M. Kutyłowski Mediated Signatures - Towards Advanced Digital Signatures Undeniability of Digital Data in Technical Qualified Signatures Validity of the and Legal Framework Signature Standard Implementation Risk Issues Reasons of Failure 1 1 Mediated Przemysław Kubiak , Mirosław Kutyłowski , Signatures 1 2 Cryptographic Anna Lauks-Dutka , Michał Tabor Description Mediated RSA Example Application Scenario Institute of Mathematics and Computer Science1, Legal Framework Wrocław University of Technology
Trusted Information Consulting2, Warsaw
LIT 2010, May 3 Outline
M. Kutyłowski 1 Advanced Digital Signatures Advanced Digital Qualified Signatures Signatures Qualified Signatures Validity of the Signature Validity of the Signature Standard Implementation Standard Implementation Risk Issues Risk Issues Reasons of Failure Reasons of Failure Mediated Signatures Cryptographic Description 2 Mediated Signatures Mediated RSA Example Cryptographic Description Application Scenario Legal Framework Mediated RSA Example Application Scenario Legal Framework Outline
M. Kutyłowski 1 Advanced Digital Signatures Advanced Digital Qualified Signatures Signatures Qualified Signatures Validity of the Signature Validity of the Signature Standard Implementation Standard Implementation Risk Issues Risk Issues Reasons of Failure Reasons of Failure Mediated Signatures Cryptographic Description 2 Mediated Signatures Mediated RSA Example Cryptographic Description Application Scenario Legal Framework Mediated RSA Example Application Scenario Legal Framework Qualified Certificate 1 certificate issuer 2 date of issue and expiration 3 ID of the certificate holder: family name: Kutyłowski given name: Mirosław personal number (PESEL): ... 4 2048 RSA public key: 0x00308187028181 . . . 5 signature of the issuer . .
The Concept of Qualified Signatures
M. Kutyłowski
Advanced Digital Signatures Qualified Signatures Validity of the signature Signature Standard creation data Implementation Risk Issues (secret key) Reasons of Failure
Mediated Signatures Cryptographic Description Mediated RSA signature Example Application Scenario verification data Legal Framework (public key) The Concept of Qualified Signatures
M. Kutyłowski Qualified Certificate Advanced Digital 1 certificate issuer Signatures Qualified Signatures Validity of the signature 2 date of issue and expiration Signature Standard creation data 3 ID of the certificate holder: Implementation Risk Issues (secret key) Reasons of Failure family name: Kutyłowski
Mediated given name: Mirosław Signatures personal number (PESEL): Cryptographic Description ... Mediated RSA signature Example Application Scenario verification data 4 2048 RSA public key: Legal Framework (public key) 0x00308187028181 . . . 5 signature of the issuer . . The Concept of Qualified Signatures
M. Kutyłowski
Advanced Digital Signatures Qualified Signatures signature digital Validity of the Signature creation data document SIGN signature Standard Implementation Risk Issues (secret key) Reasons of Failure
Mediated Signatures Cryptographic Description signature Mediated RSA validation Example verification data signature + VERIFY Application Scenario output Legal Framework (public key) document problem: the signing key can be: stolen (with a smart card), retained by the certification provider, leaked (trapdoor), smart card can be misused, ...
Cryptographic Point of View Additional Mechanisms If signature verifies correctly then: Each certificate: it was created with the proper has limited validity signing key, or period the signing scheme has been can be revoked by broken issuer / signer
Checking the Signature
M. Kutyłowski 1 Verification of the signature (using the public key from the certificate) Advanced Digital Signatures 2 Qualified Signatures Verification of the identity of the key holder Validity of the checking the certificate Signature – Standard Implementation Risk Issues Reasons of Failure
Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework problem: the signing key can be: stolen (with a smart card), retained by the certification provider, leaked (trapdoor), smart card can be misused, ...
