A long time ago I wrote about the security fundamentals of the CIA (confidentiality, integrity and availability) along with authentication. Another fundamental is Authorization, which we will discuss later. But a concept some consider a fundamental is “Non-Repudiation”. It’s a combination of integrity and authentication, so it isn’t a true fundamental, but it is an important concept and one some people may still be fuzzy about.
Consider this: Bob sends a message to his employee Alice informing her of a big raise. Alice is excited, but when her paycheck arrives, there’s no raise. She confronts Bob and he denies sending the message. That’s “repudiation”, or disavowing the message contents. If Bob had digitally signed the message, he would not have been able to repudiate it and Alice would have had her raise.
A digital signature contains two essential features, but may (and generally does) contain more. The first is a hash of the message being signed. The second is that the hash is signed by the sender using her private key, thus authenticating the sender (if the key hasn’t been compromised, of course). The most prominent standard for digital signatures is the Digital Signature Standard (DSS).
Here is a message (using GnuPG):
Hi John --

I got word that I'm to teach 468 in Washington in a couple of months. That's great! I'll stay over in the city the following week and do some consulting work for the Folger Library.

Bob

--
This message was digitally signed. If you are curious, or worried about an "unknown attachment", see http://cromwell-intl.com/digsig/
_---___-_-_-_-___-______-_---_---___-_---___-_---_-_-___-_---_-_-___-_-_-_
All unencrypted communication by Internet, telephone, and fax is subject to interception and archiving. Corporate announcements of desire for deletion by unintended recipients accomplish nothing.
______-_-_-_-___-_---___-_-_-_---___-______-___-_---___-_---_-___-_-_-____
PGP key fingerprint: 6EBE A241 1131 573C 944E 7FC3 1343 C15E 62FE 4DD1
And here is the corresponding signature:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (OpenBSD)
-----END PGP SIGNATURE-----
If I can verify the signature and I trust that the key is indeed Bob’s, he cannot repudiate the message. Bob Cromwell has a good discussion on verifying signatures here: http://www.cromwell-intl.com/security/verify-digital-signature.html. I use Thunderbird for my email so I imported Bob’s key into my public keyring (collection of keys I know). When I loaded his message, Thunderbird said, “Good signature from Bob Cromwell <email@example.com>”. (I had to go to the message source to see the signature as the Thunderbird-GnuPG combo automatically checked and verified the signature.)
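The two features of a signature and the two conditions for non-repudiation (the signature verifies, and the key is one I trust to be Bob's) can be seen in the following added example, which is not part of the original post and is not how GnuPG is implemented. It assumes textbook RSA without the padding real signature schemes use, demo keys constructed from Mersenne primes, and hypothetical names (`make_key`, `fingerprint`, `verify`, `KEYRING`, Mallory).

```python
import hashlib

E = 65537  # common RSA public exponent

def make_key(p, q):
    """Build a textbook-RSA key pair from two primes: ((n, e), (n, d))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def fingerprint(public):
    """Short identifier for a public key, standing in for a PGP fingerprint."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:40]

def digest(message):
    """Feature 1: the hash of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, private):
    """Feature 2: transform the hash with the signer's private key."""
    n, d = private
    return pow(digest(message), d, n)

def verify(message, signature, public, keyring):
    """Return the verdict a mail client would show for this message."""
    owner = keyring.get(fingerprint(public))
    if owner is None:
        return "unknown key"          # nobody in the keyring vouches for this key
    n, e = public
    if pow(signature, e, n) != digest(message):
        return "bad signature"        # message altered, or signed by another key
    return f"good signature from {owner}"

# Constructed demo keys from Mersenne primes: trivially weak, illustration only.
BOB_PUB, BOB_PRIV = make_key(2**521 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_key(2**1279 - 1, 2**2203 - 1)
KEYRING = {fingerprint(BOB_PUB): "Bob"}   # Alice has imported only Bob's key

RAISE = b"Alice, you are getting a big raise. Bob"   # constructed sample message
SIG = sign(RAISE, BOB_PRIV)

if __name__ == "__main__":
    forged = sign(RAISE, MALLORY_PRIV)
    print(verify(RAISE, SIG, BOB_PUB, KEYRING))                          # intact
    print(verify(RAISE.replace(b"big", b"no"), SIG, BOB_PUB, KEYRING))   # altered
    print(verify(RAISE, forged, BOB_PUB, KEYRING))       # wrong private key
    print(verify(RAISE, forged, MALLORY_PUB, KEYRING))   # key not in keyring
```

Only the first check supports holding Bob to the message: the other three fail either on integrity or on trust in the key.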
Had Firefox not known Bob’s key, I would have received a warning such as the one below (which was from a different sender):
Interestingly, Bob is the only person with whom I regularly correspond who signs his email. But I’m not the one to be talking as I don’t tend to do so myself. My email is not set up to sign automatically. It’s simple to do, though: check a checkbox and publish my key. Here are the instructions for setting up signing and encryption in Thunderbird: https://support.mozillamessaging.com/en-US/kb/digitally-signing-and-encrypting-messages. The most time-consuming part is generating the key itself. There is one issue, though — signing is an issue for HTML email, which is what I tend to send by default, so I don’t sign by default.
My Thunderbird is set up to reply to signed messages with signed messages and to encrypted messages with encrypted ones. Thunderbird uses OpenPGP via GnuPG so the signatures are not compatible with DSS.
Of course there is a lot more to digital signing than just implementing it. There is the issue of trusting keys, for instance. Many public key systems rely on a Public Key Infrastructure while GnuPG uses a web of trust. I’ll cover those issues more in future posts, but you can learn much more about them in Learning Tree course 468, System and Network Security. And one can sign files in addition to email, too.
When do you sign messages and what tools do you use? Let us know in the comments below.