In the paper-based system of shipping
documents, the shipper normally receives the bill of lading from the carrier
after the goods have been loaded aboard.
In order to obtain documentary credit in an international sales transaction,
the shipper then endorses the bill to a bank in his country.
This bank is usually chosen by the issuing bank, which is a bank in the
buyer’s country. After verification of the bill the shipper’s bank then
endorses it against payment to the issuing bank, which finally transfers the
bill of lading to the buyer. As the order bill of lading is a negotiable
document of title and represents the goods in transit, it gives the bank
rights over the goods themselves as a security for the advance.
On arrival of the goods the buyer can then represent it to the carrier who
will release the goods from his vessel to the person in possession of the
original paper bill of lading. The regular and lawful bill of lading holder is
the only person who is entitled to demand the delivery of the goods.
The objective of a replacement of this
well-established traditional bill of lading process by electronic means is to
hold on to all its important features – apart from the issuing of a physical
paper document. Some of the functions are relatively easy to replace, as long
as it merely concerns information to be sent via a computerised system.
However, in order to replace the function of a document of title, it is
‘necessary to send proof of title’ by electronic means.
The general basis on which all attempts of
computerized or electronic communication are based is called ‘electronic data
interchange’ (E.D.I.).
This system was designed to facilitate trade without any form of documentation
and it rather functions as a closed system of electronic communications
between commercial parties.
The E.D.I. network connects the computers of businesses with each other and
data streams or electronic files are sent via telephone lines
to the trading partner in question. The contained information is secured by a
so-called ‘private key’, which is issued in substitution for the document of
title. The current holder of this key is the rightful person to obtain
possession of the commodities. If the goods are sold through the E.D.I.
network while in transit, the existing private key is cancelled and replaced
by a new key issued to the person entitled to control the goods.
Such a private key needs to be secured
against fraud and unauthorized alteration when being sent by electronic means.
To ensure a sufficiently high level of security in electronic commerce,
today’s computer world uses the techniques of digital signatures.
It is absolutely necessary to fully
understand the rather complicated procedure of digital signatures. Only when
it has become clear how this electro-technical mechanism proceeds, it can be
argued that the electronic bill of lading in question is an acceptable
substitute for the traditional bill in maritime commerce.
Essentially, a digital signature verifies a
person’s identity. These electronic
signatures can be classified in two categories: first, in key-based encryption
and secondly, in biometrics.
The latter ones use ‘physical characteristics such as voice and face
recognition’,
iris scanning and fingerprints.
However, for the scope of this dissertation only the former signatures are
relevant and will be dealt with.
These key-based digital signatures
authenticate an electronic message with the public key infrastructure (PKI), a
method that consists of two keys - a public key and a private key – and the
mathematical cryptography technique.
The public key infrastructure is also known as asymmetric key cryptography.
Encryption of information is the scrambling
of data files from a plaintext into a ciphertext,
so that only a person with the appropriate key can make it readable again. The
keys work as a pair, meaning that a given public key will only decrypt
messages coded with its associated private key and vice versa.
Therefore, if an author sends his message by encrypting it with the public key
of the receiver, then only the receiver has the possibility to decrypt the
message with his private key. This is the way confidential notes can be sent.
On the other hand, a message that is encrypted with the private key of the
sender can be decrypted by everyone with his public key. If the decryption
works and produces a readable signature, then the message must have come from
the sender since his private key was used to encrypt it in the first place.
Most importantly therefore, private keys
must be kept as secret as possible and not shared with any other party
involved.
Only if these essentials are observed, the public key infrastructure will work
correctly.
Although the mathematical cryptography
technique behind the described encryption and decryption of digital signatures
is very sophisticated, a short look shall be devoted to it as this process
gives the system its exceedingly high level of security.
Cryptography of digital signatures is based
on mathematical algorithms.
The best known algorithm used in this process is the RSA algorithm, named
after its inventors Rivest, R.L., Shamir, A., and Adleman, L.
This algorithm is a mathematical transformation based on the multiplication of
two large prime numbers. A prime number is a number that has no divisors
except for 1 and itself, e.g. 5, 7, 13, or 17. The multiplied primes as well
as their product are used to form the two keys, i.e. ‘the public key is the
product of two randomly selected large prime numbers, and the secret key is
the two primes themselves’.
The reason why this applied algorithm is extremely secure is because of the
great mathematical difficulty to find the two prime factors of a large number,
and of finding the private key from its relating public key.
As there are infinitely many prime numbers, it is said that a 128 bit public
key would – with enough computing power to check one trillion of these numbers
a second – take more than 121,617,874,031,562,000 years to crack.
Before cryptography is used to secure the
document, the signer’s software applies a ‘hash’ function to the original
message.
This hash function computes the ‘message digest’ of the plaintext to be
signed. It compresses bits of the data, e.g. the total number of characters
and their value in a document, to a fixed-size hash value which is a
representation of the message unique to that particular message.
