- To assess risks an entity should identify and analyze each of the above

Risk Assessment
Sources of threat

- Parties to the transaction
- Governmental entity staff
- Malicious third parties such as hackers or crackers

Risk Assessment

- Vulnerabilities
  » Repudiation
    - Possibility that a party to a transaction denies that it ever took place
  » Fraud
    - Knowing misrepresentation of the truth or concealment of facts to induce another to act to his or her detriment
  » Intrusion
    - Possibility that a third party intercepts or interferes with a transaction
  » Loss of access to records
    - For business and legal purposes

Risk Assessment

- Potential Impacts
  » Financial
    - Average dollar value of transactions
    - Direct loss to the governmental entity, citizen or other entity
    - Liability for the transaction
  » Reputation and credibility
    - Relationship with the other involved party
    - Public visibility and perception of programs
    - History or patterns of problems or abuses
    - Consequences of a breach or improper transaction
  » Productivity
    - Time criticality of transactions
    - Number of transactions, system users, or dependents
    - Backup and recovery procedures
    - Claims and dispute resolution procedures

Risk Assessment
Likelihood

- Motivation and capability of threat
- Nature of the vulnerability
- Existence and effectiveness of controls
- A threat is highly likely where:
  » Its source is highly motivated and capable
  » Controls are ineffective
Risk Assessment
Risk Matrix

High Risk = 11-16
Medium Risk = 8-10
Low Risk = 4-7
Negligible Risk = 1-3


Select an E-signature Solution

- Balance business concerns (e.g., user acceptance and ease of deployment) with risk reduction
- Identify overriding concerns
  » An overriding factor might be compatibility with an existing standard or solution
  » Cost may be an overriding factor where risk is low

Cost-Benefit Analysis

- Can help entities decide on how to allocate resources and implement a cost-effective e-signature solution
- Used to evaluate feasibility and effectiveness for each proposed solution to determine which are appropriate
- Can be qualitative or quantitative
- Demonstrates that a solution’s cost is justified by reducing risk
- Cost-benefit analysis can encompass the following
  » Determining the impact of implementing the solution
  » Determining the impact of not implementing it
  » Estimating the costs of the implementation
  » Assessing costs and benefits against system and data criticality

Documenting a Business Analysis and Risk Assessment

- ESRA regulation requires that the BA and RA be documented
  » How, or in what detail, is up to the governmental entity
- Minimum documentation should cover
  » Process used including factors mentioned in the ESRA regulation
  » Result and decision reached including justification
- The resulting documentation should be
  » Accurate and readily available
  » Clear and understandable to an outside audience
  » Retained as long as the e-signature solution is used
Signed E-records Management Issues

Signed E-records Management Issues

- Same issues as with unsigned e-records
  » Focus is on the system and business processes that produce the e-record
- Preserving links between an e-signed e-record’s components is critical
  » Components provide evidence to support the reliability and authenticity of the signed e-record
  » May actually constitute the e-signature itself

Signed E-records Management Issues

- Key challenges faced in maintaining e-signed e-records
  » Determining what needs to be retained to constitute a valid signed e-record
  » Preserving the association between the signed e-record’s various components over time

Determining what needs to be retained

- Cannot predict what the courts will require
  » Difficult to determine what information will be needed
- BA/RA used to select approach can help determine what needs to constitute the signed e-record
- E-signature method will partially determine what will be retained
  » Digital object: Maintain the ability to revalidate e-signatures
  » Signature process: Maintain adequate documentation of the e-signature’s validity

Determining what needs to be retained

- Digital object (encrypted hash, digitized signature, signature dynamic, other biometric)
  » Evidence that the e-signature was electronically validated
  » Functionality and records needed to revalidate
  » Vary according to the technology or approach used:
    - Digital signature: public key of the presumed signer decrypted the message digest/hash and the hashes matched
    - Biometric: biometric profile of the signature matched the stored profile

Determining what needs to be retained

- Signature is a process (PIN, password, click wrap)
  » Signature does not exist as a discrete object and can’t be revalidated
  » Adequate documentation that the e-signature was valid when it was created must be retained
- No court decisions on the validity of an e-signature
  » Can’t predict what the courts will require

Determining what needs to be retained

- Regardless of e-signature approach, entities should minimally retain documentation of the:
  » Signer’s identity
  » Process used to identify and authenticate the person
  » Date and time an individual was authenticated
  » Signer’s intent
  » Date and time that the signing process was completed

Preserving the association between a signed record’s various components

- Systems can manage signed e-records’ components
  » Must be accounted for when systems are planned
- E-records with long retention periods may need to be migrated to a new system or stored offline
  » Need to preserve the association of their various components
  » Should be planned and well documented
  » Conducted in the normal course of business
  » Ensure the records’ authenticity, integrity, and reliability
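The last three slides describe two obligations: retain, whatever the approach, documentation of the signer’s identity, the identification/authentication process, the authentication time, the signer’s intent and the signing time; and keep the record, the signature object and that documentation logically associated through migration or offline storage. The following added example (not code from the presentation or from the NYS Office for Technology) is one way to implement both: a retention package whose manifest binds each component by hash, a check that rejects documentation missing any of the five minimum items, and a revalidation routine that reports a broken association after a simulated migration. The package layout, field names and sample contents are assumptions for illustration, not a format ESRA prescribes.

```python
# Added example: a retention package for a signed e-record whose components
# (record, signature object, required documentation) are bound by a hashed
# manifest, plus a revalidation check for use after migration. Layout and
# field names are assumptions; sample contents are constructed.
import hashlib
import json

# The five items the slides say should minimally be retained, whatever the approach.
REQUIRED_DOCUMENTATION = (
    "signer_identity",
    "identification_process",
    "authenticated_at",
    "signer_intent",
    "signed_at",
)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_package(record: bytes, signature_object: bytes, documentation: dict,
                  record_id: str) -> dict:
    """Bundle the components with a manifest that records a hash of each one,
    so the link between them is created at signing and can be checked later."""
    missing = [k for k in REQUIRED_DOCUMENTATION if k not in documentation]
    if missing:
        raise ValueError(f"documentation missing required fields: {missing}")
    doc_bytes = json.dumps(documentation, sort_keys=True).encode()
    components = {"record": record, "signature": signature_object, "documentation": doc_bytes}
    manifest = {
        "record_id": record_id,
        "components": {name: _sha256(data) for name, data in components.items()},
    }
    # Hash the manifest too, so a tampered index (not just a tampered component)
    # is detectable. The hash covers the manifest without this field.
    manifest["manifest_sha256"] = _sha256(json.dumps(manifest, sort_keys=True).encode())
    return {"manifest": manifest, "components": components}


def revalidate_association(package: dict) -> list:
    """Return a list of problems; an empty list means every component is present,
    unchanged, and still linked by an unaltered manifest."""
    problems = []
    manifest = dict(package["manifest"])
    claimed = manifest.pop("manifest_sha256", None)
    if claimed != _sha256(json.dumps(manifest, sort_keys=True).encode()):
        problems.append("manifest altered")
    for name, expected in manifest["components"].items():
        data = package["components"].get(name)
        if data is None:
            problems.append(f"component missing: {name}")
        elif _sha256(data) != expected:
            problems.append(f"component altered: {name}")
    try:
        docs = json.loads(package["components"]["documentation"])
        for k in REQUIRED_DOCUMENTATION:
            if k not in docs:
                problems.append(f"documentation missing: {k}")
    except (KeyError, ValueError):
        problems.append("documentation unreadable")
    return problems


def migrate(package: dict) -> dict:
    """Simulated migration to a new system: copy manifest and components byte-for-byte."""
    return {"manifest": json.loads(json.dumps(package["manifest"])),
            "components": {k: bytes(v) for k, v in package["components"].items()}}


if __name__ == "__main__":
    docs = {  # constructed documentation for a constructed filing
        "signer_identity": "taxpayer-0001",
        "identification_process": "PIN verified against enrolled credential",
        "authenticated_at": "2003-04-30T14:02:11+00:00",
        "signer_intent": "Declared return true, correct and complete",
        "signed_at": "2003-04-30T14:03:40+00:00",
    }
    pkg = build_package(b"IFTA-100 2003Q1 total_gallons=12500", b"<signature object>", docs, "rec-2003-0001")
    print("after migration:", revalidate_association(migrate(pkg)) or "association intact")
    damaged = migrate(pkg)
    damaged["components"]["record"] = b"IFTA-100 2003Q1 total_gallons=1250"
    print("after tampering:", revalidate_association(damaged))
```

Running `revalidate_association` as part of each planned migration, and keeping its output with the package, gives the "planned and well documented" evidence the slide asks for in the normal course of business.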

E-signature Strategies

Questions and Concerns

NYS Office for Technology
Strategic Policies, Acquisitions and e-Commerce
518-473-0224
NYECOM@oft.state.ny.us
http://www.oft.state.ny.us/esra/esra.htm