
Writing Outline for a Thesis/Research Proposal
Research Proposal
1. What is the title of the chosen thesis/research?
E-Commerce Security: The Development and Study of Electronic Signatures
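2. Review of existing research in this field, including a literature survey.
In traditional commercial transactions, to guarantee that a deal is secure and genuine, a written contract or official document must be signed or sealed by the parties or their responsible officers, so that both sides can identify who signed the contract and be assured that the person who signed or sealed it accepts its contents; only then is the contract recognized as legally valid. In the virtual world of e-commerce, however, contracts and documents are expressed and transmitted as electronic files, on which a traditional handwritten signature or seal cannot be placed, so technical means must take their place. The electronic technique that can identify the true identities of both trading parties in an electronic document, guarantee the security, authenticity and non-repudiation of the transaction, and play the same role as a handwritten signature or seal is called an electronic signature. The UNCITRAL Model Law on Electronic Signatures defines an electronic signature as follows: "data in electronic form in, affixed to or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory's approval of the information contained in the data message". The European Union's Directive on a Community Framework for Electronic Signatures provides that "data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication" are an electronic signature.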
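An electronic signature is not a digitized image of a handwritten signature. It is an electronic code with which the recipient can easily verify the sender's identity and signature over the network, and can also verify whether the original text of the document was changed in transit.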
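There are many technical means of implementing electronic signatures, but the relatively mature one at present, in general use in the world's advanced countries, is still digital signature technology based on PKI (Public Key Infrastructure). The U.S. Digital Signature Standard (DSS, FIPS 186-2) explains a digital signature as follows: "the result of a computation on data using a set of rules and a parameter, such that the identity of the signer and the integrity of the data can be verified." Under this definition, PKI can provide cryptographic transformation of data units and enable the receiver to determine the source of the data and verify the data. The core executive body of PKI is the electronic certification service provider, commonly known as the certification authority or CA (Certificate Authority), and the core element of a PKI signature is the digital certificate issued by the CA.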
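3. What are your motivation and background for choosing this research topic?
With the vigorous growth of the Internet, e-commerce, with its advantages of high efficiency and low cost, is gradually becoming a new business model and philosophy, and the continuous refinement and maturing of models such as B2B and B2C has further driven the development of e-commerce worldwide. People are no longer satisfied with browsing and publishing information; they are eager to enjoy more of the convenience that the network brings. To meet this demand, more and more websites are joining the ranks of e-commerce service providers, and more and more enterprises are beginning to offer their business directly to customers over the Internet; a global, Internet-based e-commerce framework is taking shape. The network, however, is a double-edged sword: while enjoying the convenience and efficiency it brings, people also have to face equally "convenient" and "efficient" means of online crime. From an individual's daily affairs to an enterprise's business operations, the social and economic activity of the network age has been overshadowed by security problems from the very beginning, and until security is effectively guaranteed, existing e-commerce models will never develop to the level and depth they should reach.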
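This project mainly studies the development and application of electronic signatures, because they occupy a very important place in business security. The electronic signature is the foundation of e-commerce, the "identity card" and "passport" of e-commerce transactions, and the safeguard of their security. Electronic signatures make open, global e-commerce transactions possible, and the confirmation of identity and of message content is the basis for setting transaction rules in e-commerce. Electronic signatures resolve some of the key legal issues facing the development of e-commerce, making electronic contracts lawful, electronic transactions standardized and e-commerce governed by law. It is fair to say that if the security of electronic signatures cannot be properly put into practice, everyone who wants to use e-commerce for fast, convenient transactions will be left in constant doubt amid confusion.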
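4. What is the value and significance of the research you have chosen?
Informatization is a great transformation in the way human society operates, and its technical basis is the change in how information is processed, stored and transmitted. Humanity is gradually saying goodbye to paper and pen and expressing information in digital form. This change will fundamentally alter commercial, governmental and cultural activity. Implementing e-commerce with the Internet and network technology requires that security be properly addressed: besides network security measures such as firewalls, anti-virus and attack prevention, appropriate information security techniques are needed to provide identity authentication, encrypted transmission of information, integrity of information and non-repudiation of transactions.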
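In e-commerce practice, the electronic signature is the important means of securing electronic transactions. It has three main functions: first, proving the origin of a document, that is, identifying the signer; second, showing that the signer confirms the content of the document; third, forming the basis on which the signer is held responsible for the correctness and completeness of the document's content. However, quite a few problems have arisen in the application of electronic signatures: whether electronic signatures and data messages have legal force; the rules for electronic signatures are unclear, making liability hard to determine once a dispute arises; the legal status and legal liability of the electronic certification bodies that vouch for the parties to electronic transactions are unclear; and the security and reliability of electronic signatures may become obstacles that constrain the development of e-commerce.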
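The Electronic Signature Law, China's first true informatization law, had a long history, from its initial conception through the debates and compromises over the draft to its final passage. Its introduction will undoubtedly bring great change to our country. Recall that on June 30, 2000, U.S. President Clinton formally signed the Electronic Signature Act, a major piece of legislation for the network age, which gave electronic signatures the same legal force as traditional handwritten signatures and was regarded as an important milestone in America's move into the e-commerce era. In China, with the introduction and implementation of the relevant laws, electronic signatures will play an extremely important role in regulating electronic signature activity, safeguarding the security of electronic transactions, protecting the lawful rights and interests of the parties to electronic transactions, and promoting the healthy development of e-commerce. As technology continues to advance, people will fully experience the confidentiality, integrity, authenticity and non-repudiation of the network. Further study of the development of electronic signatures is therefore very meaningful, with good prospects and room for development.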
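5. What is the general content of the research you intend to carry out?
The main subject is digital signatures based on PKI public-key cryptography. I also hope to come into contact with other electronic signature methods, for example: identification marks based on biometrics; identification by handprint, voiceprint or retinal scan; passwords, passcodes or personal identification numbers, and so on.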
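6. Into what stages is the research roughly divided?
Roughly the following stages. Stage one: study existing theory, identify its shortcomings and incomplete areas, and broaden my own research thinking. Stage two: study concretely how digital signatures are implemented, so that, on the basis of PKI technology, the electronic signature delivers the functions it should. For example: the sender affixes an electronic seal to an electronic document, which indicates the sender's identity; the document owner can store their own information in the electronic seal for later viewing; the electronic document is encrypted and the recipient must hold the corresponding security certificate, preventing unauthorized users from stealing the document's information; and the uniqueness of the electronic seal guarantees non-repudiation in transaction security. Stage three: conduct surveys and statistics, using questionnaires and official or unofficial data, in the hope of establishing how well people currently understand electronic signatures and how much they use them; the result can help show whether electronic signatures work smoothly in practice and how they should be improved.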
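7. What main research methods will you adopt in the research?
I will study how a digital signature is applied to an electronic document. The process falls roughly into three parts: first, identity verification over the network; next, signing; and finally, verification of the signature.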
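The first service PKI technology provides is identity verification, and the precondition for authentication is that both party A and party B hold certificates issued by a CA. One-way authentication is the simpler case: one party only needs to obtain the other party's certificate and, having obtained it, first uses the public key of the CA's root certificate to verify the signature on that certificate, that is, checks whether it is a valid certificate. The second step is to check the certificate's validity period and whether the certificate has been revoked. In two-way authentication, both parties must confirm the validity of the other's certificate.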
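Once the identities have been mutually confirmed, the digital signature part begins. It consists of two pieces: signing and verification. The sender computes a digital digest of the original text with a hash algorithm, applies asymmetric encryption to the digest with the signing private key to obtain the digital signature, and sends the original text together with the digital signature. On receipt, the recipient decrypts the digital signature with the public key to recover the digest, then applies the same hash algorithm to obtain a new digest; if the two digests match, the document has been transmitted successfully.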
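8. What components and implementation steps will your research include?
A model of information transfer across networks needs to be built, with which the digital signature workflow can be seen at a glance.
Quantitative/qualitative analysis of statistical data to determine how well electronic signatures work in practice.
Case analysis: studying successful and failed electronic signature cases to draw lessons and experience.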
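9. What outcome/result do you expect your research to achieve?
I hope to study e-commerce security in greater depth, electronic signature technology in particular. I hope electronic signature technology will come to be used widely and securely, thereby promoting the healthy development of e-commerce.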
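10. List some of the specialist literature your research will involve.
1. Electronic Commerce: A Managerial Perspective, by Efraim Turban, Jae Lee, David King & H. Michael Chung, Higher Education Press and Pearson Education North Asia Limited, 2001
2. Web Security & Commerce, by Simson Garfinkel, Gene Spafford, O'Reilly & Associates, Inc., 1997
3. Jiang Xuping: E-Commerce and Network Marketing, Beijing, Tsinghua University Press, 1999
4. Guan Zhensheng: Public Key Infrastructure (PKI) and Certificate Authority (CA), Electronic Industry Press, 2002
5. Fundamentals of Electronic Signature, TechTarget website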
1. Title
2. Brief Review of Electronic Signature as a Technology
An electronic signature is not a digitized image of a handwritten signature. It is an electronic code with which the recipient of a document can ascertain the identity of the sender and his/her signature. In addition, the original text can be checked for any alteration during transmission.
There are a number of technical approaches to implementing electronic signatures. The relatively mature approach at present, widely used in most developed countries, is digital signature technology based on PKI (Public Key Infrastructure). PKI can provide cryptographic transformation of data units and allows the receiver to determine the source of the data and verify it. PKI's core executive body is the electronic certification service provider, usually called the CA (Certificate Authority), and the core element of a PKI signature is the digital certificate issued by the CA.
The CA is PKI's central executive body and its main component, a third party representing authority, credibility and fairness. The CA is set up to strengthen the management of digital certificates and keys, promote mutual trust among online dealers, ensure the safety of online transactions and control commercial risk. The ultimate aim is to promote the development of e-commerce. The CA's basic functions are as follows: 1. generating and safeguarding the public and private keys, the digital certificates and their digital signatures that conform to the security certificate protocols; 2. authenticating digital certificates and signatures; 3. managing digital certificates, with a focus on certificate revocation.
The first generation of CA was set up by SETCO based on the SET protocols, serving the B2C e-commerce hierarchy. With the development of B2B e-commerce, the CA's payment interface was required to support both B2B and B2C. Under these circumstances, the second generation of CA, which combines two-dimensional and hierarchical structures based on PKI technology, was born. In recent years, PKI technology has matured both in theory and in application. The key standards used by the second-generation security certificate system based on PKI technology and by the payment interface include: 1. LDAP, S/MIME, TLS, CAT (Common Authentication Technology) and GSS-API, issued by a special international working group. 2. The standard issued by ISO with the approval of ITU, 9594-8/X.509.
3. Motivation and Background of the Research
E-commerce security covers both network security and transaction security. Transaction security, on which this research concentrates, refers to the security of business transactions carried out over the network. Specifically, it consists of the confidentiality, integrity, authenticity and non-repudiation of e-business activity.
My research will examine the development and application of electronic signatures because the subject is of dominant importance in e-business. The electronic signature is the very foundation of e-business, serving as the ID or passport for electronic transactions. Electronic signatures make it possible for people to conduct e-business globally, and the authentication of identity and of the relevant information is the very basis for formulating transaction rules in e-commerce. Electronic signatures can resolve some of the most crucial legal problems in e-business by legalizing electronic contracts, standardizing e-commerce activities and institutionalizing e-commerce.
4. The Significance and Value of the Research
An electronic signature fulfills three major roles: a) to ascertain the source of the document and identify the signer; b) to indicate that the signer confirms the content of the signed document; c) to serve as evidence that the signer bears responsibility for the correctness and completeness of the content of the signed document.
However, many problems have emerged in the actual application of electronic signatures. Do electronic signatures and data messages carry any legal validity? Because the rules governing electronic signatures are unclear, it is sometimes difficult to determine legal responsibility when disputes occur. The legal status and liabilities of the electronic certification organizations that vouch for the parties involved in e-commerce are uncertain. With the further development of Internet technology and of e-business, people will need a heightened level of electronic signature security. Studying the development of electronic signatures is therefore very significant, and the research has important prospects for application.
5. Synopsis of the Research
6. Some of the Stages in my Scholarly Research Agenda
7. The Methodologies I will Adopt
The first service PKI technology provides is identity authentication, which presupposes that both parties to the transaction hold certificates issued by the CA. Unilateral authentication is relatively simple. One party first obtains the other party's certificate and then uses the public key of the CA's root certificate to verify the signature on that certificate. This determines whether the certificate is valid. The next step is to check the certificate's validity period and whether the certificate has been revoked. In bilateral authentication, both parties must confirm the validity of the other party's certificate.
Once the identities of both parties have been mutually authenticated, they enter the digital signature stage. This consists of two parts: signing the document and verifying the signature. The sender computes a message digest of the original text with a hash algorithm and then obtains the digital signature by applying asymmetric encryption to the digest with the private key. The sender then sends the original document together with the digital signature. On receipt, the receiver uses the public key to decrypt the digital signature and recover the digest. By applying the same hash algorithm to the received text, he/she obtains a new digest. If the two digests match, the document has been successfully transmitted.
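The certificate checks and the hash-then-sign exchange described in the two paragraphs above, as an added example that is not part of the original proposal. It uses textbook RSA without padding over fixed Mersenne primes purely to make the steps visible; the function names, certificate fields, keys, dates and sample document are assumptions constructed here, and production code would use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib, json

E = 65537  # public exponent shared by both toy keys
def make_key(p, q):
    # Textbook RSA from two fixed primes (teaching only: no padding, weak primes).
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data: bytes) -> int:
    # Message digest of the text: SHA-256 read as an integer.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, key) -> int:
    # Private-key operation applied to the digest, not to the document.
    return pow(digest(data), key["d"], key["n"])

def verify(data: bytes, sig: int, n: int) -> bool:
    # Public-key operation recovers the signed digest; compare with a fresh one.
    return pow(sig, E, n) == digest(data)

def tbs(body) -> bytes:
    return json.dumps(body, sort_keys=True).encode()  # bytes the CA signs

def issue_cert(subject, pub_n, serial, not_before, not_after, ca_key):
    body = {"subject": subject, "n": pub_n, "serial": serial,
            "not_before": not_before, "not_after": not_after}
    return {"body": body, "ca_sig": sign(tbs(body), ca_key)}

def accept(doc, sig, cert, ca_n, today, revoked_serials):
    body = cert["body"]
    if not verify(tbs(body), cert["ca_sig"], ca_n):
        return "bad CA signature"            # step 1: CA root public key
    if not body["not_before"] <= today <= body["not_after"]:
        return "outside validity period"     # step 2a: ISO dates compare as text
    if body["serial"] in revoked_serials:
        return "revoked"                     # step 2b: revocation list
    if not verify(doc, sig, body["n"]):
        return "digest mismatch"             # step 3: document signature
    return "ok"

# Constructed sample data (hypothetical CA, sender and document).
CA = make_key(2**521 - 1, 2**607 - 1)
SENDER = make_key(2**1279 - 1, 2**2203 - 1)
CERT = issue_cert("sender.example", SENDER["n"], 1001,
                  "2005-01-01", "2005-12-31", CA)
DOC = b"Purchase order 17: 10 units at 5.00"
SIG = sign(DOC, SENDER)

if __name__ == "__main__":
    for d in (DOC, DOC + b"0"):  # untouched document, then an altered one
        print(accept(d, SIG, CERT, CA["n"], "2005-06-01", set()))
```

A matching digest shows only that the text is unchanged and was signed with the key named in the certificate; the certificate checks are what tie that key to an identity.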
8. Specific Steps and Procedures of My Research
9. The Final Results I Wish to Achieve
10. Bibliography and References
1. Electronic Commerce: A Managerial Perspective, Efraim Turban, Jae Lee, David King & H. Michael Chung, Higher Education Press and Pearson Education North Asia Limited, 2001
2. Web Security & Commerce, Simson Garfinkel, Gene Spafford, O'Reilly & Associates, Inc., 1997
3. Secure Preservation of Electronic Documents (A project being undertaken by the research team led by Prof. at the University of x x x, which will be completed by February 2005.)
4. E-Commerce and Network Marketing, Jiang Xuping, Tsinghua University Press, Beijing, 1999
5. Public Key Infrastructure (PKI) and Certificate Authority (CA), Guan Zhensheng, Electronic Industry Press, 2002
6. Fundamentals of Electronic Signature, TechTarget Website