The Silly World of Wet Signatures - When the Cyber Age Gets Stuck in the 19th Century

Don't you just love when someone has put document restrictions on your Word document, and then has a password on the file? All you want to do is to add your signature, but you have to print it out, and sign it, and then put it in the post.

Yes. I appreciate it is quite good for defining word limits, but not much else.

Lifting protection through the ages

Personally I've not found the restrictions actually work. Here are the methods I've used through the ages:

  • Clear text password. In the early versions of Microsoft Word, the password was there in a fairly clear form in the Word document, so that it could be overwritten. This used to be great for investigators, as it would take a few seconds to reset a password on a password-protected document.
  • Save as RTF. The next phase of getting round the restrictions was to save in another format which preserved the document's properties, such as RTF, but which broke the rights (and then save again as Word, as RTF is a rather verbose format).
  • Meta details. And then, with DOCX, the security got a bit tighter, but you just renamed your DOCX file as a ZIP file (doh!), and then extracted the metadata from the ZIP (oh ... did anyone tell you that a DOCX file is actually a ZIP file?), and then edited the metadata to remove restrictions. You then put it all back together as a ZIP file, and changed its file extension back to DOCX, and there were no passwords and restrictions any more.
  • Via Acrobat. In the modern age, the best one is now the Save As... into PDF, and then Acrobat will read it, and then produce a beautifully unprotected Word document on the other side. Adobe has been working on great converters between Acrobat and Word, and it all works seamlessly now, but drops the restrictions.

Wet signatures

Okay. I'm going to be honest here ... As a crypto geek, I have zero confidence in "wet signatures". The failing is to do with the legal system, and most companies, not trusting electronic systems, and the PKI/email system has a great deal to do with it. Why in the Cyber Age can we not have proper signatures on email? Why do we still get restricted documents, when most people will accept my signature on a PDF document?

For my Amazon deliveries I now just do a single straight line, and they seem to think that is okay. It could have been an ape signing for me, as far as the proof of delivery goes. For cryptography, signing with my private key is a billion, billion, billion ... billion times more secure than a silly line on a piece of paper.

I still have to sign for things in documents, though, and it's costly in time (as you have to print a document out, and put it in the post). So for most of the things I do now, I just take a scan of my wet signature, and then paste it into the document, and create a PDF from that. Again the credibility of this is around zero, as someone else could grab a scan of my signature, and do the same thing. But most people will accept this, especially if it comes from my email address. So you must ask if authentication by email is better? And it is, but only just slightly better, as email can be easily spoofed, and mocked up to look like valid emails.

Poor restrictions on Word

We have some internal documents that are so difficult to edit, as someone has restricted editing on them. While at one time the export of a Word document was good in terms of taking the contents of the file and inserting it into a database, in most cases the document is just protected for the sake of it. You end up with horrible editing, and can't add things like your signature.

At one time I used to save as an XML format, and then go and edit a few of the XML properties, and that was it, but there's a much simpler way now, where you just save to PDF format, import into Adobe Acrobat, and then save as a Word file, and all the rights have disappeared. Adobe is now much better at exporting into Word, so it is mostly seamless. I can then do my PhD reports, and lots of other things that someone thinks I need to be using .... paper!

Is it legal?

We have some spin-out companies, and every so often there's a few legal things to sign, so it always comes as a bit of a shock when I'm asked to create a scroll of a hint of my name across a page, and then ask someone to add their scroll and date and sign it. The farce too is that this is the final page of the document, and I could quite happily attach a completely different set of pages to it.

When my Amazon package too arrives at the door, I'm prompted for a signature, and there's no way they are getting my real signature so I now just add a straight line:

Then, to make things worse, I have to date when I sign the document, and the signature and date become legal for the whole document.

In a day when the scanning of a signature is so easy, and then to match this as a wet signature, it really is a farce. I often now take a scan of a document with my signature and send it, which again has very little credibility, as it is fairly easy to modify the PDF. And, even if I protect the PDF and sign it electronically, it can still be printed out and recovered back into another format:

As most industries have moved fast to adopt electronic methods, the legal system seems archaic in its methods. In most cases a wet signature only really provides evidence that some ink touched a piece of paper at some time. The art of tracing signatures goes back many years, and these days the tracing can easily be done electronically.

What about trust?

As we become more dependent on the Cloud, we can never be 100% sure that everything is correct and as it should be. This might relate to receiving an email from someone who says that they know you, but how can you tell if the person is genuine? The email address looks fine, but the email content does not have the same writing style as the person who normally writes from that email address.

Unfortunately there is very little that we can do, at present, to determine if this is genuine, but things are changing, and it is trust that is becoming the key element of how we interact with the Web.

Bruce Schneier highlights this, in that we are entering a new phase, and defines that:

Trust and cooperation are the first problems we had to solve before we could become a social species. In the 21st century, they have become the most important problems we need to solve— again. Our global society has become so large and complex that our traditional trust mechanisms no longer work.

So, he highlights that our traditional methods of trust, such as wet signatures, no longer work.

A new world of trust is evolving naturally, though. If, for example, you go into Starbucks you see a strong trust relationship between the customer and the company, and where coin transactions have often been replaced by electronic payment methods.

Few would have thought a few years ago that we would be paying for a cup of coffee with our mobile phone. In this the customer trusts Starbucks to take the right amount for the bill, and your mobile phone provider to protect the transaction, and the software vendor for making sure the transaction is set up correctly, and your bank to move the correct funds for you. We now have many identities working together ... you ... Starbucks ... your mobile phone ... the software app ... the transaction (yes ... a transaction has an identity too!) ... your mobile phone provider ... your bank. There are no wet signatures involved anywhere!

So who can we trust?

So let's relate this to a more modern usage of mutual authentication. For this we assume that Bob and Alice are going through a difficult time, and now they only communicate through their lawyer (Trent), who they both trust, but want a way to identify each other and communicate in a secret way (and so that Trent doesn’t actually see the messages). Unfortunately they cannot afford any expensive lawyer fees for their communications, so how do they use Trent to create a secret box for their communications? Well, they can use a protocol known as Kerberos.

Trent Gets a Box and a Key

So Alice goes to Trent and says that she has to prove her identity to Bob, and vice-versa. For this Trent will make a special key for a box, and will make a copy for Bob and Alice (he might also keep a copy for himself, just in case they lose them – this technique is known as key escrow). Trent will then take a photograph of Alice, and write down the date and time on it, and the amount of time he can verify Alice for.

He will then put it into the box, and give the box to Alice, along with the key. Along with this he will give her a sealed letter for the attention of Bob, which has his stamp on it. Inside will be a photograph of Alice that he took, and the secret key, along with the date/time that he created the key. With key escrow, Trent will keep a copy of the key, just in case Bob and Alice lose their keys, but if Bob and Alice do not want this, then Trent must prove that he does not have any other keys. In this way Trent will not be blamed for any leakage of the information in the box.

Alice Sends the Box

Alice then goes home, and then puts her photograph in the box, and locks it with the secret key. She then passes the box, without the key, along with the sealed letter to Bob. Bob opens the sealed letter, which has a key inside to open up the box, and which has the photograph that Trent took of Alice. Bob then opens the box with the secret key provided by Trent, and takes out the photograph that Alice has provided. If it is the same as the one that Trent put in the sealed letter, Bob thus verifies Alice’s identity.

Now we have a Secret Box … and no lawyer

Bob and Alice now have the same key to open and close the secret box, and can now use it to send secret messages to each other. No-one else will have that unique key, thus any messages in there must have been provided by Bob and Alice. Now they can both define the terms of the divorce without being billed for more solicitor fees for their messages.

If you are interested, here is the protocol:

https://asecuritysite.com/Encryption/ker
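
The box-and-letter exchange above, written out as a small Python sketch. This is an added example, not code from the original post or from the linked protocol page: the function names are hypothetical, `seal`/`unseal` are a toy encrypt-then-MAC built from SHA-256 and HMAC standing in for a real cipher, and it assumes (as Kerberos does) that Alice and Bob each already share a long-term key with Trent.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    """Toy keystream: SHA-256 in counter mode (stand-in for a real cipher)."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Lock a box: encrypt then MAC, so only a holder of `key` can open or forge it."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(b"enc" + key, nonce, len(pt))))
    return nonce + ct + hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()

def unseal(key, box):
    """Open a box; ValueError if the key is wrong or the contents were altered."""
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    good = hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("box rejected: wrong key or tampered")
    pt = bytes(a ^ b for a, b in zip(ct, _stream(b"enc" + key, nonce, len(ct))))
    return json.loads(pt)

def trent_issue(k_alice, k_bob, now, lifetime=300):
    """Trent cuts one session key: a copy for Alice and a sealed letter (ticket) for Bob."""
    grant = {"who": "alice", "key": os.urandom(32).hex(), "issued": now, "lifetime": lifetime}
    return seal(k_alice, grant), seal(k_bob, grant)

def alice_box(k_alice, her_copy, now):
    """Alice recovers the session key and locks her own 'photograph' in the box."""
    session = bytes.fromhex(unseal(k_alice, her_copy)["key"])
    return seal(session, {"who": "alice", "ts": now})

def bob_verify(k_bob, ticket, box, now, skew=60):
    """Bob opens the letter with his own key, then the box with the key found inside."""
    grant = unseal(k_bob, ticket)
    claim = unseal(bytes.fromhex(grant["key"]), box)
    if claim["who"] != grant["who"]:
        raise ValueError("photographs differ")
    if now > grant["issued"] + grant["lifetime"] or abs(now - claim["ts"]) > skew:
        raise ValueError("ticket expired or box is stale")
    return grant["who"], bytes.fromhex(grant["key"])

if __name__ == "__main__":
    ka, kb = os.urandom(32), os.urandom(32)   # constructed long-term keys shared with Trent
    t0 = time.time()
    her_copy, ticket = trent_issue(ka, kb, t0)
    print(bob_verify(kb, ticket, alice_box(ka, her_copy, t0 + 5), t0 + 10)[0])
```

Bob never talks to Trent during the exchange: everything he needs arrives from Alice, and the time limit Trent wrote on the photograph is what stops an old letter being replayed later.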

Multi-factor authentication

The Kerberos method is strong in mutual authentication, but it is not high on getting the trust of users, so the focus must be on systems which users find trustworthy for checking identity, and then using multiple factors. In identity checking, we often check someone's driving licence, but then if they show us their utility bill, we increase our trust in the person's identity.

So, it's all about who we mutually trust. If I send you an SMS text message from my phone, you trust the network to send it so that it has not been modified. And then if I send you an email to give you a hash of the message, do you now trust that more?

A mobile phone and your main email address are now the two most trusted parts of your identity. It is unlikely that someone will gain access to both your mobile phone and the password for your email address, and for it not to be known. Thus a signed email, with an electronic timestamp, with the backup of a mobile phone message, along with the location that the message was sent from, is a much stronger way of authenticating the person than a wet signature and some text with the date.

Time stamping

So why not just send an email, as the date sent is within the email? This has many problems, especially that the protocol for sending and receiving emails is typically done with text messages and with no form of verification that it has not been changed. So how do we properly time stamp something? Well, the answer is standardized in TSP - Time Stamp Protocol.

https://asecuritysite.com/encryption/time

So let's take my great title of "Everything Is Now In The Cyber Age - Apart From The Legal System" and time stamp it for the time I wrote this (6am on 29 Sept 2015):

I now get complete verification of the time and the contents of the message, and which cannot be changed:

Serial Number: 1694709761822180611052696344716
Gen Time: 9/29/2015 6:00:21 AM
Policy 1.2.643.2.2.38.4
Encoded timestamp: 305702010106072A8503020226043021 300906052B0E03021A05000414EF2E30 0F05AB7E6C80BBCE62A486FE0D336B5A 63020D1563E70F13000000000031988C 180F3230313530393239303630303231 5A3003020164020164
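
The encoded timestamp above is a DER-encoded RFC 3161 TSTInfo structure, and the added example below (not from the original post) decodes it with a minimal hand-written parser to show the fields the time-stamping authority binds together: policy, hash of the message, serial number and time. The authority's signature over these fields travels in the enclosing token and is not part of these bytes; `decode_tstinfo` and `imprint_matches` are hypothetical names.

```python
import hashlib

# "Encoded timestamp" value copied from the page (hex, spaces removed).
ENCODED = bytes.fromhex(
    "305702010106072A8503020226043021300906052B0E03021A05000414EF2E30"
    "0F05AB7E6C80BBCE62A486FE0D336B5A63020D1563E70F13000000000031988C"
    "180F32303135303932393036303032315A3003020164020164")

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value bytes, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def oid(value):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_tstinfo(der):
    """Pull the leading RFC 3161 TSTInfo fields out of the DER bytes."""
    tag, body, _ = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, version, p = tlv(body, 0)
    _, policy, p = tlv(body, p)
    _, imprint, p = tlv(body, p)           # MessageImprint SEQUENCE
    _, alg_seq, q = tlv(imprint, 0)        # AlgorithmIdentifier
    _, alg_oid, _ = tlv(alg_seq, 0)
    _, digest, _ = tlv(imprint, q)         # the hash that was time stamped
    _, serial, p = tlv(body, p)
    _, gen_time, p = tlv(body, p)
    return {"version": int.from_bytes(version, "big"), "policy": oid(policy),
            "hash_alg": oid(alg_oid), "digest": digest.hex(),
            "serial": int.from_bytes(serial, "big"),
            "gen_time": gen_time.decode("ascii")}

def imprint_matches(message: bytes, info) -> bool:
    """True only if SHA-1(message) equals the hash bound into the timestamp."""
    return hashlib.sha1(message).hexdigest() == info["digest"]
```

The decoded serial, policy and generation time are the same values printed on the lines above the hex, and the hash algorithm identifier `1.3.14.3.2.26` is SHA-1, so the timestamp covers a 20-byte digest of the message rather than the message itself.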

Sticky policies and Identity-based encryption

So, please don't think this is a great moan against those who lock down documents for no reason, or against the legal system for not accepting electronic signatures. The blame is mainly that we have terrible alternatives, and the crypto world is still a million miles from creating something that actually works.

The rights to access a document (for read, create, update and delete) are often ("always") not bound to the rights of a user, and it is up to the operating system to define the restrictions. This is an archaic approach, as you should provide your identity and the document itself should know which parts you are allowed to read, change, update and delete. But we have terrible formats for this, and I can now simply save my Word document as a PDF document, and then save it back as a Word document, and all the restrictions are gone.

So we have been working on sticky policies within Word documents, where you can restrict parts of a document based on the identity of the person, and also avoid the horrible mess of PKI with the usage of Identity Based Encryption (IBE). If you are interested, we have a great researcher (Greg Spyra) working on the problem, and have a research paper here:

Conclusions

It has taken us 40 years to build a new society, but parts of it still think we are in the 1970s. With health and social care now being revolutionized, with things like e-Red Book for children's health [here], will the legal system be the next to follow, or will we still be signing our names with a feathered pen at the end of this century?

The blocker, of course, is the lack of trust in much of the cryptography we have created, as few people really understand it. Where the trust will lie is with the real things which identify us ... our mobile phone ... our email addresses ... our Facebook page ... our Twitter account ... all these today are infinitely more trusted than a scroll. Security professionals and the news media perhaps don't help with continual stories of hacks, where individuals feel under threat from hackers on a continual basis.

Just in case you copied my previous scroll, here's my new signature:

For all the text in this LinkedIn post, here is the SHA-1 thumbprint [Here]:

dd6c022ce573ed4d475634865ec73824

If someone changes one character in the text, the thumbprint will change completely.

Conclusions

So, here's to companies like miiCard [here] for focusing on making identity more trustworthy. Like it or not, every single person in the world can now have a proven identity, and where society can build trust in the systems that they create. If we need it, biometrics offers the ultimate in verifying identities, and I would quite happily trust my fingerprint scanner on my iPad before I would trust my wet signature.

For me, my iPad fingerprint scanner is 99.9999...% safe, especially if I add other forms of authentication checking, and my wet signature is 0.00000..01% safe. The key to the credibility of many systems is both multi-factor authentication (something that you have, something that you are, somewhere where you are, and something that you know), and using out-of-band communications for the different authentication methods. We see out-of-band methods when we add a new device to our Dropbox network, where you get an out-of-band SMS message on your phone to enter into a Web page.

The legal system has moved slowly in the past, for good reasons, but the rapid change over the past 40 years provides a challenge for it, especially in how it can understand the strengths and weaknesses of all the methods involved. Every one of our industries has been changed in some way, but there are still a few which need to catch up.

I leave it to the amazing miiCard (Edinburgh based identity company):
