2023/4/20

CHAPTER 5

DIGITAL SIGNATURE

Chữ kí số (digital signature) là một dạng của chữ kí điện tử

Các dịch vụ cung cấp chữ kí điện tử (e-signature)
- Certificate Authority: Tổ chức cung cấp chữ kí số công cộng -> Cung cấp cho DN + Nhiều CA
- Trên CA là RCA (R- root): Tổ chức cung cấp chữ kí số quốc gia -> Xác thực cho CA + 1 RCA only

Chữ kí số: Bảo vệ tt qua 2 lần mã hoá

Chapter 5: Digital signature

5.1 Overview of E-contract

5.2 Security threats in the EC environment

5.3 Digital signature

1
 2023/4/20

5.1.1. Definition and the characteristics

“A civil contract is an agreement between the

parties to establish, change or terminate civil rights
and/or obligations”
( Article 388; Section 7; Chapter XVII –
The Civil Code 2005)

Definition

“E-contracts mean contracts established in the form

of data messages provided for in this Law”
(Article 33 – Law on E-transactions)

2
 2023/4/20

5.1.2. E-contract and traditional contract

Similarities:
 Both are contracts and only formed when the parties reach
the unity.
 Based on a specific legal basis
 Compliance with the principle of "freedom of contract,
but not contrary to law, public morals" and "voluntariness,
equality, goodwill, cooperation, honesty and uprightness“
 Adhere to the principal of implementing the contract

5.1.2. E-contract and traditional contract

Differences:
• The subjects involved in entering into the contract:

BUYER

CERTIFICATION NETWORK
AUTHORITY SUPPLIER

SELLER

3
 2023/4/20

5.1.2. E-contract and traditional contract

 Signing method:
+ E-contract: signed by electronic means in the Internet
environment
+ Traditional contract: in the form of paper contract or
verbal contract in normal environment

5.1.2. E-contract and traditional contract

 Content of the contract:

+ Legal address
+ The right to access and change the information
+ E-payment method
+ The appearance of terms and conditions:
- Display without any link
- Display with a link
- Display at the bottom
- Display as dialog box

4
 2023/4/20

5.1.3. E-contract classification

- Traditional contracts are posted on the website

- E-contracts are formed through automatic
transactions (through manipulation of click, type
and browse)
- Email contracts
- E-contracts use digital signature

5.2. Security threats in the EC environment

Phishing and
identity theft

Unwanted Hacking and

program cybervandalism

Malicious code
SECURITY Credit card
THREATS fraud/theft

5
 2023/4/20

5.2. Security threats in the EC environment

Sniffing

DOS and DDOS

Insider attacks
attacks

SECURITY Poorly designed

Spoofing and
server and
spam websites THREATS client software

Malicious code

Malicious code (malware) includes a variety of

threats such as viruses, worms, Trojan horses and
bots
- A virus is a computer program that has the ability
to replicate or make copies to itself, and spread to
other files. Some major categories: macro viruses,
file-infecting viruses, script viruses.

6
 2023/4/20

Malicious code

- A worm is a malware that is designed to spread

from computer to computer.
- A Trojan Horse appears to be benign, but then
does something other than expected. The Trojan
horse is not itself a virus, but is often a way for
viruses or other malicious code to be introduced
into a computer system.

Malicious code

- Bots (short for robots) are a type of malicious

code that can be convertly installed on your
computer when attached to the Internet. Once
installed, the bots responds to external command
sent by the attackers.

attack -> mã hoá cục màu vàng 1 lần nữa -> Gói phong bì số: Mã
hoá 2nd time, sử dụng public key của receiver -> Receiver có
private key để mở khoá -> 2 cặp khoá

7
 2023/4/20

Unwanted program

Some unwanted programs such as: adware,

browser parasites, spyware...
- Adware is typically used to call for pop-up ads to
display when the user visit certain sites. However,
it is not typically used for criminal activities.

Unwanted program

- A browser parasite is a program that can monitor

and change the settings of a user’s browser.
- Spyware is a program used to obtain information
such as user’s keystrokes, email... and even take
screenshots

8
 2023/4/20

Phishing and identity theft

- Phishing is any deceptive, online attempt by a third

party to obtain confidential information for financial
gain.
- Phishing attacks do not involve malicious code but
instead rely on straightforward misreprentation and
fraud, so-called “social engineering” techniques.

Hacking and cybervandalism

- A hacker is an individual who intends to gain

unauthorized access to a computer system.
- Cracker: within the hacking community, a term
typically used to denote a hacker with criminal intent.
- Cybervandalism: intentionally disrupting, defacing
or even destroying a site.

9
 2023/4/20

Credit card fraud/theft

The most frequent cause of stolen cards and card

information is the systematic hacking and looting of
a corporate server where the information on millions
of credit card purchases are stored.

