Re: Sender and receiver non-repudiation

2001-07-03 Thread Lynn . Wheeler



all true

it was part of the original point ... which was that much of the writing
about security in conjunction with digital signatures  all have to do
with the responsibilities of certification authorities.

However, it is possible to have a totally insecure infrastructure with the
best certification authority along with their best policies and practices
... and still have a situation like the "Emperor's new clothes".

It is further possible to have a terrible secure infrastructure with secure
chip-card, secure public/private keys, secure display, secure processes,
along with  trusted digital signatures ... and have absolutely no
certificates.

In lots of cases, you can treat certification authorities and certificates
as totally orthogonal to the issues involved in trusting digital
signatures.

some random refs:
http://www.garlic.com/~lynn/subtopic.html#fraud
http://www.garlic.com/~lynn/subtopic.html#privacy
http://www.garlic.com/~lynn/subtopic.html#sslcerts
http://www.garlic.com/~lynn/subtopic.html#radius




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



Re: Sender and receiver non-repudiation

2001-07-03 Thread David Honig

At 08:55 AM 7/3/01 -0700, [EMAIL PROTECTED] wrote:
>signing. With digital signatures it becomes murkier ... how does somebody
>know that what they are looking at is the same thing that the computer is
>calculating a digital signature for.

Good point.  There's no way without a trusted host somewhere.  

Imagine that you scanned the paper doc, inspected it visually,
and digitally signed the image file.  Even this is succeptible to
a trojan that alters the display, alters what's printed, etc.

If you do have a little trusted island, e.g., a java button
on a ring you wear in the shower, or a PDA display you trust, 
you can often leverage this to make a trusted system.  







 






  







-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



Re: Sender and receiver non-repudiation

2001-07-03 Thread Eugene Leitl

On Tue, 3 Jul 2001 [EMAIL PROTECTED] wrote:

> there is even simpler "misappropriation" ... that of virus on the machine
> ... how do you really know what your computer is doing.

The more control you have over your machine, and the environment, the more
security you have. By hiding sensitive tasks into armored compartments you
can push this way further, making it sufficiently secure for all practical
purposes.

> with paper signatures  it is somewhat more clear-cut that the person
> signing a document ... is actually looking at the document they are
> signing. With digital signatures it becomes murkier ... how does somebody

But you are looking at a representation of a document, as rendered in the
frame buffer. If you're worried about your machine being compromised,
either use armored crypto hardware protected by clean
protocols/interfaces, or an air gap protected machine containing only the
barest OS essentials and crypto binaries, only transferring _passive_
(thanks to MS, it's essentially just plain ASCII) documents via
sneakernet.

For practical purposes you would use a smart card with a crypto processor
on it. I personally think it would be interesting to see what can be done
with polymer/OLED frame buffers printed directly on the top of a deep
embedded, which does both video and crypto directly in the framebuffer
compartment, and only talks via a fast packet switched network to the rest
of the (wearable) computer. The less code and state is in there, the less
potential for exploits.

> know that what they are looking at is the same thing that the computer is
> calculating a digital signature for.

-- Eugen* Leitl http://www.lrz.de/~ui22204/";>leitl
__
ICBMTO  : N48 10'07'' E011 33'53'' http://www.lrz.de/~ui22204
57F9CFD3: ED90 0433 EB74 E4A9 537F CFF5 86E7 629B 57F9 CFD3




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



Re: Sender and receiver non-repudiation

2001-07-03 Thread Lynn . Wheeler



there is even simpler "misappropriation" ... that of virus on the machine
... how do you really know what your computer is doing.

with paper signatures  it is somewhat more clear-cut that the person
signing a document ... is actually looking at the document they are
signing. With digital signatures it becomes murkier ... how does somebody
know that what they are looking at is the same thing that the computer is
calculating a digital signature for.

in retail situations, the burdon of proof is typically with the
institutions to disproove any claims of forged signature.

some of the draft digital signature laws (associated with certificates and
certification authorities) started out trying to move that burden of proof
to the consumer (i.e. most of the laws don't so much talk about
"non-repudiation" per se ... they talk about disputes and who has the
burden of proof and the standards for burden of proof). Some of these
somewhat implied that a certificate was sufficient proof ... somewhat
ignoring there could be thousands of foibles that might result in a digital
signature not being what the key owner expected.

business issues typically are associated with amount of risk ... aka how
hard is it to defeat or compromise some system, how hard is it to show
intent, etc.

