[EMAIL PROTECTED]? On Thu, Nov 16, 2000 at 01:37:37PM -0500, R. A. Hettinga wrote: > > --- begin forwarded text > > > Date: Thu, 16 Nov 2000 10:09:43 -0800 > From: Somebody > Reply-To: [EMAIL PROTECTED] > To: "R. A. Hettinga" <[EMAIL PROTECTED]> > Subject: Re: Schneier: When is a Signature not a Signature? When it's a chad. > > Bruce falls into the same error he points out: attempting > to devine intent rigorously. In fact there lots of ways > humans have agreed to evidence agreement, and none of > them are tamper proof. Much of the corporate > world runs on electronically printed signatures for checks, > there is a long and illustreous history of signet rings and > carved chops being used as contractual evidence... His > argument is equivalent to saying that we should not accept > a corporate check because the computer room could > have been hacked, or that King X should not accept the > seal of King Y because his nemesis might have snuck in > at night and borrowed it from his finger while he slept, > or that Wu-san's chop had been copied by an expert > carver. (and I'm certain such events have in fact occurred.) > > I think his only valid point is that digital signatures are > not somehow better. What they do provide are > 1) an interesting possibility for _remote_ contracting, and > 2) a way for computing machinery to do things analogous > to humans contracting with each other. > Both of these are important and will likely yield lots of > exciting new applications. > > Bruce should keep in mind that the Digital Signature Law > recently enacted basically says that no signature will be > deemed invalid _purely_ because it is electronic in nature. > It doesn't say that computation of m^e mod n constitutes > Alice's intent to sign. It does say that if Alice and Bob > agree to use such a digital mechanism to evidence intent, > then they may. > > And just as we are learning this week that a "vote" is > a more ambiguous concept than we may have intuitively > thought, a "signature" has _never_ been a black-and-white > expression of human intent, simply one piece of evidence > in a sometimes cluttered, occasionally fraudulent, and > always contestable world. > > "R. A. Hettinga" wrote: > > > At 5:58 PM -0600 on 11/15/00, Bruce Schneier wrote: > > > > > Why Digital Signatures Are Not Signatures > > > > > > > > > > > > When first invented in the 1970s, digital signatures made an amazing > > > promise: better than a handwritten signature -- unforgeable and uncopyable > > > -- on a document. Today, they are a fundamental component of business in > > > cyberspace. And numerous laws, state and now federal, have codified > > > digital signatures into law. > > > > > > These laws are a mistake. Digital signatures are not signatures, and they > > > can't fulfill their promise. Understanding why requires understanding how > > > they work. > > > > > > The math is complex, but the mechanics are simple. Alice knows a secret, > > > called a private key. When she wants to "sign" a document (or a message, > > > or any bucket of bits), she performs a mathematical calculation using the > > > document and her private key; then she appends the results of that > > > calculation -- called the "signature" -- to the document. Anyone can > > > "verify" the signature by performing a different calculation with the > > > message and Alice's public key, which is publicly available. If the > > > verification calculation checks out then Alice must have signed the > > > document, because only she knows her own private key. > > > > > > Mathematically, it works beautifully. Semantically, it fails > > > miserably. There's nothing in the description above that constitutes > > > signing. In fact, calling whatever Alice creates a "digital signature" was > > > probably the most unfortunate nomenclature mistake in the history of > > > cryptography. > > > > > > In law, a signature serves to indicate agreement to, or at least > > > acknowledgment of, the document signed. When a judge sees a paper document > > > signed by Alice, he knows that Alice held the document in her hands, and > > > has reason to believe that Alice read and agreed to the words on the > > > document. The signature provides evidence of Alice's intentions. (This is > > > a simplification. With a few exceptions, you can't take a signed document > > > into court and argue that Alice signed it. You have to get Alice to > > > testify that she signed it, or bring handwriting experts in and then it's > > > your word against hers. That's why notarized signatures are used in many > > > circumstances.) > > > > > > When the same judge sees a digital signature, he doesn't know anything > > > about Alice's intentions. He doesn't know if Alice agreed to the document, > > > or even if she ever saw it. > > > > > > The problem is that while a digital signature authenticates the document up > > > to the point of the signing computer, it doesn't authenticate the link > > > between that computer and Alice. This is a subtle point. For years, I > > > would explain the mathematics of digital signatures with sentences like: > > > "The signer computes a digital signature of message m by computing m^e mod > > > n." This is complete nonsense. I have digitally signed thousands of > > > electronic documents, and I have never computed m^e mod n in my entire > > > life. My computer makes that calculation. I am not signing anything; my > > > computer is. > > > > > > PGP is a good example. This e-mail security program lets me digitally sign > > > my messages. The user