A primer on digital signatures and Malaysia's digital signatures act 1997

D i g i t a l S i g n a t u r e s - II

DIGITAL SIGNATURES --I I A PRIMER ON DIGITAL SIGNATURES AND MALAYSIA'S DIGITAL SIGNATURES ACT 1997

John Chong

Digital signature legislation belongs to a genre of new laws that attempt to regulate and facilitate the information age. Although digital signatures and cryptography are a several-decades-old area of applied mathematics, they are only now receiving legal attention.To many legal professionals, digital signatures are like some arcane technological wizardry - - capable of wondrous feats, yet little understood. This article seeks to demystify digital signatures and introduce the reader to its underlying cryptographic concepts as well as the numerous associated nomenclature. A brief discussion of digital signature legislation in the context of Malaysia's Digital Signatures Act 1997 follows thereafter.

INTRODUCTION

Cryptography (from the Greek 'krypt6s graphia', meaning 'hidden writing') is generally defined as the art and science of keeping messages secure)This is achieved through the transformation of ordinarily readable words, known as 'plaintext' or 'cleartext', into an encoded form, also called 'ciphertext ' or 'codetext' , via the process of 'encryption' . The transformed and encrypted message is commonly referred to as a 'cryptogram'.2

Only a person with the correct 'cipher key' can recover the original plaintext from the cryptogram. In certain encryption mechanisms both the encryption and decryption are performed with the same key, while for other mechanisms different keys are used to encrypt and decrypt the message. 'Cryptanalysis' is the study of breaking or compromising cryptographic mechanisms, and 'cryptology' is the discipline of cryptography and cryptanalysis combined. 3 A 'cryptosys- tern' describes the computer hardware and software framework that utilizes and encapsulates a part icular cryptographic method.

As a tool cryptography is primarily used by governments to keep military and diplomatic communications secure. Cryptography has served this role since the time of the Romans. 4 In more recent history examples of applied cryptography include Abraham Lincoln's Civil War ciphers and the German Enigma machine of World War II. Cryptography is also applied in more mundane situations. For example, as a means for couples to exchange secret love notes, which in one fictional adventure took no less a sleuth than Sherlock Holmes to decipher, s

Businesses have also resorted to cryptography to safeguard commercial exchanges and transactions, the stakes in corporate espionage being no less than in military intelli- gence. In fact, electronic commerce, the next 'big thing' on the Internet, (' has in recent years been a prime mover in the development of cryptography. 7 Moreover, with information

being heralded as the new currency of the coming millenni- um the place o f cryptography is assured and its role looms ever larger.

CRYPTOGRAPHIC METHODS

Cryptography may be broadly classified into two variants.The first, know n popularly as 'private key cryptography' , 8 involves the use of one and the same key to encrypt and decrypt the message (see Figure/).This necessarily involves sharing of the key between the parties to the communication. Because the key must be kept secret, finding a way to share it without anyone else finding out is the major concern of public key cryptography. If the sender and receiver are able to meet in person in a secure location there is no problem. The problem surfaces when the sender and receiver are physically apart - - they must trust a courier, or a phone system, or some other transmission medium to prevent the exposure of the secret key, otherwise anyone who intercepts the key in transit can later read, modify and forge all messages encrypted or authenticated using that key. Hence, the security of a private key cryptosystem depends largely on how safely the key is managed.

T

Figure 1: Private Key~Symmetric Cryptography.

322 Computer Law & Security Report Vol. 14 no. 5 1998 0267 3649/98/$19.00 © 1998 Elsevier Science Ltd. All rights reserved

D i g i t a l S i g n a t u r e s - - II

Sender's Private

t

Sen~f's Public Key

Figure 2." Public Key/Asymmetric Cryptography

The generation, transmission and storage of keys is called 'key management ' ; all cryptosystems must deal with key management issues. 9 Because all keys in a private key cryptosystem should and must remain secret, such a system is flawed in that the management of the key is inherently compromised. This becomes apparent when using a private key cryptosys- ten] in an 'open ' system l° with a many-to-many architecture such as the lnternet. A widely distr ibuted piece of confiden- tial communicat ion could involve ei ther (a) many parties being privy to the 'secret ' key or (b) many keys being used, one for each different sender-receiver pair. None of these sce- narios is feasible where security and efficiency are priorities.

Enter 'public key cryptography ' , l l a concept introduced in 1976 by Whitfield Diffie and Martin Hellman in order to solve the key management p r o b l e m ) 2 In a public key cryptosystem everyone has two mathematically related comple- mentary keys, the public key and the private key (known collectively as a 'key pair ') . Each key unlocks the code that the o ther key makes (see Figure 2).The key pair is designed such that knowing the public key does not help you deduce the corresponding private key. In this way, although many people may know the sender 's public key and use it to deci- phe r messages encrypted with his private key, they cannot derive the sender 's private key and use it to forge messages using his identity.This is referred to as the principle of ' i r re- versibility'. ~3

Hence, the public key may be publ ished and disseminated whilst the private key is kept secret. It is no longer necessary for the sender and receiver to put their trust in a communications channel nor to share secret information.Another major advantage of public key cryptography is that it enables the use of digital signatures, as explained further below.

Nevertheless, both private and public key cryptography each have their respective roles to play; in some circumstances the latter is not necessary and the former alone is suf- ficient. Private key cryptography will function effectively in environments where key management is secure, for example where users are able to meet in person privately or in a single-user scenario. In general, public key cryptography is best suited for an open multi-user environment.~4 Public-key cryp-

tography is not meant to replace secret-key cryptography, but rather to supplement it, to make it more secure.

Algorithms Although cryptographic techniques are categor ized into the publ ic and private key varieties, each c ryp tosys tem within those categories will differ in its execut ion of the encryption and decryp t ion process .The mathematical set of rules or p rocedure appl ied for this pu rpose is known as the 'algo- r i thm'. Each algori thm is unique in its approach to generat- ing keys and enc ryp t ing /dec ryp t ing data, and as such exhibi t varying degrees of s trengths and weaknesses . Some of the be t te r known algori thms in use today include RSA, Diffie-Hellman, DSA and EI-Gamal (for publ ic key cryptosystems); and DES, 3DES, CAST, RC4, RC5 and IDEA (for private key cryptosystems) .