random refs:
http://www.garlic.com/~lynn/2001g.html#25 Root Certificates
http://www.garlic.com/~lynn/aadsm5.htm#shock  revised Shocking Truth about Digital 
Signatures
http://www.garlic.com/~lynn/aadsm5.htm#shock2  revised Shocking Truth about Digital 
Signatures
http://www.garlic.com/~lynn/aadsm5.htm#ocrp3  Online Certificate Revocation Protocol
http://www.garlic.com/~lynn/aadsmore.htm#schneier  Schneier: Why Digital Signatures 
are not Signatures (was Re :CRYPTO-GRAM, November 15, 2000)
http://www.garlic.com/~lynn/ansiepay.htm#anxclean  Misc 8583 mapping cleanup
http://www.garlic.com/~lynn/2000f.html#64  Cryptogram Newsletter is off the wall?
http://www.garlic.com/~lynn/2000f.html#65  Cryptogram Newsletter is off the wall?
http://www.garlic.com/~lynn/2000g.html#34  does CA need the proof of acceptance of key 
binding ?


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



Re: Sender and receiver non-repudiation

2001-07-03 Thread Helger Lipmaa

On Tue, 3 Jul 2001, Panayiotis Kotzanikolaou wrote:

> The problem in this scheme is that Bob signs and sends the proof after
> he has received M. Bob can receive M and never send a receipt.
>
> By using a trusted delivery service, it is easy to produce
> non-repudiation evidence both for the sender and the receiver.
> Is there any cryptographic protocol that "forces" Bob to produce
> non-repudiation evidence during execution?

Answering only to this concrete question: the kind of things you want are
accomplished by contract signing protocols. A few recent papers:

Optimistic Protocols for Fair Exchange(N. Asokan, Matthis Schunter,
Michael Waidner, 1996)

Optimal Efficiency of Optimistic Contract Signing(Birgit Pfitzmann,
Matthias Schunter, Michael Waidner, PODC 98)

Optimistic synchronous multi-party contract signing(N. Asokan, Birgit
Baum-Waidner, Matthias Schunter, and Michael Waidner, dec 1998)

Asynchronous protocols for optimistic fair exchange(N. Asokan, Victor
Shoup, Michael Waidner, may 1998)

Optimistic asynchronous multi-party contract signing(Birgit Baum-Waidner
and Michael Waidner, nov 1998)

Optimistic fair exchange of digital signatures(N. Askon, Victor Shoup,
Michael Waidner, oct 1999)

Abuse-free Optimistic Contract Signing(Juan Garay, Markus Jakobsson, Phil
MacKenzie, CRYPTO '99)

Abuse-free Multi-party Contract Signing( Juan Garay, Phil MacKenzie, DISC
'99)

Provable Secure Certified Mail(Birgit Pfitzmann, Matthias Schunter,
Michael Waidner, 2000)

Analysis of Abuse-Free Contract Signing( Vitaly Shmatikov, John C.
Mitchell, 2000)

06/23/01 Optimistic Asynchronous Multi-Party Contract Signing with Reduced
Number of Rounds(Birgit Baum-Waidner, eprint 2001/044)

(you can find links to them at
http://www.tml.hut.fi/~helger/crypto/link/protocols/contract.html)

Answering more generally: it does not help you to get non-repudiation.
Nothing does, unless Bob is able to prove that you signed this document
consiously, being sober, and generally, that you MEANT to sign it.

Helger




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



Re: Sender and receiver non-repudiation

2001-07-03 Thread Dimitrios . Petropoulos


The problem you are referring to is known as 'selective receipt' (where a party 
acknowledges only messages it wishes) and generally there are two ways to overcome it:

a. make use of an incremental disclosure protocol over many rounds where in each round 
some knowledge about the message and the receipt acknowledgement are transmitted. If 
any party aborts the execution of the transaction prior to completion then both 
parties have comparable information (one party has an incomplete message and the other 
an incomplete receipt acknowledgement). This method however suffers from the fact that 
requires many rounds and also assumes the two parties have equal computational power.

b. make use of a TTP that is somehow involved in the message exchange and guarantees 
the production of evidence about the actions that have taken place. Such TTPs can be:
- inline, where all communications between the two parties go through the TTP
- online, where production of evidence requires the TTP to be online for the duration 
of the transaction, but communication between parties does not take place via the TTP
- offline, where the TTP does not need to be present during the execution of the 
transaction but is otherwise somehow involved, e.g. a Certification Authority

