Electronic signature, the theory and the practice, Poland and Europe

Transcription

1 Electronic signature, the theory and the practice, Poland and Europe Andrzej M. Borzyszkowski Institute of Computer Science, Gdańsk Branch, Polish Acad. of Sci. Abrahama 18, Sopot, Poland Rada Naukowa Centrum Certyfikacji Signet Abstract. We recall the technical background of electronic signatures, at least the ones widely used in existing statutes, then we discuss the legal aspects, afterwards we discuss in more detail Polish legislation and briefly compare it with the European one. Finally, we conclude on prospects of the use of electronic signature. 1 How does it work? The idea of electronic signature relies on the concept of asymmetric cryptography. Thus at first we start with recalling some details about the latter. Then we describe how the mathematics is turned into a real life. 1.1 Cryptography Cryptography is a science (and a technology) about converting a text, called a plain-text, into a text unreadable for not involved, called a cipher-text. There are, generally speaking, two parties involved, a sender and a receiver. In classical cryptography, the one in use from ancient times until recently, both parties shared a key, the key was used to encrypt a text by the sender as well to decrypt it by the receiver. The problem of authentication has been solved in a similar manner. Two parties shared a secret, authenticity has been established if one of them could prove to the other it knows the secret. The problem how to exchange these secrets securely, how to revoke them, how to handle them have haunted the users for ages. There is no room for such a cryptography if parties have not contacted each other previously or do not plan for a longer relationship, as it is customary in commerce. In the mid 70-ties Diffie and Hellman proposed the idea of having two keys for two purposes. One of the key would be used to encrypt a text, the other to decrypt it. In this schema encryption uses a public key of intended receiver but to decrypt it the receiver s private key is necessary. In such a way the problem of key transport is solved, a public key can and should be published openly, a private key need not to be transported at all. The first implementation of this idea have been provided by Rivest, Shamir and Adleman. Hence, the name RSA. Today this is probably the best known catchword in the area,

2 Preparing a key pair: 1. take two new big prime numbers, p and q; 2. calculate their product n = p q and Euler function e = (p 1) (q 1); 3. take any number f, f < e, f prime w.r.t. e; 4. find its inverse g in a sense that f g = 1 modulo e; 5. publish n, f, keep secret n, g. Signing a message m (m is treated as a number, m < n): s = m g modulo n. Verifying: checking if m = s f modulo n. Justification: (m g ) f = m g f = m 1+multiply e, by Euler s theorem m e = 1, all calculations done modulo n, hence the former must equal m. Fig. 1. RSA algorithm The same idea can be, and is, also used when the issue is to ensure the identity of a sender of the text and the integrity of the text. Then a text is encrypted with the use of a private key of a sender and can be decrypted only using his public key. The possibility to decrypt the text is a proof that the encryption has been done with a corresponding private key. In this situation we use rather terms signature and verification. Note that this time we use the keys in opposite order, first a private one, then a public one. In RSA system the order does not matter. Hence RSA may be used both for encryption and for signing. Other systems are specific. E.g., DSS, Digital Signature Standard, is based on other mathematical idea than RSA and it is applicable only for signing, not for encryption. The technology has one subtlety, namely, the asymmetric key cryptography algorithms are highly inefficient. Therefore, not a whole message is signed but only a message digest, which is (1) very short, say, 160 bits, (2) yet almost unique in the sense that it is improbable to find out, randomly or acting on purpose, another message with the same digest. In such a way a signed message consists of the original message and an encrypted message digest. The verification of a signature consists of comparing a decrypted message digest and the message digest of the signed document they should be equal. 1.2 Certification From the previous section it is clear that upon receiving a signed message one can check if the message has been signed using a private key associated with a public key known to the verifier. Assuming cryptography works it is still unclear who possesses the private key. First problem is if the private key is possessed by a single entity or, maybe, is known to others. Private suggests the former is true, but the latter may be true due to an accident, theft, carelessness of the original possessor, or for some other reasons. We have to be aware about such a possibility, but let s assume for a moment that a private key is possessed by a single entity. So the next problem is, who is this entity? Here, a trusted third party proves to be useful.

