In my previous post I addressed the issue of how to ensure the integrity of content as ephemeral as that of a digital file, in terms of how it passes from the controlled safekeeping of the physical format in which the file is recorded to a purely “logical” system of file content identification resulting from hashing functions.
A different question is addressed here, namely, how to ensure, not the content, but the authorship or origin of the file. This is fundamental when using the electronic medium for communications with legal implications, for transmitting scientific statements, or when the content is legally attributable to specific persons.
How such a useful technical tool came to be devised is an interesting story, not only in intellectual terms but also for its idiosyncratic beginnings.
It was the early seventies and Whitfield Diffie, a long-haired hippy mathematician and MIT graduate whose interests included breeding skunks and other exotic animals, was travelling around the USA with his girlfriend in a dilapidated old Datsun 510, visiting libraries and trying to interview anyone with information about a subject on which few were forthcoming: modern mathematical cryptography. An unusual branch of knowledge that had proved crucial in bringing the Second World War to a successful conclusion and which, during the Cold War, had been completely shrouded in secrecy by the national intelligence services, in particular the NSA, an agency so cryptic that scarcely anyone knew of its existence, let alone its activities.
Diffie was both an eccentric and a visionary, and at that time he was obsessed with the threat to individuals’ privacy that, in his view, was posed by the development and growth of computer technology. His fears were based on the fact that information in digital format is extremely vulnerable to intrusion and copying. In a context in which huge volumes of information about our lives were about to be digitized, protecting privacy required a specific tool which, of course, was modern cryptography, making use of the computer’s calculating power. Citizens needed access to this type of cryptography in order to protect their privacy. It was also needed in economic activity, and in particular for trade in the new digital medium. However, everything about cryptography was a state secret.
All information on the subject was classified, patents could not be registered, scientific papers were vetted, the NSA recruited all the best brains, who worked in a closed environment subject to stringent confidentiality undertakings, and anyone with the temerity to investigate independently would soon find a federal agent peering over their shoulder and putting all kinds of obstacles in their way.
As he roamed around the United States in his Datsun, Whit Diffie barely managed to pick up any information, but what he did manage to find was a kindred soul with whom he joined forces. Martin Hellman was an electrical engineer who taught at Stanford University and who shared an interest in cryptography and who had a similar anti-establishment stance towards the implacable nature of official secrecy.
Having approached the matter from various angles, Diffie concluded that he would have to devise a decentralized cryptographic system, that is, one without an administrator who allocates keys to all users and therefore knows everyone’s key, as happened when several people began to share working hours on the same computer. Full security for the information generated and stored in the new digital medium would only be feasible if each user could encrypt their files with a key that only they knew. Moreover, when it came to encrypting not just one’s own files but communications or messages between specific parties, the only cryptography known until then was “symmetric”: the same key used to encode or encrypt a text also had to be used to decipher it and make it legible.
As a result, in communications this kind of cryptography can only operate between parties who already know and trust each other, because they need to share the secret of that single key. It is also exposed to the risk of a third party discovering or intercepting the key, because the parties must agree beforehand on the key they will use, and this need to communicate the key is the weak point of the system: the more people who know it, the less secure it is, since the system is only as trustworthy as the least reliable or most careless person involved.
One day in May 1976, Diffie came up with an idea that would revolutionize cryptography forever: splitting the key into two parts such that what is encoded with one part can only be decoded with the other, and in addition, knowing one of the parts does not reveal the other. If a pair of keys of this type could be generated, one could be disclosed over an insecure medium, or even made known to the general public (complete heresy in the age-old history of cryptography), while the other would be kept secret by its user. Such a pair provides two different functions, which should not be confused.
– First, it can serve to transmit messages confidentially over an insecure medium (which was soon to become the internet). The sender encrypts the message with the addressee’s public key, obtained beforehand through a channel that need not be confidential, or that may even be public. Only that addressee can then read the message, because only they can decrypt it with the private key (the key correlated with the one used to encrypt).
– Secondly, for something quite different and very important that concerns not confidentiality or secrecy but authorship, that is, certainty about the provenance of a message and therefore its attribution: as a tool for electronic or digital signature. For this purpose the sender applies their private key to the whole message or, more usually, to a brief summary of its content, its hash (for an explanation of this concept I refer you to my previous post), and sends the result along with the message. Anyone receiving a message signed in this way can check its origin simply by applying the public key of the person appearing as sender. If the signed part decrypts correctly, we can be sure that it was produced with the corresponding private key by that specific person who, it is assumed, is the only one who knows it. In this way dual-key cryptography becomes an instrument that enables recipients to verify beyond question the origin of messages. Which is the same as saying that it becomes a tool for generating an electronic signature: by applying my private key to a message I am signing it, insofar as I am applying a mark that, it is assumed, only I can apply, because it is presupposed that I am the only person in the world who knows that private key. (In deployed signature schemes the private-key operation is applied to the hash under a standardized padding such as RSA-PSS rather than by literally “encrypting” it, and the guarantee depends entirely on the hash function being collision-resistant and on the private key remaining secret; the logic, however, is the one just described.)
In addition, the two functions of asymmetric cryptography thus explained can be combined: the sender signs the message with their private key and then encrypts it with the addressee’s public key. In this way only that person can read it, and its provenance is also guaranteed.
How can a pair of keys with these properties be achieved?
In June 1976 Diffie and Hellman published their first article, «Multiuser Cryptographic Techniques», in which they confined themselves to describing their vision of a possible dual-key cryptographic system that would provide security (both confidentiality and authenticity) for communications between people who did not know each other. The mathematical tool for this purpose would have to be a “one-way function”, easy to compute in one direction but very hard to reverse, equipped with a “trapdoor” that would allow whoever knows a specific secret (a crucial piece of information about how the original computation was performed) to reverse it easily. The problem was to find that mathematical rarity, a trapdoor one-way function.
Following publication of this article, Ralph Merkle, then a computer science student at the University of California, Berkeley, got in touch with the authors because he was independently working on something similar (his proposals are known as Merkle’s Puzzles and, later, the knapsack cryptosystem).
Influenced by Merkle’s ideas, Diffie and Hellman, in a reworked version of their first article published under the title «New Directions in Cryptography» in November 1976, proposed what would become known as the Diffie-Hellman algorithm, based on the one-way function provided by the mathematical operation of discrete or modular exponentiation, whose inverse, the discrete logarithm, is hard. Modular exponentiation consists of computing the remainder c of raising a base b to an exponent e and dividing the result by a modulus m, written c = b^e mod m. It is an easy operation to carry out, even with very large numbers. The inverse operation, computing the exponent e given b, m and c (the discrete logarithm), is, for a suitably chosen large prime modulus, extremely hard; for small or badly chosen parameters it is not, which is why the choice of group matters in practice.
Without entering into the technicalities of the mathematical formula, what interests us is this. Alice and Bob first agree, in the clear, on a large prime modulus p and a base g. Each then chooses a random number that is kept secret (call them a and b), raises g to that secret exponent modulo p, and sends the result (g^a mod p and g^b mod p respectively) to the other over the insecure channel. Each now raises the number received to their own secret exponent: Alice computes (g^b)^a mod p and Bob computes (g^a)^b mod p, which is the same number, g^(ab) mod p, known only to the two of them and usable as a key. An eavesdropper sees p, g, g^a mod p and g^b mod p, and to recover the key would have to solve the discrete logarithm problem; the gap between the cost of the legitimate computation and that of the attack grows exponentially with the size of p, which is what makes the exchange practical for the parties and infeasible for the attacker. This design, however, has the drawback that it does not provide authenticity of origin: it cannot sign a message or securely attribute it to a specific sender, and an active attacker sitting between the parties can run a separate exchange with each of them without either noticing. It simply serves to securely establish a shared, that is symmetric, key between parties who do not know each other or who operate over an insecure communications medium.
We owe the definitive step on the path to asymmetric cryptography to Ronald Rivest and his collaborators Adi Shamir and Leonard Adleman, all then at MIT, who in 1977 published a joint paper entitled «A method for obtaining digital signatures and public-key cryptosystems». The method used as its one-way function the product of two large prime numbers (each of more than a hundred digits), whose inverse operation, factorization to recover the two primes that were multiplied, is an extremely costly computation for which no efficient algorithm is known. On this basis they devised an algorithm, known as RSA after their initials, consisting of a sequence of operations that generates two mathematically linked keys with the properties anticipated earlier: what is encrypted with one key can be decrypted only with the other and vice versa, and knowledge of one key does not allow the other to be deduced. This is why one of the keys can be made public, providing the dual functionality that Whitfield Diffie had envisaged.
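The exchange just described, together with the man-in-the-middle it does not prevent, as an added example (this is not code from the original post). It assumes a demo group, p = 2^127 - 1 with base 3, chosen only so that it runs instantly; real deployments use a vetted, much larger group. Alice, Bob and Mallory are the usual placeholder names.

```python
import hashlib
import secrets

# Demo group: p = 2^127 - 1 (a Mersenne prime) with base g = 3, which is assumed
# to generate a large subgroup. NOT a standardized group; deployments use a
# vetted one (RFC 3526 MODP groups or an elliptic curve) at far larger sizes.
P = (1 << 127) - 1
G = 3


def keypair():
    """Pick a secret exponent x and publish g^x mod p (the easy direction)."""
    x = secrets.randbelow(P - 2) + 1            # 1 <= x <= p - 2
    return x, pow(G, x, P)


def shared_secret(my_secret, their_public):
    """Raise the peer's public value to my secret: (g^y)^x = g^(xy) mod p."""
    return pow(their_public, my_secret, P)


def derive_key(shared):
    """Hash the group element into fixed-length key bytes instead of using it raw."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def honest_exchange():
    """One round trip of public values; both sides land on the same key."""
    a, A = keypair()                            # Alice
    b, B = keypair()                            # Bob
    # A travels to Bob and B travels to Alice over the insecure channel;
    # an eavesdropper learns P, G, A and B but not a, b or the key.
    k_alice = derive_key(shared_secret(a, B))
    k_bob = derive_key(shared_secret(b, A))
    return k_alice == k_bob


def mitm_exchange():
    """Mallory replaces each public value in transit with one of her own.
    Nothing in the exchange lets Alice or Bob detect the substitution: the
    protocol establishes a key but says nothing about whom it is shared with."""
    a, A = keypair()
    b, B = keypair()
    m1, M1 = keypair()                          # Mallory's exponent facing Alice
    m2, M2 = keypair()                          # Mallory's exponent facing Bob
    k_alice = derive_key(shared_secret(a, M1))  # Alice believes M1 came from Bob
    k_bob = derive_key(shared_secret(b, M2))    # Bob believes M2 came from Alice
    k_mallory_alice = derive_key(shared_secret(m1, A))
    k_mallory_bob = derive_key(shared_secret(m2, B))
    return {
        "alice_and_bob_agree": k_alice == k_bob,
        "mallory_shares_with_alice": k_mallory_alice == k_alice,
        "mallory_shares_with_bob": k_mallory_bob == k_bob,
    }


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    print("man in the middle:", mitm_exchange())
```

The honest run returns True; the intercepted run shows Alice and Bob holding different keys while Mallory holds both, which is exactly the missing authenticity the paragraph refers to and the reason deployed protocols authenticate the exchanged values with signatures or certificates.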
However, and it is particularly important to understand this, for the private key/public key method to be usable as a signature mechanism, these mathematical properties of the keys generated by the RSA algorithm are not sufficient; two further elements need to be introduced that have nothing to do with mathematics: the private key must remain under the exclusive control of its holder, and a given public key must be reliably linked to a specific person.
But what happens if Alice and Bob do not know each other? How can Bob know with any certainty which public key Alice uses, so that she can be considered the author of the messages verified with it? Only because a third party whom Bob trusts certifies Alice’s public key.
As to this third party, there are two systems. One is decentralized or peer-to-peer, in which users vouch for each other’s keys, creating a network of recognition (the so-called web of trust, as in PGP). The other is centralized and is generally known by its initials PKI (Public Key Infrastructure): a particular entity professionally assumes the role of certifier of public keys. This entity or agent performs two distinct tasks, identification (what is usually called the “registration authority”) and certification (the “certification authority”). The registration authority’s task is to identify, normally by personal appearance and by checking an official identity document of some kind, the person wishing to create a pair of keys to be used as an instrument of digital signature. In this way the third party takes responsibility for linking a specific person to a particular public key. Certification consists of maintaining an accessible online register of current certificates (much like a telephone directory listing names and their corresponding numbers), through which any interested party can confirm the identity of the holder of a specific public key, and of withdrawing (revoking) certificates whose private key has been compromised or whose holder’s details have changed.
Thus, when anyone receives a message bearing this type of electronic signature, the recipient’s signature verification program automatically carries out two operations. First, it checks that the message was indeed signed with the sender’s private key, which involves three steps: the public key of the purported sender, indicated in the message, is applied to the signed hash in order to recover the hash the sender computed; the hash of the message as received is then computed directly with the corresponding hash function; and finally the two hashes are compared to check that they coincide. Secondly, it checks that the public key used in the previous step is indeed assigned to the sender in a current certificate, according to the register maintained online by the relevant certification authority (which requires consulting the certifier’s service), and that the certificate has neither expired nor been revoked. A signature that passes the first check but fails the second proves only that someone holding that private key signed, not who that someone is.
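The whole chain described here and in the preceding sections (RSA keys built from two primes, signing the hash of a message with the private key, and the verifier’s two checks, signature and certificate, against a trusted third party), as one added, self-contained example. This is not code from the original post. To mirror the post’s “apply the private key to the hash” it uses textbook RSA with no padding; production code uses RSA-PSS or PKCS#1 v1.5 through a vetted library, never this. The certificate format, the names Alice and Mallory and the CA are constructed for the example; validity periods and revocation are not modelled.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test with random witnesses."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random odd number of exactly `bits` bits, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def keygen(bits=1024):
    """Textbook RSA: n = p*q, public exponent e, private exponent d = e^-1 mod phi."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:             # e is prime, so this is gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)                    # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)

def digest(message: bytes) -> int:
    """The 'brief summary' of the message: its SHA-256 hash as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private, message: bytes) -> int:
    """Apply the private exponent to the hash. No padding: textbook RSA only."""
    n, d = private
    return pow(digest(message), d, n)

def verify(public, message: bytes, signature: int) -> bool:
    """Apply the public exponent and compare with a freshly computed hash."""
    n, e = public
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest(message)

def issue_certificate(ca_private, subject: str, subject_public):
    """The CA's attestation: it signs the (name, public key) pair. Toy format;
    real X.509 certificates also carry validity dates, a serial number and a
    revocation mechanism, none of which is modelled here."""
    n, e = subject_public
    body = f"{subject}|{n}|{e}".encode()
    return body, sign(ca_private, body)

def verify_signed_message(ca_public, cert, claimed_sender, message, signature):
    """Both checks: the certificate is genuinely the CA's and names the claimed
    sender, and the signature verifies under the key the certificate carries."""
    body, ca_sig = cert
    if not verify(ca_public, body, ca_sig):
        return False                       # not issued by the trusted CA
    subject, n, e = body.decode().split("|")
    if subject != claimed_sender:
        return False                       # certificate belongs to someone else
    return verify((int(n), int(e)), message, signature)

def demo():
    """Genuine message, tampered message, and an impostor's self-issued certificate."""
    ca_public, ca_private = keygen()
    alice_public, alice_private = keygen()
    alice_cert = issue_certificate(ca_private, "Alice", alice_public)
    message = b"I accept the offer dated 2 March."     # constructed sample
    sig = sign(alice_private, message)
    # Mallory names herself "Alice" in a certificate, but can only sign it with
    # her own key; the verifier trusts the CA's key, not hers.
    mallory_public, mallory_private = keygen()
    forged_cert = issue_certificate(mallory_private, "Alice", mallory_public)
    forged_sig = sign(mallory_private, message)
    return {
        "genuine": verify_signed_message(ca_public, alice_cert, "Alice", message, sig),
        "tampered": verify_signed_message(ca_public, alice_cert, "Alice", message + b" And 3 March.", sig),
        "forged_cert": verify_signed_message(ca_public, forged_cert, "Alice", message, forged_sig),
    }
```

Running demo() gives genuine True and the other two False. The forged case is the point of the preceding paragraphs: Mallory’s signature is mathematically valid under Mallory’s key, and the only thing that stops the verifier from attributing the message to Alice is that the binding of “Alice” to a key was not attested by the party it trusts.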
In our positive law, these registration and certification authorities are the main object of most of the provisions of the law on electronic signatures, which considers, in line with European Community law, that the provision of certification services for electronic signatures is not a public function but a business activity open to free competition, albeit subject to specific legal requirements in order that the signatures backed by their certificates qualify as “recognized electronic signatures”, those which the law accords the same legal status as handwritten signatures.
In any case, what is interesting in this matter is that the link between a public key and a specific person does not result from the cryptographic technique itself or from any mathematical function, but from the attestation or certification of the trusted third party, that is, the registration and certification authority.
Regarding this question, the fundamental legal problem arises of whether a person can be bound contractually or commercially by a message signed with an electronic signature device (that is, by applying the private key correlated with the registered public key) in cases where a third party used the device after learning the private key, whether because its owner voluntarily revealed it, or because it was obtained surreptitiously or by force (the case cryptographers call the rubber-hose attack, a contingency to which ultimately any cryptographic system is exposed, however mathematically secure it may be).
(For anyone whose curiosity is piqued by the subject of cryptography I recommend the fascinating book “Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age” by Steven Levy, Penguin Books 2002.)