All about Digital Signatures
Digital signatures
Digital signatures are created by hashing data to
produce a large number (or sequence of bytes) that uniquely identifies the contents (something like a DNA
test for data) in such a manner that any change would no longer produce the same
number. That number is then encrypted with a person's encryption keys to prove that it belongs to
the person who is associated with the keys.
Public key cryptography
Public key cryptography is a form of encryption that uses two encryption keys that are mathematically
related to one another, yet one key cannot be derived from an analysis of the other key. Public key
cryptography is often called asymmetric encryption because the key used to encrypt is not the same key
that is used to decrypt.
Typically, these two keys are called the public key and the private key. The idea is that the public key
is the encryption key you can safely give to others (hence it's public) so that they can use that key
to decrypt anything you encrypt with the associated private key. Obviously, for this to work, it is absolutely
critical that you keep the private key secure. Most private keys themselves are stored on disk, servers
or smart cards using a password-protected keystore to avoid the key being accessed without your consent.
With Yozons, your private keys are encrypted while on disk and can only be accessed by providing your
password or by logging in via a single sign-on (SSO) system.
Do you need a PKI to use digital signatures?
No, a PKI is a complex set of evolving standards and technologies designed to distribute the public
keys of parties so that recipients can verify digital signatures that have been created with a party's
private key. The problem of sharing, revoking, distributing and authenticating the digital certificates
used by a PKI is quite complex and expensive.
Do you need digital certificates to use a digital signature?
No. In fact, digital certificates themselves use digital signatures in their creation. Digital signatures
only need some data, a hashing algorithm, and a private key to create them and a public key to verify them.
Digital certificates, in fact, create a large headache because few people have them, they are expensive to
acquire, they typically expire annually, requiring that you acquire them repeatedly at additional cost, and
if you lose them, then you have to revoke them, despite the fact that it's pretty rare that such revocations
can be detected easily. Thus, once a digital certificate has been issued, it can be used even if you have
lost control of your private key, so others will believe that documents signed with your stolen keys are still
valid because the digital certificate check will come out okay. This is the reason why they expire so frequently,
as a stopgap attempt to restrict the damage that can take place if your private key is lost. Unfortunately,
stealing electronic data is hard to detect because, unlike house or car keys, if someone steals your private
key, you will still be in possession of your private key; it's just that others will also have it and can use
it until the digital certificate expires.
Digital signature technologies
Yozons Digital Notary and Signed & Secured
Digital Notary and Signed & Secured use the same digital signature technology behind
a PKI, but they remove the need to annually distribute certificates, exchange keys,
install special software or worry about keeping all users' computers secure. Instead of revoking
a digital certificate (revocation is rarely checked by most applications) or waiting for a year to pass
for it to become invalid, access to an account can be stopped immediately, thus immediately
preventing further use of your private keys.
Public Key Infrastructure (PKI)
PKI has been around for a long time, but it has not taken off except in a few
high security niches. The reason is that PKIs are complex, very expensive and suffer
from interoperability issues. The costs and pains of creating, distributing and keeping
digital certificates secure on thousands of computers have been too high to make it
cost effective except in small, closed networks. In a PKI, it is important to
train all users how to keep their certificates secure (even when they upgrade
their computers, have them serviced, replace a hard drive or when a virus strikes),
install special software on every computer, and then exchange the public keys of all parties involved.
Needless to say, PKIs simply have failed to scale outside of specialty networks. PKIs are typically
composed of an LDAP directory, a Certificate Authority (CA), a Registration Authority (RA), Certificate
Revocation Lists (CRL) that can get unwieldy when they are checked, Online Certificate Status Protocol (OCSP)
in order to check certificates in real-time, digital certificates (issued to all parties before they can use
the PKI, with the CA's root certificates being distributed to all parties before as well), and special software
that's designed to work with a given implementation of a PKI.
Digital certificates
In a PKI, someone determines if you can be trusted or not and issues you a digital
certificate when they have determined that you can be trusted. Because there are so many parties who want
to use digital signatures, it is hard to distribute the public keys of these parties. Instead, they simply
distribute the CA's certificate, and then use the CA's private key to digitally sign your public key. Thus,
applications that know about the CA certificate can trust your public key is valid if the CA digital signature
validation is okay. Digital certificates typically have a specific lifetime (usually one year) and a specific
purpose. Therefore, it is likely that a given person would have to keep many of a single
person's digital certificates handy, and they'd have to keep these certificates forever in order to validate signatures at a later
date. Unfortunately, as new certificates are issued yearly, each person will also have to keep the
multiple certificates for the other people over time.
RSA
RSA is a public key cryptosystem invented by Rivest, Shamir and Adleman (hence the
R.S.A. initials) in 1977. It is the dominant public key encryption algorithm
used by businesses today.
The RSA algorithm was patented in the United States by RSA Security,
but that patent expired in 2000 and so the algorithm is now royalty free. Most
systems rely on 1024 bit keys, whereas Yozons uses 2048 bit keys for added strength
over time. The RSA algorithm relies on the complexity of factoring very large
prime numbers. While it's an encryption algorithm, it's most widely used for
digital signatures. Because RSA is comparatively slow for traditional encryption,
when it is used, it's often paired with a symmetric encryption algorithm, such
as AES, in which the data is encrypted using the faster AES, and then the much
smaller AES key used is encrypted with the RSA algorithm.
DSA
DSA is the Digital Signature Algorithm and was adopted by the U.S. Federal
Information Processing Standard (FIPS) for the Digital Signature Standard (DSS).
However, RSA continues to be the de facto standard for digital signatures.
DSA is considered to be far more vulnerable to attack than RSA because it is
computationally intensive.
ElGamal
ElGamal is another public key cryptosystem, but is primarily used to establish
common keys and not to encrypt messages. It was invented by Taher Elgamal and
was never patented. Its biggest drawback is that the encrypted message becomes
twice the size of the plaintext, so standard symmetric encryption is usually used
and that key is then encrypted with ElGamal. It is based on the discrete logarithm
problem. DSA is based in part on this algorithm.
SHA
SHA is the Secure Hashing Algorithm. It's not a type of encryption, but is
a way of creating a small value out of very large data sets (the hash or message digest).
Most digital signature systems employ SHA-1 in order to condense the size of a
plaintext into a much smaller (160 bits or 20 bytes long) value that can then
easily be encrypted using a signer's private key to create a digital signature.
Note that secure hashing is a one-way algorithm in that you cannot ever retrieve the
original data by analyzing the hashed value. However, any changes to the original
data will result in a different hashed value, thus it creates a simple way of
determining whether two sets of data are the same or not. Yozons makes use
of SHA-1 for its digital signatures.
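
The hash-then-sign flow described above, as an added example that is not Yozons code or part of the original page. It assumes a constructed toy RSA key built from two publicly known Mersenne primes, substitutes SHA-256 for the SHA-1 the page names, and omits the digest padding (PKCS#1 v1.5 or PSS) that real RSA signatures apply; all function names are hypothetical.

```python
import hashlib

# Constructed toy key pair. Both primes are publicly known Mersenne primes,
# so this key is insecure by design; it only makes the arithmetic visible.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                          # public modulus (648 bits)
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def digest_int(data: bytes) -> int:
    """Hash the data and read the 256-bit digest as an integer (always < N)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Signer: apply the private-key operation to the digest, not to the data."""
    return pow(digest_int(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Verifier: recover the signed digest with the public key (E, N) and
    compare it with a digest computed independently from the received data."""
    return pow(signature, E, N) == digest_int(data)


def demo() -> dict:
    # Constructed sample document and a one-character alteration of it.
    original = b"Pay Alice 100 dollars"
    altered = b"Pay Alice 900 dollars"
    sig = sign(original)
    return {
        "original_ok": verify(original, sig),
        "altered_ok": verify(altered, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never sees the private exponent: it needs only the data, the signature and the public pair (E, N), which is why anyone holding a copy of the private key produces signatures that verify identically.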
MD5
MD5 is another hashing algorithm created by Rivest of MIT, one of the
creators of the RSA algorithm. It produces a 128 bit message digest, and while
quite popular, it's generally not considered to create unique hashes of the
same quality as SHA-1.
PGP
Pretty Good Privacy (PGP) is one of the most widely used encryption standards
for email. It was created by Phil Zimmermann in 1991 and is defined by the
OpenPGP Working Group of the IETF in RFC 2440.
PGP is excellent software, but it requires that all parties purchase and install
supported software, generate their encryption keys, and then exchange those keys
in a secure way. If you forget the password that protects your keys, you will
forever lock yourself out from your own documents and data!
PGP supports digital signatures that ensure the validity of a message or a file,
but does not support multiple, legal electronic signatures to be applied, nor
does it allow you to send a document and request the other party to sign your
document.
S/MIME
S/MIME is based on PKI so it suffers the same problems and
high costs. Like PGP, it also just digitally signs the message and doesn't
create legally enforceable electronic signatures. S/MIME is built into most
email clients, including the ever popular Microsoft Outlook, but it's rarely
used because of its reliance on PKI. S/MIME was developed by RSA Security.
More on digital signature technology
Digital signatures can be used for legally binding electronic signatures, for auditing purposes to lock down
your data to ensure any modifications are automatically detected, and to implement your own signature platform.
Read more on Wikipedia.