The other three choices are incorrect because they are true statements. In general, electronic signatures have received the same legal status as written signatures. Cryptography can provide a means of linking a document with a particular person, as is done with a written signature. Electronic signatures rely on the secrecy of the keys and on the link, or binding, between a key and its owner. If a key is compromised through social engineering such as theft, coercion, or trickery, then the electronic originator of a message may not be the same as the owner of the key. Although binding cryptographic keys to actual people is a significant problem, it does not necessarily make electronic signatures less secure than written signatures. Trickery and coercion are problems for written signatures as well.
183. Which of the following security services or statements is
a. It generates a digital signature.
b. It does not require a third-party certificate.
c. It assures nonrepudiation of a message.
d. It verifies a digital signature.
The DSA provides the capability to generate and verify digital signatures. Signature verification makes use of a public key that corresponds to, but is not the same as, the private key. Each user possesses a private and public key pair. Public keys are assumed to be publicly known; private keys are never shared. Anyone can verify the signature of a user by employing that user’s public key, but only the possessor of the user’s private key can generate a signature. Because of this, nonrepudiation of a message is achieved: a party to an electronic communication cannot later dispute having participated in it, and it can be proved to a third party that the data was actually signed by the generator of the signature.
The DSS can be implemented in hardware, software, and/or firmware and is subject to U.S. Commerce Department export controls. The DSS technique is intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications that require data integrity assurance and origin authentication.
A digital signature system requires a means for associating pairs of public and private keys with the corresponding users. A mutually trusted third party such as a certifying authority can bind a user’s identity and his public key. The certifying authority could issue a “certificate” by signing credentials containing a user’s identity and public key. Hence, a third-party certificate is needed.
184. Pretty good privacy (PGP) and privacy enhanced mail (PEM) are electronic-mail security programs. Which of the following statements is
a. They both encrypt messages.
b. They both sign messages.
c. They both have the same uses.
d. They are both based on public-key cryptography.