1. Why is there a need to enact the ETA?
   
   

   The advent of e-commerce and the use of the digital medium as an alternative to the physical medium have created some novel legal issues where there are no clear answers. Hence, there is a need to enact the ETA to set the basic legislative framework for e-commerce and electronic transactions. This removes existing legal impediments and instils confidence in businesses and individuals to engage in e-commerce, bringing Singapore to the forefront of international e-commerce developments and achieving our vision of turning Singapore into an international e-commerce hub.

2. What are the purposes of enacting the ETA?
   
   
   • to facilitate electronic communications by means of reliable electronic records;
   • to facilitate e-commerce, eliminate barriers to e-commerce resulting from uncertainties over writing and signature requirements, and to promote the development of the legal and business infrastructure necessary to implement secure electronic commerce;
   • to facilitate electronic filing of documents with government agencies and statutory corporations, and to promote efficient delivery of government services by means of reliable electronic records;
   • to minimise the incidence of forged electronic records, intentional and unintentional alternation of records, and fraud in electronic commerce and other electronic transactions;
   • to help to establish uniformity of rules, regulations and standards regarding the authentication and other electronic transactions; and
   • to promote public confidence in the integrity and reliability of electronic records and e-commerce, and to foster the development of e-commerce through the use of electronic signatures to lend authenticity and integrity to correspondence in any electronic medium.

     See Section 3 for more information.

3. When was the ETA enacted?
   
   

   The ETA was enacted on 10 July 1998.

4. How does the ETA help in the development of e-commerce in Singapore?
   
   

   It addresses the legal issues necessary to set the stage for a secure and pro-business environment for electronic commerce in Singapore.

5. What are the salient features of the ETA?
   
   

   Broadly, the ETA seeks to:

   • enact a commercial code to support e-commerce transactions;
   • set the legislative framework for Certification Authorities;
   • enable electronic applications and licences for the public sector; and
   • clarify network service providers' liability for third party content.
     
     
6. How does the ETA enact a commercial code to support e-commerce transactions?
   
   

   The ETA clarifies the rights and obligations of transacting parties by setting out provisions dealing with issues related to the formation of electronic contracts. It also gives legal recognition on the use of electronic records and signatures and their secure counterparts.

7. How does the ETA set the legislative framework for Certification Authorities?
   
   

   The ETA stipulates the duties of Certification Authorities (CAs) and their subscribers and provides for the appointment of a Controller of CAs to regulate and license CAs in Singapore.

8. How does the ETA enable the public sector's use and acceptance of electronic records and signatures?
   
   

   There is an omnibus provision for Government departments and statutory boards to accept electronic filing and issue electronic documents without having to amend their respective Acts. The ETA also provides that government departments and statutory boards can specify as regulations, additional requirements for the retention of electronic records under their purview.

   See Section 47 for more information.

9. How does the ETA clarify the liability of the network service providers?
   
   

   The ETA provides that a service provider is not subject to criminal or civil liability for third party material for which the provider merely provides access.

   See Section 10 for more information.

10. How does the ETA compare with existing frameworks in other countries?
    
    

    The ETA is partly based on the UNCITRAL Model Law on Electronic Commerce. It also includes some of the best features from other sources such as the State of Illinois Electronic Commerce Security Act, German Multimedia Law and the Utah Digital Signature Act.

11. Does the ETA prescribe a specific technology for secure electronic signatures?
    
    

    The ETA is intended to be technologically neutral. Although the Act specifically qualifies digital signature as a form of secure electronic signature, it has also been worded broadly to accommodate all forms of electronic signatures provided they satisfy the requirements for secure electronic signature.

12. What are the requirements for secure electronic signatures?
    
    

    Under the ETA, an electronic signature shall be treated as a secure electronic signature if it can be verified, through the application of a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved, that the signature is:

    • unique to the person using it;
    • capable of identifying such person;
    • created in a manner or using a means under the sole control of the person using it; and
    • linked to the electronic record to which it relates in a manner such that if the record is changed, the electronic signature would be invalidated.

    See Section 17 for more information.

13. What are the requirements for digital signatures to be legally binding in Singapore?
    
    

    There are 4 ways in which a digital signature can be given legal recognition under the ETA:

    • use certificates issued by a licensed CA;
    • use certificates issued by a CA outside Singapore but recognised by the Controller of CAs;
    • use certificates issued by an approved Government CA; or
    • establish a contractual agreement between the parties involved in the transaction to use a prescribed digital signature mechanism that is secure.