The software then encrypts the message
digest with the user’s private key into the final digital signature, attaches
it to a document and sends it to the receiver. Thereafter, the receiver’s
software decrypts the signature with the sender’s public key and ‘hashes’ it
back into the message digest. If the message hashes back to the former hash
value it is proved that the message has not been altered by an unauthorized
person.
From the above procedure we learn that an
electronic document which is secured with a digital signature can hardly ever
be tampered by a third person. Therefore, once the message is saved on the
hard drive of the recipient or some other electronic medium suchlike a
diskette or a self-written compact disc, it is just as much evidence of the
contractual communication as a paper document is.
Hence, an electronic bill of lading which
was secured with the aforesaid cryptography mechanism is equally to a
traditional bill of lading concerning its functions as a receipt for the goods
shipped and as proof of evidence of the contract between the shipper and the
carrier.
However, as mentioned above, the real
difficulty concerning electronic bills of lading is their function as a
negotiable document of title. It was already said that in order to fulfil this
requirement, it is necessary to send proof of title by electronic
means.
In the computerized, electronic-based world
this requirement of proof of title is provided by a trusted third party
called the ‘Certification Authority’ (CA).
These certification authorities are independent but state-controlled bodies
that issue and sign qualified digital certificates. They are also responsible
for the renewal and revocation of digital certificates.
Such an electronic authentication certificate contains information concerning
the identity of the CA, the subscriber’s identity, the expiration date of the
certificate, a serial number as well as a number representing the holder’s ID,
and finally the public key that is associated with that identity.
The digital certificates themselves are then digitally signed by the
certification authority.
By these means the certification
authorities ensure that an encryption key emanates from the person from whom
it purports to originate.
Therefore, the buyer of goods that are in transit knows that the seller is the
person entitled to the goods, if he encrypted his offer with a public key that
was issued by a certification authority. Furthermore, the carrier knows that
he can release the goods to the consignee, if he received an encrypted and
signed certification naming the new consignee.
In other words, the institution of
certification authorities is similar to a notary public, who compulsory states
that the document in question is an original and unaltered record. As the
CA-bodies are state-controlled and need to fulfil certain standards
themselves, they are trustworthy and can therefore function as an independent
third party to the contract.
For that reason the verification of the
parties’ identity by the certification authorities can be regarded as a
substitute for the paper-based document of title. A qualified digital
certificate by a CA is the guarantee that the two keys of a digital signature
encrypt a negotiable document of title.
These digital signatures that are verified
by a CA are also known as ‘advanced digital signatures’, as they fulfil the
four additional requirements imposed by the EU Electronic Signature Directive
(1999/93/EC).
The above description of digital signatures
has demonstrated the way electronic documents can be secured today is indeed a
matter of great security. However, this arena is subject to day-to-day changes
and developments. News emerges on a regular basis that even greater, faster
and better algorithms have been invented
or - on the other hand – that some key size has been cracked.
Notwithstanding the above, a look at the
traditional paper bill of lading discloses even greater shortcomings in
respect of security matters.
In order to forge a paper-based bill of
lading, it is simply necessary to issue a second faked set of documents and
distribute it to potential new buyers or to a different, unauthorized
consignee. Obviously, the original and rightful signature on the bill of
lading must be copied or falsified. Using this method, an ‘entire bill of
lading may be counterfeited, (...) the quantity of the goods may be altered,
and the consignor may fraudulently sell the same goods two or three times to
different buyers’.
It could even be possible to trade with goods that do not exist
or to seek for documentary credit with nonexistent securities.
In comparison, such forgery is much more
difficult with electronic bills of lading. Unless the defrauder is able to
crack the cryptographic code - which was shown above is computationally
infeasible to do – there is no way that a third party can issue a faked set of
electronic documents. This is impossible because every electronic document
which is not encrypted with a digital signature approved by a certification
authority will be deemed by other parties to be inconsistent with the
requirement of using qualified, digital certificated key encryption.
The evaluation in this second chapter has
proved that the complicated technical and computerized processing of
electronic bills of lading does not only fulfil the first and second
requirements of the traditional bill of lading, but also provides a solution
for the aspect of negotiability. The function of the certification authority
as a trusted third party enables merchants in international sales to believe
in the rightful possession of goods and to regard the e-bill as a negotiable
and transferable document of title.
Beyond that, it has become clear
that electronic bills of lading are much more secure than the traditional
bills in regard of forgery matters. The mathematical algorithms with which
cryptography works are far beyond the human comprehension and it is unlikely
that a new mathematical breakthrough will be achieved in the near future in
order to break down the innumerable number of primes in question.
Additionally, the development of constantly growing bit seizes
makes it more and more difficult for unauthorized individuals to decipher the
secret codes.
© 2003
Carsten
Schaal &
Lex e-Scripta,
INTER-LAWYER.com. All Rights Reserved.