3 The trusted third party is an institution which verifies that a person is in possession of a private key, either by checking this fact or by generating this key, and then it issues a certificate, i.e., a document stating that a particular person is an owner of a private key complementary to a public key contained in the certificate. Technically speaking, this certificate is again an example of a signed document signed by a certificate issuer. The problem of checking the latter signature is solved by a wide publication of certificate issuer s public keys, e.g., by preinstalling them in popular Web browsers. Now, a signer of a document signs it using his private key and attaches the certificate to a document, or points to a repository where this certificate is available. A verifier of a signed document checks if the document has been signed using a key paired to a key contained in the certificate and checks the certificate itself, possibly going a longer route, if the certificate issuer s public key is known only by means of another certificate. If verification is positive, one assumes that the document has been signed by a person named in the certificate mentioned at the beginning. Now let us return to the fact that a private key may be lost, despite the fact it should never happen. Then a certificate has to be revoked. One of the services of certificate issuers is to maintain a list of revoked certificates. The process of signature verification is therefore longer. It involves the inspection of the CRL (certificate revocation list) of a given issuer. However, this is still not the end of the story. A signed document verified today may turn out to be not verifiable tomorrow. This happens if a certificate is valid in the time of verification process but is revoked at some time later. In many cases this will not create a problem. But if a signed document has to be kept for a longer time as a proof of a legal action, there is another service needed time-stamping. A signer of a document not only signs it with his private key but also asks a timestamping authority to record a time the document existed as being signed. This servise needs on-line connection to time-stamping authority. Technically, not the whole document is being stamped, but only its small digest. One of the purposes is not to overload connection lines; the other purpose is not to reveal possibly sensitive data to the public. Now, if a certificate is revoked, one can still check that a document has been signed earlier, and conclude the signature is valid. On technical level, there are industry standards for the formats of certificates and certificate revocation lists, for certificate management protocols. The one worth mentioning is widely used X.509 v. 3 standard. A certificate conforming to the standard contains not only obvious data like the name of an owner and his public key, but also the name of its issuer and some technical data, e.g., what algorithm is to be used with this key and what algorithm is to be used to compute a message digest. 1.3 Legislation The two previous sections show how one may arrive at a conclusion that a particular document has been signed by a particular person. However, the

4 legal meaning of such a conclusion has to be provided by law, technology alone is not enough. At the turn of the 20 th and 21 st century, both in USA and in Europe, there appeared legislative initiatives whose effects have been to make an electronic signature legally equivalent to a handwritten signature. Generally, the following is required from electronic signature: 1. it must include a method to identify the signer, 2. it must be under the sole control of the person using it, 3. it must be linked to a document in such a way that every change of the document invalidates the signature. The first European country to adopt such a law has been Germany. In 1999 the European Parliament and the Council has adopted directive 1999/93/EC on a Community framework for electronic signatures. The electronic signature, as defined by the directive, is based on already described ideas of certificates and certificate issuing authorities. Only qualified certificates count, and a certificate is qualified if its issuer conforms to some measures. E.g., thoroughly checks the identity of a person applying for a certificate, or assumes responsibility for possible damages of those who rely on a qualified certificate. Of course, a company can issue both: qualified certificates and non-qualified ones, too. The second ones e.g., given away for free to everybody who applies electronically. Neither the identity of such applicants can be checked, nor there is a reason to assume liability for such a product. Certification authorities, according to the directive, may be subject to accreditation process. Such an accredited certification provider gains more faith of a public in the quality and accuracy of its certificates. On a technical level there are several classes of certificates: class 1 certificates are the ones just binding whatever name to a key; class 2 certificates require some check-outs; class 3 certificates are probably issued only in case a person appears in person, or some other equivalent measure is taken to assure the identity of a certificate owner; class 4 certificates imply some serious check-out of certificates content has been done. Still, one has to be aware, that a certificate is not a certificate of somebody s credit capabilities neither of moral conduct. We talk only about identity. 2 Poland The Polish parliament has adopted an electronic signature bill on September 18, 2001 (Dz.U. 130/1450) with a 9-month vacatio legis. The Polish bill is along the lines of a European directive mentioned above, and of course it is more detailed. 2.1 Statute The statute carefully formulates conditions which a qualified certification authority have to meet: it has to buy an insurance against possible losses due