Security The impenetrabil i ty of any cryptosystem is largely a function of mathematical difficulty and probabil i ty ~s - - the greater the number of combinat ions and permutat ions presented by the algorithm, the harder it is to fred the one key that will open it.

In private key cryptography, the number of combinat ions or 'key space' presented is de termined by the 'key length' used in the algorithm, a measurement typically expressed in bits. Being a binary expression, every bit represents two possible combinat ions and each additional bit in the key length cumulatively doubles the possible combinations. For exam- pie, a key length of say 10 bits means that there are 2 m or 1024 possible combinations. Finding the correct key in a private key algorithm, like DES or RC5, is usually a matter of try- ing all of the possible keys until the correct one is found.This approach is called an 'exhaustive key search attack' or more commonly, a 'brute force a t tack ' )6To defeat such an attack, a private key cryptosystem should have a long enough key length (resulting in a vast number of combinat ions) to make it computat ionally infeasible to find the correct key.

Public key cryptography on the other hand relies on a different mathematical challenge to secure the cryptosystem. Using RSA as an example, the challenge lies in the 'factoring problem'.~7 Very briefly, in RSA the user randomly generates two large pr ime numbers, denoted 'p ' and 'q'. These pr ime numbers are multiplied to form the 'modulus ' , ~ i .e. 'p * q = n'. Essentially the public key is 'n' , the private key is 'p ' and 'q'. If one could factor 'n ' into 'p ' and 'q', then one could obtain the private key. 'Factoring' is descr ibed in RSA's Cryptography FAQ 19 as "the act of splitting an integer into a set of smaller integers '(factors) ' which, when mult ipl ied together, form the original integer".As an example, the factors of 143 are 11 and 13; the factoring problem is to find 11 and 13 when given 143.To complicate cryptanalysis, the RSA algorithm relies on 'pr ime factorization', a method of factoring that requires splitting an integer into factors that are 'pr ime numbers '2° - - every integer has a unique pr ime factorization. Multiplying two prime integers together is easy, factoring the product is much more difficult. By selecting a very long modulus (say a key length of 1024 bits which is equal to a 308 digit number), 21 the mathematical probabil i ty of finding the pr ime factors becomes vanishingly low. 22

Computer Law & Security Report Vol. 14 no. 5 1998 323 0267 3649/98/$19.00 © 1998 Elsevier Science Ltd. All rights reserved


The key length of any particular algorithm is normally fixed, although man)' current algorithms are flexible enough to support variable key lengths. Determining the appropri- ate key length to use is an important question in cryptography since the unbreakabi l i ty of the c ryptosys tem is dependent on it. The United States Government considers 'strong' encrypt ion as symmetric algorithms at key lengths over 40 bits and asymmetric algorithms at key lengths over 512 bits, which can be referred to as '40/512 cryptography'. z3 With the power of comput ing today cryptanalysts would disagree.

Using symmetric cryptography as an example, this was demonstrated in January 1997 when Ian Goldberg, a universi- ty graduate student, managed to crack a message encrypted with the 40-bit RC5 algorithm. 24 The feat was accomplished in 210 minutes using the harnessed power of 259 computers and workstations. 2s Later that same year in June, headlines were made when DES fell.

The Data Encryption Standard (DES) is the official secret key algorithm of the American Government. Introduced in 1977, it is used not only by the state, but also by the banking and financial community of the United States.Thought to be secure for over 20 years, DES was defeated by a team (code- named DESCHALL) led by Rocke Verser. z6 The DESCHALL team comprised tens of thousands of volunteer computers from industry, universities, government and individuals linked through the Internet. The equipment volunteered ranged from the largest workstations to modest PCs. Even then, it took the team almost 140 days to crack DES, which has 72 quadrillion (7.2 x 1016) possible keys. 27 DES was cracked by another team for the second time on 26 February 1998 at a record speed of 39 days. 2s

With special cryptanalytic machines, DES could be even more vulnerable. In 1993, MichaelWiener put forward a design for a dedicated DES cracking machine which could find a DES key in, on average, 3.5 hours. 29 The cost of such a device: US$1.5 million; 3° easily within the reach of many organizations and governments. Due to the advances in technology, Wiener estimates that for the same expenditure in 1997 a machine could be built that will crack DES in 35 minutes!

Similarly, today's technology poses a threat to asymmetric cryptosystems. In 1977, Ron Rivest estimated that a 129-digit RSA key (roughly 429 bits) would take over 40 quadrillion years to factor. Instead it happened in 1994 when Atkins and Lenstra, with the help of 1600 computers around the world, managed to perform the factorization over an 8-month period.31 With an investment of US$1 million, it is estimated that a 512-bit RSA key may be factored in the same time in 1997. 32

The message is clear: 40/512 cryptography is not strong enough. The current recommendation by cryptologists is at least 80/768 cryptography. 3-~ However, the industry is already moving ahead with calls for 128-bit symmetric algorithms.As for asymmetric cryptosystems, RSA's recommended key lengths are now 768 bits for personal use, 1024 bits for corporate use and 2048 bits for extremely valuable keys like the key pair of a certifying authority. 3~

THE ROLE OF CRYPTOGRAPHY

Cryptography's role has traditionally been to preserve the pri- vacy of messages; to keep secrets hidden from prying eyes.

But today's cryptograph}, is more than secret writing, more than encryption and decryption. According to Merrill, 3s today's concept of message security involves the fulfillment of five different objectives: 1. Confidentiality - - to keep the contents of a message

secret so that the sender and receiver have the exclusive knowledge of it.

2 . Authentication - - to positively identify the origin of the message so that impersonation, known in techno-speak as spoofing, is not possible.

3. Message Integrity - - to ensure that the message has not been modified in transit, whether by innocent computer glitch or malicious tampering by third parties.

4. Non-Repudiation - - to provide assurance of the origin or delivery of data in order to protect the sender against false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent.

5. Time-Date Stamping - - the ability to accurately determine the time and date when the message was created, sent and/or received. The objectives above are not new. Business people and

lawyers in ordinary paper-based society have been applying such principles for many years in order to protect the sancti- ty of their transactions. It is now just a matter of using technological measures, such as cryptography, to achieve the same objectives in the virtual world. As commerce becomes more sophisticated, the role of cryptography in securing the information society follows accordingly. Recognizing this, the OECD defines cryptography as,"The discipline which embod- ies principles, means and methods for the transformation of data in order to hide its information content, establish its authenticity, prevent its undetected modification, prevent its repudiation, and/or prevent its unauthorized use. ''36 This is the new paradigm of cryptography and the foundation of digital signatures.