    See Section 20 for more information.

14. Does the ETA apply to digital signatures and certificates used in cross-border transactions?
    
    

    The basic elements of contract formation (acceptance, offer, intention to enter into legal relations and consideration) are addressed. Conflict of laws principles for cross-border transactions are as applicable in cyberspace as they are in the tangible "real world". The use of digital signatures, especially against a backdrop of cross-border cross-certification arrangements can help to resolve some jurisdictional issues. The borderless nature of cyberspace and the relative difficulty in finding geographical reference points for such applications provide impetus for Singapore to continually work out practical and predictable arrangements (e.g. bilateral agreements) to address such issues.

15. What are the duties of a CA?
    
    

    The duties of a CA include using trustworthy systems in performing its services and maintaining secure procedures for the issuance, renewal, suspension, revocation and publication of its certificates.

    See Section 27 to 35 for more information.

16. What are the duties of a subscriber of a certificate?
    
    

    The duties of the subscriber include providing accurate and complete information when applying for certificate, safeguarding the private key and initiating suspension or revocation requests if his private key is compromised.

    See Section 36 to 40 for more information.

17. What are the penalties that will be imposed on a CA if it fails to observe any of its obligations?
    
    

    A CA guilty of an offence under the ETA or its regulations shall be liable on conviction to a fine or to term imprisonment or to both depending on the nature of the offence committed.

    See Section 25, 26, 42, 48, 51, 53, 56 and 59 for more information.

18. What is the role of the Controller of CAs?
    
    

    The role of the Controller of CAs (CCA) is to regulate and license the activities of CAs in Singapore. As CAs perform a trusted role in verifying the identities of parties in electronic transactions, the CCA seeks to provide the assurance that the CAs' responsibilities are met and that these services are made available with high integrity, security and service standards.

    See Section 41 and 42 for more information.

19. How does one know if a CA is licensed by the Controller of CAs?
    
    

    The Controller of CAs will maintain a publicly accessible database containing a CA disclosure record for each licensed CA.

Electronic Transactions (Certification Authority) Regulations

1. Why is there a need to enact the Regulations?
   
   

   In the faceless world of the Internet, transacting parties may not be able to reliably verify each other's identity. A CA thus plays the important role of a trusted third party in vouching for the identities of holders of certificates that it issues (i.e. its subscribers). The Regulations seeks to set a benchmark for the integrity and security of the services offered by CAs, thus giving electronic commerce (e-commerce) security a boost.

2. What is the purpose of enacting the Regulations?
   
   

   The Regulations aim to ensure high standards of integrity, security and service levels for licensed CAs in Singapore by:

   • putting in place a licensing scheme for CAs;
   • laying down the administrative framework for licensing by the Controller of CAs; and
   • stipulating the licensing criteria for CAs in Singapore and the continuing operational requirements after obtaining a licence.
     
     
3. When was the Regulations enacted?
   
   

   The Regulations was enacted on 10 February 1999.

4. Is it mandatory for a CA to be licensed in Singapore?
   
   

   No, it is not compulsory for a CA to be licensed in Singapore, as the licensing regime that Singapore adopts is a voluntary scheme. Such arrangement mitigates over-regulating and stifling the CA industry and e-commerce which are in their budding stages.

5. What are the licensing criteria that CAs will be evaluated against?
   
   

   The criteria that CAs will be evaluated against include their financial standing, operational policies and procedures, and the security of their systems.

   See regulation 7,8,9 and 10 for more information.

6. Are licensed CAs required to provide a trusted time-stamping service?
   
   

   The Regulations do not require licensed CAs to provide trusted time-stamping services. There is currently no legislation that regulates the provision of such services. The government may enact new legislation in this area subsequently if it is necessary to ensure the integrity and to promote the use of such services.

7. What are the auditing requirements?
   
   
   CAs that apply to be licensed will have to be audited for compliance against the ETA, the Regulations, its Certificate Practice Statement (CPS), the Security Guidelines and other licensing conditions imposed by the Controller of CAs. The auditing team must be independent of the CA that it audits and approved by the Controller. The team must also comprise of a Certified Public Accountant (CPA) and a Certified Information Systems Auditor, either of them must possess sufficient knowledge of PKI.

   See regulation 10 for more information.

