Reprinted with permission from Financial Management Network.
What Every A/P Manager Needs to Know About Digital Signatures and Encryption
or Julius Caesar’s Impact on Accounts Payable
Mary Ludwig Schaeffer
One of the biggest fears your boss has about the Internet is the lack of security. The solution to the security problem lies in encryption and digital signatures. A/P professionals need to understand that these new technologies are coming to accounts payable — quickly.
At the Electronic Commerce 2000 conference, Chevron’s manager of accounts payable reengineering, James M. Burstedt, and Ed Ames, a Chevron analyst for electronic commerce and a cofounder of the Unclaimed Property Holders Association, explained these approaches, and how they are reflected by Chevron’s corporate policy.
Chevron’s Corporate Policy
The policy states that, “Information and the systems supporting it are key company assets, requiring prudent and proactive protection by information owners and users alike. It is the policy of the company to secure these assets from external and internal threats through a combination of technology, practices, processes and monitoring, based on risk and the value of the assets. The goal is to minimize the potential for damage either purposeful or accidental, to the company’s computer and communications systems, company data and information.”
This policy allows Chevron to focus its resources to protect its most important asset – its information. Like other companies, Chevron needs to protect itself from hackers, pranksters, dishonest insiders, competitors and information terrorists. It is concerned about viruses, interception, prying eyes, alteration or loss of data, communication blocks and system disruptions. However, the biggest concern is unauthorized access.
The Origins of the Problem and Its Solutions
The speakers pointed out that security breaches can arise: an intruder masquerading as an employee; eavesdropping; data being changed en route; e-mail addresses being changed en route; or cracked passwords and IDs. The speakers also identified the defenses that stop unauthorized access to computer information transferred over the Internet. These include authentication (digital signature-private key/hash), encryption, digital certificates (ID validation/non repudiation), firewalls, and strong passwords.
The consequences of not having these defenses can be severe. Financial loss, damage to the company's reputation, loss of business, legal actions, and the loss of strategic information are only a few of the possible results.
When an employee has a laptop stolen the biggest loss is not the cost of the laptop, but the strategic information stored on the hard drive. Thus, Chevron relies on what it calls “secured messaging.”
Chevron defines secured messaging as the use of encryption and digital signatures. Before defining what a digital signature is, let us focus on what it is not. It is not a digitized signature — the manual signature by an individual on an electronic device such as those used by certain department stores for charge card purchases. Burstedt and Ames provided the following definitions.
- Digital signature. Unique to the person and using a private key, digital signatures can be verified as belonging specifically and used solely by that person. It is linked to data, so any change to the data will invalidate the signature. It is also nonreputable, which means that a person can prove they sent a communication and conversely, can not deny that they sent it. It is the equivalent in the paper world to getting a document notarized.
- Encryption. This is the ability to transform electronic information into an unreadable format that can only be converted back to its original readable state by specific individuals previously authorized to do so.
- Encryption engines. Also known as encryption algorithms, are now powerful enough to generate truly random keys, taking this responsibility out of the hands of people. It also allows for session keys that can be used once or multiple times and then discarded.
Back to Math Class
Upon hearing the word algorithm above, some of the accounts payable professionals reading this may vaguely remember high school math class. An algorithm is a detailed sequence of calculations performed in a specific number of steps to achieve a desired outcome. A hash algorithm is a function that reduces a message to a mathematical expression and is called a one-way hash because the expression cannot be reversed. For example, if every letter of the alphabet were assigned a number (a=1, b=2 etc.) any name could be reduced to a single digit. The speakers choose Julius Caesar since he was one of the earliest users of encryption.
Altering any original message or file including a change in the spelling of a word, eliminating apostrophes or changing a comma to a period will result in a different hash.
Messages are encrypted and decrypted using public and private keys. Expect to hear much more about Public Key Infrastructure (PKI) in the upcoming months as commerce continues to move to the Internet. The speakers also offered a clear explanation of how these keys are used. “Two sets of electronic keys are used to encrypt and decrypt documents. Public keys can be shared while private keys are known only to their specific owner. An encrypted document is created using the sender’s private key and the receiver’s public key. The receiver decrypts the document using the sender’s public key and the receiver’s private key. The public key is the certificate authority. Separate pairs of keys can be used to encrypt or digitally sign to strengthen security.”
“Whatever is locked by a private key can only be unlocked by the corresponding public key and vice versa. Encrypting and sending with the sender’s private key and the receiver’s public key can therefore only be decrypted with the receiver’s private key and the sender’s public key. Use the private key to create the digital signature/hash.”
Readers should be aware that currently there is a huge debate going on over setting standards for the PKI. It does not look like it will be settled soon as a number of entities have a vested interest in becoming the standard setter. These concepts may be new to many reading this, but Managing Accounts Payable believes that it is imperative that anyone who works for a company that uses the Internet understands these concepts. Remember, there was a time not too long ago, when the whole idea of the Internet seemed alien. To see how Chevron is using these concepts in its accounts payable department, see the related story, “How Chevron’s A/P Dept. Addressed Internet Security Concerns & Set The Tone for the Entire Co."