DIGITAL SIGNATURES

What is a digital signature? Conceptually, a digital signature is "any identifier or authentication technique attached to or logically associated with an electronic record that is in tended by the person using it to have the same force and effect as a manual signature". 37 In effect, a digital signature is the counterpar t of a manual signature that is used by a person to sign electronic documents.

Because the implementation of digital signatures is based largely on public key cryptography, there has been a legislative tendency to define digital signatures based on that technological background. This is the approach taken by the Malaysian statute on digital signatures, where a digital signature means:

"a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine (a) whether the transformation was created using the private

key that corresponds to the signer's public key; and (b) whether the message has been altered since the transfor-

mation was made."


Digi ta l S i g n a t u r e s - II

Such a definition views a digital signature as a specific process (a transformation) achieved by a specific method (an asymmetric cryptosystem) to achieve specific objectives (message authentication and integrity). Nevertheless, there is an object within this framework of processes, methods and objectives that the cryptographic community can pinpoint and distinctly identify as 'the' digital signature - - it is the message's 'encrypted hash result'. 38 Hash results are discussed below.

<Signed SiglD=l> To Whom It May Concern: This is to certify that John Chong is a person duly admitted into practice as an Advocate and Solicitor of the High Court of Malaya.

Registrar </Signed> <Signature SiglD=l PsnlD=regar082> 2AB3764578CC18946A29870F40198B240C D2302B2349802DE002342B212990BA5330 249CID20774C1622D39</Signature>

Figure 3:An example of a signature block.

The digital signature, as an object, can take many forms depending on the particular cryptographic software used. In many instances, it is automatically generated by the software in a transparent process that is invisible to the user. In other implementat ions the digital signature will appear as a 'signature block', 39 which is normally appended to the end of a message (see Figure 3).The signature block is the clos- est thing to a physically visible manifestation of the digital signature.

Hash functions Hash functions are an integral part of the digital signature framework, within which they play the role of ensuring the integrity of the message. Technically speaking, a 'hash function or message digest algorithm' is an algorithm 4o that processes the message, known also as the 'preimage', and generates a short and unique 'distillate' from it. This distillate is called the 'hash result' or 'message digest'.

Each hash result is unique to the message from which it is derived. Hash functions are designed to be 'collision resis- tant ' so that it is computationally infeasible that two uniden- tical messages can be found that produce the same hash result. 4~ Since a hash funct ion will yield the same hash result every time the algorithm is executed using the same preimage as input, any change to the message invariably pro- duces a different hash result when the same hash function is used. By comparing an independent ly generated hash result to the sender 's hash result the recipient can determine if the message has been tampered with. 42 The hash result thus serves as a digital ' f ingerprint ' that can be used to corrobo- rate the contents of a message and provide assurance that there has been no modification of the message since it was digitally signed. 43

A hash function together with the asymmetric cryptosystem form the basic components of a digital signature scheme.

How digital signatures work A diagram and commentary describing the processes and steps involved in using digital signatures appear in Figure 4.

Certification Authorities (CAs) The digital signature scheme as outl ined in Figure 4 has one weakness, that is, there is no intrinsic association be tween a particular public/private key pair to any person. When Bob downloads what is purportedly Alice's public key from a 'key server', there is no assurance that that public key really belongs to her. It is possible for an infiltrator, who we shall name Crook, to substitute his own key in place of Alice's real public key. When Bob downloads what he thinks is Alice's public key, he is actually getting a bogus key from Crook. Crook is then able to decipher messages in tended for Alice since he has the matching private key. He may even re- encrypt the message usingAlice's real public key and send it to her so that no one suspects any wrongdoing . Furthermore, Crook can frame Alice because he can make apparently good signatures from Alice with his private key because everyone will use the bogus public key to check Alice's signatures. Crook has thus in terposed himself be tween Alice and Bob in what is known as a 'middleperson attack' .44

Some convincing strategy is necessary to reliably associate a particular person or entity to the key pair. If Alice and Bob are able to meet in person and exchange public keys, there is no problem. But what if one party is out of reach or there is no reliable way of getting his/her public key? Perhaps, Bob could obtain Alice's public key from a mutually trusted friend David who knows he has a good copy ofAlice's public key. In cryptographic parlance, David would be a 'trusted third party' who is able to associate an identified person with a specific public key. 45 Such a trusted third party is commonly called a 'certification authority'.

To certify that a particular public key belongs to a particular person the certification authority will need proof of identity. When the certification authority confirms Alice's identity and her control of the requisite key pair, it will assign to Alice a 'distinguished name' (DN) 46 - - a notat ion that labels Alice uniquely in all the world so that the nomi- nal link be tween Alice and her key pair is unmistakable. 47 Subsequently, the certification authority will issue a 'digital ID', better known as a 'certificate', 48 an electronic record which identifies Alice's public key as the 'subject ' of the certificate and confirms that Alice (through her distinguished name) is the person who holds the public key and the corresponding private key. The certificate thus 'binds ' the public key to a particular person, in this caseAlice who is now a 'subscriber ' to the CA. The CA will further sign the certificate with its own private key to create a signed certificate which is then published in a ' repository '49 or made available by other means (e.g. enclosed with the message).A recipient of the certificate can use the public key listed in the certificate with reasonable certainty that it comes from the per-



How Digital Signatures Work

" i Messagel

I Hash I I Function

@

Hash Function

iii i

I with Alice's O Private Key

,I

l / Encryption ! e with Bob's i

,, Public Key j )

7777 l

Modem

Ciphertext

~Pla - ~ \ \ intext

I Message

O Alice (sender) creates a message for Bob (recipient).

O Alice then runs the message through a hash function to generate a hash result. This is called sealing the message.

O Alice then encrypts the hash result with her private key. By this process, she signs the message and the encrypted hash result is called the digital signature, which is unique to both the message and the private key used to create it. The digital signature is normally also timestamped at this point.

~) Alice then encrypts the message together with her digital signature with Bob's public key. This ensures that only Bob can decipher the package. This fulfills the objective of confidentiality.

O The encrypted package can then be sent to Bob via the Internet.

