The following was passed to me by Paul Karger, as I don't have
time to keep up with sci.crypt.
------- Forwarded Message
Xref: ceylon sci.crypt:12368 alt.security:6615
Newsgroups: sci.crypt,alt.security
Path:
ceylon!noc.near.net!MathWorks.Com!europa.eng.gtefsd.com!howland.reston.ans.net!pipex!uknet!pavo.csi.cam.ac.uk!rja14
From: rja14(_at_)cl(_dot_)cam(_dot_)ac(_dot_)uk (Ross Anderson)
Subject: Re: Legal status of crypto signatures
Message-ID:
<1994Jan7(_dot_)151042(_dot_)21407(_at_)infodev(_dot_)cam(_dot_)ac(_dot_)uk>
Sender: news(_at_)infodev(_dot_)cam(_dot_)ac(_dot_)uk (USENET news)
Nntp-Posting-Host: nene.cl.cam.ac.uk
Organization: U of Cambridge Computer Lab, UK
References: <memo(_dot_)218671(_at_)cix(_dot_)compulink(_dot_)co(_dot_)uk>
Date: Fri, 7 Jan 1994 15:10:42 GMT
Lines: 81
In article <memo(_dot_)218671(_at_)cix(_dot_)compulink(_dot_)co(_dot_)uk>,
nikb(_at_)cix(_dot_)compulink(_dot_)co(_dot_)uk
(Nick Barron) writes:
|> Can anyone enlighten me on the legal status of crypto signatures in the UK?
|> We have a customer who are considering implementing an electronic document
|> distribution system, and many of their documents (predominently QA related)
|> require authorisation by signature. There are significant health and safety
|> considerations, as some of the documents relate to hazardous machinery.
I have so far helped as an expert witness in one civil and four criminal trials
in the UK which involved `cryptographic' evidence in some sense (they all had
to do with the security of automatic teller machines). Of these, three of the
criminal matters have so far gone to a conclusion.
The overall picture is that cryptographic evidence is extremely easy to
challenge, and using digital signatures in court is MUCH more difficult than
most crypto salesmen would ever admit.
UK law says that for computer evidence to be admissible, the computer manager
has to produce a certificate saying that the system was working properly, or
that is it wasn't then the faults didn't affect the ouyput.
Very few installations can cope with this certification requirement, as it
would mean keeping extensive logs (which would mean lots more disk drives) and
software engineering techniques of the sort that most people just talk about
rather than implement.
In both the cases where I was on the defence team, someone had had a phantom
cash machine withdrawal on her bank account, and had in each case been told by
the bank `our systems are infallible, so you must have been ripped off by your
family or friends'. In each case they went to the police; in each case a
colleague at work was accused of theft because of circumstantial evidence
suggesting that they might have had the opportunity to `borrow' the card.
The main item of evidence in each case was the victim's bank statement, and so
we demanded the certificates. Both of them arrived on preprinted forms, full of
legal boilerplate which seemed designed to stop the systems manager being had
up for perjury; they basically said that `the systems seemed to be working on
day X as far as I can remember'.
We then wrote to the prosecutor and demanded the supporting evidence - the
system logs, audit trails and so on. In each case, the bank replied with words
to the effect of `unfortunately the information you requested is not avalaible
and/or would be too expensive to obtain'. This made clear in both cases that
the evidence certificate had been filled out as a metter of routine, without
any checks being made, and in both cases the prosecution had to withdraw.
It may be significant that the banks' cryptographic systems, which are used to
generate, protect and verify PINs, were designed more for due diligence
purposes than to meet hard security goals. The basic argument is that `since we
use a VISA security module to work out your PIN from your accounr number, the
transaction must have been made using your card and PIN, so it can't be our
system's fault: you must have been negligent.'
Now, quite apart from the known bugs in the VISA security module, this argument
is clearly bogus: even if the crypto itself were designed and implemented
properly (a big if), there are dozens of ways in which the surrounding systems
can break down or be subverted, especially by insiders. See for example my
article `Why Cryptosystems Fail' at the Fairfax conference.
There are a number of interesting scientific issues here. For example, what is
robustness? This tends to mean different things in different industries - what
should it mean in the context of a computer security system?
More generally, we lack a paradigm of computing for use in evidence. Lawyers
have suggested that computer systems whose purpose is to provide evidence
should have append-only disk drives. Mathematicians often suggest that all
transactions should have a digital signature. However, neither of these are
enough on their own.
There is an even deeper problem: even if you could come up with an infallible
solution to the due diligence problem, a court might not accept it. In the
landmark case on cash machine phantom withdrawals in the USA, Dorothy Judd
sued Citibank for a refund of a transaction she disputed. Citibank claimed
that their systems were infallible; and the judge found that this claim was
untenable in law, in that it would have placed `an unmeetable burden of proof'
on the plaintiff.
In any case, using cryptology for due diligence seems rather dodgy to me,
Ross
------- End of Forwarded Message