Spoofing and spam websites

Spoofing a website is also called “pharming”,

which involves redirecting a web link to an address
different from the intended one, with the site
masquerading as the intended destination.

10
 2023/4/20

DOS and DDOS attacks

- DOS (Denial of service) attacks: typically cause a

website to shut down, making it impossible for users
to access the site.
- A DDOS (Distributed denial of service) attack uses
numerous computers to attack the target network
from numerous launch points.

Sniffing

A sniffer is a type of eavesdropping program that

monitors information traveling over a network.
When used for criminal purposes, it can be
damaging and very difficult to detect.

11
 2023/4/20

Insider attacks

Some of the largest disruptions to services,

destruction to sites, and diversion of customer credit
data and personal information have come from
insiders – once trusted employees.

Poorly designed server and client software

The increase in complexity and size of software

programs, coupled with demands for timely delivery
to markets, has contributed to an increase in software
flaws or vulnerabilities in Internet and PC software.

12
 2023/4/20

5.3. Digital signature

“Digital signature means a type of e-signature created by

transformation of a data message using an asymmetric
cryptosystem whereby the person having the initial data
message and public key of the signer may accurately
determine:
a/ Whether such transformation is created with a private key
corresponding to the public key in the same key pair;
b/ Whether the data message has been altered since the
transformation.”

Chữ ký số
“ Chữ ký số là một dạng chữ ký điện tử, được tạo ra bằng sự
biến đổi một thông điệp dữ liệu sử dụng hệ thống mật mã
không đối xứng theo đó người có được thông điệp dữ liệu ban
đầu và khóa công khai của người ký có thể xác định được
chính xác:
Chữ kí số phải liên quan đến encrypt và decrypt
a)Việc biến đổi nêu trên được tạo ra bằng đúng khóa bí mật
tương ứng với khóa công khai trong cùng một cặp khóa
b)Sự toàn vẹn nội dung của thông điệp dữ liệu kể từ khi thực
hiện việc biến đổi nêu trên”

Cipher text: Thông điệp đã được mã hoá

13
 2023/4/20

The characteristics

Hash là unique -> Verify message integrity

• Message integrity: provides assurance that the message
has not been altered từ A -> B k bị thay đổi

• Nonrepudiation: prevents the user from denying he or

she sent the message tính chống phủ định. A k thể phủ nhận A k phải là ng gửi

• Authentication: provides verification or the identity of

Tính xác thực. B biết được A là DN được đk nhà nước
the person (or computer) sending the message
• Confidentiality: gives assurance that the message was
not read by others. Tính bảo mật. Nếu 3rd party steal thì cũng k đọc được

E-CERTIFICATE

An e-certificate means a data message issued by

an e-signature certification service - providing
organization in order to verify that the certified
agency, organization or individual is the person
having made the e-signature.
- Symmetric key cryptography: mã hoá bí mật/đối xứng: use chung 1
khoá để mã hoá và decrypt message -> bên nhận và gửi use chung 1
khoá -> secret
- Public key cryptography: Sender and receiver use different keys. Trong
đó có 2 khoá
+ Key 1 (A -sender): private
+ Key 2 (B -receiver): public (As Cty A giao dịch với nhiều org, cop khác
trên mkt)

14
 2023/4/20

E-CERTIFICATE

Content of e-certificate:
1. The name of the certification authority.
2. The name of the subscriber.
3. The serial number of the digital certificate.
4. The term of validity of the digital certificate.
5. The public key of the subscriber.
6. The digital signature of the certification authority.

E-CERTIFICATE

Content of e-certificate:
7. Restrictions on purposes and scope of use of the
digital certificate.
8. Restrictions on legal liability of the certification
authority.
9. Other necessary contents as prescribed by the
Ministry of Post and Telematics.

15
 2023/4/20

2.3. Signing process

Original message

Hash
Private key

Summary Digital signature

(Hash value) Encrypt

Attach to
first message

Digitally signed
message

2.3. Signing process

1. The sender creates an original message.

2. The sender applies a hash function, producing a hash
digest (hash value).
3. Hash digest is encrypted by the sender’s private key,
digital signature is created.
4. Digital signature is attached to the original message,
and the sender encrypts the signed message again using
the receiver’s public key.
5. The result of this double encryption is sent over the
Internet.

16
 2023/4/20

VERIFY
Digitally signed
message

Public key seperate

Original Message
decrypt Digital
signature
Hash

Can Summary Summary

1 2
decrypt?

Similitary?
Message integrity
Right sender
Message has been alterd

Verifying process

1. The receiver uses his private key to decrypt digital

envelope.
2. The receiver separates the digitally signed message into
original message and digital signature.
3. Hash function is applied to original message, producing
hash value 1; digital signature is decrypted by the sender’
public key, producing hash value 2.
4. The receiver compares 2 hash values to check the
integrity of the original message.

17