8. What are the benefits of licensing?
   
   

   Although the licensing scheme is a voluntary one, there are certain benefits for a CA to be licensed such as:

   • a licensed CA will enjoy evidentiary presumption for digital signatures generated from the certificates it issues;
   • its liability is limited under the Act.
   • the licensing of a CA by the Controller is also indication to the public that the CA has met the stringent regulatory requirements established.
     
     
9. Under what circumstances will the licence of a CA be revoked or suspended?
   
   

   A CA's licence will be revoked if the CA is wound up or at the request of the CA. The Controller of CAs may also revoke or suspend the CA's licence if it fails to comply with any mandatory conditions pertaining to the issuance/ renewal of the licence.

   See regulation 11 and 12 for more information.

Security Guidelines for CAs

1. What is the purpose of the Security Guidelines for CAs
   
   

   The Security Guidelines for CAs is a set of security criteria for the management, systems and operations of CAs. It supplements the Electronic Transactions (CA) Regulations. All licensed CAs are required to comply with the mandatory requirements stated in the security guidelines.

2. What are the salient features of the security guidelines?
   
   

   The security guidelines cover the whole life cycle of certificate management - from identification and key generation to suspension and revocation. The sections of the security guidelines are Management and Obligations, Certificate Management, Key Management, Systems and Operations, and Application Integration.

3. Who can qualify to conduct the "suitably qualified independent party review"?
   
   

   The suitably qualified independent party should have in-depth security and technical competence in PKI and cryptographic engineering to review the critical security components of the CA system. Formal certification of the CA software and cryptographic modules would also be considered as meeting the "suitably qualified independent party review" requirement where the security certification was awarded by a reputable certifying body.

4. What are the salient considerations for incident response procedures listed in Guideline 2.4.8?
   
   

   The following (together with ET(CA) Regulations Part V Regulation (27)) should be taken into consideration when an incident occurs:

   • Information security staff needs to have documented procedures so that the information can be recorded and the data preserved.
   • Information security manager should develop data preservation procedures with the advice and assistance of a legal counsel, the organization's managers and law enforcement officers with computer forensic experience.
   • IS staff must understand a few basic forensic actions including taking no actions that could change/modify/contaminate potential of actual evidence.
     
     
5. What constitutes "adequate security" in the "hot" disaster recovery location as listed in Guideline 2.9.6?
   
   

   The "hot" disaster recovery site shall be sufficiently secure so that full service of the certificate directory can be reinstated within the time-critical period stipulated under the ET (CA) Regulations (30).

6. What is considered "sensitive personal information" as listed in Guideline 3.1.5?
   
   

   Sensitive personal information may include but not limited to:

   • Sensitive personal data means personal data consisting of information about racial or ethnic origin, the subject's political opinions, religious beliefs, sex life, physical or mental health, any proceedings for offences committed.
   • Attribute or eligibility information such as the educational, medical, criminal, employment or financial history of the individual may be considered sensitive.
   • Any other piece of identifying information that may be considered an invasion of privacy under the applicable regulatory requirements.
     
     
7. The security guidelines require the cryptographic modules to conform to the US FIPS 140-1 or 140-2 standards. Do the cryptographic modules need to be formally certified to be compliant to FIPS 140-1 or 140-2 as listed in Guideline 4.10?
   
   

   Formal certification is not mandatory. However, the independent party who reviews the systems should verify that they are indeed compliant to FIPS 140-1 or 140-2 standards.

8. What does the term "application security risk assessment" encompass as listed in Guideline 6.1.4?
   
   

   Coverage for application security risk assessment should be limited to the certificate management software.

Licensing Process

1. What are the steps involved in the licensing process?
   
   

   The entire licensing process involves 4 parts:

   • Obtaining application package by the CA;
   • Application submission;
   • Application Processing; and
   • Award or Reject of Application.
     
     
2. What are the documents to be submitted for the application of a CA's licence?
   
   

   An application has to be accompanied by the following documents:

   • certified true copies of the insurance certificate
   • cross cheque or bank draft for S$5,000 with IDA as the payee
   • certified true copies of the company's resolution
   • original business profile report with certification from RCB
   • business plans (including cash flow projections and budget statements)
   • audited accounts for the past 3 years (if applicable)
   • the CA's Certification Practice Statement (CPS)
   • technical specifications of the CA system and CA security policies and standards
   • organisational chart and details of all trusted personnel
   • report of the initial audit within 4 weeks upon completion of the audit (if available at that point of time)
     
     
3. How long does each step of the licensing process take?
   
   

   Provided that all the required information and documents are in order, the application can be processed between 12 to 15 weeks.