Additional Mechanisms Each certificate: has limited validity period can be revoked by issuer / signer
Checking the Signature
M. Kutyłowski 1 Verification of the signature (using the public key from the certificate) Advanced Digital Signatures 2 Qualified Signatures Verification of the identity of the key holder Validity of the checking the certificate Signature – Standard Implementation Risk Issues Reasons of Failure
Mediated Signatures Cryptographic Description Mediated RSA Cryptographic Point of View Example Application Scenario Legal Framework If signature verifies correctly then: it was created with the proper signing key, or the signing scheme has been broken Checking the Signature
M. Kutyłowski 1 Verification of the signature (using the public key from the certificate) Advanced Digital Signatures 2 Qualified Signatures Verification of the identity of the key holder Validity of the checking the certificate Signature – Standard Implementation problem: the signing key can be: stolen (with a smart Risk Issues Reasons of Failure card), retained by the certification provider, leaked
Mediated (trapdoor), smart card can be misused, ... Signatures Cryptographic Description Mediated RSA Cryptographic Point of View Additional Mechanisms Example Application Scenario Each certificate: Legal Framework If signature verifies correctly then: it was created with the proper has limited validity signing key, or period the signing scheme has been can be revoked by broken issuer / signer Standard Implementation – Properties
M. Kutyłowski
Advanced Digital Signatures Qualified Signatures A secret (signing) key: Validity of the Signature stored on a cryptographic smart card Standard Implementation access secured with a PIN number Risk Issues Reasons of Failure Mediated Status of the certificate can be checked with: Signatures Cryptographic Description OCSP (Online Certificate Status Protocol) Mediated RSA Example recent CRL (Certificate Revocation List) – Application Scenario Legal Framework risky for the verifier Standard Implementation – Properties
M. Kutyłowski
Advanced Digital Signatures Qualified Signatures Validity of the Key idea: Signature Standard Implementation enable signing offline Risk Issues Reasons of Failure
Mediated Reality: Signatures Cryptographic verification must be performed online Description Mediated RSA Example signing time unknown Application Scenario Legal Framework 2 poor randomness (⇒ cryptographic compromise) 3 kleptography (⇐ malicious manufacturer) 4 retaining the key (⇐ if generated by a provider of the certification cervices) 5 revoking certificates (⇒ for complicating the legal situation) 6 signatures based on qualified certificate but not on a secure signature creation device 7 decline of mathematical/technical strength 8 standards and obscure technical requirements
Many of above problems can be eliminated by adopting:
Mediated Signature Architecture
Risk Issues
M. Kutyłowski 1 loosing control over a signature creation device
Advanced Digital Signatures Qualified Signatures Validity of the Signature Standard Implementation Risk Issues Reasons of Failure
Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework 3 kleptography (⇐ malicious manufacturer) 4 retaining the key (⇐ if generated by a provider of the certification cervices) 5 revoking certificates (⇒ for complicating the legal situation) 6 signatures based on qualified certificate but not on a secure signature creation device 7 decline of mathematical/technical strength 8 standards and obscure technical requirements
Many of above problems can be eliminated by adopting:
Mediated Signature Architecture
Risk Issues
M. Kutyłowski 1 loosing control over a signature creation device 2 poor randomness (⇒ cryptographic compromise) Advanced Digital Signatures Qualified Signatures Validity of the Signature Standard Implementation Risk Issues Reasons of Failure
Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework 4 retaining the key (⇐ if generated by a provider of the certification cervices) 5 revoking certificates (⇒ for complicating the legal situation) 6 signatures based on qualified certificate but not on a secure signature creation device 7 decline of mathematical/technical strength 8 standards and obscure technical requirements
Many of above problems can be eliminated by adopting:
Mediated Signature Architecture
Risk Issues
M. Kutyłowski 1 loosing control over a signature creation device 2 poor randomness (⇒ cryptographic compromise) Advanced Digital 3 kleptography (⇐ malicious manufacturer) Signatures Qualified Signatures Validity of the Signature Standard Implementation Risk Issues Reasons of Failure
Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework 5 revoking certificates (⇒ for complicating the legal situation) 6 signatures based on qualified certificate but not on a secure signature creation device 7 decline of mathematical/technical strength 8 standards and obscure technical requirements
Many of above problems can be eliminated by adopting:
Mediated Signature Architecture
Risk Issues
M. Kutyłowski 1 loosing control over a signature creation device 2 poor randomness (⇒ cryptographic compromise) Advanced Digital 3 kleptography (⇐ malicious manufacturer) Signatures Qualified Signatures 4 retaining the key (⇐ if generated by a provider of the Validity of the Signature certification cervices) Standard Implementation Risk Issues Reasons of Failure
Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework 6 signatures based on qualified certificate but not on a secure signature creation device 7 decline of mathematical/technical strength 8 standards and obscure technical requirements
Many of above problems can be eliminated by adopting:
Mediated Signature Architecture
Risk Issues
M. Kutyłowski 1 loosing control over a signature creation device 2 poor randomness (⇒ cryptographic compromise) Advanced Digital 3 kleptography (⇐ malicious manufacturer) Signatures Qualified Signatures 4 retaining the key (⇐ if generated by a provider of the Validity of the Signature certification cervices) Standard Implementation Risk Issues 5 revoking certificates (⇒ for complicating the legal Reasons of Failure situation) Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework 7 decline of mathematical/technical strength 8 standards and obscure technical requirements
Many of above problems can be eliminated by adopting:
Mediated Signature Architecture
Risk Issues
M. Kutyłowski 1 loosing control over a signature creation device 2 poor randomness (⇒ cryptographic compromise) Advanced Digital 3 kleptography (⇐ malicious manufacturer) Signatures Qualified Signatures 4 retaining the key (⇐ if generated by a provider of the Validity of the Signature certification cervices) Standard Implementation Risk Issues 5 revoking certificates (⇒ for complicating the legal Reasons of Failure situation) Mediated Signatures 6 signatures based on qualified certificate but not on a Cryptographic Description secure signature creation device Mediated RSA Example Application Scenario Legal Framework 8 standards and obscure technical requirements
Many of above problems can be eliminated by adopting:
Mediated Signature Architecture
Risk Issues
M. Kutyłowski 1 loosing control over a signature creation device 2 poor randomness (⇒ cryptographic compromise) Advanced Digital 3 kleptography (⇐ malicious manufacturer) Signatures Qualified Signatures 4 retaining the key (⇐ if generated by a provider of the Validity of the Signature certification cervices) Standard Implementation Risk Issues 5 revoking certificates (⇒ for complicating the legal Reasons of Failure situation) Mediated Signatures 6 signatures based on qualified certificate but not on a Cryptographic Description secure signature creation device Mediated RSA Example Application Scenario 7 decline of mathematical/technical strength Legal Framework Many of above problems can be eliminated by adopting:
Mediated Signature Architecture
Risk Issues
M. Kutyłowski 1 loosing control over a signature creation device 2 poor randomness (⇒ cryptographic compromise) Advanced Digital 3 kleptography (⇐ malicious manufacturer) Signatures Qualified Signatures 4 retaining the key (⇐ if generated by a provider of the Validity of the Signature certification cervices) Standard Implementation Risk Issues 5 revoking certificates (⇒ for complicating the legal Reasons of Failure situation) Mediated Signatures 6 signatures based on qualified certificate but not on a Cryptographic Description secure signature creation device Mediated RSA Example Application Scenario 7 decline of mathematical/technical strength Legal Framework 8 standards and obscure technical requirements Risk Issues
M. Kutyłowski 1 loosing control over a signature creation device 2 poor randomness (⇒ cryptographic compromise) Advanced Digital 3 kleptography (⇐ malicious manufacturer) Signatures Qualified Signatures 4 retaining the key (⇐ if generated by a provider of the Validity of the Signature certification cervices) Standard Implementation Risk Issues 5 revoking certificates (⇒ for complicating the legal Reasons of Failure situation) Mediated Signatures 6 signatures based on qualified certificate but not on a Cryptographic Description secure signature creation device Mediated RSA Example Application Scenario 7 decline of mathematical/technical strength Legal Framework 8 standards and obscure technical requirements