5 e.g., to its negligence; it should not be negligent; it should hire an appropriate personnel, it should maintain an appropriate security policy, it should use an appropriate hardware and software, etc. Of course, a qualified certification authority has to maintain CRL, it is obliged to keep important documents for quite a long time and many more detailed conditions. It is also subject to a scrutiny done by appropriate authority (art. 25 of the bill). A qualified certification authority receives a certificate signed by a central root authority. In fact, Polish statute carefully applies the term signature to physical persons only, as only people have hands to put handwritten signatures ;-), and there is a different term used for signatures put by authorities e.g., on certificates or time stamps. A signature verified against a valid qualified certificate is equivalent to a handwritten signature. If a certificate is no longer valid, revoked or expired, a signature is still considered valid if one can prove it has been done when the certificate was valid, e.g., utilizing a time-stamping service defined in the statute. Again, this is considered a legal evidence if time-stamping is done by a qualified authority. Polish bill imposes some restrictions on the content of a qualified certificate. It should contain not only an owner s name, a public key, the issuing authority s name, but also the time of its validity. An important part of a certificate is a pointer to a policy according to which a certificate is issued. There one can learn about the process of certificate production, how much one can rely on the data contained in a certificate, and for what purposes a given certificate is appropriate. According to the bill, a qualified certificate has to be clearly marked as such. Also, a certificate may contain some additional restrictions, like the upper bound of the value of transactions that can be signed using this certificate, or a particular field of the use of such a certificate. A certificate needs not to contain somebody s surname, it may contain a pseudonym, but then it has to be marked as such. Of course, documents signed under a pseudonym have little legal effect. 2.2 Services We have already mentioned the most common service binding a name to a public key. Even this service has a few versions, an issuer of a certificate may require the person to show up and examine his/her passport, or it may issue a certificate to anyone wishing to have one and applying through the Internet. Also, a certificate may be issued not for a physical person, but, say, for an SSL server, which also possesses a name. Of course, such certificates are not covered by the law we discuss here. Moreover, certification authorities may want to issue certificates to each other, just to ease the process of signature verification. Such certificates are within the framework of the statute. Yet another kind of certificates are certificates for encryption. Technically they are not much different, they bind a name of a person to a public key which can be used to encrypt a message to this person. These certificates however are outside the scope of the statute in question.

6 The Polish bill recognizes some other services concerning certificates that a provider may offer. E.g., if a certificate owner wants to keep his private key in secret, then an issuer only checks if the owner really possesses the private key. It may also generate the key pair for the prospective owner on his request. The statute sets a lot of conditions to the effect, that the certificate issuer does not know private keys of its clients, as otherwise signatures could be forged. While it is legally forbidden, and technologically not justified, to keep somebody s private key used for signature, it is reasonable to keep somebody s key used for encryption, allowing for access to encrypted documents in case a key is lost key escrow. Usually such keys are kept in a manner requiring some effort to reconstruct them, e.g., coordinated action of several entities. Certificates expire, thus new ones have to be acquired. The process of replacing old ones for new ones may be simpler, and cheaper, than the process of issuing brand new certificates. A certification authority has to maintain certificate revocation lists. The Polish bill allows also for a temporary suspension of the validity of a certificate. Therefore, another list has to be maintened. A CA may also offer a service to check validity of certificates on-line, again to make the lifes of customers easier. Also, apart from keeping the list of revoked certificates, a certification services provider may keep the list of valid certificates. In such a way these certificates need not be attached to signed documents, it is enough to point to them, making signed documents shorter. Time-stamping is a service much different than certificate issuing. There is no need to contact people in person. Instead, there is a need to contact customers on-line. Also a creditable source of time is needed, which only seems to be a simple story. 2.3 Service providers Currently we have three qualified certification authorities in Poland offering their service to the general public, Certum, Signet, Sigillum, There are also certification authorities for banking industry only. Signet, one of the issuers, offers certificates of almost any kind: class 1 for casual Internet users and qualified certificates for legal transactions; certificates for encryption; certificates for use in a company to identify users of a local net; certificates for servers, etc. Recently (August 1, 2003) a certificate for all internauts accessing Internet via Polish national telekom TPSA was offered. In fact, Signet is a CA of TPInternet, an Internet service provider owned by TPSA. While this certificate is not a qulified one, and legally cannot be used to sign documents, one may hope that its wide availability will raise the public awareness of the existing technology.

