[7665] in cryptography@c2.net mail archive


Re: Non-Repudiation in the Digital Environment (was Re: First

daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Fri Aug 11 18:09:35 2000

Mime-Version: 1.0
Message-Id: <v0421010bb5b9b0aa0819@[24.218.56.92]>
In-Reply-To: <3.0.6.32.20000809201038.008cecf0@pop.sprynet.com>
Date: Fri, 11 Aug 2000 17:39:36 -0400
To: David Honig <honig@sprynet.com>, Eric Murray <ericm@lne.com>,
        Derek Atkins <warlord@MIT.EDU>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: Ian BROWN <I.Brown@cs.ucl.ac.uk>, "R. A. Hettinga" <rah@shipwright.com>,
        Digital Bearer Settlement List <dbs@philodox.com>, dcsb@ai.mit.edu,
        cryptography@c2.net, cypherpunks@cyberpass.net,
        AMcCullagh@exchange.gadens.com.au
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable

At 8:10 PM -0700 8/9/2000, David Honig wrote:
>At 08:29 AM 8/9/00 -0700, Eric Murray wrote:
>>It's 1) saying that the passphrase can "usually be broken".  I'm sure
>>that some people manage to choose poor/short passphrases, but "usually"
>>would be pushing it.
>
>Has anyone ever published an entropy vs. frequency study for
>real-world passwords?
>
>[Dollars to donuts its not uniform...]
>

I did a small study on the subject among PGP users in 1995. It is at
http://world.std.com/~reinhold/passphrase.survey.asc

Among other results (from a small sample) is that the median
passphrase was 21 characters long and a quarter of the responders had
passphrases of 14 characters or less.  I think it is fair to say that
at least a large minority of PGP passphrases are breakable and that a
majority may be.  Since PGP users were and are at the vanguard of
public use of cryptography, I would expect the general public to pick
even weaker passphrases.

I think Mr. McCullagh is right to criticize the Non-Repudiation
notion. I don't think he goes far enough. In particular, I would
object to the notion that "trusted systems" as defined by ISO 15408
are enough to make a public key signature conclusive in a legal sense.

In public-key cryptography "Non-Repudiation" means that the
probability that a particular result could have been produced without
access to the secret key is vanishingly small, subject to the
assumption that the underlying public-key problem is difficult.  If
that property had been called "the key binding property" or "condition
Z," or some other mathese name, we would all be able to look at this
notion more objectively. "Non-repudiation" has too powerful an
association with the real world.

To transfer the cryptographic meaning of "non-repudiation" to a legal
presumption against repudiation requires legislative acceptance of four
things:

1. the mathematically unproven assumptions in public key cryptography

2. the binding of a particular public key to a person

3. the ability of an ordinary individual to keep a private key secret

4. holding the individual responsible for failure to do so.

As for 1, note that at the moment there is not even consensus as to
the long term security of, say, a 1024-bit RSA key. As to 2., read
the Verisign certification practice statement. As to 4., note that in
the US we do not presently hold individuals responsible for loss of a
credit card.

The most problematic assumption is 3. McCullagh lists a couple of
attacks, but there are many more. Here is my incomplete list:

1. Planting a program on the user's computer to capture their keyring
and passphrase.

2. Replacing the user's copy of the cryptographic program with a
doctored version

3. Planting a bug in their keyboard to capture key strokes

4.* Using a microTV camera to capture passwords and PIN numbers

5.* Substituting documents. (You think you are buying a pizza but you
are actually signing a deed to your house.)

6. Public/private key pairs generated by a third party whose security
is less than perfect

7. Poor or deliberately weak random number generation at key creation

8.* Algorithm substitution (e.g. multiprime) that weakens security to
reduce computation times

9. Guessable passphrases and PINs

10.* Allowing someone else to use your key (does the president of
World Wide Widget really hold the key token, or does he give it to
his secretary?)

11.* Con artist techniques ("I'm a field agent from CyberSec --
here's my ID card -- and we'd like your help in tracking down child
pornography dealers on the Internet. We'll need your key token and
PIN.")

12.* Finding ways to penetrate "tamper proof" mechanisms, e.g. power
fluctuation attacks.

McCullagh believes that "trusted systems," which he defines as "at
least B1 (TCSEC)/E3 (ITSEC) or even possibly B2 (TCSEC)/E4 (ITSEC)",
can provide a basis for non-repudiation in the legal sense.  He is
under the apprehension that "A trusted computing system performs in
accordance with its documented specification and will prevent any
unauthorised activity."  Since Mr. McCullagh's background is in law,
let me provide an equivalent statement: "Laws reflect the public's
consensus of what is right and wrong and the judicial system fairly
and accurately enforces those laws." Both are statements of a lofty
goal, not a reality that anyone has been able to achieve.

Well designed cryptographic tokens can counter some of the attacks I
listed, but not all. The ones I marked with an asterisk are still
applicable and there is still the problem of verifying and auditing
the token manufacturer, a lucrative target for organized crime.

I can't address the legal arguments he makes since he is in
Australia, but my understanding of the recently enacted electronic
signature law in the US is that it attempts to put electronic
signatures on exactly the same legal footing as paper signatures. It
has no special status for PKC signatures. Clicking an http "I Accept"
button is just as valid, as I understand the law.

The term "non-repudiation" should be retired.  The best that one can
say about public key signature systems for use by the general public
is that they can make forgery much more difficult. That difficulty
should result in reduced rates of attempted fraud, but should never
be a valid pretext for changing the legal burden of proof.

Arnold Reinhold
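[Editor's example, not part of the above message.] The point that a
signature establishes only the "key binding property", and not who
pressed the button or what they believed they were signing, can be
made concrete with attacks 1 and 5 from Reinhold's list. The Go
program below is added here as an illustration; it is not code from
the original post or from any software it mentions. It uses the Go
standard library's crypto/rsa (RSASSA-PKCS1-v1_5 over SHA-256), which
is deterministic, and the two "documents" (a pizza order and a deed)
are constructed sample input. The verifier's answer is identical
whether the key holder or a thief holding a captured copy of the
keyring produced the signature, and a doctored client that displays
one document while signing another yields a signature that is valid
for the document the user never saw.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDoc signs SHA-256(doc) with RSASSA-PKCS1-v1_5. The scheme is
// deterministic: anyone holding priv produces byte-identical output.
func SignDoc(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDoc reports whether sig is a valid signature on doc under pub.
// This is all the mathematics establishes: "someone holding the private
// key signed exactly these bytes", nothing about who or why.
func VerifyDoc(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records what a relying party's verifier reports in each case.
type Outcome struct {
	OwnerSigVerifies       bool // key holder signs the document they saw
	StolenKeySigVerifies   bool // thief with a captured keyring signs the same document
	StolenSigIdentical     bool // ...and produces the very same signature bytes
	SubstitutedDocVerifies bool // doctored client signed a document it did not display
	DisplayedDocVerifies   bool // the document the user actually saw verifies against that signature
}

// RunScenario plays out attacks 1 (captured keyring and passphrase) and
// 5 (document substitution) against one key pair. The documents are
// constructed sample input, hypothetical for this example.
func RunScenario(priv *rsa.PrivateKey) (Outcome, error) {
	var out Outcome
	pub := &priv.PublicKey

	pizza := []byte("Order: one large pizza, USD 12.00")
	deed := []byte("I hereby transfer title to my house to the bearer.")

	// Case 1: the legitimate owner signs what they saw.
	ownerSig, err := SignDoc(priv, pizza)
	if err != nil {
		return out, err
	}
	out.OwnerSigVerifies = VerifyDoc(pub, pizza, ownerSig)

	// Case 2 (attack 1): a planted program captured keyring and
	// passphrase, so the thief holds the same private key. A copy of the
	// keyring is the same key; the verifier cannot tell the signers apart.
	stolenKey := priv
	thiefSig, err := SignDoc(stolenKey, pizza)
	if err != nil {
		return out, err
	}
	out.StolenKeySigVerifies = VerifyDoc(pub, pizza, thiefSig)
	out.StolenSigIdentical = bytes.Equal(ownerSig, thiefSig)

	// Case 3 (attack 5): a doctored signing program displays the pizza
	// order but feeds the deed to the signing routine.
	displayed := pizza
	actuallySigned := deed
	subSig, err := SignDoc(priv, actuallySigned)
	if err != nil {
		return out, err
	}
	out.SubstitutedDocVerifies = VerifyDoc(pub, actuallySigned, subSig)
	out.DisplayedDocVerifies = VerifyDoc(pub, displayed, subSig)
	return out, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	out, err := RunScenario(priv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Nothing in the verifier's output distinguishes the owner's signature
from the thief's, and in case 3 the only document that verifies is the
one the user never agreed to. A relying party that treats "signature
verifies" as "this person consented to this text" is adding the legal
assumptions 2 through 4 above on top of the mathematics, which is
exactly the step the message argues should not be presumed.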