Many of above problems can be eliminated by adopting:
Mediated Signature Architecture based on trust and not technical measures: use of randomness, key generation services signing time unclear: after creating the signed data, before - requires additional mechanisms no way to block temporarily: impossible to disable signing possibility temporarily (like a credit card) or apply a signing policy legal problems: Poland: impossible to check legal status of a signature at the time of verification, it is possible to check validity for the past
Reasons of Failure of Qualified Signatures
M. Kutyłowski Some Critical Issues Advanced single technical point of failure: secure signature creation Digital Signatures device Qualified Signatures Validity of the Signature Standard Implementation Risk Issues Reasons of Failure
Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework signing time unclear: after creating the signed data, before - requires additional mechanisms no way to block temporarily: impossible to disable signing possibility temporarily (like a credit card) or apply a signing policy legal problems: Poland: impossible to check legal status of a signature at the time of verification, it is possible to check validity for the past
Reasons of Failure of Qualified Signatures
M. Kutyłowski Some Critical Issues Advanced single technical point of failure: secure signature creation Digital Signatures device Qualified Signatures Validity of the Signature based on trust and not technical measures: use of Standard Implementation randomness, key generation services Risk Issues Reasons of Failure
Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework no way to block temporarily: impossible to disable signing possibility temporarily (like a credit card) or apply a signing policy legal problems: Poland: impossible to check legal status of a signature at the time of verification, it is possible to check validity for the past
Reasons of Failure of Qualified Signatures
M. Kutyłowski Some Critical Issues Advanced single technical point of failure: secure signature creation Digital Signatures device Qualified Signatures Validity of the Signature based on trust and not technical measures: use of Standard Implementation randomness, key generation services Risk Issues Reasons of Failure signing time unclear: after creating the signed data, before Mediated Signatures - requires additional mechanisms Cryptographic Description Mediated RSA Example Application Scenario Legal Framework legal problems: Poland: impossible to check legal status of a signature at the time of verification, it is possible to check validity for the past
Reasons of Failure of Qualified Signatures
M. Kutyłowski Some Critical Issues Advanced single technical point of failure: secure signature creation Digital Signatures device Qualified Signatures Validity of the Signature based on trust and not technical measures: use of Standard Implementation randomness, key generation services Risk Issues Reasons of Failure signing time unclear: after creating the signed data, before Mediated Signatures - requires additional mechanisms Cryptographic Description no way to block temporarily: impossible to disable signing Mediated RSA Example Application Scenario possibility temporarily (like a credit card) or Legal Framework apply a signing policy Reasons of Failure of Qualified Signatures
M. Kutyłowski Some Critical Issues Advanced single technical point of failure: secure signature creation Digital Signatures device Qualified Signatures Validity of the Signature based on trust and not technical measures: use of Standard Implementation randomness, key generation services Risk Issues Reasons of Failure signing time unclear: after creating the signed data, before Mediated Signatures - requires additional mechanisms Cryptographic Description no way to block temporarily: impossible to disable signing Mediated RSA Example Application Scenario possibility temporarily (like a credit card) or Legal Framework apply a signing policy legal problems: Poland: impossible to check legal status of a signature at the time of verification, it is possible to check validity for the past Outline
M. Kutyłowski 1 Advanced Digital Signatures Advanced Digital Qualified Signatures Signatures Qualified Signatures Validity of the Signature Validity of the Signature Standard Implementation Standard Implementation Risk Issues Risk Issues Reasons of Failure Reasons of Failure Mediated Signatures Cryptographic Description 2 Mediated Signatures Mediated RSA Example Cryptographic Description Application Scenario Legal Framework Mediated RSA Example Application Scenario Legal Framework Mediated Signature Architecture
