Schneier: When is a Signature not a Signature? When it's a chad.

Somebody Somebody
Thu Nov 16 10:09:43 PST 2000


Bruce falls into the same error he points out: attempting
to divine intent rigorously.  In fact there are lots of ways
humans have agreed to evidence agreement, and none of
them are tamper proof.  Much of the corporate
world runs on electronically printed signatures for checks,
there is a long and illustrious history of signet rings and
carved chops being used as contractual evidence...  His
argument is equivalent to saying that we should not accept
a corporate check because the computer room could
have been hacked, or that King X should not accept the
seal of King Y because his nemesis might have snuck in
at night and borrowed it from his finger while he slept,
or that Wu-san's chop had been copied by an expert
carver.  (And I'm certain such events have in fact occurred.)

I think his only valid point is that digital signatures are
not somehow better.  What they do provide are
1) an interesting possibility for _remote_ contracting, and
2) a way for computing machinery to do things analogous
to humans contracting with each other.
Both of these are important and will likely yield lots of
exciting new applications.

Bruce should keep in mind that the Digital Signature Law
recently enacted basically says that no signature will be
deemed invalid _purely_ because it is electronic in nature.
It doesn't say that computation of m^e mod n constitutes
Alice's intent to sign.  It does say that if Alice and Bob
agree to use such a digital mechanism to evidence intent,
then they may.

And just as we are learning this week that a "vote" is
a more ambiguous concept than we may have intuitively
thought, a "signature" has _never_ been a black-and-white
expression of human intent, simply one piece of evidence
in a sometimes cluttered, occasionally fraudulent, and
always contestable world.

"R. A. Hettinga" wrote:

> At 5:58 PM -0600 on 11/15/00, Bruce Schneier wrote:
>
> >     Why Digital Signatures Are Not Signatures
> >
> >
> >
> > When first invented in the 1970s, digital signatures made an amazing
> > promise: better than a handwritten signature -- unforgeable and uncopyable
> > -- on a document.  Today, they are a fundamental component of business in
> > cyberspace.  And numerous laws, state and now federal, have codified
> > digital signatures into law.
> >
> > These laws are a mistake.  Digital signatures are not signatures, and they
> > can't fulfill their promise.  Understanding why requires understanding how
> > they work.
> >
> > The math is complex, but the mechanics are simple.  Alice knows a secret,
> > called a private key.  When she wants to "sign" a document (or a message,
> > or any bucket of bits), she performs a mathematical calculation using the
> > document and her private key; then she appends the results of that
> > calculation -- called the "signature" -- to the document.  Anyone can
> > "verify" the signature by performing a different calculation with the
> > message and Alice's public key, which is publicly available.  If the
> > verification calculation checks out then Alice must have signed the
> > document, because only she knows her own private key.
> >
> > Mathematically, it works beautifully.  Semantically, it fails
> > miserably.  There's nothing in the description above that constitutes
> > signing.  In fact, calling whatever Alice creates a "digital signature" was
> > probably the most unfortunate nomenclature mistake in the history of
> > cryptography.
> >
> > In law, a signature serves to indicate agreement to, or at least
> > acknowledgment of, the document signed.  When a judge sees a paper document
> > signed by Alice, he knows that Alice held the document in her hands, and
> > has reason to believe that Alice read and agreed to the words on the
> > document.  The signature provides evidence of Alice's intentions.  (This is
> > a simplification.  With a few exceptions, you can't take a signed document
> > into court and argue that Alice signed it.  You have to get Alice to
> > testify that she signed it, or bring handwriting experts in and then it's
> > your word against hers.  That's why notarized signatures are used in many
> > circumstances.)
> >
> > When the same judge sees a digital signature, he doesn't know anything
> > about Alice's intentions.  He doesn't know if Alice agreed to the document,
> > or even if she ever saw it.
> >
> > The problem is that while a digital signature authenticates the document up
> > to the point of the signing computer, it doesn't authenticate the link
> > between that computer and Alice.  This is a subtle point.  For years, I
> > would explain the mathematics of digital signatures with sentences like:
> > "The signer computes a digital signature of message m by computing m^e mod
> > n."  This is complete nonsense.  I have digitally signed thousands of
> > electronic documents, and I have never computed m^e mod n in my entire
> > life.  My computer makes that calculation.  I am not signing anything; my
> > computer is.
> >
> > PGP is a good example.  This e-mail security program lets me digitally sign
> > my messages.  The user interface is simple: when I want to sign a message I
> > select the appropriate menu item, enter my passphrase into a dialog box,
> > and click "OK."  The program decrypts the private key with the passphrase,
> > and then calculates the digital signature and appends it to my
> > e-mail.  Whether I like it or not, it is a complete article of faith on my
> > part that PGP calculates a valid digital signature.  It is an article of
> > faith that PGP signs the message I intend it to.  It is an article of faith
> > that PGP doesn't ship a copy of my private key to someone else, who can
> > then sign whatever he wants in my name.
> >
> > I don't mean to malign PGP.  It's a good program, and if it is working
> > properly it will indeed sign what I intended to sign.  But someone could
> > easily write a rogue version of the program that displays one message on
> > the screen and signs another.  Someone could write a Back Orifice plug-in
> > that captures my private key and signs documents without my consent or
> > knowledge.  We've already seen one computer virus that attempts to steal
> > PGP private keys; nastier variants are certainly possible.
> >
> > The mathematics of cryptography, no matter how strong, cannot bridge the
> > gap between me and my computer.  Because the computer is not trusted, I
> > cannot rely on it to show me what it is doing or do what I tell it
> > to.  Checking the calculation afterwards doesn't help; the untrusted
> > computer can't be relied upon to check the calculations properly.  It
> > wouldn't help to verify the code, because the untrusted computer is running
> > the code (and probably doing the verification).  It wouldn't even help to
> > store the digital signature key in a secure module: the module still has to
> > rely on the untrusted computer for input and output.
> >
> > None of this bodes well for digital signatures.  Imagine Alice in court,
> > answering questions about a document she signed.  "I never saw it," she
> > says.  "Yes, the mathematics does prove that my private key signed the
> > document, but I never saw it."  And then an expert witness like myself is
> > called to the stand, who explains to the judge that it is possible that
> > Alice never saw the document, that programs can be written to sign
> > documents without Alice's knowledge, and that Alice's digital signature
> > doesn't really mean anything about Alice's intentions.
> >
> > Solving this problem requires a trusted signing computer.  If Alice had a
> > small hand-held computer, with its own screen and keyboard, she could view
> > documents on that screen and sign them with that keyboard.  As long as the
> > signing computer is trusted, her signatures are trusted.  (But problems
> > remain.  Viewing a Microsoft Word document, for example, generally involves
> > the very software most responsible for welcoming a virus into the
> > computer.)  In this case we're no longer relying on the mathematics for
> > security, but instead the hardware and software security of that trusted
> > computer.
> >
> > This is not to say that digital signatures are useless.  There are many
> > instances where the insecurities discussed here are not relevant, or where
> > the dollar value of the signatures is small enough not to warrant worrying
> > about them.  There are also instances where authenticating to the signing
> > computer is good enough, and where no further authentication is
> > required.  And there are instances where real-world relationships can
> > obviate the legal requirements that digital signatures have been asked to
> > satisfy.
> >
> > Digital signatures prove, mathematically, that a secret value known as the
> > private key was present in a computer at the time Alice's signature was
> > calculated.  It is a small step from that to assume that Alice entered that
> > key into the computer at the time of signing.  But it is a much larger step
> > to assume that Alice intended a particular document to be signed.  And
> > without a tamperproof computer trusted by Alice, you can expect "digital
> > signature experts" to show up in court contesting a lot of digital
> > signatures.
> >
> > Comments on the new federal digital signature law:
> > <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2635346,00.html>
> > (multipage, don't miss the others)
> > <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2634368,00.html>
> > <http://www.infoworld.com:80/articles/hn/xml/00/10/02/001002hnesign.xml>
> > <http://www.pioneerplanet.com/tech/tcv_docs/028992.htm>
> >
> > A survey of laws in various states and countries:
> > <http://rechten.kub.nl/simone/DS-LAWSU.HTM>
>
> --
> -----------------
> R. A. Hettinga <mailto: rah at ibuc.com>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
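
Added illustration, not part of the original thread or the quoted essay: a small model of the essay's distinction between a key-holding secure module that depends on the host for input and output, and a hand-held signer with its own screen. The toy textbook-RSA parameters, the sample documents and every class and function name are assumptions constructed for this example.

```python
import hashlib

# Toy textbook RSA key, constructed for this example: too small and unpadded for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(doc: bytes) -> int:
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % N

def verify(doc: bytes, sig: int) -> bool:
    """Anyone can run this with the public key (N, E)."""
    return pow(sig, E, N) == digest(doc)

class SecureModule:
    """Holds the key but has no screen: it signs whatever bytes the host sends."""
    def sign(self, doc: bytes) -> int:
        return pow(digest(doc), D, N)

class HandheldSigner:
    """Holds the key and has its own screen and keyboard (modelled by `approve`)."""
    def sign(self, doc: bytes, approve):
        # The device itself renders the bytes it is about to sign.
        if not approve(doc.decode()):
            return None
        return pow(digest(doc), D, N)

def host_sign(shown: bytes, sent: bytes, device, alice):
    """Untrusted host: `shown` is what its screen displays, `sent` is what it
    forwards to the key holder. An honest host has shown == sent."""
    if isinstance(device, HandheldSigner):
        return device.sign(sent, alice)          # Alice reads the device's screen
    # Alice can only read the host's screen; the host then forwards `sent`.
    return device.sign(sent) if alice(shown.decode()) else None

def demo():
    intended = b"Pay Bob $10"                    # constructed sample documents
    other = b"Pay Bob $10,000"
    alice = lambda text: text == intended.decode()  # approves only what she intends
    sig = host_sign(intended, other, SecureModule(), alice)
    blind = (verify(other, sig), verify(intended, sig))
    refused = host_sign(intended, other, HandheldSigner(), alice)
    honest = host_sign(intended, intended, HandheldSigner(), alice)
    return blind, refused, verify(intended, honest)

if __name__ == "__main__":
    print(demo())
```

In the first case the verifier's arithmetic succeeds on a document Alice never read, which is the gap between key possession and intent that both the essay and the reply are arguing about; the second case closes it only by trusting the device's own display.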





More information about the cypherpunks-legacy mailing list