Upon receipt Bob will use his private key to decrypt the package.

O Bob will then decrypt Alice's digital signature with her public key to recover Alice's hash result. If the decryption works then Bob is assured that Alice sent the message since no one but Alice could have sealed the message with Alice's private key. Alice is also estopped from denying that she sent the message. The objective of authentication and non- repudiation is thus achieved.

Q Bob will then run the Alice's message using the same hash function as Alice to generate his own hash result.

• Lastly, Bob will compare his hash result to Alice's hash result. If the two tally then Bob can be sure that the message has not been altered in any way. This fulfills the objective of integrity.

I

Note: In executing steps O, O, and • Bob is sa id to validate or verify the digital signature.

Figure 4: How digital signatures work.


Dig i ta l S i g n a t u r e s - - II

Received from Alice

! Function j

Ciphertext [ 7777~

~pDeCryption with Bob's / rivate Keys

-1 Plainte~ Message I

Com0.re

Alice's Signed Certificate

Download.__.b~ ~ by Bob " ~

I with CA '~ Public Key)

(Oec ption- I with Alice's|

Alice's Public Key

Figure 5: Role of Certificates in Public Key CryptograptJy

son identified in the certificate (see Figure 5).The CA's certificate functions as a ' letter of introduct ion ' for users who know and trust the CA but don ' t know the entity identified by the certificate.

It is possible to have a multi-tiered 'hierarchy of trust ' where certification authorities exist at different levels. In such a structure a lower level certification authority may have its digital signature certified by a higher level certification authority, which in turn may be certified by an even higher level certification authority and so on until it reaches the top level certification authority, known as the 'root' . Instead of just having a certificate, the recipient would get a 'certificate chain' that should satisfy even the most paranoid u s c r .

Every certificate must have a time limit or validity period against which the message recipient can compare the time stamp on the digital signature.This is to ensure that the message was created during the validity period stated in the certificate. The validity period is a safeguard against situations where the digital signature becomes compromised or invalid. For instance, it sometimes happens that the connec- t ion be tween the person and the key as stated in a certificate may be broken - - the subscriber loses control of the private key, or when the key belongs to a job in an organization that the person no longer holds. In such situations the certificate is no longer reliable and may be temporarily 'suspended ' or pe rmanen t ly ' revoked' by the certification

authority. Immediately upon the suspension or revocation of a certificate, a notice to that effect must be published on a 'certificate revocation list' (CRL) either by the certification authority or the subscriber.The signature verification proce- dure should check that the message was signed when the signature was in effect by reference to the certificate and/or the CRL.

Certificates and certification authorities are the final com- ponent which together with the asymmetric cryptosystem and hash algorithm make up the complete digital signature scheme.

THE DIGITAL SIGNATURES ACT 1997

With the enactment of the Digital Signatures Act 1997 (DSA) 5° on 30 June 1997 Malaysia became the first nation in South East Asia, and amongst the first few countries in the world, 5~ to have legislation dealing with digital signatures. The DSA is part of a larger legislative initiative known infor- mally as the 'Cyberlaws' whose objective is to enable and encourage electronic conmmrce and provide intellectual property protection for the digital age. The DSA adopts the prescriptive approach 52 to law making and is based substan- tially on the Utah Digital Signature Act, Utah Code ~46-3-101 et seq of 1996. 53

The DSA itself is targeted at promoting electronic commerce in Malaysia through the use of digital signatures to


Dig i ta l S i g n a t u r e s - II

/1, Subscribers ~ Subscribers

Subscribers

Figure 6.'Hierarchy of Trust.

enhance the security of electronic transactions. The most important developments introduced by it are: • the legal definition of a digital signature • the legal recognition of electronic documents signed by a

digital signature • the mandatory use of digital signatures for certain elec-

tronic documents • the establishment of licensed certification authorities • the statutory warranties and duties imposed on certifica-

tion authorities and subscribers in relation to digital signatures

• the distribution and apport ionment of liability for digital signature fraud On the policy front, the Malaysian Government imposes

few roadblocks on the use of digital signatures and encryp- t ion.There are no import or expor t restrictions on cryptographic software, nor is c ryp tography cons ide red a restricted dual-use good (that is, goods that can be used both for a military and for a civil purpose) under the Wassenaar Ar rangement on Expor t Controls for Conventional Arms and Dual-Use Goods and Technologies. Subscribers will also note that the DSA does not mandate key escrow - - which is an important factor in promot ing the widesp read use of digital signatures. It is likely that Malaysia will fo l low the OECD Guidel ines on Cryptography, which generally favour unhindered legal use of cryptography.

Digital Signatures under the DSA As earlier mentioned, the DSA adopts a very specific definition of digital signatures - - in Malaysia, a digital signature compris- es the asymmetric cryptosystem and not any other technological solution. This approach has its share of critics, who feel that "it is foolish to legislatively enshrine public key cryptography as the only technology capable of authenticating an electronic document", s4 Members of the Malaysian parliamentary opposition have also expressed the view that the DSA should have been technology neutral in order to cater for other inno- vations, such as 'biometrics',Ss that can achieve the same goals as public key cryptography. Nevertheless, at the current state- of-play public key cryptography is one of the most viable solu- tions for digital signatures - - it has been extensively tested and peer reviewed, it is mathematically sound, easily available, cost-effective and transportable.

The primary objective of the DSA is to provide for the legal recognition of digital signatures. Since 1993, s6 the Malaysian courts have admitted as evidence documents produced by a computer. For the avoidance of doubt, the DSA makes it clear that a digitally signed message is deemed to be a written document. s7 However, prior to the DSA there was no provision as to the legally binding nature of such documents nor the recognition of the validity of electronic documents where it must be signed by hand under this law.The DSA remedies this situation in two main sections namely section 62(2) and section 64(1). The former reads:

"Notwithstanding any writ ten law to the contrary: (a) a document signed with a digital signature in accordance

with this Act shall be as legally binding as a document signed with a handwritten signature, an affixed thumb- print or any other mark; and