M. Kutyłowski
Advanced Digital Signatures Qualified Signatures Background Validity of the Signature 1 there are at least two parties of the protocol: Standard Implementation Risk Issues user Reasons of Failure security mediator Mediated Signatures Cryptographic 2 creation of a single signature is possible if all the Description Mediated RSA Example necessary parties are involved (by using the Application Scenario Legal Framework appropriate cryptographic material) there is one public key K related to the secret key pair (K1, K2) S is the signature of M
Mediated Signature Architecture
M. Kutyłowski
Advanced Mediator Digital User Signatures (2) finalizes the signature, Qualified Signatures (1) creates a pre-signature S1 Validity of the using the appropriate keying Signature S1, using his private key K1: Standard material K2: Implementation Risk Issues Reasons of Failure S1 = SIG(K1, Hash(M)) S S = FIN(K2, S1) Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework Mediated Signature Architecture
M. Kutyłowski
Advanced Mediator Digital User Signatures (2) finalizes the signature, Qualified Signatures (1) creates a pre-signature S1 Validity of the using the appropriate keying Signature S1, using his private key K1: Standard material K2: Implementation Risk Issues Reasons of Failure S1 = SIG(K1, Hash(M)) S S = FIN(K2, S1) Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario there is one public key K related to the secret key pair Legal Framework (K1, K2) S is the signature of M Signature Creation d signer: s1 := (hash+padding(M)) 1 d mediator: s2 := (hash+padding(M)) 2
signature: s := s1 · s2 mod n
Signature Verification as usual
RSA Based Mediated Signature
M. Kutyłowski Keys
Advanced n = pq, d · e = 1 mod ϕ(n) Digital Signatures splitting the key d: Qualified Signatures Validity of the for mediator: d := HSM(K , ID ) Signature 1 signer Standard for the signer: d := d − d Implementation 2 1 Risk Issues Reasons of Failure
Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework RSA Based Mediated Signature
M. Kutyłowski Keys
Advanced n = pq, d · e = 1 mod ϕ(n) Digital Signatures splitting the key d: Qualified Signatures Validity of the for mediator: d := HSM(K , ID ) Signature 1 signer Standard for the signer: d := d − d Implementation 2 1 Risk Issues Reasons of Failure Mediated Signature Creation Signatures Cryptographic d1 Description signer: s1 := (hash+padding(M)) Mediated RSA Example := ( ( ))d2 Application Scenario mediator: s2 hash+padding M Legal Framework signature: s := s1 · s2 mod n
Signature Verification as usual For Paranoids split the key into even more pieces and put them on independent devices
RSA Based Mediated Signature
M. Kutyłowski Extended Scenario one key on a smart card Advanced Digital the second key on the laptop Signatures Qualified Signatures Validity of the the third key on a server Signature Standard Implementation Risk Issues Attack Reasons of Failure
Mediated creating a signature by the adversary requires Signatures Cryptographic stealing the smart card, and Description Mediated RSA Example stealing the laptop, and Application Scenario Legal Framework breaking into the server RSA Based Mediated Signature
M. Kutyłowski Extended Scenario one key on a smart card Advanced Digital the second key on the laptop Signatures Qualified Signatures Validity of the the third key on a server Signature Standard Implementation Risk Issues Attack Reasons of Failure
Mediated creating a signature by the adversary requires Signatures Cryptographic stealing the smart card, and Description Mediated RSA Example stealing the laptop, and Application Scenario Legal Framework breaking into the server
For Paranoids split the key into even more pieces and put them on independent devices Main Features
M. Kutyłowski Revocation
Advanced The signer can block signing possibility for any time, any Digital Signatures reason, ... : Qualified Signatures Validity of the block the card used in his office for vacation time and Signature Standard Implementation holidays Risk Issues Reasons of Failure block the card during a stay in a hospital Mediated Signatures block the card for the time 23:00-6:00 every day Cryptographic Description ... Mediated RSA Example Application Scenario in this case the signature WILL NOT BE CREATED Legal Framework
Monitoring Mediator can monitor the signing activities and refuse to finalize if something suspicious is going on Main Features II
