Open any popular article on public-key infrastructure (PKI) and you're likely to read that a PKI is desperately needed for e-commerce to flourish. Don't believe it. E-commerce is flourishing, PKI or no PKI. Web sites are happy to take your order, even if you use a secure connection, or don't have a certificate. Fortunately, you're protected by credit card rules.
The main risk in believing this popular falsehood stems from the cryptographic concept of "non-repudiation."
Under old, symmetric-key cryptography, the analogue to a digital signature was a message authentication code (MAC). If Bob received a message with a correct MAC, he could verify that it hadn't changed since the MAC was computed. If only he and Alice knew the key needed to compute the MAC and if he didn't compute it, Alice did. This is fine for the interaction between them, but if the message was "Pay Bob $1,000,000.00, signed Alice" and Alice denied sending it, Bob could not go to a judge and prove that Alice sent it. He could have computed the MAC himself.
A digital signature does not have this failing. Only Alice could have computed the signature. Bob and the judge can both verify it without having the ability to compute it. This is called "non-repudiation": the signer cannot credibly deny having made the signature. Since Diffie and Hellman discussed this concept in their 1976 article, it has become part of the conventional wisdom of the field and has made its way into standards documents and various digital signature laws.
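The contrast between the two paragraphs above, as an added example that is not part of the original article: under a shared MAC key Bob can reproduce exactly the tag Alice would have produced, so the tag proves nothing to a judge, whereas an Ed25519 signature verifies under Alice's public key alone and a signature Bob makes with a key of his own is rejected. The message and the shared key are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed message taken from the article's scenario.
var payOrder = []byte("Pay Bob $1,000,000.00, signed Alice")

// Constructed shared secret: with a MAC, Alice and Bob hold the same key.
var sharedKey = []byte("constructed-demo-shared-key")

// MAC computes HMAC-SHA256 over msg under key.
func MAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// BobCanForgeMAC: Bob, holding the shared key, produces a tag identical to
// the one Alice would produce, so a valid tag cannot implicate Alice.
func BobCanForgeMAC() bool {
	bobsTag := MAC(sharedKey, payOrder)
	return hmac.Equal(bobsTag, MAC(sharedKey, payOrder))
}

// SignatureScenario returns (judgeAccepts, bobForgeryAccepted): the judge
// checks Alice's signature with only her public key, and a signature Bob
// makes with his own key fails verification under Alice's public key.
func SignatureScenario() (bool, bool, error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	_, bobPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	aliceSig := ed25519.Sign(alicePriv, payOrder)
	judgeAccepts := ed25519.Verify(alicePub, payOrder, aliceSig)
	// Bob never sees alicePriv; signing with his own key is his best attempt.
	bobSig := ed25519.Sign(bobPriv, payOrder)
	bobForgeryAccepted := ed25519.Verify(alicePub, payOrder, bobSig)
	return judgeAccepts, bobForgeryAccepted, nil
}
```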
However, practice differs from theory.
Alice's digital signature does not prove that Alice signed the message, only that her private key did. When writing about non-repudiation, cryptographic theorists often ignore a messy detail that lies between Alice and her key: her computer. If her computer were appropriately infected, the malicious code could use her key to sign documents without her knowledge or permission. Even if she needed to give explicit approval for each signature (for example, via a fingerprint scanner), the malicious code could wait until she approved a signature and sign its own message instead of hers. If the private key is not in tamper-resistant hardware, the malicious code can steal the key as soon as it's used.
While it's legitimate to ignore such details in cryptographic research literature, it is just plain wrong to assume that real computer systems implement the theoretical ideal. Our computers may contain viruses. They may be accessible to passersby who could plant malicious code or manually sign messages with our keys. Should we then need to deny some signature, we would have the burden of proving the negative: that we didn't make the signature in question, against the presumption that we did.
Digital signatures are not the first mechanical signatures. There have been check-writing machines for at least 50 years, but in the U.S. their signatures are not legally binding without a contract between two parties declaring them acceptable. Digital signatures are proposed to be binding without such a contract. Yet, the computers doing digital signatures are harder to secure than mechanical check-writers that could be locked away between uses.
Other uses of PKI for e-commerce are tamer, but there are risks there too.
A certificate authority signing SSL server certificates may have none of the problems we've described, but that doesn't imply the lock in the corner of your browser window means that the Web page came from where it says it did. SSL deals with URLs, not with page content, but people actually judge where a page came from by the logos displayed on the page, not by its URL and certainly not by some certificate they never look at.
Using SSL client certificates as if they carried e-commerce meaning is also risky. They give a name for the client, but a merchant needs to know if it will be paid. Client certificates don't address this.
Digital signatures might be used with reasonable security for business-to-business transactions. Businesses can afford to turn signing computers into single-function devices, kept off the Net and physically available only to approved people. Two businesses can sign a paper contract listing signature keys they will use and declaring that digital signatures will be accepted. This has reasonable security and reflects business practices, but it doesn't need any PKI, and a PKI might actually diminish security.
Independent of its security problems, it seems that PKI is becoming a big business. Caveat emptor.
©2000 ACM 0002-0782/00/0200 $5.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.