Original Articles

Identification, trust and privacy: How biometrics can aid certification of digital signatures

Pages 133-141 | Published online: 02 Mar 2010
 

Abstract

Public key infrastructure (PKI) enables the secure and private exchange of data over an insecure public network such as the Internet. The use of paired private and public keys, issued by a trusted third-party authority, enables documents to be transferred securely and the sender to be authenticated. Biometrics offer the potential to enhance the PKI model considerably by restricting who can use the private key for signing and decryption. A fingerprint, for example, can provide a higher level of confidence than the traditional password/PIN model, and it adds a level of individual authentication where a group of people has access to one key. Authentication of data, or of a document, is often physically remote from the owner, especially for Internet-based communications; conversely, traditional biometric usage has been to identify the physical presence of a person, for example for secure entry or for the receipt of information or goods. Within the EU, the European Electronic Signature Standardisation Initiative (EESSI) has led to a plethora of standards covering PKI, electronic signature algorithms, electronic signature formats, time stamping, the provision of certification services, information security and the preservation of evidence. This paper illustrates how a legally compliant and secure framework for the verification and non-repudiation of digital signatures can be established using PKI and biometric technologies. In particular, the legal requirements for digital signatures and their certification must be defined, especially with reference to biometric methods for protecting and controlling access to certificates and keys.
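As an added example, not code from the paper (which contains none), the following Go program models the arrangement the abstract describes: one organisational signing key, sealed separately for each authorised person under a secret derived from that person's enrolled factor, so that unlocking the key also identifies the individual, plus a document signature that a relying party verifies with the public key alone. Everything in it is constructed for illustration: the holder names, the "template-a"/"template-b" strings standing in for biometric template hashes, the contract text, and the use of HMAC-SHA256 as the key-derivation step. A real fingerprint is never read identically twice, so a production design would bind the key through a fuzzy extractor or a secure element rather than a raw hash of the template; the comments flag that assumption where it matters.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// WrappedKey is one copy of a shared signing key sealed under one authorised
// person's factor (a constructed stand-in for a biometric template hash or PIN).
type WrappedKey struct {
	Holder                  string
	Salt, Nonce, Ciphertext []byte
}

// deriveWrapKey turns a factor into an AES-256-GCM wrapping cipher. HMAC-SHA256
// keeps the example stdlib-only; a real deployment would use a memory-hard KDF
// and, for an actual fingerprint, a fuzzy extractor, since readings differ.
func deriveWrapKey(salt, factor []byte) cipher.AEAD {
	m := hmac.New(sha256.New, salt)
	m.Write(factor)
	block, _ := aes.NewCipher(m.Sum(nil)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

func randBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// WrapForHolder seals the organisation's private key for one holder. The name
// is bound as associated data so a wrap cannot be relabelled to someone else.
func WrapForHolder(priv *ecdsa.PrivateKey, holder string, factor []byte) (WrappedKey, error) {
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return WrappedKey{}, err
	}
	salt, err := randBytes(16)
	if err != nil {
		return WrappedKey{}, err
	}
	aead := deriveWrapKey(salt, factor)
	nonce, err := randBytes(aead.NonceSize())
	if err != nil {
		return WrappedKey{}, err
	}
	ct := aead.Seal(nil, nonce, der, []byte(holder))
	return WrappedKey{Holder: holder, Salt: salt, Nonce: nonce, Ciphertext: ct}, nil
}

// Unwrap tries every holder's wrap with the presented factor and returns the key
// plus the individual who unlocked it: the per-person authentication a shared key
// alone cannot give.
func Unwrap(wraps []WrappedKey, factor []byte) (*ecdsa.PrivateKey, string, error) {
	for _, w := range wraps {
		der, err := deriveWrapKey(w.Salt, factor).Open(nil, w.Nonce, w.Ciphertext, []byte(w.Holder))
		if err != nil {
			continue // GCM tag mismatch: not this holder's factor
		}
		priv, err := x509.ParseECPrivateKey(der)
		if err != nil {
			return nil, "", err
		}
		return priv, w.Holder, nil
	}
	return nil, "", errors.New("presented factor matches no authorised holder")
}

// SignDocument returns an ASN.1 ECDSA signature over SHA-256(doc).
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyDocument is the relying party's check; it needs only the public key.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	wa, _ := WrapForHolder(priv, "alice", []byte("template-a")) // constructed enrolments
	wb, _ := WrapForHolder(priv, "bob", []byte("template-b"))
	doc := []byte("constructed contract text")
	key, who, err := Unwrap([]WrappedKey{wa, wb}, []byte("template-b"))
	if err != nil {
		fmt.Println("unlock refused:", err)
		return
	}
	sig, _ := SignDocument(key, doc)
	fmt.Printf("unlocked by %s; signature valid: %v\n", who, VerifyDocument(&priv.PublicKey, doc, sig))
}
```

Run it with go run; the final line names who unlocked the key and confirms that the signature verifies. Because the GCM associated data is the holder's name, a wrap cannot be relabelled to pin a signature on another person, and a wrong factor fails the tag check rather than yielding a garbled key that might be used by mistake.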

Acknowledgements

The author would like to thank Professor John Huntley for his input into earlier drafts of this paper and Laura Reid, the KTP associate at Serendipity Interactive Ltd.

Notes

From the Greek words ‘chrysos’, gold and ‘boula’ a mark or seal, probably derived from the Latin ‘bulla’ meaning mark or seal; although it is interesting to note that the word may also stem from the Greek ‘boulo’, to will something. The chrysobull, or golden bull, or gold seal was used also in imitation by the western ‘holy roman emperors’ and, of course in the authentication of Papal bulls.

The document seeks support from the Pope for the Scots in their struggle for independence from the English crown. The original copy of the document, sent to Pope Boniface in Rome has disappeared, or at least cannot be traced in the Vatican archives.

The Declaration was of course a declaration of independence and therefore a very public document. Sealing the document did not mean here closing or securing it so that breach of the seal would indicate breach of security.

Sokratis K. Katsikas, Stefanos Gritzalis and Javier Lopez, eds., Public Key Infrastructures (Heidelberg: Springer, 2004), 274–86.

Invented by Ron Rivest for the 1978 article presenting the RSA cryptosystem. R. L. Rivest, A. Shamir and L. Adleman, ‘A Method for Obtaining Digital Signatures and Public-key Cryptosystems’, Communications of the ACM 21, no. 2 (1978): 120–26.

The risks of two-factor authentication are described by B. Schneier, ‘Two-Factor Authentication: Too Little, Too Late’, Communications of the ACM 48, no. 4 (2005): 136. See also: http://www.schneier.com/blog/archives/2005/03/the_failure_of.html

Bruce Schneier, ‘Biometrics: Truths and Fictions’, Crypto-Gram Newsletter, 15 August 1998, available at: www.counterpane.com/crypto-gram-9808.html

K.J. Pawan and M.Y. Siyal, ‘Novel Biometric Digital Signatures for Internet Based Applications’, Information Management & Computer Security 9, no. 5 (2001): 205–12.

Knowledge Transfer Partnerships are collaborations between universities and the private sector; they are funded by UK Government organisations led by the Technology Strategy Board. See http://www.ktponline.org.uk/academics/default.aspx

The Electronic Communications Act 2000 and the Electronic Communications Regulations 2002.

The United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures, various ISO standards, the EU Electronic Signatures Directive 1999/93/EC, and the documentation emanating from the European Telecommunications Standards Institute (ETSI) and the European Committee for Standardization (CEN).

See J. Ness, ‘Back to the Future’, Journal of the Law Society of Scotland 50 (2006); and S. Brynner and R. Mckay, ‘ARTL - Now and then?’ Journal of the Law Society of Scotland 52 (2007).

M. Wang, ‘The Impact of Information Technology Development on the Legal Concept – A Particular Examination on the Legal Concept of “Signatures”’, International Journal of Law and Information Technology 15, no. 3 (2007): 253–74.

L. Brazell, Electronic Signature Law and Regulation, 1st ed. (London: Sweet & Maxwell, 2004).
