JUNE 20, 2000

SECURITY NET

What Do E-Signatures Mean for You?
As cyber-authentications gain the rule of law, expect to see many competing products -- not all of them so simple or secure

Thanks to a measure approved by Congress and headed to President Clinton's desk for his signature, Web surfers and e-mail users will soon be able to put a legally binding digital version of their John Hancocks on virtually any document or transaction. No surprise, really. With the volume of e-commerce and business-to-business transactions skyrocketing, the acceptance of digital signatures was more a question of when rather than if. In fact, many companies have been using proprietary digital-signature technology for decades as part of electronic data interchanges.

But what exactly will your digital signature look like? While most folks might imagine scribbling with little electronic pens on an interactive notepad, digital signatures will, for the foreseeable future, remain far more arcane -- and not entirely intuitive. For now, your signature is likely to be a simple bit of encryption embedded in your PC that tells other computers that your request for a commercial transaction over the Internet is coming from your computer.

In a couple of years, when technology improves, your signature could be an image of your retina, your fingerprint, or your face, scanned by a computer and matched with a bit of numeric code lodged on the servers of security companies that you've signed on with. Or perhaps one authority will emerge that authenticates signatures in cyberspace -- much in the way Network Solutions authenticates and monitors URLs. Nobody knows for sure yet.

SEPARATE KEYS.   But forget about writing your name in cyberspace. At their most basic level, digital signatures are nothing more than blocks of data -- strings of 1s and 0s -- that have been scrambled by some type of encoding algorithm.

Computer-security companies design these algorithms and build them into software that customers can download from the Internet. These so-called asymmetric algorithms use two separate keys -- one to encrypt the message and the other to decipher it. Unlike the key on your chain and the spare under the rock by the porch, which both unlock the same house, these two keys are not interchangeable. With one key at each end of the transaction, a consumer using a digital signature and a company providing a service over the Net could do business without divulging anything beyond that specific transaction.

Will digital signatures replace the real thing right away? Probably not. That will come when companies perfect techniques of facial recognition or fingerprint verification in conjunction with your encrypted signature key. Until then, digital signatures on purchases at Amazon.com or credit-card requests for Victoria's Secret lingerie may have your computer's stamp of approval, not yours. So your daughter could order that lingerie without you knowing about it.

POROUS PCs.   What's more, you would have no way of proving that you didn't order that lingerie if you tried to return the merchandise your daughter bought. Furthermore, experts question a system where unstable and easy-to-hack desktop PCs become the primary means of transacting business electronically. They worry that the PC isn't the best place to store sensitive digital signatures. "You are doing security in a PC environment which is the equivalent of a fish tank," explains Benjamin Jun, vice-president at San Francisco-based Cryptography Research.

That's where a second level of security comes in. Mountain View (Calif.)-based Verisign has created a third-party verification system where it issues certificates that confirm the digital fingerprints on transactions. For now, Verisign has a hammerlock on this market, with more than 250,000 e-commerce sites using its certificates.

But some experts claim the only way to create a truly secure transaction is to use something that only one person would know -- like a password. To that end, Verisign now offers a roaming service that lets users enter a PIN code on any Internet connection and reconstruct their private key -- a big step toward creating truly portable digital signatures.

"GETTING EASIER."   Verisign sees a day when one-click digital signatures will become common. "The nature of the implementations that are going out there are constantly improving. It's getting easier," says Michael Baum, vice-president for external affairs at Verisign.

Another portable alternative comes in the form of an encrypted signature stored in a smart card that every desktop can read, thanks to a special embedded chip. "If two years from today, every PC includes a smart-card reader, then I think you will see people executing their signatures by inserting their smart card and typing in the PIN code," says Scott Schnell, senior vice-president for marketing at encryption and security company RSA Security.

For the ultimate in authentication, Schnell and others see some sort of biometric technology possibly coming to the fore. Likely candidates include desktop retinal scanners, facial-recognition software connected to small video cameras, or fingerprint scanners. Scientists say all of these minute physical measurements would prove nearly impossible to replicate and just as impossible to separate from the user's identity.

SPADEWORK.   That scenario greatly worries some privacy advocates, who say biometrics make it easy to compile an extensive database of personal information without having to ask subjects anything. But a desktop fingerprint scanner has already hit the market, and many other biometric products are in the pipeline.

Before any digital signature scheme really goes mainstream, the industry has some work to do. Like the credit-card companies did in the 1960s and 1970s, companies doing e-commerce and e-business need to hammer out a broad standard for transactions that can easily cross industries and platforms. And they also need to build in safeguards to keep digital signatures in the right hands -- and away from, say, recently fired employees who still might have access to computer systems.

In short, the digital-signature legislation provides a framework, but not much more than that. "What is considered a digital signature is somewhat vague," says Jun of Cryptography Research. "That's good because it can add to some differentiation in the market. That's not good because it can add to confusion in the market." And until businesses can figure out how to eliminate this confusion, digital signatures won't replace the good ol' John Hancock.




Salkever writes about security issues for BW Online. Follow his column twice a month, only on BW Online.




EDITED BY DOUGLAS HARBRECHT