CO) a digital signature created in accordance with this Act shall be deemed to be a legally binding signature." The latter states: ?A [digital] message shall be as valid, enforceable and

effective as if it has been writ ten on paper if: (a) it bears in its entirety a digital signature; and (b) that digital signature is verified by the public key listed in

a certificate which: (i) was issued by a licensed certification authority; and (ii) was valid at the time the digital signature was created." Moreover, where a rule of law requires a signature or pro-

vides for certain consequences in the absence of a signature, that rule shall be satisfied by a digital signature, if (a) the digital signature is verified by a valid certificate issued by a licensed certification authority, Co) the digital signature was affixed by the signer with the intention of signing the message; and (c) the recipient has knowledge or notice that the signer has breached a duty as a subscriber or does not rightfully hold the private key used to affix the digital signature, s~

Certification Authorities under the DSA Certification authorities play an essential role in the digital signature scheme envisioned by the DSA. For a digital signature to enjoy the status conferred by the DSA it must be certified by a certification authority; not just any certification authority but a licensed one. Moreover, all certification authorities must be licensed - - the DSA makes this mandatory. 59 In fact, it is an offence (punishable by a free of up to RM500 000 or to impris-

328 Computer Law & Security Report Vol, 14 no. 5 1998 0267 3649/98/$19.00 © 1998 Elsevier Science Ltd. All rights reserved


onment for up to 10 years or both) to operate or hold oneself out as a certification authority when no licence has been obtained.6°There is one situation where an unlicensed certification authority may operate, that is, if it has been exempted from the licensing requirement as provided by the DSA. 61

Licences may be obtained from the Controller of Certification Authorities, 62 the agency responsible for moni- toring and overseeing the activities, and determining the com- petency of certification authorities in Malaysia. There was an unconfirmed report that the Controller would be the Postal Service Department; 63 this is likely to change with the pro- posed establishment of a specialized multimedia authority. To date, the qualification requirements for certification authorities have not been specified. It should be noted that the DSA allows the Controller to recognize, by way of an order published in the Gazette, foreign certification authorities licensed or authorized by governmental entities outside Malaysia. 64 Such recognized foreign certification authorities and the certificates they issue enjoy all the benefits of the DSA.

Mthough licensing is generally mandatory, it does not mean that a certificate issued by an unlicensed certification authority is invalid.As stated in the explanatory statement to the DSA,"a digital signature may nevertheless be reliable and legally valid if verified by a certificate issued by an unlicensed cert if ication authori ty or wi thout verification at all". However, in such cases neither the liability limits in Chapter 8 nor Part V of the DSA shall apply. 6s The licensing requirements under the DSA shall not affect the effectiveness, enforceability or validity of any digital signature, unless otherwise contracted by the parties. 66 This implies that if an unlicensed certification authority is used, the validity of the digital signature is not deemed under the DSA and must be given recognition in a contract.

A reading of the DSA suggests that a flat hierarchy of trust model will apply in Malaysia. The DSA does not expressly cater for more than one level of certification authorities and the Controller has neither the power nor duty to certify certification authorities down the line.

Repositories A repository is the entity that manages certificates after they are issued by the certification authority.A certification authority may also act as a repository rather than it being a separate organization. A repository may act as depot or distribution point for certificates, but its main function is to keep the certificate suspension and revocation lists.

Under the DSA, repositories are given a grace period of one day to update the certificate suspension and revocation lists from the time notice is given that a certificate has been suspended or revoked. Failure to perform timely updates can expose the repository to liability. If a loss occurred (arising out of the misuse of a suspended or revoked certificate) more than one business day after receipt of a request to publish a notice of suspension or revocation and the repository failed to make such a publication, it will be liable for that loss.67This liability cannot be disclaimed but is capped by the reliance limit of the relevant certificate. 68 In any event, a repository is not liable for punitive or exemplary damages or damages for pain of suffering or for misrepresentation in a certificate published by a certification authority. 69

A repository does not need to be licensed but merely'recognized' by the Controller. TM

Duties and Obligations under the DSA Equally as important as the legal recognition of digital signatures are the duties and obligations imposed by the DSA on the participants of a digital signature scheme.These encumbrances are directed towards and distributed amongst the three main groups: the certification authorities, the subscribers and the persons who rely on the digital signature.

The major eno~mbrances upon a certification authority: 1. The most important function of a certification authority is

to provide assurance of the identity of the owner of a key pair. In order to enforce this the DSA prescribes a strin- gent standard for the issuance of digital certificates. In general, the certification authority has a duty to take all reasonable measures to check for proper identification of the subscriber to be listed in the certificate. 71 More specifically, the process of applying for a certificate starts with a signed request by the prospective subscriber. 72 Thereafter, before a certificate can be issued, the certification authority is required to confirm the following particulars: 73 i) that the prospective subscriber is the person to be

listed in the certificate; ii) that the information in the certificate to be issued is

accurate; iii) that the subscriber rightfully holds the private key cor-

responding to the public key listed in the certificate; iv) that the subscriber holds a private key capable of

creating a digital signature; and v) that the public key to be listed in the certificate can

be used to verify the digital signature held by the subscriber.

The precise method of confirming the above particulars, especially of identity, is not known but it is expected that all applicants must submit proof of identity. 74 If necessary, the certification authority may require the prospective subscriber to certify the accuracy of the relevant information under oath or affirmation. 75 It is also very likely that the applicant has to appear in person. Lastly, upon the issuance of a certificate the certification authority must cause the application for the certificate to be certified by a notary public. 76

2. The act of issuing a certificate amounts to a statutory representation that: 77 i) the information in the certificate and listed as con-

firmed by the licensed CA is accurate; ii) all information foreseeably material to the reliability

of the certificate is stated within the certificate; iii) the subscriber has accepted the certificate; and iv) the licensed CA has complied with all applicable

laws governing the issuance of the certificate. 3. The certification authority's operations must be audited at

least once a year to evaluate its compliance with the DSA. TM The audit must be performed by a certified public accountant having expertise in computer security or an accredited computer security professional. 79



4. The certification authority has to use a ' trustworthy system' for the maintenance and processing of certificates and its own private key. ~° A trustworthy system means computer hardware and software which are reasonably secure from intrusion and misuse; provide a reasonable level of availabil- ity, reliability and correct operation; and are reasonably suited to performing their intended functions. 81 As the above shows, the encumbrances placed upon a cer-

tification authority are quite onerous. For one, the statutory duties and representations in connect ion with confirming the correctness and accuracy of a certificate mean that a totally online, paperless application process is impossible; papers still have to be filed and notarized; the applicant may have to visit the certification authority.Aside from increasing processing time and cost, the requirements of the DSA also mean that only select classes of certificates may be issued.

