Digital Signatures: Identity in Cyberspace

By Karen Coyle. Published in: AALL Spectrum, v.2, n.4, December 1997, pp. 8-10.
In March of 1997, the Social Security Administration made its Personal Earnings and Benefit Estimate Statements (PEBES) database available over the Internet so that individuals could access their information online. To see your personal data over the Internet you filled in a form with your full name, your Social Security number, your date of birth, the state of your birth and your mother's maiden name. The PEBES system returned your earnings history and benefit estimates.

On a Monday in April a story about the PEBES database ran in USA Today. By Tuesday the system was so flooded with users that it was nearly impossible to get through. By Wednesday, there was a public outcry over the insecurity of the system, and by Thursday the SSA system had been denounced in Congress and the access to PEBES over the Internet had been withdrawn. Something had gone very wrong.

The outcry was over the fact that the system did not successfully prevent others from accessing your PEBES information and therefore from seeing some fairly personal financial information. To prove this fact, some privacy advocates retrieved PEBES records for prominent public figures. The five pieces of information required by PEBES, while not obtainable from common sources like the phone book, are not terribly difficult to determine for any given individual. Some people felt that the SSA had been negligent in their implementation of the PEBES Internet service. But it takes only a little investigation to understand that the SSA had run into one of the key problems that we face today for online transactions: authentication. In plain language, how do you know who you are talking to on the Internet?

And Who Are You?

The Internet was designed for almost anonymous communication. When you access information over the World Wide Web, the site you are visiting sees you only as a return Internet address. This return address identifies the computer that will receive the requested information, such as a Web page, and is necessary for its delivery. The address is merely a set of numbers that serve as a kind of street address for a point in cyberspace, e.g. 128.48.104.15. The address can reveal the identity of the larger institution with which the user has an account -- for example, the address of the computer on my desk reveals that it is on a University of California subnetwork -- but it does not say anything about the identity of the person who is using that computer at that moment. As far as the Internet is concerned, cyberspace consists only of computers; that there are humans sitting at some of these computers simply isn't relevant to how the Internet works. So there is no way for the SSA's PEBES database to look past the Internet address and identify the human sitting at the keyboard, even though that person has a logon and password at their local system.

This is a particular dilemma for the commercial potential of the Internet. Business transactions require contracts; contracts require signatures that are legally binding and can stand up in a court of law ("Is this your signature here at the bottom of the contract?"). Even e-mail messages are unreliable in their identification of the human sender. An e-mail message is like a typed letter with no signature. The "From:" portion of the e-mail message is not by any means proof of who actually sent the message. It takes only rudimentary knowledge of how Internet e-mail works to produce a message that looks like it came from someone else. Even worse, an e-mail message is only a plain ASCII file, and can be typed in at a keyboard, so one could produce dozens of phony e-mail messages for one's files.

One proposed solution to this general problem of authentication is called "digital signatures." A digital signature is not a digital copy of your handwritten signature. That would be useless since anyone who obtained a copy could then attach it to other electronic documents. Digital signatures instead make use of current encryption technologies to produce a mark that is yours and yours alone. Your "signature" would be the result of some very complex mathematics that are controlled by a secret password that only you know. The digital signature wouldn't look like a hand-written signature at all. As a matter of fact, it would probably look something like today's encrypted signatures (fig. 1). However, the signature could be read by an authenticating program and would be able to assure that, mathematically, the signature is indeed yours and no one else's.

Fig. 1 - A Digital Signature

iQA/AwUBNEkQNejklpniTSshEQLaNQCg85LO05B/J75nUcQP/Dwz4MZ4FecAn2QC
MZ5LEs5PxBQ/CjRfmsdM/8Sb
=+0Z7

Digital signatures are actually quite interesting and can do things that hand-written signatures cannot, such as authenticate documents, and this follows directly from how the signatures work. If your digital signature were the same every time it would be easy for someone else to copy it and re-use it. But your signature is never "visibly" the same; it is only deeply mathematically the same. It responds to the same verification, even though the actual value is different. To make the signature different each time, other elements beyond your password must be thrown into the mix. One convenient way to accomplish this is to perform an algorithm using the text of the document being signed. This results in a unique, but valid, digital signature, and it also provides a way to verify that the document has not been changed after the signature was affixed. The signature itself also works as a checksum on the document (fig. 2). This makes it impossible to modify a signed contract without invalidating the signature.

Fig. 2 - Two Digital Signatures; Same Signer, Different Documents

iQA/AwUBNEkP/ujklpniTSshEQKjQgCZAZmSY3TXosIsJhER0IWMDjb9E+QAoJlk
DGKlFsuXTpusS6X6ukw9hbQA
=q18+

iQA/AwUBNElMY+jklpniTSshEQLLOwCfT31zYuvTLcKmGX4Ya05twUUD2cMAnie1
q+BVKrBpJcv02lyFWGwPcsiL
=VRLM
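The two properties just described, a signature that changes with the document yet verifies under one signer's key, and that fails once the document is altered, shown as an added example that is not from the article or from PGP. It uses Go's standard-library Ed25519 in place of the PGP scheme of the figures; the Signer type, the Encode helper and the contract text are constructed for illustration (Ed25519 gives the same signature for the same document and key, so the variation here comes from the document, as in Fig. 2).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Signer holds one person's key pair (constructed helper, not PGP). The
// private key plays the role of the secret that only the signer knows; the
// public key is what a verifying program or certifying agency would hold.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// Sign binds the signature to both the key and the exact document bytes.
func (s *Signer) Sign(doc []byte) []byte { return ed25519.Sign(s.priv, doc) }

// Verify succeeds only for the original document and this signer's key.
func (s *Signer) Verify(doc, sig []byte) bool { return ed25519.Verify(s.pub, doc, sig) }

// Encode renders the raw signature as printable text, like Fig. 1 and Fig. 2.
func Encode(sig []byte) string { return base64.StdEncoding.EncodeToString(sig) }

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample documents; the second differs by a single digit.
	contract := []byte("I agree to pay $100 on 1 December 1997.")
	altered := []byte("I agree to pay $100 on 1 December 1998.")
	sig := s.Sign(contract)
	fmt.Println("signature:", Encode(sig))
	fmt.Println("original verifies:", s.Verify(contract, sig))
	fmt.Println("altered text verifies:", s.Verify(altered, sig))
	fmt.Println("different doc gives different signature:", !bytes.Equal(sig, s.Sign(altered)))
}
```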

We have the encryption technology today to create digital signatures. You can download a free copy of Pretty Good Privacy (PGP), an encryption program that is widely used on the Internet, and use it to encrypt documents and to sign documents. So, you may ask, why aren't we using digital signatures more widely? And why didn't the SSA choose this method for its PEBES database? There are two major barriers to the use of this technology: one is organizational, and the other involves national security.

Encryption and National Security

Let's start with the national security issue first. The national security barrier relates to the fact that encryption devices (and that includes computer programs) are considered munitions because of their role in allowing the transfer of secret messages in times of war. Export of encryption is therefore controlled by the U.S. Department of State and regulated under the Defense Trade Regulations. Weak encryption devices are allowed to be exported or included in products that will be sold internationally, but the kind of strong encryption that would be needed to produce digital signatures of a quality required for business and other legal transactions falls under these export restrictions. The purpose of this is to keep strong encryption out of the hands of our enemies. While computer companies could produce programs for use only within the U.S., so much of our commerce today is international in nature that a product of that type would be nearly useless. In general, computer companies have not been willing to invest in the development of products that make use of encryption until this issue is resolved with the federal government. And in spite of many years of arguments back and forth on the question, we seem to be no closer to a resolution than we were five years ago. Even beyond the national security issue, the U.S. government maintains that strong encryption will lead to an erosion of the power of law enforcement since criminals will be able to mask their communications with unbreakable encryption. It would also mean that it would be very hard to monitor monetary transactions and business deals and that whole systems of accountability could be rendered obsolete. Opponents of the restrictions (which include a number of our larger software companies) argue that strong, secure cryptography can be and has been developed outside of the U.S., so criminals only have to purchase their programs from a non-U.S. source. The federal government, however, is not swayed by this argument, and the two sides are as far apart as ever.

The government does, however, recognize the need for digital signatures. In 1991, the National Institute of Standards and Technology published a notice in the Federal Register proposing a federal digital signature standard. This standard has not been adopted due to the fact that it uses a form of encryption that is considered by many to be too weak to provide the level of security that users want.

Managing Digital Signatures

The barriers imposed by management issues are no less difficult than those imposed by the issue of encryption strength even though there is no similar legal opposition. It, too, is compounded by the global nature of electronic commerce. For a digital signature system to be truly useful, its use must be widespread. The system must also be recognized by courts of law and must be in accord with the many thousands of national, state and local laws wherever a person's signature is required for a transaction. A search of the online version of the California state commercial code brings up over one thousand different sections where the word "signature" is used at least once. The body of law that must be brought into the digital age is enormous.

In 1996, the American Bar Association Information Security Committee produced a report making recommendations for a national digital signature standard. The recommendations in this report have not yet been translated into federal legislation although they have heavily influenced a number of efforts at the state level. At this point nearly forty states have discussed digital signature legislation and 31 have passed at least one piece of legislation relating to digital signatures.

Some of the state schemes set up very specific mechanisms for the creation of systems of authentication with rules for certifying agencies. Other states have passed legislation that is much less specific but that supports the use of any known and reliable digital signature scheme. It's clear that at both the state and the federal level there's a fear of over-regulating digital signatures since this is technology that is still in its infancy. And many of the legislators themselves are undoubtedly not nearly as conversant on this topic as they are with issues they've been working with for years, such as agriculture, transportation or education.

The main management question that arises in attempts to create a legal definition for digital signatures is: who has the responsibility and authority to validate that a digital signature is valid? Some proponents favor setting up government-sponsored agencies that will be the authenticators of digital signatures. Others would like to have an open market for certifying agencies so that consumers could choose an agency that they trust. Either way, these agencies would hold certified copies of signatures against which they could validate subsequent uses of that signature. Then there is the question of who has the authority to regulate these validating agencies. Many state governments are assuming that to be their task, especially in light of the lack of a federal digital signature structure.

Close behind is the question of who is liable when a certified signature does turn out to be invalid. Too much liability on the shoulders of certifying agencies and few will be willing to enter that market. At the same time, some resolution on liability is necessary before businesses can be expected to risk accepting digital signatures. It is no simple task to develop this structure and to create a level of confidence such that the signatures can be used when important business deals are at stake.

On an international level, there is the same interest in facilitating commerce through digital signatures as there is nationally. The World Wide Web Consortium (W3C) is a technical body that develops standards for the Web. This organization has a working group that is looking at the technical issue of how digital signatures will be integrated with Web software for the greatest security and maximum ease of use. While the management structure of certifying authorities and encryption standards work in the background, a successful digital signature program needs an easy to use interface and an interconnection with the most common online communication tools. The Consortium hopes to have the tools ready for use when the management structure is settled.

The Real World

After the abrupt closure of their online PEBES service in April, 1997, the Social Security Administration held a series of five public forums across the United States to gather the testimony and ideas of citizens and computer security experts. In light of that testimony, SSA has arrived at a new design for their Internet service. In the future, users will be required to log on to the SSA site and give the same five pieces of identifying information that were previously required. No information about benefits will be immediately available from the PEBES site. Instead, the user will receive an access code via e-mail, after which he or she can access a select set of benefits data. Users will be allowed to expand the amount of data they can access over the Internet, but only if they "opt in" for such a service, and only after receiving a warning about the possible privacy implications of allowing that information to be made available online.

Until this new service is ready, you can still get your PEBES data the old-fashioned way: by U.S. mail. You can initiate this process on the PEBES Internet site, and the same five pieces of information provide the key to your file. But instead of getting instant access to the information, you give your mailing address and wait three to six weeks for your benefits summary to arrive.

We should be asking ourselves why we consider this method more secure. The method of authentication is identical to that of the online service. And that method of authentication requires two more pieces of information than are required when you mail in your request to the SSA rather than request it over the Internet. Yet there has been no outcry over the insecurity of the "real world" service and no privacy experts have used it to demonstrate the ease with which they can obtain information about public figures. Why is this? It probably has more to do with human nature than with the design of systems and security, and human nature is the real bug in all of our code. We feel anonymous at the computer, but not when the mailman delivers a letter to us even if that goes to a post office box. And the wait for something to be produced by a large bureaucracy and then delivered in hard copy discourages the frivolous invasion of privacy that is so tempting when the response is instantaneous.

Authentication in the real world is fraught with error. Surely we don't believe that the bank checks the signature on each of our checks, or that no one else could call the bank's customer service number with our Social Security Number and mother's maiden name and get detailed information on our checking account. Most of our data is secure only because others have little to gain by accessing it. With digital signatures, security over our personal data could be much more secure than it is today, perhaps off-setting the ease with which anyone with a computer will be able to get close to where that data is stored. There will not be perfect security in the future, as there is not today; the best that can be done is to increase the amount of work needed to crack a system beyond the value of the data it holds - a simple, economic concept of cost and benefit.


About the Author:

©Karen Coyle, 1997
This work is licensed under a Creative Commons License.