eSignForms uses similar digital signature technologies behind
a PKI, but it's removed the need to annually distribute certificates, exchange keys,
install special software, muck around with email client or email server setups,
or worry about keeping all users' computers secure. Yozons' technology is based on industry
standard encryption and digital signatures, though with much more secure key sizes than
others in the industry use. Yozons uses standard XML digital signature technology based on
SHA-512 data hashes and 4096-bit RSA keypairs. Instead of revoking
a digital certificate (which are rarely checked by most applications) or waiting for a year to pass
and have them become invalidated, access to an account can be stopped immediately, thus immediately
preventing further use of your private keys.
Public Key Infrastructure (PKI)
PKI has been around for a long time, but it has not taken off except in a few
high security niches. The reason is that PKIs are complex, very expensive and suffer
interoperability issues. The costs and pains of creating, distributing and keeping
digital certificates secure on thousands of computers has been too high to make it
cost effective except in small, closed networks. In a PKI, it is important to
train all users how to keep their certificates secure (even when they upgrade
their computers, have them serviced, replace a hard drive or when a virus strikes),
install special software on every computer, and then exchange the public keys of all parties involved.
Needless to say, PKIs simply have failed to scale outside of specialty networks. PKIs are typically
composed of an LDAP directory, a Certificate Authority (CA), a Registration Authority (RA), Certificate
Revocation Lists (CRL) that can get unwieldy when they are checked, Online Certificate Status Protocl (OCSP)
in order to check certificates in real-time, digital certificates (issued to all parties before they can use
the PKI, with the CA's root certificates being distributed to all parties before as well), and special software
that's designed to work with a given implementation of a PKI.
In a PKI, someone determines if you can be trusted or not and issues you a digital
certificate when they have determined that you can be trusted. Because there are so many parties who want
to use digital signatures, it is hard to distribute the public keys of these parties. Instead, they simply
distribute the CA's certificate, and then use the CA's private key to digitally sign your public key. Thus,
applications that know about the CA certificate can trust your public key is valid if the CA digital signature
validation is okay. Digital certificates typically have a specific lifetime (usually one year) and a specific
purpose. Therefore, it is likely that a given person would have to keep many digital certificates for a single
person handy, and they'd have to keep these certificates forever in order to validate signatures at a later
date. Unfortunately, as new certificates are issued yearly, each person will also have to keep the
multiple certificates for the other people over time.
RSA is a public key cryptosystem invented by Rivest, Shamir and Adleman (hence the
R.S.A. initials) in 1977. It is the dominant top public key encryption algorithms
used by businesses today.
The RSA algorithm was patented in the United States by
but that patent expired in 2000 and so the algorithm is now royalty free. Most
systems rely on 1024 bit keys, whereas Yozons uses 4096 bit keys for dramatically added strength
over time. The RSA algorithm relies on the complexity of factoring very large
prime numbers. While it's an encryption algorithm, it's most widely used for
digital signatures. Because RSA is comparatively slow for traditional encryption,
when it is used, it's often paired with a symmetric encryption algorithm, such
as AES, in which the data is encrypted using the faster AES, and then the much
smaller AES key used is encrypted with the RSA algorithm.
DSA is the Digital Signature Algorithm and was adopted by the U.S. Federal
Information Processig Standard (FIPS) for the Digital Signature Standard (DSS).
However, RSA continues to be the de facto standard for digital signatures.
DSA is considered to be far more vulnerable to attack than RSA because it is
ElGamal is another public key cryptosystem, but is primarily used to establish
common keys and not to encrypt messages. It was invented by Taher Elgamal and
was never patented. It's biggest drawback is that the encrypted message becomes
twice the size of the plaintext, so standard symmetric encryption is usually used
and that key is then encrypted with ElGamal. It is based on the discrete logarithm
problem. DSA is based in part of this algorithm.
SHA is the Secure Hashing Algorithm. It's not a type of encryption, but is
a way of creating a small value out of very large data sets (the hash or message digest).
Most digital signature systems employ SHA-1 in order to condense the size of a
plaintext into a much smaller (160 bits or 20 bytes long) value that can then
easily be encrypted using a signer's private key to create a digital signature.
Note that secure hashing is a one-way algorithm in that you cannot ever retrieve the
original data by analyzing the hashed value. However, any changes to the original
data will result in a different hashed value, thus it creates a simple way of
determining whether two sets of data are the same or not. Yozons makes use
of SHA-512 for its digital signatures.
MD5 is another hashing algorithm created by Rivest of MIT and one of the
creators of the RSA algorithm. It produces a 128 bit message digest, and while
quite popular, it's generally not considered to create unique hashes of the
same quality as SHA-1.
Pretty Good Privacy (PGP) is one of the most widely used encryption standards
for email. It was created by Phil Zimmermann in 1991 and is defined by the
OpenPGP Working Group of the IETF standard RFC 2440.
PGP is excellent software, but it requires that all parties purchase and install
supported software, generate their encryption keys, and then exchange those keys
in a secure way. If you forget the password that protects your keys, you will
forever lock yourself out from your own documents and data!
PGP supports digital signatures that ensure the validity of a message or a file,
but does not support multiple, legal electronic signatures to be applied, nor
does it allow you to send a document and request the other party to sign your
S/MIME is based on PKI so it suffers the same problems and
high costs. Like PGP, it also just digitally signs the message created by the sender.
S/MIME is built into most email clients, including the ever popular Microsoft Outlook, but it's rarely
used because of it's reliance on PKI. S/MIME was developed by RSA Security.