It has been the practice of some certification authorities to issue certif icates of different classes. For example, Verisign Inc. 82 issues three types of certificates: a Class l certificate is issued simply upon E-mail request wi thout further proof; a Class 2 certificate on the other hand requires third party proofing of name, address and other personal information (e.g. notarized copies of passport or driver's l icence); to obtain a Class 3 certificate, the subscriber must appear in person in addition to presenting notarized cre- dentials. INTRUST, s3 Malaysia's pilot certification authority, follows a similar certificate classification. Based on the requirements of the DSA, it would appear that at the minimum only Class 2 (and more likely Class 3) certificates can be granted.

Lastly, another side effect of the identification requirements is that certification authorities who intend to have Malaysian subscribers will have to have a presence in the country, otherwise it would not be viable to accept applica- tions where the applicant has to appear personally.

The major enctmlbrances upon a subscriber: 1. To exercise reasonable care to retain control of the pri-

vate key and prevent its disclosure to any person not authorized to create the subscriber's digital signature. 84

2. To only use a trustworthy system to create a private key. 8s 3. By accepting a certificate issued by a licensed CA, the sub-

scriber certifies to all who reasonably rely on the certificate that: 86 • the subscriber rightfully holds the private key corm-

sponding to the public key listed in the certificate; • that all representations made by the subscriber to

the licensed certification authority and made in the certificate are true; and

• that all representations made by the subscriber to the licensed certification authority or made in the certificate and not confirmed by the licensed CA are true.

4. Implied duty to tell the truth.The obligation of providing true information is underscored by the penalty - - a person who makes, signs or furnishes any declaration, return, certificate, or other document or information required under the DSA which is untrue, inaccurate or misleading in any particular commits and offence and shall on con- viction, be liable to a fine of up to RM500 000 or to maximum 10 year jail sentence or both. 87

The major encumbrances upon a recipient: 1. The primary encumbrance upon a recipient is that he

assumes the risk that a digital signature is forged if reliance on the digital signature is not reasonable under the circumstances. 88 Knowledge is the key element in Whether the recipient assumes this risk and the rules relating to constructive knowledge and reckless indiffer- ence are likely to be relevant. It is important to note that this assumption of risk may be excluded by contract.

2. If the recipient chooses not to rely on a digital signature he has a duty to notify the signer of his choice and the grounds fbr the choice. 89

Distribution of Liability under the DSA The question of liability for digital signature fraud, negligence or misuse is a sensitive one. Since digital signatures have only come to the public eye recently, there is understandably a lot of concern about their potential abuse and misuse, and about who should bear the burden or risk of such dangers.The DSA attempts to bring some order to this vexed question by laying down rules for the apport ionment of liability.

As a start, the DSA requires the certification authority to place a reliance limit on each issued certificate. 9° The reliance limit caps the liability of the certification authority in respect of transactions executed with that certificate where there is a loss occasioned by a misrepresentat ion contained in the certificate of any fact that the certification authority is required to confirm or if the certification authority fails to comply with the duties of issuing a certificate. 91 The reliance limit is, therefore, the maximum exposure of the certification authority where it is negligent. On the users' side, the reliance limit is a recommendat ion that a person rely on the certificate only to the extent that the total amount at risk does not exceed it.

If the certification authority had complied with the requirements of the DSA, then it is not liable at all for any loss caused by reliance on a forged or false digital signature. 92 The certification authority is not in any event liable for punitive or exemplary damages or damages for pain or suffering. 93

Furthermore, certification authorities have a second layer of protection in the form of an indemnity from its subscribers. By accepting a certificate the subscriber undertakes to indem- nify the certification authority for any loss or damage caused by issuance or publication of the certificate in reliance on (a) a false and material misrepresentation of fact by the subscriber or (b) the failure by the subscriber to disclose a material fact if the representation or failure to disclose was made with intent to deceive or with negligence. 94 This indemnity cannot be disclaimed or contractually limited in scope. 9s

Essentially, the DSA adopts a very protectionist attitude towards the certification authority. The bulk of the liability and responsibility is shunted to the subscriber.

Outstanding Issues The DSA, like many of its counterparts around the world, remains an incomplete piece of legislation.The DSA does an admirable job of setting out the legal framework but does not at the moment address any technical issues.Yet, the technical issues must be resolved before a digital signature scheme can



be fully operational. Like many areas of technology today, digital signatures work best when they are interoperable and conform to the same standards.The following is a brief list of issues that warrant some guidance:

1. Digital Signature specifications The DSA only requires that an asymmetric cryptosystem be used, but does not specify the actual algorithm. The algorithm should remain unspecified to allow for new cre- ations and so as not to have a statutory monopoly for any" single algorithm. Yet, different cryptosystems should be interoperable to provide a simplified and consistent use of digital signatures.The government could study the IEEE P1363: Standard Specifications For Public-Key Cryptography. 96 The DSA does not specify a minimum key length.The key length is an important consideration because it will determine the security/unbreakability of the digital signature. To ensure that digital signatures remain secure against intrusion, minimum key lengths should be recommended. Such recommendations should be periodically reviewed to compensate for the increase in computing power.

2. Certification Authorities There are presently no rules as to who can become a certification authority or what criteria must be satisfied in order to obtain a licence. Equally unknown are what £man- cial incentives are given to certification authorities or whether there is any prescribed schedule of charges for their services.

3. Certificate specifications Certificates should also follow a standard format, for example the ITU-T X.509 recommendation, to allow different cryptosystems to accept and verify the certificates. Adhering to a particular standard also allows certification authorities to be certain of the kind of information they have to check for and put into a certificate.

4. Trustworthy System Both subscribers and certification authorities have to uti- lize a trustworthy system in the creation and management of their digital signatures.Although the term 'trustworthy system' is defined in the DSA, the definition is a very broad one and does not in practice offer any concrete guidance on how to build or evaluate a secure computer system.A

suggested source of such information is the publication entitled Trusted Computer System Evaluation Criteria (popularly called the 'Orange Book'), followed by Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria (popularly called the 'Red Book') which provides supplemental information for security over networks. Both books are published by the United States Department of Defence and they offer a four-step security ranking classification. It has been the practice of some American corporations to use the Orange & Red Book standards in evaluating their systems for trustwor- thiness. It is expected that a trustworthy system will require a sub- stantial investment in hardware and software. Herein lies one of the problems with the DSA - - it does not distin- guish between a subscriber and a certification authority; there is no accounting for the fact that a subscriber does not have the expertise or resources to build a trustworthy system equal to one built by the certification authority. The DSA should expect a lower standard from subscribers.

