CDR: Re: Schneier: Why Digital Signatures are not Signatures (was Re: CRYPTO-GRAM, November 15, 2000)

Eric Murray ericm at lne.com
Thu Nov 16 09:52:35 PST 2000


On Thu, Nov 16, 2000 at 09:40:01AM -0500, R. A. Hettinga wrote:
> 
> At 1:12 AM -0500 on 11/16/00, Declan McCullagh wrote:
> 
> 
> > Bruce's article is well-written, but it covers ground already
> > well-trodden by others.
> 
> Certainly.
> 
> Carl Ellison, Perry Metzger, and even law professors like Jane Kauffman
> Wynn, have been saying this stuff for years.
> 
> > Moreover, most, if not all, of his points
> > apply to data-scrambling encryption applications on the same computer.
> 
> Yup.
> 
> But, frankly, you don't want to do commerce, especially finance, on a
> platform you don't have absolute control over, anyway. As Chaum and others
> point out, you want your own box, with its own I/O, and so on. Fortunately,
> falling hardware prices and miniaturization continue to accelerate apace.


What's interesting about this is that while everyone wants the
added security from a device like this, no one wants to pay for it.

I did a lot of the design for a secure smartcard keyboard that was
produced a few years ago by a company called N*Able (bought last year by
Wave Systems).  It solved the problem of trusting the PC that you shove
your smartcard into not to steal the PIN or sign something else or lie
about what you're signing.  Rather than having to trust MS (or linux)
to protect your signing keys and what you're signing, you only had to
trust our keyboard, which was designed from the beginning to be secure
(while that's not perfect, it's a heck of a lot better than trusting MS,
and good enough for commercial applications).

However, in meeting with the US banking industry, we were told in so
many words "this solves our security problems, we'd love to use it, but
we want someone else to pay for deployment".  The financial industry
sees security problems not as something to be fixed, but as a cost to
be borne.  If the cost of the security breaks is less than the cost of
the technology to fix it, or if the cost of security breaches can be
passed on to someone else, there is no reason to put a security measure
into place to fix the problem.  I believe that most financial systems
in the US operate on the second model (credit cards do
by law: loss over $50 is eaten by the merchant or sometimes the issuing
bank, to be passed back to consumers in higher prices).

I think that the force that would distribute secure signing hardware
in the US is profit: the hardware and the systems to support it would
need to cost enough less than the fraud rate that there's a profit to
be made off the difference.  Unfortunately with this type of hardware,
most of the cost is not in the hardware itself, but in the distribution,
software and support.  AmEx seems to have discovered that with "Blue":
there's no support for actual on-line payments.  In fact the company
that did the software, GlobeSET, recently folded.  So now it's a regular
credit card with a pretty gold-colored symbol on one side.  The cost
might have been worth paying for long-term customer acquisition, but it
was a bust as far as fraud reduction and security is concerned.



-- 
  Eric Murray           Consulting Security Architect         SecureDesign LLC
  http://www.securedesignllc.com                            PGP keyid:E03F65E5