TECHNOLOGY NEUTRALITY ON ELECTRONIC SIGNATURES

Ignacio Mendívil
SeguriDATA
imendi@seguridata.com

Draft 1.1

Acknowledgements. I would like to acknowledge the opinions of:

Burt Kaliski, RSA Laboratories
Neal Koblitz, University of Waterloo
Arjen K. Lenstra, Citibank
Andrew Odlyzko, AT&T Labs - Research

Disclaimer. The opinions contained in this article are attributable only to the author, unless they are quoted from a third person's opinions.

Introduction
Ground Rules
Computable Enhanced Electronic Signatures
Non-Computable Enhanced Electronic Signatures
Computable Enhanced Electronic Signatures and Technological Issues

Introduction

Technology neutrality is a firmly established legislative policy or principle: legislation must not discriminate in favor of or against a given technology. In the case of electronic signatures, technology neutrality should guard against legislative discrimination in favor of or against any particular electronic signature technique. One particular type of electronic signature, called an "Enhanced", "Advanced" or "Secure" electronic signature, has been the center of attention.
For example, UNCITRAL, in its latest draft [1], defines "electronic signature" and "enhanced electronic signature" in the following terms:

(a) "Electronic signature" means [data in electronic form in, affixed to, or logically associated with, a data message, and] [any method in relation to a data message] that may be used to identify the signature holder in relation to the data message and indicate the signature holder's approval of the information contained in the data message;

[(b) "Enhanced electronic signature" means an electronic signature in respect of which it can be shown, through the use of a [security procedure] [method], that the signature:

(i) is unique to the signature holder [for the purpose for] [within the context in] which it is used;

(ii) was created and affixed to the data message by the signature holder or using a means under the sole control of the signature holder [and not by any other person];

[(iii) was created and is linked to the data message to which it relates in a manner which provides reliable assurance as to the integrity of the message";]]

As we can see, an electronic signature (ES) can be practically anything, but an enhanced electronic signature (EES) is a much narrower concept. The definition implies a security procedure that guarantees uniqueness, sole control, and integrity.

Misunderstandings about the scope of technology neutrality, when applied to electronic signatures, have produced uses and abuses of this policy. The only systematic work in this area that I am aware of [2], the UNCITRAL texts, and anecdotal recollections from UNCITRAL readers have led me to conclude that there is a need to distinguish between science and technology. Technology neutrality should not be synonymous with scientific neutrality.

[1] UNCITRAL, Draft Uniform Rules on Electronic Signatures, 35th session.
[2] Michael S. Baum, "Technology Neutrality and Secure Electronic Commerce: Rule Making in the Age of 'Equivalence'".
The purpose of this article is to analyze the scientific alternatives that provide viable technological solutions for an EES.

Ground Rules

In order to analyze technical alternatives for an EES, some ground rules have to be set. The first question to be answered is: by what means is an EES produced and authenticated? If an EES is produced and authenticated by computerized means, then we can conclude that signing and authenticating are computable methods. If an EES can be produced and authenticated by non-computable methods, then the ground rules change dramatically.

The first scenario, the computable scenario, is certainly the most familiar. In this case an EES is produced and verified by a computer. The anecdotes narrated by Michael Baum [2], the anecdotes I have collected, the UNCITRAL texts, the original mandate from the General Assembly to UNCITRAL, and numerous articles referring to technology neutrality all strongly suggest that this is the scope of technology neutrality on electronic signatures.

The non-computable scenario is less likely; in fact it is very futuristic. For the sake of completeness, and to give "technology neutrality" the benefit of the doubt that this is the framework in which the debate should take place, this scenario is also covered by this article.

It should be clarified that biometric techniques are computational. Biometric techniques are used to identify handwritten signatures, fingerprints or retina measurements; no matter how they are collected and processed, they are collected and processed by computerized devices. Non-computable techniques have nothing to do with biometrics. By non-computable techniques I refer to natural systems, found for example in quantum mechanics, that can be used to process certain electronic phenomena directly. This has nothing to do with collecting and processing biometric data in the computer world.
Techniques such as "signature dynamics" are nothing more than computerized techniques.

Computable Enhanced Electronic Signatures

One of the most common mistakes when applying technology neutrality to electronic signatures is the notion that asymmetric or public key cryptography is a technology. It is not. Of course, specific methods, and the hardware or software that implement asymmetric cryptography, are technological tools, but asymmetric cryptography itself is a mathematical discipline, a scientific discipline, and that makes a great deal of difference.

Take for example the first idea that comes to most people's minds when they first think about functional equivalents to handwritten signatures: digitize your handwritten signature and attach it to a data message. Send it to your trading partner and you will have a serious problem. Your trading partner can now compose new data messages and attach your digitized signature to them, forging your signature. We can refine this idea of digitizing biometrics and conclude that we can find a hard-to-forge signature method fulfilling the properties of an EES. But the fundamental question is: how hard is "hard to forge"? Hard, very hard, very very hard, and so on. The fundamental question is then how feasible it is to forge a given EES method.

Mathematicians and computer scientists have systematically studied the problems that are computationally hard to solve. Cryptography is a mathematical discipline that applies the principles of known computationally hard problems: it takes such problems and applies them to solve applied, real-life problems. Problems such as data integrity, confidentiality and electronic signatures can be solved by mathematical models whose hardness rests on a known computationally hard problem.
Every one of the problems mentioned above (integrity, confidentiality, electronic signatures, and others) relies on hard problems to ensure that loss of integrity is detected, that confidentiality is kept from eavesdroppers, and that electronic signatures are hard to forge. We can then conclude that an ES that is hard to forge, scientifically hard to forge, must be a cryptographic method.

An EES has the property of being "under the sole control" of the signer, which implies an asymmetric relationship between the signer and the authenticator: signer and authenticator must not share any secrets. Cryptosystems for this asymmetric case are called asymmetric cryptosystems. Therefore we can conclude that only asymmetric cryptosystems can solve the problem of an EES. Moreover, we can conclude that a hard-to-forge non-enhanced ES should be based on a symmetric cryptosystem, and that a hard-to-forge EES should be based on an asymmetric cryptosystem. An EES must be based on a cryptosystem; otherwise it is based on obscurity, and no technology can be based on obscurity. Technology must be based on scientific grounds. This should not surprise us at all; after all, mathematics and computer science are the fundamental sciences of all kinds of computational devices.

For the sake of completeness I should mention that biometric techniques can be helpful as a complement to an EES, but if and only if the EES is based on the underlying use of an asymmetric cryptosystem. For example, biometrics can help to authenticate a person so that he or she can log on to a computer, or can help to "unlock" a person's private key, but they are not involved in the computation of the signature itself.

Non-Computable Enhanced Electronic Signatures

This scenario is very futuristic and probably not realistic; in fact I know of only one possible method, and I do not yet know whether this method can be used to generate an EES. But anyhow, let us think a bit about a non-computable EES.
That means that a wire from Bob's PC goes out into a non-computable device that produces Bob's EES s over a data message m. The message and Bob's EES are sent to Alice for her to authenticate Bob's signed message. Alice receives m and s, and before reaching Alice's PC the data stream goes into another non-computational device similar to Bob's. Alice's non-computational device authenticates m, s and Bob's public component, and then informs Alice's PC of the authentication status.

For example, Bob's PC is plugged into a device in which the electrical impulses of the data stream are converted into a light beam that is passed through a polarizing filter. A polarizing filter is a non-computational device that transforms a data stream into another data stream in a predictable way, by the laws of nature. Physics is the scientific discipline that should be applied here, not computer science. This type of natural phenomenon, which processes electrically coded data streams into other predictable data streams, is very interesting but certainly outside the scope of any reasonable interest in the computer world. However, it is worth mentioning that when this type of non-computational method is studied by physics, we can speak of physical cryptography. The concept of cryptography then goes beyond mathematics.

A known non-computational phenomenon used to protect the confidentiality of data is studied by quantum mechanics. It is known from physics that the mere act of observing a photon disturbs its state, and the legitimate parties can detect that disturbance. This law of physics helps to build communication channels where eavesdropping is possible but always detectable. A new field in physics called quantum cryptography studies methods which, based on quantum mechanics, are known to be hard problems, and applies them to solve, for example, confidentiality problems.
It is worth mentioning that although a non-computational method is used to obtain an EES, it can still be conceptualized as a cryptographic method. Because of the asymmetric nature of an EES, such a non-computational method can be conceptualized as an asymmetric cryptographic method.

For the sake of completeness it should be said that quantum cryptography has nothing to do with quantum computing, except for the fact that both belong to the realm of quantum mechanics. Quantum computers are a qualitatively new type of computer, but they are computers nonetheless. Quantum cryptography does not use quantum computers.

Computable Enhanced Electronic Signatures and Technological Issues

In this section, references to asymmetric cryptography should be understood as mathematical asymmetric cryptography. An asymmetric cryptography model expressed in terms that can be run on a computer is called an asymmetric cryptographic algorithm. When that algorithm can be used to solve the EES problem, we have an asymmetric cryptographic signature algorithm. An intrinsic characteristic of an EES is that the only secret is the private key. An EES cryptosystem should be understood as a computer procedure that combines a mathematical asymmetric cryptographic signature algorithm with other techniques (probably symmetric algorithms, for example hash functions) to produce at least three functions: key generation, signature, and authentication.

There are several highly respectable algorithms and cryptosystems that solve the EES problem: RSA, which bases its strength on the difficulty of factoring numbers versus the ease of multiplying them; DSA, which bases its strength on the difficulty of computing discrete logarithms versus the ease of modular exponentiation; and elliptic curve cryptosystems, which base their strength on the difficulty of computing discrete logarithms on an elliptic curve versus the ease of adding points. Once a cryptosystem is made to work, we cross the boundary from science into technology, and at this point technology neutrality should be applied.
The first statement that technology neutrality can make is to declare neutrality with respect to asymmetric cryptosystems: technology neutrality should prevent discrimination against or in favor of RSA, DSA, elliptic curves or any other asymmetric cryptosystem. After declaring neutrality on any given algorithm or cryptosystem, let us examine other technological issues.

For a traditional paper-and-ink signed document, additional proof must be presented to obtain non-repudiable evidence: proof of the binding between the signer and his or her handwritten signature and, in some cases, proof of the existence of the signed document at a given time and date. In a similar fashion, an EES-signed data message needs to be complemented with electronic proof of the binding between the signatory and his or her public key, and with electronic proof of the existence of the signed data message at a given time and date.

Digital certificates are EES-signed messages issued by a trusted third party; the message contains the credentials of a person and a reference to his or her public key. Time-stamping testimonies are EES-signed messages issued by a trusted third party; the message contains a signed message and a time and date. Digital certificates and time-stamping are infrastructure services that complement an EES in order to build truly non-repudiable evidence. These infrastructure services are called Public Key Infrastructure, or PKI. But these PKI services are technological issues, so in theory technology neutrality should apply to them as well. Whether technology neutrality should nevertheless not be applied to them for practical or legal reasons is beyond the scope of this article.
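As an added worked example (this code is not part of the original article and is not SeguriDATA's), the following Python program implements the three functions of an EES cryptosystem named in the previous section (key generation, signature and authentication) as textbook RSA over a SHA-256 digest; shows why the digitized-signature idea from the Computable Enhanced Electronic Signatures section fails, since an EES is bound to its message and cannot be replayed; contrasts it with a symmetric MAC, where the authenticator holds the same secret and can therefore forge; and builds the two PKI complements just described, a certificate binding a subject to a public key and a time-stamp testimony, each as a message signed by a trusted third party. The names Bob, CA and TSA, the JSON encoding of the certificate and time-stamp bodies, the sample message and the date are constructed assumptions, and the RSA here has no padding and undersized keys, which is acceptable for illustration only.

```python
import hashlib
import hmac
import json
import math
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with `rounds` random witnesses."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime with the top bit set, so p*q has exactly 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def keygen(bits=1024):
    """Textbook RSA key generation (no padding; real keys are 2048+ bits): ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _h(msg):
    """Hash-then-sign: the 256-bit SHA-256 digest is well below the modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):
    """Signature: only the holder of the private exponent d can compute it."""
    d, n = priv
    return pow(_h(msg), d, n)

def verify(pub, msg, sig):
    """Authentication: needs only the public key, so the verifier cannot forge."""
    e, n = pub
    return 0 < sig < n and pow(sig, e, n) == _h(msg)

def mac(shared_key, msg):
    """Symmetric contrast: the verifier holds the same key and can forge. No sole control."""
    return hmac.new(shared_key, msg, hashlib.sha256).digest()

# PKI complements: a certificate and a time-stamp are messages signed with the
# EES of a trusted third party (CA, TSA). The JSON encoding is an assumption.
def issue_certificate(ca_priv, subject, subject_pub):
    """Binding of a subject's credentials to a public key, signed by the CA."""
    body = json.dumps({"subject": subject, "e": subject_pub[0],
                       "n": subject_pub[1]}, sort_keys=True).encode()
    return body, sign(ca_priv, body)

def issue_timestamp(tsa_priv, msg, sig, when):
    """Testimony that (msg, sig) existed at time `when`, signed by the TSA."""
    body = json.dumps({"sha256": hashlib.sha256(msg).hexdigest(),
                       "sig": sig, "time": when}, sort_keys=True).encode()
    return body, sign(tsa_priv, body)

def authenticate(msg, sig, cert, ca_pub, ts, tsa_pub):
    """Check the CA -> key -> msg -> TSA links; return (subject, time) or None."""
    cert_body, cert_sig = cert
    if not verify(ca_pub, cert_body, cert_sig):
        return None
    c = json.loads(cert_body)
    if not verify((c["e"], c["n"]), msg, sig):
        return None
    ts_body, ts_sig = ts
    if not verify(tsa_pub, ts_body, ts_sig):
        return None
    t = json.loads(ts_body)
    if t["sig"] != sig or t["sha256"] != hashlib.sha256(msg).hexdigest():
        return None
    return c["subject"], t["time"]

if __name__ == "__main__":
    bob_pub, bob_priv = keygen()
    ca_pub, ca_priv = keygen()
    tsa_pub, tsa_priv = keygen()
    m = b"Bob agrees to pay Alice 100 EUR"  # constructed sample message
    s = sign(bob_priv, m)
    cert = issue_certificate(ca_priv, "Bob", bob_pub)
    ts = issue_timestamp(tsa_priv, m, s, "2001-03-01T10:00:00Z")  # constructed
    print(authenticate(m, s, cert, ca_pub, ts, tsa_pub))
    # Unlike a pasted signature image, s cannot be replayed on a new message.
    print(verify(bob_pub, b"Bob agrees to pay Alice 1000 EUR", s))
```

Note that `authenticate` takes the CA and TSA public keys as given: those keys are the roots of trust that a PKI must distribute out of band, and certificate revocation is not modeled here. The MAC function is included only to make the sole-control point concrete: whoever can verify a MAC can also produce one, so a MAC-based ES can be hard to forge for outsiders but can never be an EES.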