CONCLUSION

The DSA is a step forward in Malaysia's goal of enabl ing E-commerce. By laying down the legal foundation of digital signatures, the DSA paves the way for building an onl ine commercial community. However, the work of the DSA is incomplete and there are still many areas to address, in particular the harmonizat ion of standards both domestically and internationally, to ensure that E-commerce is truly borderless.

Yet, the ultimate success of digital signatures and E-commerce lies in the willingness of the public to use them.To this end, the public must come to understand the commercial, legal and technological basis of digital signatures and over- come their fears and concerns.This way, the full potential of digital signatures may be realized.

John Chong Intellectual Property Department Skrine & Co. Kuala Lumpur © 1998 John Chong

Footnotes lB. Schneier, Applied Cryptography." Protocols, Algorithms and Source Code in C, Wiley (1994). 2D. Russell and G.T Gangemi St., 'Encryption' in Computer Security Basics, O'Reilly &Assocites (1991). 3RSA Data Security Inc., Answers to Frequently Asked Questions About Today's Cryptography ver 3.0, p. 12. 4Civilian use of cryptography dates back to 1900 BC. For a brief history of cryptographic milestones see the Cryptography Timeline at h t tp : / /www.c la rk .ne t /pub / cme/html/timeline.html. 5In the Adventure o f the Dancing Men byA.C. Doyle. ('Electronic commerce encapsulates many aspects: online shopping & purchases, business-to-business transactions, Web advertising, electronic communication, electronic bill presentment, electronic banking, electronic securities trad-

ing, electronic initial public offerings (e-lPOs), etc. Figures from the Internet Advertising Bureau show that close to US$1 billion was spent on Web advertising in 1997 (NUA Internet Survey, 2 February 1998), whilst NUA estimated that total online sales for 1997 was in the region of US$8-10 billion (NUA Review of 1997). NUA surveys can be found at http://www.nua.ie/surveys. 7A study by Frost & Sullivan revealed that the greatest concern in the E-commerce market is for the security of the transactions (NUA Intemet Surveys, May 1997). 8Also known as 'secret key-, single key-, symmetric'- or just 'conventional cryptography'. 9Ihidn. 3,p. 17. mAn open system is one in which participation is not restricted. ~lAlso known as 'dual key'- or 'asymmetric cryptography'.



12First disclosed in the landmark paper: W. Diffie and M.E. Helhnan, "New Direct ions in Cryptography" in IEEE Transactions on Information Theory, IT-22 November 1976. 13American Bar Association, Digital Signature Guidelines, (1996), p. 11. l qb id n. 3,p. 19 lSSecurity also depends on the effectiveness of the algorithm. However, everything being equal, the longer the key length the more secure the algorithm. 16M.J. Wiener, 'Efficient DES Key Search - - An Update ' in Cryptobytes, (1997)Vol. 3, No. 2, p. 6. 17Other well known public key algorithms such as EIGamal and Diffie-Hellman depend on the intractability of the 'dis- crete logarithm problem' to deter cryptanalysis. 18In public key cryptography, the key/key length is also known as the modulus. 191bid n. 3, p. 51. 2°Prime numbers are numbers that are divisible only by themselves and one, such as 2, 3, 5, 7, 11, 13 .... 21A 1024-bit RSA key has a modulus n such that 2 I°23 <= n < 21024. Since 21024 is 1.8... x 103°8, a 1024-bit RSA key has a modulus which has 308 decimal digits.Thanks to Ray Sidney of RSA Laboratories for the tip. 22For any given key length, it is easier to crack a public key cryptosystem than a private key one.This is because in the former the attacker needs only to find the pr ime factors of the key, whereas in the latter the attacker has to search through each value in the key space.To compensate for this, longer key lengths are chosen for public key cryptosystems. 23RSA Data Security Inc., Answers to Frequently Asked Questions about Cryptography Export Laws, (1996), p. 4. 24Equal to a 1.1 trillion key space. 25G. Caronni and M. Robshaw, 'How Exhausting is Exhaustive Search?' in Cryptobytes, (1997)Vol. 2, No. 3. 26See: Government Encryption Standard DES Takes a Fall at h t tp : / /www.rsa .com/des . 27DES uses a 56-bit key, resulting in 256 or 72 quadrillion keys. 2UPress release from RSA Data Securi ty Inc. at h t tp : / /www.rsa .com/pressbox/html /980226.html 29Ibid n. 16. 3°Including par ts /hardware and development cost. 3lA. M. Odlyzko, 'The future of Integer Factorization' , Cryptobytes, (1995)Vol. 1, No. 2, p. 6. 32Ibid n. 3, p. 26. 331bid n. 23, p. 6. 34Ibid n. 3, p. 26. 35C.R. Merrill, 'A Cryptography Primer' in The Internet and Business:A Lawyer's Guide to the Emerging Legal Issues, Compute r Law Associates (1996). Online vers ion at ht tp : / /cla.org/RuhBook/chp2.htm. 360ECD's Annex to Guidelines for Cryptographic Policy found at h t tp : / /www.oecd.org/ds t i / iccp/crypto_e .h tml . 37From the def ini t ion of ' e lec t ron ic s ignature ' in Massachusetts Electronic Records and Signatures Act (draft dated 4 November 1997) found at ht tp: / /www.mag- net. state.ma.us/i td/legal/mersa.htm. 38Ibid n. 3, p. 18.

