CDR: Re: Schneier: Why Digital Signatures are not Signatures (was Re: CRYPTO-GRAM, November 15, 2000)

Declan McCullagh declan at well.com
Wed Nov 15 22:12:24 PST 2000


Bruce's article is well-written, but it covers ground already
well-trodden by others. Moreover, most, if not all, of his points
apply to data-scrambling encryption applications on the same computer.

Still, maybe it'll raise the visibility of this problem.

-Declan


On Wed, Nov 15, 2000 at 10:51:06PM -0500, R. A. Hettinga wrote:
> At 5:58 PM -0600 on 11/15/00, Bruce Schneier wrote:
> 
> 
> >     Why Digital Signatures Are Not Signatures
> >
> >
> >
> > When first invented in the 1970s, digital signatures made an amazing
> > promise: better than a handwritten signature -- unforgeable and uncopyable
> > -- on a document.  Today, they are a fundamental component of business in
> > cyberspace.  And numerous laws, state and now federal, have codified
> > digital signatures into law.
> >
> > These laws are a mistake.  Digital signatures are not signatures, and they
> > can't fulfill their promise.  Understanding why requires understanding how
> > they work.
> >
> > The math is complex, but the mechanics are simple.  Alice knows a secret,
> > called a private key.  When she wants to "sign" a document (or a message,
> > or any bucket of bits), she performs a mathematical calculation using the
> > document and her private key; then she appends the results of that
> > calculation -- called the "signature" -- to the document.  Anyone can
> > "verify" the signature by performing a different calculation with the
> > message and Alice's public key, which is publicly available.  If the
> > verification calculation checks out then Alice must have signed the
> > document, because only she knows her own private key.
> >
> > Mathematically, it works beautifully.  Semantically, it fails
> > miserably.  There's nothing in the description above that constitutes
> > signing.  In fact, calling whatever Alice creates a "digital signature" was
> > probably the most unfortunate nomenclature mistake in the history of
> > cryptography.
> >
> > In law, a signature serves to indicate agreement to, or at least
> > acknowledgment of, the document signed.  When a judge sees a paper document
> > signed by Alice, he knows that Alice held the document in her hands, and
> > has reason to believe that Alice read and agreed to the words on the
> > document.  The signature provides evidence of Alice's intentions.  (This is
> > a simplification.  With a few exceptions, you can't take a signed document
> > into court and argue that Alice signed it.  You have to get Alice to
> > testify that she signed it, or bring handwriting experts in and then it's
> > your word against hers.  That's why notarized signatures are used in many
> > circumstances.)
> >
> > When the same judge sees a digital signature, he doesn't know anything
> > about Alice's intentions.  He doesn't know if Alice agreed to the document,
> > or even if she ever saw it.
> >
> > The problem is that while a digital signature authenticates the document up
> > to the point of the signing computer, it doesn't authenticate the link
> > between that computer and Alice.  This is a subtle point.  For years, I
> > would explain the mathematics of digital signatures with sentences like:
> > "The signer computes a digital signature of message m by computing m^e mod
> > n."  This is complete nonsense.  I have digitally signed thousands of
> > electronic documents, and I have never computed m^e mod n in my entire
> > life.  My computer makes that calculation.  I am not signing anything; my
> > computer is.
> >
> > PGP is a good example.  This e-mail security program lets me digitally sign
> > my messages.  The user interface is simple: when I want to sign a message I
> > select the appropriate menu item, enter my passphrase into a dialog box,
> > and click "OK."  The program decrypts the private key with the passphrase,
> > and then calculates the digital signature and appends it to my
> > e-mail.  Whether I like it or not, it is a complete article of faith on my
> > part that PGP calculates a valid digital signature.  It is an article of
> > faith that PGP signs the message I intend it to.  It is an article of faith
> > that PGP doesn't ship a copy of my private key to someone else, who can
> > then sign whatever he wants in my name.
> >
> > I don't mean to malign PGP.  It's a good program, and if it is working
> > properly it will indeed sign what I intended to sign.  But someone could
> > easily write a rogue version of the program that displays one message on
> > the screen and signs another.  Someone could write a Back Orifice plug-in
> > that captures my private key and signs documents without my consent or
> > knowledge.  We've already seen one computer virus that attempts to steal
> > PGP private keys; nastier variants are certainly possible.
> >
> > The mathematics of cryptography, no matter how strong, cannot bridge the
> > gap between me and my computer.  Because the computer is not trusted, I
> > cannot rely on it to show me what it is doing or do what I tell it
> > to.  Checking the calculation afterwards doesn't help; the untrusted
> > computer can't be relied upon to check the calculations properly.  It
> > wouldn't help to verify the code, because the untrusted computer is running
> > the code (and probably doing the verification).  It wouldn't even help to
> > store the digital signature key in a secure module: the module still has to
> > rely on the untrusted computer for input and output.
> >
> > None of this bodes well for digital signatures.  Imagine Alice in court,
> > answering questions about a document she signed.  "I never saw it," she
> > says.  "Yes, the mathematics does prove that my private key signed the
> > document, but I never saw it."  And then an expert witness like myself is
> > called to the stand, who explains to the judge that it is possible that
> > Alice never saw the document, that programs can be written to sign
> > documents without Alice's knowledge, and that Alice's digital signature
> > doesn't really mean anything about Alice's intentions.
> >
> > Solving this problem requires a trusted signing computer.  If Alice had a
> > small hand-held computer, with its own screen and keyboard, she could view
> > documents on that screen and sign them with that keyboard.  As long as the
> > signing computer is trusted, her signatures are trusted.  (But problems
> > remain.  Viewing a Microsoft Word document, for example, generally involves
> > the very software most responsible for welcoming a virus into the
> > computer.)  In this case we're no longer relying on the mathematics for
> > security, but instead the hardware and software security of that trusted
> > computer.
> >
> > This is not to say that digital signatures are useless.  There are many
> > instances where the insecurities discussed here are not relevant, or where
> > the dollar value of the signatures is small enough not to warrant worrying
> > about them.  There are also instances where authenticating to the signing
> > computer is good enough, and where no further authentication is
> > required.  And there are instances where real-world relationships can
> > obviate the legal requirements that digital signatures have been asked to
> > satisfy.
> >
> > Digital signatures prove, mathematically, that a secret value known as the
> > private key was present in a computer at the time Alice's signature was
> > calculated.  It is a small step from that to assume that Alice entered that
> > key into the computer at the time of signing.  But it is a much larger step
> > to assume that Alice intended a particular document to be signed.  And
> > without a tamperproof computer trusted by Alice, you can expect "digital
> > signature experts" to show up in court contesting a lot of digital
> > signatures.
> >
> > Comments on the new federal digital signature law:
> > <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2635346,00.html>
> > (multipage, don't miss the others)
> > <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2634368,00.html>
> > <http://www.infoworld.com:80/articles/hn/xml/00/10/02/001002hnesign.xml>
> > <http://www.pioneerplanet.com/tech/tcv_docs/028992.htm>
> >
> > A survey of laws in various states and countries:
> > <http://rechten.kub.nl/simone/DS-LAWSU.HTM>
> 
> -- 
> -----------------
> R. A. Hettinga <mailto: rah at ibuc.com>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
> 
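
Added example, not part of the original messages: the sign/verify mechanics the quoted article describes, as textbook RSA over a SHA-256 digest, showing that verification takes only the bytes, the signature and the public key. The toy key, the sample texts and the `signing_host` model are constructed for illustration.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes (illustration only:
# far too small for real use, and textbook RSA has no padding).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, "Alice's secret"


def digest(document: bytes) -> int:
    """Map the document bytes to an integer below N."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes) -> int:
    """What the signing computer calculates with the private key."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """What anyone can check with the public key (N, E)."""
    return pow(signature, E, N) == digest(document)


def signing_host(displayed: bytes, handed_to_signer: bytes) -> dict:
    """Hypothetical model of the signing computer: what it showed Alice is
    one value, what it fed to sign() is another, and only the second one
    leaves the machine."""
    return {"document": handed_to_signer, "signature": sign(handed_to_signer)}


def demo() -> dict:
    seen = b"Pay Bob $10"        # constructed sample text
    other = b"Pay Bob $10,000"   # constructed sample text
    honest = signing_host(seen, seen)
    mismatched = signing_host(seen, other)
    return {
        # Both outputs verify: the check covers the bytes and the key only.
        "honest_verifies": verify(honest["document"], honest["signature"]),
        "mismatched_verifies": verify(mismatched["document"], mismatched["signature"]),
        # The signature is bound to the signed bytes, so it does not transfer.
        "sig_on_seen_text": verify(seen, mismatched["signature"]),
        # Nothing in the verifier's inputs records what was displayed.
        "verifier_inputs": sorted(mismatched),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier cannot tell the two cases apart, which is why the article's remedy is a trusted display and input path on the signing device rather than stronger mathematics.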




