Digitally Notarized Documents in Brazil

Remote writes: "As of next year, Brazilians will be able to obtain notary-authenticated digital documents and have them sent over the Internet (English) . You can also obtain a CD or floppy from a notary office, containing your document encrypted with an assymetric key. The key generation, though, demands that one shows up in person at the notary office for ID verification. This was made possible by legislation that recognises public-key encrypted documents and signatures as legally valid. This is one first step, and I don't see why this wouldn't be applied to things like contracts, invoices, wills, etc. Brazilian Notary and Register Association claims that one can even print as many copies of, say, your driver license as desired, though I don't see how this part would work..."

Re:Why Digital Signatures Aren't Signatures

[swillden]

And of course you can bridge the gap between you and the computer with biometric autorisation.

I don't think you read Schneier's article. The point is that you, the putative signer, never know what the computer, the real signer, is actually signing. How you authenticate yourself to the computer to unlock the signing key is irrelevant, and biometrics aren't really any better than other authentication mechanisms (from a security point of view, biometrics are actually very poor authentication mechanisms).

lot of security is based on thrust.

All security is based on controlling, quantifying and limiting trust. Schneier's point is that the trustworthiness of digital signatures depend absolutely on the trustworthiness of the software and hardware performing the signing operation. You have to trust that the key is stored securely, authentication of the user is performed securely (and correctly), that the signing operation is performed correctly and that the correct document (and *only* the correct document is signed. And if the computer in question is a standard, easily hackable PC running, such trust is almost impossible to justify.

I started to implement a secure digital signature system based (mostly) on commodity hardware a while back. Unfortunately the project was cancelled before it was finished, but here's what we had to do:

• Use a secure crypto card for key generation, storage and access control (the IBM 4758 (don't let the recent bad press fool you, it's an extremely secure device)). A naive person would think we're done here, and then some.
• Use a stripped-down version of an open source operating system, thoroughly reviewed. We were going to use an old Linux kernel (from the days when it was smaller and simpler). The source had to be reviewed line by line, and the policies and procedures that had to be set up around how this code was stored and how modifications were tracked were very onerous.
• Write and thoroughly review the document display and signing software.
• Build the OS and software on a secure build server and burn it onto a CD. Run an MD5 hash of the CD contents and burn a few copies of another bootable CD whose only function is to verify the first CD (using the hash). Distribute the verification CDs to appropriate, trusted, people, who store them in personal safes. Put the first CD in a lockbox in a vault. Distribute keys to the lockbox to appropriate, trusted, people who don't have verification CDs.
• Remove all drives from the PC except for one CD-ROM drive and one floppy drive, configure the BIOS to boot only from the CD-ROM drive and set a BIOS password. Lose the password.
• Place the entire PC in a custom-built, TEMPEST-shielded, lockable cabinet, with only the CD-rom drive, floppy drive, keyboard and LCD display (not CRT) exposed. The keyboard must be entirely inside the cabinet except for the keys. No cabling can be exposed, except the power cord. Put the cabinet in a secure room and tightly control access to it.
• When you want to sign something, write the document on a floppy in ASCII text, find someone with a lockbox key and someone with a verification CD.
• Retrieve the system CD. Boot the secure PC off the verification CD. Insert the system CD for verification. Assuming it verifies correctly, unplug the PC, insert the system CD and your floppy and power the PC back on. The system will read your document, display it on-screen, then ask you to identify yourself. You specify your username and passcode, which are passed to the 4758 along with the document. The 4758 checks your credentials, hashes and signs the document and passes the signature back to the PC, which writes it to the floppy.
• Return the system CD to the vault.

There are obviously a lot of other issues I didn't mention, such as the policies and procedures around key generation, who is given signing privileges, how public keys are distributed to relying parties, how certification is done, etc., etc., etc.

Of course, very few situations require this level of security. But there are also fairly few situations where there's any point in using software-based signing on a general-purpose PC.

And biometrics make absolutely no difference to any of this. Biometrics are to security like syntactic sugar is to a programming language.