7 Signet also offers certificates for companies which want to apply public key infrastructure for their internal use, e.g., for signing documents internally, for control access, etc. Certificates offered for companies can be taylored for particular needs. 3 Europe and Poland As already mentioned, the first European country adopting electronic signature law was Germany. The other are: Austria, the United Kingdom, Ireland, Denmark, Sweden,.... The list is not exhaustive. There are some similarities among European statutes and some differences. E.g., the Austrian bill introduces the notion of a supervising body (Telekom- Control-Kommission) which monitors certificate providers. It is not a root of PKI in a strict technical sense as it does not issue certificates for providers, like the Polish bill requires. However, Telekom-Control will keep a register of certificates of these providers, which serves the purpose. Also, as mentioned earlier, it seems that the Polish bill requires that a certificate issuer, before being accepted as qualified, undergoes a procedure which is effectively equivalent to accreditation in the Austrian bill, and which is optional only there. Unfortunately, the Polish bill does not use the term accreditation at all, thus putting the Polish certificates somehow in a weaker position than the European ones they are as good as made by accredited providers in Europe, but they are not recognized as such. 4 Conclusions As a conclusion we allow ourselves to utter a few opionions of the current status of electronic signature in Poland. It seems that currently we have all the infrastructure we need we have a law making electronic signature not only a toy for computer nerds, we have certificate issuers, making certificates available to the public. Yet, electronic signatures are not as popular as plastic money or mobile phones are, though the latter ones exists only since a few years, too. A question arises why is it so and what are the perspectives? I think there are a few reasons. One is time. The technology is really new, only 2 3 years, not 5 10 years old. E.g., only from July 1, 2003, we have a statute regulating the way citizens may communicate with governmental administration electronically. Without such a statute even if an electronic document signed electronicaly is considered equivalent to a paper document with handwritten signature, still a particular officer does not know how to handle it. It really takes some time for many to understand that electronic documents are much, much easier to handle and as safe and as valid, and as tangible as the paper ones. Understanding is not enough, the wide use of computers and network is neccessary. The other reason why electronic signatures are not widely used is probably the price of certificates. The first users have to pay the price to start the system.

8 And there is no immediate gain in having a certificate if almost nobody uses this technology. The only way to change this situations seems to be providing certificates to a great number of people. This is precisely what Signet does recently. The other reason why electronic signatures are not widely used is, in my opinion, legislation concerning banks. Until recently banks have disclosed little interests in the use of electronic signature. They have their own legislation, specific for banks, which allows for other ways to authenticate users and authorize transations on-line. These ways are much weaker just giving a credit card number known, by definition, widely is enough to commit a transaction. Under this legislation no wonder banks were not interested in a more complex infrastructure. A new bill limits responsibility of users for transactions authorized in this way. So again, chances are that the use of electronic signature will be considered soon as a reasonable way of authorization. 5 Sources of information The most important single book containing a lot of materials on algorithms used in cryptography and also a source of bibliographical data is [1]. Diffie and Hellman published his idea first in an article [2]. Rivest, Shamir and Adleman published his idea if the implementation of public key cryptosystem in [3], it has been patented, cf. [4]. American National Standard Institute published a lot o standards concerning cryptography, e.g., [5] defines other than RSA implementation of digital signature while [6] defines a hash function (message digest) that have to be a part of the algorithm. The same Institute published also its standards based on RSA too, ANSI X.91. The most popular standard concerning the format of certificates, CRL, directories etc. is X.509, by International Telecommunication Union. It is available e.g., as [7]. However, the format is not new, it evolves, currently version 3 is in use, hence the European Electronic Signature Standarization Initiative publishes new technical standards as e.g., [8]. The European Parliament and Council publish its directives, among them the directive on electronic signature [9], Polish implementation of the directive has been published in two years later, cf. [10]. References 1. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography. CRC Press, W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, 22 (1976), pp R. L. Rivest, A. Shamir, and L. M. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, 21 (1978), R. L. Rivest, A. Shamir, and L. M. Adleman, Cryptographic communications system and method, U.S. Patent #4,405,829, 20 Sep 1983.

9 5. ANSI X9.30 (PART 1), American National Standard for Financial Services Public key cryptography using irreversible algorithms for the financial services industry, Part 1: The digital signature algorithm (DSA), ASC X9 Secretariat American Bankers Association, ANSI X9.30 (PART 2), American National Standard for Financial Services Public key cryptography using irreversible algorithms for the financial services industry, Part 2: The secure hash algorithm (SHA), ASC X9 Secretariat American Bankers Association, R. Housley, W. Ford, W. Polk, and D. Solo Request for Comments: 2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile ftp://ftp.isi.edu/ in-notes/rfc2459.txt, Qualified Certificate Profile, EESSI, TS v.1.2.1, Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, Official Journal of the European Communities L 13/ Ustawa z dnia 18 wrzesnia 2001 r. o podpisie elektronicznym, Dz.U nr 130 poz