CDR: Schneier: Why Digital Signatures are not Signatures (was Re: CRYPTO-GRAM, November 15, 2000)

R. A. Hettinga rah at shipwright.com
Wed Nov 15 19:51:06 PST 2000


At 5:58 PM -0600 on 11/15/00, Bruce Schneier wrote:


>     Why Digital Signatures Are Not Signatures
>
>
>
> When first invented in the 1970s, digital signatures made an amazing
> promise: better than a handwritten signature -- unforgeable and uncopyable
> -- on a document.  Today, they are a fundamental component of business in
> cyberspace.  And numerous laws, state and now federal, have codified
> digital signatures into law.
>
> These laws are a mistake.  Digital signatures are not signatures, and they
> can't fulfill their promise.  Understanding why requires understanding how
> they work.
>
> The math is complex, but the mechanics are simple.  Alice knows a secret,
> called a private key.  When she wants to "sign" a document (or a message,
> or any bucket of bits), she performs a mathematical calculation using the
> document and her private key; then she appends the results of that
> calculation -- called the "signature" -- to the document.  Anyone can
> "verify" the signature by performing a different calculation with the
> message and Alice's public key, which is publicly available.  If the
> verification calculation checks out then Alice must have signed the
> document, because only she knows her own private key.
>
> Mathematically, it works beautifully.  Semantically, it fails
> miserably.  There's nothing in the description above that constitutes
> signing.  In fact, calling whatever Alice creates a "digital signature" was
> probably the most unfortunate nomenclature mistake in the history of
> cryptography.
>
> In law, a signature serves to indicate agreement to, or at least
> acknowledgment of, the document signed.  When a judge sees a paper document
> signed by Alice, he knows that Alice held the document in her hands, and
> has reason to believe that Alice read and agreed to the words on the
> document.  The signature provides evidence of Alice's intentions.  (This is
> a simplification.  With a few exceptions, you can't take a signed document
> into court and argue that Alice signed it.  You have to get Alice to
> testify that she signed it, or bring handwriting experts in and then it's
> your word against hers.  That's why notarized signatures are used in many
> circumstances.)
>
> When the same judge sees a digital signature, he doesn't know anything
> about Alice's intentions.  He doesn't know if Alice agreed to the document,
> or even if she ever saw it.
>
> The problem is that while a digital signature authenticates the document up
> to the point of the signing computer, it doesn't authenticate the link
> between that computer and Alice.  This is a subtle point.  For years, I
> would explain the mathematics of digital signatures with sentences like:
> "The signer computes a digital signature of message m by computing m^e mod
> n."  This is complete nonsense.  I have digitally signed thousands of
> electronic documents, and I have never computed m^e mod n in my entire
> life.  My computer makes that calculation.  I am not signing anything; my
> computer is.
>
> PGP is a good example.  This e-mail security program lets me digitally sign
> my messages.  The user interface is simple: when I want to sign a message I
> select the appropriate menu item, enter my passphrase into a dialog box,
> and click "OK."  The program decrypts the private key with the passphrase,
> and then calculates the digital signature and appends it to my
> e-mail.  Whether I like it or not, it is a complete article of faith on my
> part that PGP calculates a valid digital signature.  It is an article of
> faith that PGP signs the message I intend it to.  It is an article of faith
> that PGP doesn't ship a copy of my private key to someone else, who can
> then sign whatever he wants in my name.
>
> I don't mean to malign PGP.  It's a good program, and if it is working
> properly it will indeed sign what I intended to sign.  But someone could
> easily write a rogue version of the program that displays one message on
> the screen and signs another.  Someone could write a Back Orifice plug-in
> that captures my private key and signs documents without my consent or
> knowledge.  We've already seen one computer virus that attempts to steal
> PGP private keys; nastier variants are certainly possible.
>
> The mathematics of cryptography, no matter how strong, cannot bridge the
> gap between me and my computer.  Because the computer is not trusted, I
> cannot rely on it to show me what it is doing or do what I tell it
> to.  Checking the calculation afterwards doesn't help; the untrusted
> computer can't be relied upon to check the calculations properly.  It
> wouldn't help to verify the code, because the untrusted computer is running
> the code (and probably doing the verification).  It wouldn't even help to
> store the digital signature key in a secure module: the module still has to
> rely on the untrusted computer for input and output.
>
> None of this bodes well for digital signatures.  Imagine Alice in court,
> answering questions about a document she signed.  "I never saw it," she
> says.  "Yes, the mathematics does prove that my private key signed the
> document, but I never saw it."  And then an expert witness like myself is
> called to the stand, who explains to the judge that it is possible that
> Alice never saw the document, that programs can be written to sign
> documents without Alice's knowledge, and that Alice's digital signature
> doesn't really mean anything about Alice's intentions.
>
> Solving this problem requires a trusted signing computer.  If Alice had a
> small hand-held computer, with its own screen and keyboard, she could view
> documents on that screen and sign them with that keyboard.  As long as the
> signing computer is trusted, her signatures are trusted.  (But problems
> remain.  Viewing a Microsoft Word document, for example, generally involves
> the very software most responsible for welcoming a virus into the
> computer.)  In this case we're no longer relying on the mathematics for
> security, but instead the hardware and software security of that trusted
> computer.
>
> This is not to say that digital signatures are useless.  There are many
> instances where the insecurities discussed here are not relevant, or where
> the dollar value of the signatures is small enough not to warrant worrying
> about them.  There are also instances where authenticating to the signing
> computer is good enough, and where no further authentication is
> required.  And there are instances where real-world relationships can
> obviate the legal requirements that digital signatures have been asked to
> satisfy.
>
> Digital signatures prove, mathematically, that a secret value known as the
> private key was present in a computer at the time Alice's signature was
> calculated.  It is a small step from that to assume that Alice entered that
> key into the computer at the time of signing.  But it is a much larger step
> to assume that Alice intended a particular document to be signed.  And
> without a tamperproof computer trusted by Alice, you can expect "digital
> signature experts" to show up in court contesting a lot of digital
> signatures.
>
> Comments on the new federal digital signature law:
> <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2635346,00.html>
> (multipage, don't miss the others)
> <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2634368,00.html>
> <http://www.infoworld.com:80/articles/hn/xml/00/10/02/001002hnesign.xml>
> <http://www.pioneerplanet.com/tech/tcv_docs/028992.htm>
>
> A survey of laws in various states and countries:
> <http://rechten.kub.nl/simone/DS-LAWSU.HTM>

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
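The mechanics Schneier describes, as an added example that is not part of the original post or Crypto-Gram: a toy textbook RSA signature (private exponent to sign, public exponent to verify, the m^e mod n calculation the essay mentions) over a SHA-256 digest. The key parameters, the document strings and the function names are constructed for illustration; the point it shows is that verify() takes only bytes, a number and a public key, so it can prove which bytes the private key signed and nothing about what was on the screen.

```python
import hashlib
from math import gcd

# Toy textbook RSA over two Mersenne primes (constructed for this example:
# far too small and unpadded for real use, but it is exactly the
# "calculation with the private key" / "m^e mod n" mechanics the essay describes).
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1      # E must be invertible mod PHI
D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def digest(document: bytes) -> int:
    """Reduce a document to an integer below N: this is what actually gets signed."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(private_key, document: bytes) -> int:
    """What Alice's computer does: h(document)^d mod n over whatever bytes it was handed."""
    n, d = private_key
    return pow(digest(document), d, n)


def verify(public_key, document: bytes, signature: int) -> bool:
    """The judge's check: signature^e mod n == h(document).
    Note the inputs: bytes, a number and a public key. There is no
    channel for what Alice saw or intended; only the bytes are bound."""
    n, e = public_key
    return pow(signature, e, n) == digest(document)


def demonstrate() -> dict:
    """The essay's courtroom scenario in miniature: the displayed text and
    the signed bytes differ, and verification can only report on the bytes."""
    shown = b"I agree to pay 10 dollars."       # constructed: what the screen displayed
    signed = b"I agree to pay 10000 dollars."   # constructed: what the software actually signed
    sig = sign(PRIVATE_KEY, signed)
    return {
        "matches_signed_bytes": verify(PUBLIC_KEY, signed, sig),  # True: the key signed these
        "matches_shown_bytes": verify(PUBLIC_KEY, shown, sig),    # False: nothing ties sig to the display
    }
```

Run demonstrate() to see both results; the mathematics is right in both cases, which is precisely why it says nothing about intent.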