39Note: a signature block should not be confused with a public key block. The confusion often arises because they both look almost identical and are located at the end of the message. However, a public key block is normally identified by words to that effect. 4°Examples: RIPEMD-160, SHA-1, MD5, SHA, MD2. nRSA Labs, 'On Recent Results for MD2, MD4 and MD5' in RSA Laboratories Bulletin, (November 1996) No. 4. 42Both hash results must be generated by the same hash function for such a test to be valid. 43B. Preneel, et al., 'The Cryptographic Hash Function RIPEMD-160' in Cryptobytes, (1997) Vol. 3, No. 2. 44pGP 5.0 User Guide, pp. 96-97. 45For further reading on trusted third parties see: M. Froomkin, The Essential Role of Trusted Third Parties in Electronic" Commerce, (1996) 75 Oregon L. Rev. 49, 46A distinguished name is the string representat ion of an entity's name. It consists of a series of comma-separated 'attribute-value assertions' (AVAs). Example: uid=jchong, [email protected], cn=JohnChong, o=Skrine & Co., c=MY. 47B. Wright, Eggs in Baskets." Distributing the Risks of Electronic Signatures, (June 1995), found at h t tp : / / info- haus.com/access/by-seller/Benjamin_Wright. 48A certificate is like a driver 's license, a passport , or any other personal ID that provides generally recognized proof of a person 's identity. The ITU-T X.509 standard for digital certificates requires all certificates to contain (1) information about the user 's public key, including the algorithm used and a representat ion of the key itself; (2) the certificate's serial number; (3) the per iod during which the certificate is valid; (4) the DN of the certificate subject; (5) the DN of the CA that issued the certificate; (6) the algorithm used by the CA to create its own digital signature; (7) the CA's digital signature, obtained by hashing all of the data in the certificate together and encrypt ing it with the CA's private key. A certificate can also contain extensions, not listed here, that provide additional data used by the client or server. From: Netscape's Use o f Public-Key Cryptography at h t tp : / /developer .ne tscape .com/l ibrary/documenta t ion/sec urity/SSO/crypt.htm. 49Repositories are online databases of certificates and other information available for retrieval and use in verifying digital signatures. 5°An online version of the DSA (draft bill form) is at ht tp: / /www.cert .org.my/digi tal .html. SlOther countries which have or are planning to have digital signature legislation at a national level include Argentina, Austria, Belgium, Chile, Canada, Denmark, Finland, France, Germany, Italy, Japan, South Korea, Sweden and the United Kingdom.Although the first digital signature legislation orig- inated from the United States, this was a state-level Act. There is as yet no federal statute dealing with digital signatures in America. Sources: McBride Baker & Coles (h t tp : / /www.mbc.com/ds_sum.html) , the Digital Signature Law Survey (http:/ /cwis.kub.nl/- frw/people/hof/DS- lawsu.htm), and the Internet Law & Policy Forum (ht tp: / / www.ilpf.org/digsig/intl .htm). 52The prescriptive approach is a comprehensive effort that seeks to enable and facilitate electronic commerce with the



recognit ion of digital signatures through a specific regulato- ry and statutory framework. It establishes a detailed public key infras t ructure l icensing scheme, a l locates dut ies be tween contract ing parties, prescr ibes liability standards, and creates evidentiary presumptions and standards for signature or document authentication. From: Survey of State Electronic & Digital Signature Legislative Initiatives found at h t tp : / /www.i lpf .org/digs ig/digrep.htm. Alternatives to the prescript ive approach are the Criteria-based approach and the Signature-enabling approach. 53There are some poin ts of d ivergence be tween the Malaysian and Utah Acts; these are highlighted in N. Annamalai, Cyber Laws of Malaysia - - the Multimedia Super Corridor, [ 1997] 12 JIBL 473. 54B. Biddle, Public Key Infrastructures and Digital Signature Legislation: 10 Public Policy Questions, deliv- ered at CFP '97: Lunchtime Workshop, 12 March 1997. 55For example: fingerprint validation or retinal scans. S6Due to an amendment to the Evidence Act 1950 which in t roduced a new section 90A which reads:"In any criminal or civil proceedings a document p roduced by a compute r or a s tatement contained in such document shall be admis- sible as evidence of any fact stated therein if the document was p roduced by the compute r in the course of its ordinary use, whe the r or not the person tendering the same is the maker of such document or statement." S7s. 64(1). SSs. 62(1). 59S. 4(1). 6°ss. 4(2) and 16. 61ss. 4(3) and 4(4). Exemptions may be given to, say, a com- pany that acts an ' internal ' certification authority for its employees only. 62ss. 7 and 8. 63Reported in Shipping Times, 17 February 1998. 64s. 19(1). 6Ss. 4(6).

66s. 13(3). 67s. 69(1). 68s. 69(2)(b). 69S. 69(2)(c) and (d). 70S. 68. 71s. 6(2). However, the DSA itself does not define what "reasonable measures" are; it is expec ted to be elaborated upon in upcoming regulations. 72s. 29(1). 73s. 29(1) et seq. It is important to note that these requirements cannot be waived or disclaimed according to s. 29(2). 74For example: national identity card, driver 's l icence or passport . 7Ss. 42. 76s. 6(3). 77s. 36. 7Ss. 20(1). 7%. 20(2). S°s. 27. 81S. 2.

82Founded in May 1995 Verisign Inc. is one of the world 's premier certification authorities. For more information see: ht tp: / /www.veris ign.com. 83Web site at ht tp: / /www.mtrust .com.my. 8% 43. ~Ss. 27(2). 8%. 38. ~7s. 73. S8s. 63(1). S9s. 63(2). 9°s. 60(1). 91s.61(b). 92s. 61(a). 9~s. 61(c). 948.41(1). 9Sss. 40 and 41(3). 96http:/ /grouper. ieee.org/groups/1363/index.html.

Book Review

Telecommunications Telecommunicat ions - - Glossary of Telecommunicaton Terms, 1997, Federal Standard 1037C, soft-cover, Government Institutes, ISBN 0 86587 580 4

This document provides federal depar tments and agencies in the United States with a comprehensive source of definitions of terms used in te lecommunicat ions and directly related fields by international and US Government telecommunicat ions specialists. This n e w glossary of terms is a des ignated Federal Standard, deve loped by the Federal Telecommunicat ions Standards Committee and issued by the General ServicesAdministration in order to improve the federal acquisitions process by providing federal depar tments and agencies with a comprehensive, authoritative source of definitions. As from 3 February 1997, all federal dcpar tmcnts and agencies must use this reference as the authoritative source of definitions for terms used in preparat ion of all telecoms documentat ion.This use is mandatory.

Available fxom: Government Institutes, 4 Research Place, Rockville, MD 20850, USA; tel: +1 301 9212355 o r fax: +1 301 9210373; E-mail: #info@govinst .com; Internet: www.govinst .com.


Documents

A primer on digital signatures and Malaysia's digital signatures act 1997