M. Kutyłowski Signing Time Mediator can implement hash chaining and provide Advanced Digital undeniable and verifiable evidence of the signing time Signatures Qualified Signatures Validity of the Signature Standard Verification Implementation Risk Issues no adjusting the software necessary - no special time Reasons of Failure
Mediated stamps, ... that need to be interpreted well Signatures Cryptographic in fact, Mediator performs pre-validation of a signature, Description Mediated RSA making it easier for the recipient of the document Example Application Scenario Legal Framework Risks we do not depend solely on security of smart cards! two weaker but independent mechanisms are better than a single strong one Public Administration Case Study
M. Kutyłowski Signing documents exchanged between citizens and public Advanced Digital authorities: Signatures Qualified Signatures single point of contact as a favorable solution: it can be Validity of the Signature integrated with Mediator Standard Implementation Risk Issues privacy: the public bodies know anyway these Reasons of Failure documents Mediated Signatures signature can be created by ID cards even if thousands Cryptographic Description Mediated RSA of them are stolen or lost (security does not depend Example Application Scenario solely on ID cards) the smart cards do not require the Legal Framework best possible protection and can serve for a longer time automatic and provable date of signing - elimination of frauds and legal disputes Use in Corporations
M. Kutyłowski
Advanced Digital Signatures Qualified Signatures Validity of the Signature Standard full control over signing activities, disabling a single Implementation Risk Issues user immediate Reasons of Failure
Mediated excellent tool for controlling document flow in a Signatures Cryptographic heterogeneous IT environment Description Mediated RSA Example Application Scenario Legal Framework 2 Mediator runs security mechanism that are fully compatible with the Directive, the Directive does not prohibit to use further cryptographic keys to improve security 3 the whole systems really satisfies the security requirements from Annex III, affordable smart cards do not fulfill these requirements, if we take them seriously
Compatibility with EU Directive
M. Kutyłowski
Advanced Digital Signatures 1 signature creation data are still in hands of the signer Qualified Signatures Validity of the Signature Standard Implementation Risk Issues Reasons of Failure
Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework 3 the whole systems really satisfies the security requirements from Annex III, affordable smart cards do not fulfill these requirements, if we take them seriously
Compatibility with EU Directive
M. Kutyłowski
Advanced Digital Signatures 1 signature creation data are still in hands of the signer Qualified Signatures Validity of the 2 Mediator runs security mechanism that are fully Signature Standard Implementation compatible with the Directive, Risk Issues Reasons of Failure the Directive does not prohibit to use further cryptographic
Mediated keys to improve security Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework Compatibility with EU Directive
M. Kutyłowski
Advanced Digital Signatures 1 signature creation data are still in hands of the signer Qualified Signatures Validity of the 2 Mediator runs security mechanism that are fully Signature Standard Implementation compatible with the Directive, Risk Issues Reasons of Failure the Directive does not prohibit to use further cryptographic
Mediated keys to improve security Signatures Cryptographic 3 the whole systems really satisfies the security Description Mediated RSA Example requirements from Annex III, Application Scenario Legal Framework affordable smart cards do not fulfill these requirements, if we take them seriously Foresight
M. Kutyłowski
Advanced Digital Signatures Qualified Signatures Validity of the Signature Future Standard Implementation the concept of qualified electronic signatures based on Risk Issues Reasons of Failure classical X.509 architecture is technically obsolete Mediated Signatures the future belongs to distributed security mechanism Cryptographic Description supported by online mechanisms Mediated RSA Example Application Scenario Legal Framework M. Kutyłowski
Advanced Digital Signatures Qualified Signatures Validity of the Signature Standard Implementation Risk Issues Reasons of Failure Thank you for attention!
Mediated Signatures Cryptographic Description Mediated RSA Example Application Scenario Legal Framework