Ethics in the information management context involves a standard or code of behaviour that an individual or group of people is expected to follow regarding right and wrong behaviour within a society. Everybody must be aware of this matter, because those who are not alert to ethics can be charged under the law. This term paper focuses specifically on ethics in the digital signature environment, as crime now occurs in this profession. The Government has introduced the Digital Signature Act 1997, which covers crimes related to digital signatures. A person who commits such crimes has special and powerful skills and can gain access to anyone's private devices or accounts without permission from the legal owners. The Government has decided that crimes involving digital signatures are offences for which a person can be arrested by an enforcement body. Everybody should have good ethics as a step towards their future life.
Keywords: Ethic, Digital Signature Act, Digital Signature, Biometric System, Iris recognition, security
Digital Signature is a new technology that has evolved from a manual system. According to Lekkas & Lambrinoudakis (2006), a digital signature is better than a handwritten signature: it is unforgeable, uncopyable and cannot be manipulated. Nowadays, digital signatures are gaining momentum in electronic transactions, but their usage is still limited because of a lack of users and applications that implement the technology. A digital signature preserves the basic security properties of a digital document, such as the integrity and authenticity of binary data. Even though the mathematics involved in digital signing is complex, the main concept of the signing process is simple, as it is based on key cryptography. A signer has a key pair consisting of a Private Key and a Public Key. The Private Key is held only by the signer, who uses it to access a certain transaction, while the Public Key is made available to interested parties through an open directory as general information.
Then, according to Song, Jin & Connie (2007), user authentication is needed to keep information confidential and protected against unauthorized access. A password is commonly used to authenticate a person, but this method can easily be broken with a simple dictionary attack by an unethical person. An alternative method that addresses this problem is the introduction of a biometric device. Biometric authentication is a technology that analyzes human physical and behavioral characteristics such as fingerprint, iris, hand geometry, keystroke and signature for personal authentication purposes. A biometric device allows physical access control, law enforcement and data security applications to make rapid and foolproof identity checks. Cryptography is a form of user authentication that is widely used today. It is the art and science of keeping information from unauthorized use. Symmetric and asymmetric cryptosystems appear to be a good solution for protecting important data such as digitized media and credit card information.
Digital signatures are gaining many users in everyday electronic transactions. Lekkas, Gritzalis & Mitrou (2005) emphasize that signed documents in digital format have become popular in a wide range of areas, such as transaction records, scientific work, contracts and governmental issues. The technology preserves the basic security characteristics of a digital document, such as its integrity and authenticity. Besides that, various electronic signature applications have been proposed to apply the technology. The procedure is based on public key cryptography: the signer encrypts a sequence of data using their private key, and the verifier of the signature confirms the originality of the data by decrypting the signature using the public key of the signer.
Furthermore, according to MAMPU (n.d), biometrics is a method of recognizing individuals based on their biological and behavioral characteristics. Biological and behavioral characteristics of the individual such as fingerprints, palms, eyes, voice, face, deoxyribonucleic acid (DNA), keystroke and signature have been used to identify individuals for some time. In Malaysia, biometric technology has also been used by many public sector agencies to improve the safety and quality of their service delivery systems. Among the applications that use biometric technology are the MyKad, the Malaysian identification document, and the Automated Fingerprint Identification System (AFIS), which identifies a Malaysian's identity through thumbprint detection. Biometric systems have an advantage over other authentication methods because the biological characteristics of an individual are unique and not similar to anyone else's.
Compared with other methods such as a Personal Identification Number (PIN) or password, biometric methods are difficult to duplicate and make identity fraud harder. A biometric method does not require the user to remember a PIN or password. Users just need to present themselves at the sensor or reader and follow the instructions. Generally, a biometric system has three main functions: Enrollment, Verification and Identification. In the Enrollment process, the system generates the individual's biometric enrollment template and stores it in the database. Next, authentication (verification) is the function in which the system verifies the identity of a person. Authentication uses a matching process. Validation and matching are done by comparing the current biometric sample obtained from an individual with that individual's biometric template stored in the system, either on portable media or in a database. For verification and matching against biometric templates in a database, initial identification data such as the user's identification (ID) number must be entered, because the database holds many biometric templates. Lastly, identification is the function in which the system needs to identify a person's identity from the list of existing users. Identification requires one-to-many matching. Verification and matching are performed by comparing the characteristics of the individual's current biometric sample with all the templates available in the system to identify the individual involved. Below are the examples of biometric systems in our country:
In completing this term paper, primary and secondary literature is used to enable an in-depth understanding of the issues related to Digital Signature matters. The primary sources used in this study are recorded videos about digital signature crimes occurring in the country. The statements are released by the Ministry of Communication and Multimedia, the Inspector General of Police (IGP) and other authorized persons. They arrest the persons involved and investigate them. Then, they announce it to the public through mass media such as television broadcasting, in the hope that the public will become aware of the problem. Sources also come from online radio, as radio stations also have a news session, so I also got information about the cases through those sessions.
The other kind is secondary sources, obtained from journal articles, books, newspapers and so on. I studied the journal articles and got some information about the cases. Furthermore, the journals are written by authoritative persons, so they can be classified as reliable sources. The selected articles are relevant to the topic that needs to be discussed in this paper. Besides that, I also got information from Unit Pemodenan Tadbiran dan Perancangan Pengurusan Malaysia (MAMPU), which gives a brief on biometric systems in government agencies.
So, the sources that I have obtained give me confidence to write about the digital signature problem and the function of biometric systems in an organization. Furthermore, digital signature and biometric applications form one branch of the security topic that will be discussed later.
3.0 Definition and concepts of the topic
There are various definitions related to digital signature applications. The first is the biometric system architecture. According to Morosan (2011), a biometric is a unique human characteristic that rarely changes. There are two types of biometrics: physiological and behavioral. Physiological biometrics are less controllable by the owner, such as fingerprint, face, retina, iris and voice. Behavioral biometrics are more controllable by the owner, such as signature pattern, handwriting and gait. Moreover, a specific setting is needed for recognition of an individual located away from the sensor. A biometric system is a computerized system that allows a user to be authenticated based on their biometric, and it is based on four components:
• A 'Sensor module', which includes a reader or scanner to acquire a raw biometric image from the user.
• A 'Features Extractor module', which extracts a feature set from the raw biometric image and creates a template for the user.
• A 'Matching and Decision Making module', which compares the extracted feature set with those existing in the database.
• A 'Database module', which is a repository of templates for the users.
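The enrollment, verification and identification functions described earlier, mapped onto the four modules listed above, as an added example that is not part of the original paper. Templates are modelled as 256-bit strings compared by Hamming distance; the template size, the threshold, the simulated sensor noise and the user names are assumptions made for illustration.

```python
import random

TEMPLATE_BITS = 256   # assumed template size (illustrative)
THRESHOLD = 0.32      # assumed maximum fraction of differing bits for a match


def hamming_fraction(a: int, b: int) -> float:
    """Matching module: fraction of bits that differ between two templates."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def capture(trait: int, noise: float, rng: random.Random) -> int:
    """Stand-in for the sensor and feature extractor: the same trait read
    again, with each bit flipped with probability `noise`."""
    sample = trait
    for bit in range(TEMPLATE_BITS):
        if rng.random() < noise:
            sample ^= 1 << bit
    return sample


class BiometricSystem:
    def __init__(self, threshold: float = THRESHOLD):
        self.threshold = threshold
        self.database = {}  # Database module: user ID -> enrolled template

    def enroll(self, user_id: str, template: int) -> None:
        """Enrollment: store one template per user ID."""
        if user_id in self.database:
            raise ValueError(f"{user_id} is already enrolled")
        self.database[user_id] = template

    def verify(self, claimed_id: str, sample: int) -> bool:
        """Verification: compare the sample with the claimed user's template only."""
        template = self.database.get(claimed_id)
        if template is None:
            return False  # unknown ID: fail closed
        return hamming_fraction(template, sample) <= self.threshold

    def identify(self, sample: int):
        """Identification: search every template, return the closest ID or None."""
        best_id, best_distance = None, 1.0
        for user_id, template in self.database.items():
            distance = hamming_fraction(template, sample)
            if distance < best_distance:
                best_id, best_distance = user_id, distance
        return best_id if best_distance <= self.threshold else None


def run_demo() -> dict:
    """Constructed data: three enrolled users, one fresh reading, one stranger."""
    rng = random.Random(7)
    system = BiometricSystem()
    traits = {name: rng.getrandbits(TEMPLATE_BITS)
              for name in ("aminah", "bala", "chong")}
    for name, trait in traits.items():
        system.enroll(name, capture(trait, 0.02, rng))
    fresh = capture(traits["bala"], 0.10, rng)   # noisier reading at the door
    stranger = rng.getrandbits(TEMPLATE_BITS)    # never enrolled
    return {
        "genuine_verified": system.verify("bala", fresh),
        "wrong_claim_verified": system.verify("aminah", fresh),
        "identified_as": system.identify(fresh),
        "stranger_identified_as": system.identify(stranger),
    }


if __name__ == "__main__":
    print(run_demo())
```

Verification touches a single template because the user supplies an ID first, while identification has to compare the sample against every stored template.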
Then, according to Alsaid & Mitchell (2005), to generate a digital signature on a data structure, the data must be encoded as a serial string of bits and bytes. It is then expected that the signature will unambiguously commit the signer to the content of the serialized document. However, ambiguity can arise in the interpretation of the data string when it can be viewed differently. Signature functionality can be integrated into a specific application or provided as a stand-alone application. If digital signature functionality is built into an application, the application must be aware of the document format to avoid any interpretation issues arising from dynamic content. Furthermore, to overcome the problem of dynamic content, the signing application can be enabled to communicate with the application that understands the document format. Besides that, the Private Key must be protected by storing it in a security module such as a Smart Card and requiring entry of a password.
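The sign-and-verify procedure described earlier and the dynamic content problem raised here, as an added example that is not from the original paper or from the cited authors. It uses textbook RSA without padding over two known Mersenne primes, which is for illustration only and not secure; the `{{field}}` syntax, the function names and the sample documents are hypothetical.

```python
import hashlib
import re

# Textbook RSA key built from two known Mersenne primes, NO padding.
# Illustration only: never use this construction to protect real data.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the signer

# Hypothetical syntax for a field the viewer fills in at display time.
FIELD = re.compile(rb"\{\{(\w+)\}\}")


def digest_int(data: bytes) -> int:
    """Hash the serialized bytes and reduce the digest into the RSA group."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Signer: apply the private key to the digest of the serialized document."""
    return pow(digest_int(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Verifier: apply the public key and compare with a freshly computed digest."""
    return pow(signature, E, N) == digest_int(data)


def render(data: bytes, viewer_context: dict) -> str:
    """What a viewer displays: dynamic fields are filled from its own context."""
    def expand(match):
        return viewer_context.get(match.group(1).decode(), "").encode()
    return FIELD.sub(expand, data).decode()


def dynamic_fields(data: bytes) -> list:
    """Names of the dynamic fields found in the serialized document."""
    return sorted({name.decode() for name in FIELD.findall(data)})


def sign_if_static(data: bytes) -> int:
    """Format-aware signing: refuse documents whose display can change later."""
    fields = dynamic_fields(data)
    if fields:
        raise ValueError(f"refusing to sign, dynamic fields present: {fields}")
    return sign(data)


def run_demo() -> dict:
    static_doc = b"Pay 100 MYR to account 12345"       # constructed sample
    dynamic_doc = b"Delivery is due on {{today}}"      # constructed sample
    static_sig = sign_if_static(static_doc)
    dynamic_sig = sign(dynamic_doc)   # what a format-unaware signer would do
    return {
        "static_ok": verify(static_doc, static_sig),
        "tamper_detected": not verify(b"Pay 900 MYR to account 12345", static_sig),
        "dynamic_still_verifies": verify(dynamic_doc, dynamic_sig),
        "view_a": render(dynamic_doc, {"today": "2024-01-01"}),
        "view_b": render(dynamic_doc, {"today": "2024-06-30"}),
        "flagged": dynamic_fields(dynamic_doc),
    }


if __name__ == "__main__":
    print(run_demo())
```

The signature binds the signer to the bytes, not to what a viewer shows: the two renderings differ while the same signature verifies, which is why the check has to run before signing and needs knowledge of the document format.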
Then, many steps are needed to implement a biometric application in a Digital Signature environment. According to Song, Jin & Connie (2007), to apply biometrics in a cryptosystem, symmetric encryption cryptosystems are designed to accept an identical key for encryption and decryption. The uniqueness of biometric technology is limited by the fluctuation of the biometric sensor and its signal capacities. A biometric system will also not function if it is affected by environmental factors such as misalignment, lighting and background noise. So, an organization needs to monitor the device from time to time to make sure that the application is functioning well.
Besides that, biometric devices also have their benefits. According to Janbandhu & Siyal (2001), a biometric signature requires an accurate, easy-to-use and fast recognition technology based on a unique characteristic. Of all the biometric technologies, iris recognition is the most promising one that fulfills the requirement. This is because iris recognition is hard to manipulate, as everybody has different physical characteristics. Every iris is different from all others, so it is a suitable basis for a security device. Given the advantages of iris recognition, they hope that this recognition technology will be chosen as the biometric signature in any transaction, and that steps will be taken to integrate it properly.
Furthermore, the digital signature also has some weaknesses. Lekkas & Lambrinoudakis (2006) state that a problem with a digital signature is that the Private Key is not controlled directly by the signer but indirectly through a machine or application. If a password is broken, it will affect the key in the database. So, the management of keys for verifying a digital signature is a complicated process. Questions about the lifespan of a signing key cannot be answered without knowledge of cryptography. There are some questions that need to be handled if a technical problem arises:
• How to create a key pair?
• How to protect our private key?
• How does the application handle the problems?
Then, according to MAMPU (n.d), examples of biometric systems that have been implemented in this country are fingerprint, iris, face, voice, DNA, hand geometry, vein, signature, keystroke and so on. Each of these devices has its own advantages and is suitable for today's environment. The components contained in a biometric system are:
• Data capturing system
• Sample processing system
• Data storage system
• Matching system
• Decision-making system
Furthermore, biometric systems are implemented for certain purposes such as controlling physical access, controlling logical access, self-identification and forensics. For the maintenance of biometric systems, factors such as frequency and complexity should be taken into account to determine whether maintenance should be performed in-house or needs a support provider. If a support provider is needed, the provider should have the capabilities to make sure that maintenance of the system can be done.
Besides that, our country is also involved in developing biometric standards inside the country and at the international level. The Department of Standards Malaysia and SIRIM are the standards bodies responsible for identifying biometric standards that can be used in the Malaysian environment. The Biometrics Technical Committee (TC 10) was established in October 2003; its scope of work includes the development of standards for biometric technology that support interoperability and the exchange of data across applications. The Committee follows overall standards activities at national and international level, where Malaysia is a Participating member of ISO/IEC JTC1/SC 37 - Biometrics. To ensure that the standards adopted as Malaysian standards are of good quality and practical, feedback is obtained from various organizations such as the government, the private sector, associations and university researchers. The feedback is used as input in standards development activities.
The table above shows the theories that relate Biometric technology to Digital Signature applications. These theories explain the steps in the digital signature process. Theories 1a and 1b are by Janbandhu & Siyal (2001) and concern biometric signatures using the RSA algorithm and DSA. The process runs from the first step of scanning an iris at a device through to verification. After the process succeeds and the verification is done, the user can get access to the transaction.
Then, Theory 2 is from Lekkas & Lambrinoudakis (2006) and is a trust model for client-generated signatures and signature outsourcing. The trust in a signature is derived from a relationship and from trust in the digital certificate issued to the signer. After the process is successful, the user can get access to the transaction.
Theory 3 is a framework for a biometric key generation scheme by Song, Jin & Connie (2007). The RS-based error correction method is used to stabilize the Fingerhash so that it can be used directly to lock and unlock the biometric key. From the security viewpoint, a prerequisite of biometric key generation is protecting the biometric data, because of the privacy concern.
Lastly, Theories 4a and 4b were introduced by Alsaid & Mitchell (2005). These two theories discuss the signing of a digital document and the verifying of a signed document. To sign a digital document, the signer uses a relevant application to check that the document appears correctly. The other is the process of verifying a digital signature on a document with dynamic content. When the process has verified the user's data, it proceeds to the next step before the user can get access to the transaction.
There are several common challenges in developing an effective digital signature application for security purposes. Every good approach has its constraints before it is successfully implemented. Moroson (2012) states that even though biometric applications will spread in use, they need to coexist with the applications that have already been implemented. The challenges that biometric technology needs to face concern beliefs about system functionality, privacy, trust and technology anxiety. Belief about system functionality is how much users understand about the biometric application. An objective evaluation of the technology cannot be performed by the public users of the application.
Next is privacy, which is the selective disclosure of personal information between a person's private and social identity. Privacy continues to develop as a critical topic for biometric applications. Then there is trust, which relates to uncertainty, dependence and high risk. The concept of trust is important in the context of biometric systems in travel and in an organization. Lastly, technology anxiety is the fear of suffering physical harm as a result of using the technology. Some customers are very concerned about the hygiene of the sensor, as a lot of people use the application. We do not know the physical condition of the people who use the sensor, and users need to touch a certain button before scanning their iris at the iris recognition device. This could affect another user through the sensor. These challenges can be overcome by giving the public enough understanding of biometric technology in digital signature transactions.
Moreover, when a stand-alone signature application is used, the problem of dynamic content becomes more serious, since the digital signature program is not aware of the format of the document that needs to be signed. One way to avoid the problem is by enabling the signing application to communicate with the application that understands the document format. Furthermore, the security of the signing process also relies on the integrity of the private signing key. The Private Key should therefore be protected by storing it in a security module such as a smart card, so that it can be used only when needed.
Then there are the weaknesses and risks in the signature creation process. According to Lekkas, Gritzalis & Mitrou (2005), the first question is whether signature-creation devices can be trusted. The signer is provided with a qualified certificate that binds their identity to their public key. No one can deny that a specific private key has been used for the creation of a digital signature on an electronic document. Besides that, no one can deny the creation of a digital signature or claim that the action was not protected by the act. A fundamental problem is that a digital signature is not produced directly by a physical entity but indirectly through an application. The risk lies in the fact that the calculation of a digital signature is performed transparently by hardware and software that are mostly unknown to the user and that are, at the least, unreliable.
The next question is whether the smart card solves the problem of untrustworthy systems. Although a regular computing system is considered untrustworthy for the creation of digital signatures, it is accepted that a smart card provides a high level of security in the cryptographic operations needed for digitally signing data. It conforms to the European directive on digital signatures, which requires a secure signature creation device that remains under the control of the signer. Furthermore, a smart card is generally a tamper-proof device whose usage is authorized by a Personal Identification Number (PIN).
According to MAMPU (n.d), it is impossible to get a system that achieves one hundred percent (100%) accuracy every time. Therefore, the agency should establish the acceptable error ratio for the biometric system to be obtained. System performance can be evaluated by measuring the biometric False Match Rate (FMR) and False Non-Match Rate (FNMR). The values of both measurements should be identified to take into account the ratio of errors that may occur. A false match (FM) occurs when an individual masquerading as an authorized user is allowed access to the system by the biometric system. Agencies need to set an acceptable FMR to prevent intrusion into the system by unauthorized users. A false non-match (FNM) occurs when the biometric system fails to identify a legitimate user, so that the user is not allowed access to the system. This is sometimes caused by changes to the biometric data of the user. It can also occur if the user's biometric data is not captured properly by the equipment. Agencies need to set an acceptable FNMR to reduce the incidence of restricted access for legitimate users.
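How an agency could turn the FMR and FNMR trade-off described above into a threshold choice, as an added example that is not from the MAMPU guideline. The similarity scores are constructed sample data, and the rule "accept when the score is at or above the threshold" and the selection policy are assumptions.

```python
# Constructed comparison scores in [0, 1]; higher means more similar.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.84, 0.66, 0.93, 0.87, 0.72, 0.90]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.28, 0.55, 0.62, 0.19, 0.47, 0.70, 0.33,
                   0.25, 0.38, 0.51, 0.44, 0.16, 0.30, 0.58, 0.22, 0.68, 0.40]
CANDIDATE_THRESHOLDS = [0.50, 0.60, 0.65, 0.70, 0.75, 0.80]


def error_rates(genuine, impostor, threshold):
    """Return (FMR, FNMR) when a comparison is accepted at score >= threshold.

    FMR  = share of impostor comparisons wrongly accepted.
    FNMR = share of genuine comparisons wrongly rejected.
    """
    if not genuine or not impostor:
        raise ValueError("both score sets must be non-empty")
    false_matches = sum(1 for score in impostor if score >= threshold)
    false_non_matches = sum(1 for score in genuine if score < threshold)
    return false_matches / len(impostor), false_non_matches / len(genuine)


def rate_table(genuine, impostor, thresholds):
    """One (threshold, FMR, FNMR) row per candidate threshold, ascending."""
    return [(t, *error_rates(genuine, impostor, t)) for t in sorted(thresholds)]


def choose_threshold(genuine, impostor, thresholds, max_fmr):
    """Pick the threshold with the lowest FNMR among those whose FMR does not
    exceed the agency's limit; ties go to the lower threshold.
    Returns (threshold, FMR, FNMR), or None when no candidate meets the limit."""
    best = None
    for row in rate_table(genuine, impostor, thresholds):
        _, fmr, fnmr = row
        if fmr > max_fmr:
            continue  # too many unauthorized users would get through
        if best is None or fnmr < best[2]:
            best = row
    return best


if __name__ == "__main__":
    for t, fmr, fnmr in rate_table(GENUINE_SCORES, IMPOSTOR_SCORES,
                                   CANDIDATE_THRESHOLDS):
        print(f"threshold={t:.2f}  FMR={fmr:.2f}  FNMR={fnmr:.2f}")
    print("FMR limit 5%:", choose_threshold(
        GENUINE_SCORES, IMPOSTOR_SCORES, CANDIDATE_THRESHOLDS, 0.05))
```

Raising the threshold lowers the FMR and raises the FNMR, so the agency fixes the error it can least tolerate first and accepts the resulting value of the other.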
At the global level, the use of biometric technology has increased, especially in the fields of security and forensics, for identification and verification of the identity of an individual. For example, airports in the United States (US) use a biometric identification system containing photographs and fingerprints of foreign visitors to the country. Japan has also applied vein systems in offices and companies, and in personal information systems in its educational and health institutions.
In our country, the main role of the Malaysian Communication and Multimedia Commission (SKMM) is to implement and promote the country's national policy objectives for the communications and multimedia sector. The Commission also oversees the new regulatory framework for the convergence of telecommunications, broadcasting and online activities, in line with the objectives set by the national policy in the Communications and Multimedia Act 1998. The Digital Signature Act provides for the role of the Commission in carrying out the implementation of the policy, while policy decisions are determined by the Minister, who also gives directions to the Commission for legal action. An individual who commits an offence under the Digital Signature Act can be fined a maximum of RM 200,000 or imprisoned for a term not exceeding four (4) years, or both. Because of this punishment, people will be careful in their actions, especially those involving Digital Signature crime. So, everybody should understand that white collar crime is also a branch of crime and should not be committed lightly.
In response to the challenges above, several recommendations are proposed to overcome the problems. According to the guideline by MAMPU (n.d), agencies first need to examine whether the use of biometrics is protected and recognized by the legislation or policies in place. If not, the agency needs to look at the possibility of making amendments where necessary. For example, if the act relating to an agency's services states that an identification document alone is enough for identity verification, the act should be amended to include the biometric element if the agency wants to enforce the use of biometrics to increase the safety factor. Agencies need to look at possible amendments to existing acts where deemed necessary. The willingness of customers, especially public users, to use biometric methods should be considered before using this technology. Customer attitudes towards the use of this technology can affect the performance of the system in future use.
Besides that, the implementation of biometric technology can also improve the efficiency and effectiveness of agencies' service delivery. For example, the use of biometrics can reduce fraud and save processing time for any transaction. This is because the data stored in the database cannot be manipulated by anyone, as it is under security monitoring. Next, the use of biometrics can increase the level of physical security for a specific location, or the level of logical security of an application system, primarily one that involves access to confidential or secret information. This is because the application is covered by security monitoring that requires legal identification to access the transaction. Biometric technology is a secure method for digital access, as it is hard to cheat, especially in a digital signature transaction.
Furthermore, the system should be usable by the majority of users. If there is a problem where a user's biometric sample cannot be registered, alternative methods should be provided. For example, visually impaired users who cannot be registered through a system using iris technology should be given alternative methods. There are multi-model biometric systems in which a combination of more than one biometric technology is used. It depends on the need for a multi-model biometric system, and additional cost is needed to set up the additional sensor. The additional sensor is a backup to the main application, as we do not know the physical condition of public users.
A biometric system should be easy to use for users and system operators. The creators of the application need to train the staff in the organization until they have mastered the application, including the minor errors that occur during office hours. Among the best practices to facilitate the use of biometric applications are the following:
• Its use must be simple and automatic
• The reader should be flexible, so that an individual's biometric characteristics can be scanned from different positions
• Take note of and be aware of the needs of Persons With Disabilities (PWDs)
Furthermore, a biometric system also needs to provide instructions that are easy for the user to understand. Instructions should be clear, easy to read and not too long. Otherwise, the user will take a lot of time to understand the instructions before continuing the transaction. The criteria are as follows:
• Instructions are provided in sequence (whether through an audio or display system)
• Inform the user whether the transaction was successful or needs to be repeated
• Inform the user if the reader or scanner requires user action in a certain case
• Consumers who use the system regularly are given the option to use or skip the audio instructions
Lastly, a biometric system should be reliable, to ensure uninterrupted use for a specific period such as 24 hours a day. The down time for the system should be minimal, and agencies need to look at alternatives such as a backup plan for contingencies. For example, a service kiosk that implements a biometric system should have a higher degree of reliability than one used at a counter that operates only during office hours. This is because the service will have many users, so it needs to be on standby 24 hours per day and seven (7) days per week. A contingency plan should be prepared as a backup for any uncertainty.
In conclusion, it can be said that biometric technology is the best application for digital signatures, especially with regard to security. Nowadays, a lot of technology is being built and expanded all the time. Online transactions have also evolved with the arrival of online digital signatures. The suggested solutions require all document-handling applications to be aware of the digital signature program in order to function properly. Furthermore, to sign a digital document, the user needs to use their Private Key to access the application and continue the transaction. The new opportunity in the digital environment has come with a new challenge: protecting owners against unauthorized use of their content in the digital environment.
Besides that, the biometric application has reduced the need for users to remember a Personal Identification Number (PIN). With a biometric device, they just present themselves at the sensor and follow the instructions. Some biometric applications need to scan a fingerprint, an iris, hand geometry and so on. Then, users can access the transaction successfully through the application. Because of this requirement, users need to take care of themselves, because any changes in their physical body will affect the ability of the biometric system to recognize them. If this happens, the user needs to inform the organization about the case so that it can help with alternative methods.
As a recommendation, established organizations should implement the technology as a security factor. For example, a keystroke application is usually applied by a security department, and the identification process compares the characteristics of the key presses with data existing in the system for verification. This method is used by agencies that conduct investigations and activities with a high impact on national security. Similarly, iris recognition uses the features of unique images of the pupil. An eye scanner takes a high-resolution photo of the eye and records the data. This data is then converted by an algorithm and compared with the character and shape of the pupil that has been recorded. This method is applied for access to locations with a high security level, especially for those who want to enter a vault room containing secret items.
Furthermore, every organization needs to study its business environment before implementing a biometric application. It needs to study the number of its customers and the frequency of their transactions. From the study, it will know the weaknesses of the older technology and can decide to find a newer one. This is because a PIN code used for a transaction can still be manipulated by other people; for example, someone who has stolen another person's Automatic Teller Machine (ATM) card can withdraw money if they succeed in accessing the account.
The use of biometric technology has great potential to improve the delivery of public sector services, especially in terms of security and integrity. Agencies should refer to the guidelines when planning to implement biometric technology in their respective agencies if they want their business transactions to succeed. Moreover, they also need to consider the budget provided to them, as the implementation process needs a lot of money. After that, they can decide on the type of biometric application they are interested in according to their budget.