4. What are the fees payable for a CA to be licensed?
   
   

   The application/ renewal fee payable is S$5,000 in respect of each submission. In addition, the applicant must also pay an annual licence fee of S$1,000 for the entire duration of the licence upon approval of the application.

5. The audit of a CA must be conducted by an independent auditing firm approved by the Controller. How is the independence between the auditing firm and the CA assessed?
   
   

   An auditing firm is generally considered as independent of the CA being audited if the former is not directly involved in the design, supply, implementation and operations of the CA systems. The auditing firm must make a formal declaration of its independence to the CA and the Controller.

   See regulation 10(3) for more information.

6. What are the minimal qualifications and expertise required for an auditing team to audit a CA against the licensing criteria?
   
   

   The financial auditing team must include a CPA or someone with equivalent qualification. The security auditing team must include a CISA or someone with equivalent qualification and possess demonstrable expertise and experience in the area of public key infrastructure.

   See regulation 10(2) for more information.

7. Must a licensed CA be re-audited if its CPS is changed?
   
   

   Yes, a re-audit is necessary. The auditors can recommend whether a full or partial audit is required.

8. Is it mandatory for a CA to obtain insurance?
   
   

   Yes, a CA must be minimally insured against liability arising from errors or omissions on its part, its officers or employees.

   See regulation 7(1) for more information.

Digital Signature

1. What is a digital signature?
   
   

   A digital signature is an electronic form of a real world hand-written signature. Instead of applying to paper documents, digital signatures are applied to electronic documents. Like hand-written signatures, digital signatures can be used to prove the authenticity of electronic documents. Someone who reads a document that is digitally signed by you can be assured that the document came from you. In addition, he is also assured of the integrity of the document, i.e., the document is complete and has not been modified in any way.

2. Why do we need digital signatures?
   
   

   On the Internet, it is difficult to tell where your messages truly come from. If you receive an email from familiar email address, you may assume that your friend sent it. But not many people realise that it is not difficult to fake an email by assuming another person's identity on the Internet. Even when you access a familiar Web site, you can never be sure about the Web site's authenticity, because a hacker on the Internet may have created a fake one to lure you into giving him your credit card number. With digital signatures, you will be able to verify that emails came from people you know and that Web sites are authentic. Digital signatures provide trust on the Internet.

3. Are digital signatures recognised by Singapore laws?
   
   

   Yes, digital signatures are recognised by Singapore law. The ETA, enacted in July 1998, states that digital signatures will be given legal recognition. The ETA also provides for a licensing scheme for CAs - where the digital certificates issued by licensed CAs are automatically accorded validity in court, unless proven otherwise. Many other countries have also enacted laws to recognise digital signatures. Some of these countries are Germany, Italy, USA and Malaysia.

4. How do I create a digital signature?
   
   

   Before creating digital signatures, you will need to register yourself with a Certification Authority (CA). The registration process is to accurately identify yourself to the CA so that the CA can vouch for your signatures to be recognised by everyone else on the Internet. It is similar to the process of getting your bank to recognise your hand-written signature - after registering your signature with your bank, you can use the same signature subsequently to perform banking transactions. In the electronic world, the CA will issue you with a digital certificate, which acts like your passport on the Internet, telling everyone what your digital signature should look like. The digital certificate, together with a secret code, called the private key, can be stored in a smart card. When you need to sign an electronic document, you will then insert the smart card into a smart card reader attached to your computer. Your digital signature can only be created by entering a password to activate the private key stored in your smart card. Hence, you will need to protect your smart card and password securely so that no one else can forge your digital signature.

5. What is non-repudiation?
   
   

   Non-repudiation is a property of a system in which a person cannot deny actions that he had performed or committed to. Digital signatures generated based on asymmetric cryptography have a non-repudiation property, in the sense that the person who created the signature cannot deny that he/she has done so.

6. What is integrity?
   
   

   The integrity of a message refers to the completeness and correctness of the message, i.e. it has not been altered. Digital signatures can be used to prove the integrity of an electronic message.

7. How do I validate a digital signature?
   
   

   The first step in the process of validating a digital signature is to verify that the corresponding digital certificate is valid. The public key in the certificate, which indicates how the signatory's signatures should look like, is then used to verify if the digital signature is authentic. The process also verifies that the contents of the digitally signed document or record have not been tampered with since the fixation of the signature. The application software you are using (e.g. email software or Web browser) usually performs the whole process.

