Digital Signatures

Brian Gladman gladman at seven77.demon.co.uk
Sun, 30 Aug 1998 12:21:02 +0100


There has been a useful exchange of views on this list over recent days on
the issues of bringing digital signature technology into widespread use.  An
important aspect that many of the posts have clarified is that there are two
central issues of principle in gaining confidence in (cryptographic) digital
signature primitives:

1. confidence in the strength of the binding between public signature
verification keys and the people (or entities) with which they are
associated.

2. confidence that secret signature keys are truly secret and only capable
of being used by the people (or entities) associated with the related public
verification keys.

There is no obvious reason to focus on the solution of one of these two
problems without the other but this is exactly what government CA/TTP
policies seem to do.  It is also surprising that a number of companies who
are rushing (prematurely in my view) into the provision of third party CA
services offer no obvious solutions to the second of these difficulties.
Even a perfect CA infrastructure will be of no use while we cannot give any
assurances about the safety and security with which secret signing keys are
being used.

The secrecy requirement for signature keys is especially challenging because
we need to keep the key values completely secret so that even key owners do
not know them (to avoid the repudiation of valid signatures).  And, as a
number of list participants have pointed out, we can easily discount the use
of 'software only' mechanisms for meeting such requirements.

We are thus faced with considering approaches implemented partly or
completely in hardware.  This is an area that has been debated before on
this list but it is worthwhile asking what requirements a hardware solution
will have to meet by recounting the current and earlier debate (not in any
particular order):

1.  The secret signature key value must only exist in one place and must
never, ever be duplicated.  This requires key generation, key use and key
destruction on a hardware card of some kind and under the control of the end
user.

2.  So that the signing key never leaves the card, any data to be signed
(and the results) need to pass onto and off the card.  This will require a
capable card processor and a high bandwidth card interface (there are some
schemes for doing part of this task 'off card' to reduce these requirements
but I am unclear how effective these are).

3.  The user pass phrase will need to be input directly to the card and not
through any computer interface to avoid its capture by software means (this
is a difficult requirement to meet).

4. As pointed out by Markus Kuhn there is an absolute requirement for a
publicly accountable design and implementation process.  This is vital since
experience shows that the design, implementation and operation of high grade
cryptographic systems is very difficult and it is easy to make subtle,
exploitable mistakes.  In a closed design process it is also possible to
deliberately introduce exploitable weaknesses - in any card designed for
international use there will always be the suspicion that a host government
has insisted on such action on the part of a domestic card manufacturer.

5.  For widespread use in globally open systems the mechanisms used to
achieve signatures need to be built to open international standards.

There are other requirements as well but considering just these suggests
that smart-cards are not yet capable of implementing digital signatures.
However the PCMCIA card format is a contender (the US Department of Defence
uses a combined signature/encryption card in exactly this format although
not meeting all of the above requirements).  Although this would mean that
many computers would need PCMCIA slots, any hardware solution will need an
interface of some kind if it is not implemented at processor level.

PCMCIA based signature cards could probably be produced for $100 or less in
high volume and this is not a cost that would undermine professional use. It
would be too high for mass market consumer use but the costs would reduce
with time anyway once the market started to develop.

The issue gets more interesting if we move from technology to politics.
Although crypto export controls are not supposed to impact on
authentication, in practice they do.  Also hardware is physical in form and
can be controlled much more easily than software.  Thirdly the companies who
are capable of delivering hardware solutions all depend on government orders
for their existence (at the moment at least) and they are not going to put such
products into the mass market unless their governments are content for this
to happen.  Lastly, since these companies are competing with each other,
none of them (as far as I know) gets even close to meeting requirement 4
above - we are simply expected to trust what they put on offer.

So my conclusion is that, without government interference, technical
solutions for effective hardware based digital signatures could be achieved
at costs that are sensible for professional and high end personal use.  Once
such use got underway normal market processes in a free and unconstrained
market would lead to cost effective solutions for widespread use.

Governments will not leave us alone, however, and it hence seems inevitable
that the market for the hardware solutions that effective digital signatures
require will continue to be undermined by intervention.  In addition it is
unclear whether any of the companies involved will be prepared to meet the
need for publicly accountable scrutiny of the design, implementation and
operation of their products.

I hence agree with the several commentators who have concluded that digital
signatures are not ready for widespread use in open systems environments (we
will see uses in closed environments where the risks can be contained by
other means).  However I am inclined towards the belief that the reasons
for this are more political than technical.

My apologies for the length of this post.

   Brian
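The following is an added example, not code from the post or from its author, that models requirements 1 to 3 above in software: the key pair is generated inside a token and no method ever returns the private key, the pass phrase is presented to the token rather than to the host program, and the host passes only a SHA-256 digest across the interface (the 'off card' scheme mentioned under requirement 2). P-256 ECDSA, the type and function names, and the sample pass phrase and message are all assumptions of this example; the post names no algorithm or card design.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SigningToken is a hypothetical software model of the signing card the post
// describes; the key never leaves it. It is not firmware for any real card.
type SigningToken struct {
	priv      *ecdsa.PrivateKey // never returned by any method
	passHash  [sha256.Size]byte // hash of the pass phrase entered on the token
	unlocked  bool
	destroyed bool
}

// NewSigningToken generates the key pair on the token (requirement 1) and binds
// it to a pass phrase entered directly into the token (requirement 3).
func NewSigningToken(passphrase []byte) (*SigningToken, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed algorithm
	if err != nil {
		return nil, err
	}
	return &SigningToken{priv: priv, passHash: sha256.Sum256(passphrase)}, nil
}

// PublicKey returns a copy of the verification key, the only key material the
// token ever exports; nil once the key has been destroyed.
func (t *SigningToken) PublicKey() *ecdsa.PublicKey {
	if t.destroyed {
		return nil
	}
	pub := t.priv.PublicKey
	return &pub
}

// Unlock models the pass phrase being typed on the token's own keypad, so the
// host computer never handles it; the comparison is constant time.
func (t *SigningToken) Unlock(passphrase []byte) error {
	h := sha256.Sum256(passphrase)
	t.unlocked = !t.destroyed && subtle.ConstantTimeCompare(h[:], t.passHash[:]) == 1
	if !t.unlocked {
		return errors.New("token: pass phrase rejected or key destroyed")
	}
	return nil
}

// SignDigest signs a SHA-256 digest computed off-card (the "off card" scheme
// of requirement 2): only 32 bytes cross the card interface, not the data.
func (t *SigningToken) SignDigest(digest []byte) ([]byte, error) {
	switch {
	case t.destroyed || !t.unlocked:
		return nil, errors.New("token: locked or key destroyed")
	case len(digest) != sha256.Size:
		return nil, errors.New("token: digest must be SHA-256 sized")
	}
	return ecdsa.SignASN1(rand.Reader, t.priv, digest)
}

// Destroy is on-card key destruction (requirement 1): zero the scalar and drop
// the key so that no later call can sign.
func (t *SigningToken) Destroy() {
	if t.priv != nil {
		t.priv.D.SetInt64(0)
	}
	t.priv, t.unlocked, t.destroyed = nil, false, true
}

// HostSign is the host side: hash locally and send only the digest to the token.
func HostSign(t *SigningToken, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return t.SignDigest(digest[:])
}

// Verify is what any relying party does with the exported public key.
func Verify(pub *ecdsa.PublicKey, message, sig []byte) bool {
	if pub == nil {
		return false
	}
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	pass := []byte("constructed pass phrase") // sample value for this example
	tok, _ := NewSigningToken(pass)
	msg := []byte("constructed sample contract text")
	_ = tok.Unlock(pass) // pass phrase goes to the token, never through HostSign
	sig, _ := HostSign(tok, msg)
	fmt.Println("verifies:", Verify(tok.PublicKey(), msg, sig))
	tok.Destroy()
	_, err := HostSign(tok, msg)
	fmt.Println("after destroy:", err)
}
```

The split between HostSign and Unlock is the point of the model: the host program hashes the message and receives a signature, but it has no path to the private key and no reason to ever hold the pass phrase, which is what a real card with its own keypad would enforce in hardware.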