Recently, increases in identity theft, corporate espionage, and other motives for data theft have created a need for more secure electronic communications. One method for securing communications is the use of digital signatures. A digital signature is a block of data that identifies the source of information. For example, a sender may attach a digital signature to an electronic mail message to indicate that the message was actually sent by the sender. The attached digital signature indicates that a third party did not send the message in the name of the sender. The digital signature can also be used by the recipient of the electronic message to verify that the message was not altered after it was sent by the sender. Digital signatures can be used to encrypt any type of data communications, such as webpages, file transfers, etc.
To obtain a digital signature, a user typically visits the webpage of a provider of digital signatures. The webpage causes software on the user's computer to generate a public and a private key for the digital signature. The public key and the private key are asymmetric pairs, which means that a message that is encrypted with one key can only be decrypted with the other key. The user can share the public key with anyone that is interested in sending a message to the user. The public key is used to encrypt the message before sending the message. When the user receives the encrypted message, the message is decrypted using the private key. The private key is the only key that can be used to decrypt the message. As a result, even if a third party intercepts the message, they cannot decrypt the message. In addition to encrypting the message using the user's public key, the message sender may additionally include their own digital signature to indicate that they are the actual sender.
Anyone with software for creating digital signatures can generate a digital signature indicating that they are any other person. Accordingly, the authenticity of a digital signature is typically certified by a digital signature certifier. VeriSign® is a popular certifier of digital signatures. When a user wishes to have their digital signature certified, they send a request to the digital signature certifier to certify the digital signature. The digital signature certifier often sends an electronic message to the email address specified in the digital signature. The user retrieves a code from the message and enters it on the digital signature certifier's webpage, proving that they are the user associated with the email address. The digital signature certifier then generates a certificate stating that the digital signature certifier vouches for the validity of the digital signature. When the digital signature is attached to a message, the certificate with the identity of the digital signature certifier is included. When the message is received by a recipient, the recipient can determine whether they trust the digital signature certifier.
As digital signatures are used more frequently and for more sensitive purposes (e.g., electronic banking), methods for verifying the authenticity of digital signatures will need to become more secure. While verifying that a user requesting a digital signature can receive an electronic mail message provides some security, a third party may be able to intercept messages to a user and, thus, could obtain a digital signature in the name of the user.