8. What are some of the services on the Web that make use of digital certificates and digital signatures?
   
   

   Some of the banks in Singapore that have introduced banking services on the Internet make use of digital signatures for added security. Stock trading firms that have gone online are also making use of digital signature technology. Other examples include the public sector online services such as the Integrated Land Information System by the Ministry of Law, and the CPF PAL Internet Online system.

Cryptography

1. What is cryptography?
   
   

   Cryptography is the science of disguising information by transforming a piece of data into something that seems totally random. The transformation process, known as encryption, usually involves an electronic key, which is just a string of digital bits functioning like a key to a lock in the physical world. Encrypting a piece of data is like putting the data into a safe and locking it with a key. By performing the reverse transformation (decryption), which may require the same key or a different key, the original data can be retrieved.

2. What is public-key cryptography?
   
   

   Public-key cryptography is a kind of cryptographic system that uses two electronic keys. One key is kept private to the user while the other key is made known to the general public.

3. What is a public-key infrastructure (PKI)?
   
   

   A public-key infrastructure refers to the whole system of digital certificates, certificate servers and Certification Authorities (CAs).

4. What is a message digest?
   
   

   A message digest is a small piece of data that results from performing a special mathematical function, called the hashing function, on a piece of electronic data. Hashing functions have the property of being difficult to reconstruct the original data from a message digest. Message digests are used in creating digital signatures.

5. How should I secure my private keys?
   
   

   Private keys are usually stored in smart cards. When you need to sign an electronic document, you will insert the smart card into a smart card reader attached to your computer. Your digital signature can only be created by entering a password to activate the private key stored in your smart card. Hence, you will need to protect your smart card and password securely so that no one else can forge your digital signature.

Certification Authority (CA)

1. What is a CA?
   
   

   A CA is a relied-upon entity that issues, publishes, suspends and revokes digital certificates. The CA's basic role is to verify and vouch for the identity of subscribers and to provide certificate management services. A CA acts like a trusted electronic notary public, telling everyone who the valid users are and what their digital signatures should look like.

2. Why do we need CAs?
   
   

   Without CAs, there will be no trusted entity that issues digital certificates to us. It will be difficult to verify the authenticity of digital signatures since there are no digital certificates to tell us how each user's digital signature should look like.

3. What is a Certificate Revocation List (CRL)?
   
   

   This is a list of digital certificates that have been revoked due to various reasons. Certificates may be revoked when critical information on the certificate is no longer accurate, or when the private key associated with the certificate is compromised.

4. Are there CAs in Singapore?
   
   

   Yes, there are CAs in Singapore. The first public CA in Singapore is a company called Netrust. ID.Safe is a second CA that is being created.

Digital Certificate

1. What is a digital certificate?
   
   

   A digital certificate is an electronic document that ties each person's or organisation's identity to his/her public key. It contains certain digitally signed information, including the identification information of the person to be certified, the public key, purpose and scope of the usage of the key, name of CA, etc. Digital certificates are signed by the CA, so that users can verify that the certificates are authentic. A digital certificate used in conjunction with the private key of the subscriber, serves as a form of electronic identification, much like a digital passport.

2. How do I get a digital certificate?
   
   

   To obtain a digital certificate, you will need to register yourself with a CA. After verifying your identity with reliable identification documents, the CA will issue you with a digital certificate.

3. Why do I need a digital certificate?
   
   

   A digital certificate is like your passport on the Internet, telling everyone what your digital signature should look like. Without a digital certificate, the parties you transact with would not be able to verify that you digital signatures are authentic.

4. How do I know if a digital certificate is valid?
   
   

   Digital certificates are digitally signed by the issuing CA. By checking the authenticity of the CA signature on the certificate, you will be able to verify that a digital certificate is valid. This is usually done by the application software (e.g. email software or Web browser) that you are using. The application software should also check the expiry date of the digital certificate and the Certificate Revocation List (CRL) to determine if the digital certificate has been revoked.

Glossary of Terms

• Asymmetric cryptography
  See "public-key cryptography"
  
  
• Authentication
  The process of identifying an individual, usually based on username, password, biometrics, cryptography, etc.
  
  
• Certificate
  See "digital certificate"
  
  
• Certificate Policy (CP)
  "Certificate Policy and Certification Practices Framework"
  A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. A Certificate Policy also indicates the value of transactions for which the certificate is suitable.
  
  
• Certificate Revocation List (CRL)
  This is a list of digital certificates that have been revoked due to various reasons. Certificates may be revoked when critical information on the certificate is no longer accurate, or when the private key associated with the certificate is compromised.
  
