During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital
signatures are used when receiving communications from customers. To substantiate this, an IS
auditor must prove that which of the following is used?
A.
A biometric, digitalized and encrypted parameter with the customer’s public key
B.
A hash of the data that is transmitted and encrypted with the customer’s private key
C.
A hash of the data that is transmitted and encrypted with the customer’s public key
D.
The customer’s scanned signature encrypted with the customer’s public key
Explanation:
The calculation of a hash, or digest, of the data that are transmitted and its encryption require the
public key of the client (receiver) and is called a signature of the message, or digital signature. The
receiver performs the same process and then compares the received hash, once it has been
decrypted with their private key, to the hash that is calculated with the received datA. If they are
the same, the conclusion would be that there is integrity in the data that have arrived and the origin
is authenticated. The concept of encrypting the hash with the private key of the originator provides
non repudiation, as it can only be decrypted with their public key and, as the CD suggests, theprivate key would not be known to the recipient. Simply put, in a key-pair situation, anything that
can be decrypted by a sender’s public key must have been encrypted with their private key, so they
must have been the sender, i.e., non repudiation. Choice C is incorrect because, if this were the
case, the hash could not be decrypted by the recipient, so the benefit of non repudiation would be
lost and there could be no verification that the message had not been intercepted and amended. A
digital signature is created by encrypting with a private key. A person creating the signature uses
their own private key, otherwise everyone would be able to create a signature with any public key.
Therefore, the signature of the client is created with the client’s private key, and this can be verifiedby