interface is simple: when I want to sign a message I > > > select the appropriate menu item, enter my passphrase into a dialog box, > > > and click "OK." The program decrypts the private key with the passphrase, > > > and then calculates the digital signature and appends it to my > > > e-mail. Whether I like it or not, it is a complete article of faith on my > > > part that PGP calculates a valid digital signature. It is an article of > > > faith that PGP signs the message I intend it to. It is an article of faith > > > that PGP doesn't ship a copy of my private key to someone else, who can > > > then sign whatever he wants in my name. > > > > > > I don't mean to malign PGP. It's a good program, and if it is working > > > properly it will indeed sign what I intended to sign. But someone could > > > easily write a rogue version of the program that displays one message on > > > the screen and signs another. Someone could write a Back Orifice plug-in > > > that captures my private key and signs documents without my consent or > > > knowledge. We've already seen one computer virus that attempts to steal > > > PGP private keys; nastier variants are certainly possible. > > > > > > The mathematics of cryptography, no matter how strong, cannot bridge the > > > gap between me and my computer. Because the computer is not trusted, I > > > cannot rely on it to show me what it is doing or do what I tell it > > > to. Checking the calculation afterwards doesn't help; the untrusted > > > computer can't be relied upon to check the calculations properly. It > > > wouldn't help to verify the code, because the untrusted computer is running > > > the code (and probably doing the verification). It wouldn't even help to > > > store the digital signature key in a secure module: the module still has to > > > rely on the untrusted computer for input and output. > > > > > > None of this bodes well for digital signatures. Imagine Alice in court, > > > answering questions about a document she signed. "I never saw it," she > > > says. "Yes, the mathematics does prove that my private key signed the > > > document, but I never saw it." And then an expert witness like myself is > > > called to the stand, who explains to the judge that it is possible that > > > Alice never saw the document, that programs can be written to sign > > > documents without Alice's knowledge, and that Alice's digital signature > > > doesn't really mean anything about Alice's intentions. > > > > > > Solving this problem requires a trusted signing computer. If Alice had a > > > small hand-held computer, with its own screen and keyboard, she could view > > > documents on that screen and sign them with that keyboard. As long as the > > > signing computer is trusted, her signatures are trusted. (But problems > > > remain. Viewing a Microsoft Word document, for example, generally involves > > > the very software most responsible for welcoming a virus into the > > > computer.) In this case we're no longer relying on the mathematics for > > > security, but instead the hardware and software security of that trusted > > > computer. > > > > > > This is not to say that digital signatures are useless. There are many > > > instances where the insecurities discussed here are not relevant, or where > > > the dollar value of the signatures is small enough not to warrant worrying > > > about them. There are also instances where authenticating to the signing > > > computer is good enough, and where no further authentication is > > > required. And there are instances where real-world relationships can > > > obviate the legal requirements that digital signatures have been asked to > > > satisfy. > > > > > > Digital signatures prove, mathematically, that a secret value known as the > > > private key was present in a computer at the time Alice's signature was > > > calculated. It is a small step from that to assume that Alice entered that > > > key into the computer at the time of signing. But it is a much larger step > > > to assume that Alice intended a particular document to be signed. And > > > without a tamperproof computer trusted by Alice, you can expect "digital > > > signature experts" to show up in court contesting a lot of digital > > >signatures. > > > > > > Comments on the new federal digital signature law: > > > <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2635346,00.html> > > > (multipage, don't miss the others) > > > <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2634368,00.html> > > > <http://www.infoworld.com:80/articles/hn/xml/00/10/02/001002hnesign.xml> > > > <http://www.pioneerplanet.com/tech/tcv_docs/028992.htm> > > > > > > A survey of laws in various states and countries: > > > <http://rechten.kub.nl/simone/DS-LAWSU.HTM> > > > > -- > > ----------------- > > R. A. Hettinga <mailto: [EMAIL PROTECTED]> > > The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> > > 44 Farquhar Street, Boston, MA 02131 USA > > "... however it may deserve respect for its usefulness and antiquity, > > [predicting the end of the world] has not been found agreeable to > > experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' > > --- end forwarded text > > > -- > ----------------- > R. A. Hettinga <mailto: [EMAIL PROTECTED]> > The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> > 44 Farquhar Street, Boston, MA 02131 USA > "... however it may deserve respect for its usefulness and antiquity, > [predicting the end of the world] has not been found agreeable to > experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' >
