Bruce's article is well-written, but it covers ground already
well-trodden by others. Moreover, most, if not all, of his points
apply to data-scrambling encryption applications on the same computer.
Still, maybe it'll raise the visibility of this problem.
-Declan
On Wed, Nov 15, 2000 at 10:51:06PM -0500, R. A. Hettinga wrote:
> At 5:58 PM -0600 on 11/15/00, Bruce Schneier wrote:
>
>
> > Why Digital Signatures Are Not Signatures
> >
> >
> >
> > When first invented in the 1970s, digital signatures made an amazing
> > promise: better than a handwritten signature -- unforgeable and uncopyable
> > -- on a document. Today, they are a fundamental component of business in
> > cyberspace. And numerous laws, state and now federal, have codified
> > digital signatures into law.
> >
> > These laws are a mistake. Digital signatures are not signatures, and they
> > can't fulfill their promise. Understanding why requires understanding how
> > they work.
> >
> > The math is complex, but the mechanics are simple. Alice knows a secret,
> > called a private key. When she wants to "sign" a document (or a message,
> > or any bucket of bits), she performs a mathematical calculation using the
> > document and her private key; then she appends the results of that
> > calculation -- called the "signature" -- to the document. Anyone can
> > "verify" the signature by performing a different calculation with the
> > message and Alice's public key, which is publicly available. If the
> > verification calculation checks out then Alice must have signed the
> > document, because only she knows her own private key.
> >
> > Mathematically, it works beautifully. Semantically, it fails
> > miserably. There's nothing in the description above that constitutes
> > signing. In fact, calling whatever Alice creates a "digital signature" was
> > probably the most unfortunate nomenclature mistake in the history of
> > cryptography.
> >
> > In law, a signature serves to indicate agreement to, or at least
> > acknowledgment of, the document signed. When a judge sees a paper document
> > signed by Alice, he knows that Alice held the document in her hands, and
> > has reason to believe that Alice read and agreed to the words on the
> > document. The signature provides evidence of Alice's intentions. (This is
> > a simplification. With a few exceptions, you can't take a signed document
> > into court and argue that Alice signed it. You have to get Alice to
> > testify that she signed it, or bring handwriting experts in and then it's
> > your word against hers. That's why notarized signatures are used in many
> > circumstances.)
> >
> > When the same judge sees a digital signature, he doesn't know anything
> > about Alice's intentions. He doesn't know if Alice agreed to the document,
> > or even if she ever saw it.
> >
> > The problem is that while a digital signature authenticates the document up
> > to the point of the signing computer, it doesn't authenticate the link
> > between that computer and Alice. This is a subtle point. For years, I
> > would explain the mathematics of digital signatures with sentences like:
> > "The signer computes a digital signature of message m by computing m^e mod
> > n." This is complete nonsense. I have digitally signed thousands of
> > electronic documents, and I have never computed m^e mod n in my entire
> > life. My computer makes that calculation. I am not signing anything; my
> > computer is.
> >
> > PGP is a good example. This e-mail security program lets me digitally sign
> > my messages. The user interface is simple: when I want to sign a message I
> > select the appropriate menu item, enter my passphrase into a dialog box,
> > and click "OK." The program decrypts the private key with the passphrase,
> > and then calculates the digital signature and appends it to my
> > e-mail. Whether I like it or not, it is a complete article of faith on my
> > part that PGP calculates a valid digital signature. It is an article of
> > faith that PGP signs the message I intend it to. It is an article of faith
> > that PGP doesn't ship a copy of my private key to someone else, who can
> > then sign whatever he wants in my name.
> >
> > I don't mean to malign PGP. It's a good program, and if it is working
> > properly it will indeed sign what I intended to sign. But someone could
> > easily write a rogue version of the program that displays one message on
> > the screen and signs another. Someone could write a Back Orifice plug-in
> > that captures my private key and signs documents without my consent or
> > knowledge. We've already seen one computer virus that attempts to steal
> > PGP private keys; nastier variants are certainly possible.
> >
> > The mathematics of cryptography, no matter how strong, cannot bridge the
> > gap between me and my computer. Because the computer is not trusted, I
> > cannot rely on it to show me what it is doing or do what I tell it
> > to. Checking the calculation afterwards doesn't help; the untrusted
> > computer can't be relied upon to check the calculations properly. It
> > wouldn't help to verify the code, because the untrusted computer is running
> > the code (and probably doing the verification). It wouldn't even help to
> > store the digital signature key in a secure module: the module still has to
> > rely on the untrusted computer for input and output.
> >
> > None of this bodes well for digital signatures. Imagine Alice in court,
> > answering questions about a document she signed. "I never saw it," she
> > says. "Yes, the mathematics does prove that my private key signed the
> > document, but I never saw it." And then an expert witness like myself is
> > called to the stand, who explains to the judge that it is possible that
> > Alice never saw the document, that programs can be written to sign
> > documents without Alice's knowledge, and that Alice's digital signature
> > doesn't really mean anything about Alice's intentions.
> >
> > Solving this problem requires a trusted signing computer. If Alice had a
> > small hand-held computer, with its own screen and keyboard, she could view
> > documents on that screen and sign them with that keyboard. As long as the
> > signing computer is trusted, her signatures are trusted. (But problems
> > remain. Viewing a Microsoft Word document, for example, generally involves
> > the very software most responsible for welcoming a virus into the
> > computer.) In this case we're no longer relying on the mathematics for
> > security, but instead the hardware and software security of that trusted
> > computer.
> >
> > This is not to say that digital signatures are useless. There are many
> > instances where the insecurities discussed here are not relevant, or where
> > the dollar value of the signatures is small enough not to warrant worrying
> > about them. There are also instances where authenticating to the signing
> > computer is good enough, and where no further authentication is
> > required. And there are instances where real-world relationships can
> > obviate the legal requirements that digital signatures have been asked to
> > satisfy.
> >
> > Digital signatures prove, mathematically, that a secret value known as the
> > private key was present in a computer at the time Alice's signature was
> > calculated. It is a small step from that to assume that Alice entered that
> > key into the computer at the time of signing. But it is a much larger step
> > to assume that Alice intended a particular document to be signed. And
> > without a tamperproof computer trusted by Alice, you can expect "digital
> > signature experts" to show up in court contesting a lot of digital
> >signatures.
> >
> > Comments on the new federal digital signature law:
> > <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2635346,00.html>
> > (multipage, don't miss the others)
> > <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2634368,00.html>
> > <http://www.infoworld.com:80/articles/hn/xml/00/10/02/001002hnesign.xml>
> > <http://www.pioneerplanet.com/tech/tcv_docs/028992.htm>
> >
> > A survey of laws in various states and countries:
> > <http://rechten.kub.nl/simone/DS-LAWSU.HTM>
>
> --
> -----------------
> R. A. Hettinga <mailto: [EMAIL PROTECTED]>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
>