You might want to take a look at the following (by no means an exhaustive list):
1. ISO/IEC 10181-4. Information technology - open systems interconnection - security 
frameworks for open systems, Part 4: Non-repudiation framework, 1997.
2. ISO/IEC 13888-1. Information technology - Security techniques - Non-repudiation - 
Part 1: General, 1997.
3. ISO/IEC 13888-2. Information technology - Security techniques - Non-repudiation - 
Part 2: Mechanisms using symmetric techniques, 1998.
4. ISO/IEC 13888-3. Information technology - Security techniques - Non-repudiation - 
Part 3: Mechanisms using asymmetric techniques, 1997.
5. J. Zhou and D. Gollmann. Evidence and non-repudiation. Journal of Network and 
Computer Applications, 1997.
6. J. Zhou and D. Gollmann. A fair non-repudiation protocol. Proceedings of 1996 IEEE 
Symposium on Research in Security & Privacy, 1996
7. J. Zhou and D. Gollmann. Observations on non-repudiation. Advances in Cryptology - 
Asiacrypt 96, 1996.
8. J. Zhou and D. Gollmann. An Efficient Non-repudiation Protocol. 10th Computer 
Security Foundations Workshop, IEEE Computer Society Press, 1997.
9. T. Coffey and P. Saidha. Non-Repudiation with Mandatory Proof of Receipt. ACM 
Computer Communication Review, 26(1), 1996.

Regards,
Dimitrios Petropoulos


> It is well known that digital signatures can be used to ensure
> non-repudiation of the sender in message exchange.
>
> Say that Alice (A) sends to Bob (B) a mesage M. If Alice sends to Bob a
> signed receipt of the message sent, then Alice cannot refuse of having
> send the message.
> A-->B: M, SIGN_A(A sends M to M)
>
> Now if Bob receives the message and replies with a signed receipt
> B-->A: SIGN_B(B received M from A)
> then Bob cannot later refuse of having received the message M.
>
> The problem in this scheme is that Bob signs and sends the proof after
> he has received M. Bob can receive M and never send a receipt.
>
> By using a trusted delivery service, it is easy to produce
> non-repudiation evidence both for the sender and the receiver.
> Is there any cryptographic protocol that "forces" Bob to produce
> non-repudiation evidence during execution?
>
>
>
> [Your exposition is filled with statements lots of people might take
> issue with, like the concept that Alice "cannot" deny sending the
> message. What if Alice claims it wasn't her key, or her key was stolen
> or misappropriated, or what have you? One lesson I've learned -- you
> cannot perfect law with technology, or eliminate business risk with
> law. --Perry]
>
> -
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> [EMAIL PROTECTED]



-
Visit our Internet site at http://www.reuters.com

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



Re: Sender and receiver non-repudiation

2001-07-03 Thread Emmanouil Magkos

A 1997 paper might be of great help for you:

Asokan, Victor Shoup, and Michael Waidner. Asynchronous protocols for
optimistic fair exchange. Research Report RZ 2976 (#93022), IBM Research

www.zurich.ibm.com/csc/infosec/publications/bibliography/


In this paper, there is a trusted third party (TTP), which is used
optimistically. This means that TTP is only invoqued if something goes
wrong. Although used in the context of contract signing, this approach can
be used in the "certified delivery" context.




=
Emmanouil Magkos
Department of Informatics
University of Piraeus
185 34 Piraeus, Greece
tel (1): +30 1 2113090
tel (2): +30 1 4142134
fax: +30 1 4142264
mobile: +30 945 075815
e-mail: [EMAIL PROTECTED]
=

> It is well known that digital signatures can be used to ensure
> non-repudiation of the sender in message exchange.
>
> Say that Alice (A) sends to Bob (B) a mesage M. If Alice sends to Bob a
> signed receipt of the message sent, then Alice cannot refuse of having
> send the message.
> A-->B: M, SIGN_A(A sends M to M)
>
> Now if Bob receives the message and replies with a signed receipt
> B-->A: SIGN_B(B received M from A)
> then Bob cannot later refuse of having received the message M.
>
> The problem in this scheme is that Bob signs and sends the proof after
> he has received M. Bob can receive M and never send a receipt.
>
> By using a trusted delivery service, it is easy to produce
> non-repudiation evidence both for the sender and the receiver.
> Is there any cryptographic protocol that "forces" Bob to produce
> non-repudiation evidence during execution?
>
>
>
> [Your exposition is filled with statements lots of people might take
> issue with, like the concept that Alice "cannot" deny sending the
> message. What if Alice claims it wasn't her key, or her key was stolen
> or misappropriated, or what have you? One lesson I've learned -- you
> cannot perfect law with technology, or eliminate business risk with
> law. --Perry]
>
> -
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
[EMAIL PROTECTED]
>




-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]