Slashdot Mirror

← Back to Stories (view on slashdot.org)

More On The SDMI Crack & Why Digital Sigs Are Not

Posted by Hemos on from the more-fun-with-1s-and-0s dept.

The latest issue of Crypto-Gram has some good coverage of the new digital signatures law as well as more on the SDMI crack. The signatures law is interesting - essentially claiming that a digital signature law is /not/ the same as signatures.

6 of 114 comments (clear)

  1. No they are every bit as good by WolfWithoutAClause · · Score: 4

    First. What legally speaking is a signature?

    It's not as easy as it seems. Is it a cross on a piece of paper? It can be, particularly if the signer is unable to write.

    Is it a thumb print. Yup could be.

    Is it a digital signature. Yup often is.

    The point is that the law is actually more flexible and subtle than its often assumed to be.

    Ok. Can written signatures be forged? Of course. Happens every day and twice on sundays.

    Can digital signatures be forged? Yes, either by cracking the cryptographic system (usually very hard) or by hacking into the system that has the cryptographic system running on it (usually pretty easy, although not always).

    Also with digital signatures (and with written signatures) there is a question of identity - is the John Smith that's signing the SAME John Smith that's paying? And if so, who says so? ;-)

    Either way a fraud can been commited. And either way the court is the place to duke it out.

    Is a digital signature less secure than a written one? Right now I doubt it, although in future it may be less or more so depending on the systems used.

    I personally think that Bruce Schneier is trying to drum up more business for his security company ;-) (He writes great books though)

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  2. Re:Why this article is not. by TMB · · Score: 4
    He mentions that a digisig is less secure than a normal sig because the person does not have to read what he/she is signing. Well, isnt this also the case with normal sigs? How many of you read the contract when you joined your local video club?

    That's not the point. The point is, whether you read it or not, we know you intended to sign the video club contract. You had it in your hands and chose to sign it. We can't prove that you intended to sign a digitally-signed message.

    The computer is not a trusted environment. Well, if you dont trust your machine, then thats your own problem. I trust mine, because I take care of it remaining trusted.

    But do you trust the program that computes your digital signature? I think this is one of the applications where having access to the source is vital. Maybe it would be even better if the algorithm were very easy to implement, so everyone could roll their own signing program and be absolutely certain that it was kosher?

    [TMB]

  3. "You can't make a secure watermark" by evanbd · · Score: 4

    I've heard this so many times, and it's just an assertion. Before public key crypto was out, they said the same. I believe you can't secure digital data against an insecure recipient who can decode it; nothing says the data itself can't contain stuff the user can't notice -- you can't do a mathematical proof about content / the human ear, people! What's to say they can't do inaudible phase shifts, volume changes you can't hear, and other such? I don't think they can, but it takes a lot of chutzpah to just say you CAN'T outright with no backing. They did a good (not good enough, it seems) job; what's to say they can't do sufficiently better? I'll wager it takes more than just more money, but I don't see why they can't. Any thoughts?

  4. Re:Why this article is not. by honkycat · · Score: 4
    When you sign a physical document, you definitely came in contact with it and left physical artifacts of your contact with the document. If you go around signing papers you haven't read, you should be more careful, but that's another issue. I think the concern he raises is a very valid one -- it is easier to steal a (and harder to detect a stolen) private key than it is to steal a "real" signature. Physical forgeries happen all the time, but because of the local nature of the physical world, it is very hard not to leave a trail of evidence.

    Be careful who you trust. No matter how careful I am about installing software, scanning for viruses, etc, I wouldn't trust any PC fully. Can you be _sure_ that Win98 has no backdoors? Can you be _sure_ that Linux has no backdoors?

    The real danger in digi signatures is considering them to have the potential to be any different from regular signatures. If you require a notary to witness a physical signature, then you damn well better require a notary to _physically_ witness the real person issuing a digital signature. Maybe there's a digital means for authenticating a person better than a human notary, so that may be an option. But authenticating the person in a truly secure way is necessary. This is not only an issue for the signer, but also for the party with whom he is contracting -- if there is any doubt that the signature was inauthentic, they are open to litigation... so really, everyone wants authentication from human->document.

    Of course, I am of the opinion that physical artifacts should not be done away with. For many tasks, they may be the best solution available -- if security is really at stake, you may be better off _not_ moving at full internet speed.

  5. It's All About The Legal System by danmil · · Score: 4
    Surprise, surprise, lots of people on Slashdot seem to be missing the key to Shneier's argument about digital signatures: it's all about whether or not they would stand up in court.

    A bunch of programmers read about digital signatures and they think "Great, here's a way to verify that a specific person signed a specific document. How cool." (And it is very cool, don't get me wrong). Then Shneier comes along and points out the problems with using these digital signatures to replace the role of physical signatures in our current legal system (they won't stand up to court challenge, because it's so easy to claim that the computer was compromised or the key stolen).

    He's right. His point is about the legal system, not about the philosophical issue about how to verify that someone actually signed something. Sure physical signatures don't do that, but that doesn't matter. They work well in our legal system. He argues that digital sigs won't.

    So everyone should stop making such a todo about how he's being solipsistic, or techophobic or whatever. He's talking about legal issues.

    -Dan

    --

    I have written a truly remarkable operating system which this sig is too small to contain.

  6. I wish the lawyers knew about this..... by jcrb · · Score: 4
    Here is a nice article by the ABA (American Bar Assoc) demonstrating that they think digital signatures are better than the 'real thing'

    --
    -jon