March 11, 2008
ISACA Dhaka Chapter
CPE Session on
Legal Aspects of Electronic
Signatures
By
Mamunur Rahman, CISA, Engineer
IT Auditor (Consultant),
Audit & Internal Control Div., Dhaka Bank Ltd.
Objectives & Synopsis of this Session
Legal Aspects of a Signature
- Basic Attributes
- Types & Forms
Review of Digital Signature Process Flow
- How it works
Applying the Law through Digital Signature
- Mapping the Law to Process
Familiarization with ICT Act 2006
- Signature Issues
- Cyber Crimes & Processes
Types & Forms of Signatures
Manuscript
- The mark of a cross
- The use of a printed name
- The use of a lithographed name
- The use of a stamp
- Digital marks by human action (telex, facsimile, e-mail)
Electronic
- Typing a name into an e-mail or electronic document
- Clicking the "I accept" or "I agree" icon
- Using a personal identification number (PIN)
- Using a scanned signature
- Using a biometric measurement
- Using a digital signature (more accurately, a hash cryptographic signature)
Definition of a Signature
Information, in a recognized form, associated with a record and executed or adopted by a person with the intent to sign the record.
- Primary purpose
  - evidence that the signatory approves and adopts the contents of the document
  - the content of the document shall be binding
- Secondary purpose
  - authenticate the identity of the person
  - confirm that the content of the document has not been altered subsequent to the affixing of the signature
- Record-keeping purpose
Electronic Signature
An electronic sound, symbol, or process, attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.
(1) The sender cannot later disavow the message, (2) the receiver cannot forge the message or signature, and (3) the receiver can prove to others that the contents of the message are genuine and originated with the sender.
Forms:
1. Sound
2. Symbol (e.g., scanned signature; name & designation as e-mail footer)
3. Process (e.g., digital signature, end-user license agreement clickwrap, etc.)
Digital Signature
A form of Electronic Signature. It employs an asymmetric cryptographic algorithm. Each party must have a key pair (private key, public key) unique to it.
Mapping the Law to Process:
1. Sender's approval/consent by using his private key in encryption
2. Authentication by sender's identification (certificate evaluation)
3. Sender's consent/approval as non-repudiation
4. Transmission confidentiality by encryption
5. Content extraction confidentiality by the privacy of the recipient's private key
6. Integrity by comparing the message digest (hash value)
Digital Signature Process Flow
[Diagram: digital envelope, digital signature, non-repudiation, confidentiality]
Safety: Manuscript vs. Electronic
A manuscript signature is under the total physical control of the individual, but it is not necessarily reliable:
- Variability of the signature
- Signature may be obtained as a result of unconscionable conduct, fraud instigated by a third party, or undue influence by a third party
- A signature may also be forged
The number of people involved in the chain of a digital signature:
- Key generating company
- Registration authority
- Certification authority will issue a certificate
- Security of the entire structure is, in essence, predicated on ensuring the private key is kept secure
ICT Act 2006
Summary of the Act
- Electronic Signature
- Legal Protection of Electronic Transactions
- Certificate Authority
- Language Issue
- Law for Cyber Crimes
- Cyber Tribunal & Trial Process
- Penalty for Crimes
- Redemption of ISP
Wherever a Bangladeshi citizen commits a crime, from whatever place, he/she will be brought under this law and tried under its trial process.
Chapter-2: Electronic Sig. & Record
5. Authentication of electronic records by electronic
signature
6. Recognition of electronic records
7. Recognition of electronic signature
8. Use of electronic records & electronic signature in
govt. offices
9. Preservation of electronic records
11. No govt. office will be bound to accept electronic records/documents
12. Govt. may prescribe all particulars of electronic signatures
Chapter-4: Secure Electronic Records & Secure
Electronic Signature
16. Secure Electronic Record:
A record to which a security measure has been applied to protect it.
17. Secure Electronic Signature:
A signature for which it can be confirmed that
a. it was the sender's own,
b. it carried the means to identify the sender, and
c. only the sender had control over its creation and attachment.
Chapter-5: Controller & Certificate Issuing
Authority
20. Recognition of Foreign Certificate Authority
21. Controller's Responsibility for Repository of Issued Certificates
22. License for Issuing Digital Certificate
Chapter-8: Crime, Investigation, Trial & Penalty
54. Crime
If a person, without the permission of the owner or custodian of a computer system or computer network, intrudes into it or helps others to do so for the purpose of harming it or its users in any form, and/or wilfully steals or damages data stored in it, his act will be treated as a crime under this Act.
Penalty
A maximum of 10 years in jail, or 10 lac taka, or both.
Chapter-8 (continued)
55. Unauthorized change of computer source code
Max of 3 years in jail, or 3 lac taka, or both.
56. Hacking
Max of 10 years in jail, or 1 crore taka, or both.
57. Publishing, in any electronic form, any information that is
fictitious, obscene or dishonoring
Max of 10 years in jail, or 1 crore taka, or both.
63. Breach of Confidentiality
Max of 2 years in jail, or 1 crore taka, or both.
66. Committing crimes by using computers
The penalty already prescribed by other Acts for the actual crime committed using the computer.
66. Crimes committed by companies
Board directors, MD, Secretary and staff directly concerned with the crime are liable, unless they prove their unawareness or their efforts to prevent it.
Cyber Tribunal
68. Govt. will form this in consultation with the Supreme Court.
This tribunal will conduct the trial process only under this Act.
Redemption of ISP
79. A third-party ISP will not be held responsible for making information/data available if it can be proved that the crime concerned was committed without its knowledge, or that it did its best to prevent it.
An authentic English text will be published. If translation creates any conflict or confusion, the Bangla text will prevail.
Next Step: Software Piracy, Forensic Audit
Thanking you,
questions welcome.