  
• Certification Authority (CA)
  A CA is a relied-upon entity that issues, publishes, suspends and revokes digital certificates. The CA's basic role is to verify and vouch for the identity of subscribers and to provide certificate management services. A CA acts like a trusted electronic notary public, telling everyone who the valid users are and what their digital signatures should look like.
  
  
• Certification Practice Statement (CPS)
  "Certificate Policy and Certification Practices Framework"
  A statement of the practices that a CA employs in issuing certificates.
  
  
• Confidentiality
  Protecting the secrecy of confidential data. This is usually done through the use of encryption.
  
  
• Cryptography
  Cryptography is the science of disguising information by transforming a piece of data into something that seems totally random. The transformation process, known as encryption, usually involves an electronic key, which is just a string of digital bits functioning like a key to a lock in the physical world. Encrypting a piece of data is like putting the data into a safe and locking it with a key. By performing the reverse transformation (decryption), which may require the same key or a different key, the original data can be retrieved.
  
  
• Decryption
  The process of decoding data that has been encrypted. It is the inverse function of encryption.
  
  
• Decryption key
  A cryptographic key that is used for decryption.
  
  
• Digital certificate
  A digital certificate is an electronic document that ties each person's or organisation's identity to his/her public key. It contains certain digitally signed information, including the identification information of the person to be certified, the public key, purpose and scope of the usage of the key, name of CA, etc. Digital certificates are signed by the CA, so that users can verify that the certificates are authentic. A digital certificate, used in conjunction with the private key, serves as a form of electronic identification, much like a digital passport.
  
  
• Digital signature
  A digital signature is an electronic form of a real world hand-written signature. Instead of applying to paper documents, digital signatures are applied to electronic documents. Like hand-written signatures, digital signatures can be used to prove the authenticity of electronic documents. Someone who reads a document that is digitally signed by you can be assured that the document came from you. In addition, he is also assured of the integrity of the document, i.e., the document is complete and has not been modified in any way.
  
  
• Encryption
  The transformation of data into an apparently random and less readable form through a mathematical process.
  
  
• Encryption key
  A cryptographic key that is used for encryption.
  
  
• Hash
  A mathematical function that maps values from a large domain into a smaller range. A "good" hash function is such that the results of applying the function to a large set of values in the domain will be evenly and randomly distributed over the range. Hash functions are used for generating message digests. Examples of hash functions are SHA and MD5.
  
  
• Integrity
  The integrity of a message refers to the completeness and correctness of the message, i.e. it has not been altered. Digital signatures can be used to prove the integrity of an electronic message.
  
  
• Key
  A string of digital bits that functions like a key to a lock in the physical world. It may be used to encrypt, decrypt and sign data.
  
  
• Message digest
  A message digest is a small piece of data that results from performing a special mathematical function called the hashing function, on a piece of electronic data. Hashing functions have the property of being difficult to reconstruct the original data from a message digest. Message digests are used in creating digital signatures.
  
  
• Non-repudiation
  Non-repudiation is a property of a system in which users cannot deny actions that they performed. Digital signatures have the non-repudiation property, in that the person who created the signature cannot deny that he/she has done so.
  
  
• Private key
  In public-key cryptography, private key is the key that is kept private to the user. It is used for decryption and signing.
  
  
• Public key
  In public-key cryptography, public key is the key that is made known to the general public. It is used for encryption and verifying the authenticity of digital signatures.
  
  
• Public-key cryptography
  Public-key cryptography is a kind of cryptographic system that uses two electronic keys. One key is kept private to the user while the other key is made known to the general public. Examples of public-key cryptographic systems are RSA and Elliptic Curve Cryptosystem.
  
  
• Public-key infrastructure (PKI)
  A public-key infrastructure refers to the whole system of digital certificates, certificate servers and Certification Authorities (CAs).
  
  
• Secret key
  A cryptographic key that is used for encryption and decryption in a secret-key cryptographic system.
  
  
• Secret-key cryptography
  A type of cryptographic system where the same key is used for encryption and decryption. Examples
  of secret-key cryptographic systems are DES, IDEA and RC4.
  
  
• Signing key
  A cryptographic key that is used for creating digital signatures.
  
  
• Smart card
  A credit-card sized electronic device that contains electronic memory, and possibly an embedded integrated circuit. Smart cards can be used as secure storage for private keys.
  
  
• Symmetric cryptography
  See "secret-key cryptography"