Electronic signature
Q: What is a digital signature?
A: A digital signature is an electronic signature produced by using the public key method. With a digital signature it is possible to verify that the recipient receives the message in its original form and that the signer is who he or she claims to be. The creator of the digital signature has a private key, which is needed to sign the message. The recipient of the message has the signer's public key, which can be used to verify the signature. Digital signatures are based on the Public Key Infrastructure (PKI) and the use of asymmetric encryption methods and hash functions.
Q: What are digital signatures used for?
A: Digital signatures are used to electronically ensure the integrity of electronically transmitted information and also to ensure that the person sending the information is who he or she claims to be and cannot later deny having sent the information. Therefore digital signatures have additional features compared to handwritten signatures.
Q: What kind of keys are used in creating digital signatures?
A: Public key encryption is used in creating digital signatures. Public key encryption is based on the use of key pairs (private/public). The message is encrypted with one key and decrypted with the other. The digital signature is created using the signer's private key. The recipient can verify the signature using the signer's public key.
Q: How is a digital signature created and verified?
A: The signer first computes the hash value of the message that is to be signed. The hash value is like a compressed version of the message. Hash algorithms work so that it is very hard to find two messages with the same hash value. When the signer has computed the hash value, the signer transforms it into a signature with the private key. The recipient of the message transforms the signature back to the hash value with the sender's public key, and then compares it with the hash value computed from the received message. If these hash values match, it can be verified with certainty that the message and the signature belong to the holder of the private key used to sign the message. Since the signer uses a unique private key to sign the message, the signature is authentic.
Certificates
Q: What is a certificate?
A: In simple terms, a certificate is a data structure that binds the name of the person the certificate is issued to and that person's public key together. The certificate is an electronic proof issued by a reliable authority, a certification authority. It verifies that the public key and other information in the certificate, for instance the person's name/identity, correspond to each other. The certificate also includes the name of the certification authority and a period of validity for the certificate. The certification authority's digital signature guarantees the origin and integrity of the certificate. When a signed message is received, the recipient can search for the certificate in a directory with the sender's personal data. The signature can be verified by using the public key given in the certificate. Certificates are issued not only to individuals but also to associations, organisations and computer devices.
Q: What does a certificate contain?
A: The certificate contains, among other things, the public key of the holder, the name of the holder, the period of validity for the certificate, the name of the certification authority that issued the certificate and the serial number of the certificate. The issuing certification authority digitally signs the certificate.
Q: What is a Controller of Certification Authority?
A: The Controller of Certification Authorities as the “Root” Authority certifies the technologies, infrastructure and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates.
Q: What is a certification authority (CA)?
A: A certification authority is an organisation that issues certificates, and signs the certificates and the revocation lists with its private key.
Q: What is a Registration Authority?
A: A Registration Authority (RA) can be used to offload many of the administrative functions from the CA, including end-user registration.
Q: What is a certificate revocation list?
A: A certificate revocation list (CRL) is a compilation of certificates that a certification authority has revoked before their period of validity has expired. A revoked certificate cannot be restored to use.
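The following added example is not part of the original FAQ; it ties the hash-then-sign procedure from "How is a digital signature created and verified?" to the certificate contents and revocation list described above, showing the checks a recipient makes before trusting a signed message. It uses unpadded textbook RSA for clarity, which real systems do not use as-is. The keys are constructed from publicly known primes, and the names (Alice Example, Example CA) and field names are assumptions for illustration.

```python
import hashlib, json

E = 65537  # commonly used public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    n, d = private
    return pow(digest(data), d, n)               # hash value -> signature

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data)  # signature -> hash value, compare

def tbs(cert):
    """Bytes the CA signs: every certificate field except the signature."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True).encode()

def issue(ca_private, **fields):
    cert = dict(fields)
    cert["signature"] = sign(tbs(cert), ca_private)
    return cert

def check_signed_message(message, signature, cert, ca_public, crl, today):
    if not verify(tbs(cert), cert["signature"], ca_public):
        return "bad CA signature"
    if not cert["not_before"] <= today <= cert["not_after"]:  # ISO dates sort as text
        return "outside validity period"
    if cert["serial"] in crl:
        return "revoked"
    if not verify(message, signature, tuple(cert["public_key"])):
        return "bad message signature"
    return "ok"

# Constructed demo keys from publicly known Mersenne primes: trivially factorable.
CA_PUB, CA_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
ALICE_CERT = issue(CA_PRIV, subject="Alice Example", issuer="Example CA",
                   serial=1001, public_key=list(ALICE_PUB),
                   not_before="2024-01-01", not_after="2025-12-31")
MESSAGE = b"Pay 100 EUR to Bob"  # constructed sample message
SIGNATURE = sign(MESSAGE, ALICE_PRIV)
```

The recipient needs only the CA's public key in advance; the signer's public key is taken from the certificate after the CA signature, validity period and revocation list have been checked.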
Q: What can certificates be used for?
A: Certificates can be used, for instance, for the following purposes:
Privacy: certificates can be used to encrypt and decrypt messages.
Authenticity: certificates can be used to digitally sign a message. A digital signature verifies the authenticity of the sender of the message and that the message has remained unaltered.
Access control: certificates can be used to control, for instance, the access of employees to the organisation's intranet.
Q: What is certification service operation?
A: Certification service operation means issuing and maintaining certificates. Certification service operation includes registration of the applicants, creation of certificates, distribution of certificates through the directory service, revocation of certificates and revocation list service.
Encryption methods
Q: What is a key?
A: A key is a long number sequence that is used as a parameter for the encryption and decryption algorithms. Symmetric algorithms use the same key for encryption and decryption. Public key algorithms use both a public and private key. The length of the key is an important factor in ensuring the security of communications. The key lengths are given in bits. In symmetric encryption a key length of 128 bits and in asymmetric encryption a key length of 1024 bits is considered to be secure.
Q: What are encryption algorithms?
A: Encryption algorithms are mathematical formulas that are used to transform a readable message to a message that can only be read by the intended recipient. In this encryption method the information is encrypted so that only the intended recipient is able to read and transform the message. The message can be intercepted, but it is useless to a person who cannot decrypt it. Encryption and decryption of the information requires, in addition to the encryption algorithm, a key. Only the person who has the right key and the algorithm can decrypt a message encrypted in this way.
Q: What are the algorithms for a public key?
A: The algorithms of a public key are encryption algorithms that require two keys: a public and a private key. When one of these keys is used to encrypt the message, only the other key is able to decrypt it. The private key must be kept secret. The public key may be published, for instance, in a public directory. The public key can be used to verify a message that has been signed with the private key or to encrypt a message that can only be decrypted with the private key.
If someone wants to send you a message it can be encrypted using your public key and you can decrypt it with your private key. Since you are the only one with access to your private key, you are also the only one who can decrypt the message.
Public key algorithms are also called asymmetric encryption algorithms.
Public Key Infrastructure (PKI)
Q: What is PKI?
A: PKI stands for Public Key Infrastructure. To enable the use of electronic signatures in an open environment (such as the Internet) where the participants do not know each other, it is necessary to know who the signer is. PKI is a system created for this purpose and in this system a reliable third party issues an electronic certificate. The certificate contains information about the person the certificate is issued to. PKI uses a key pair, in which one key is public and the other is private. The system is based on asymmetric encryption. The signer signs the message with a private key, known only by the signer. The recipient can verify the authenticity of the signature and the integrity of the message with the public key given in the certificate.