Technologies for Non-Repudiation
From Blindside
Contents |
[edit] What is it
Public key cryptography:
Public key cryptography, also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys - a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key. Wikipedia
Public-key cryptography facilitates the following tasks:
- • Encryption and decryption allow two communicating parties to disguise information they send to each other. The sender encrypts, or scrambles, information before sending it. The receiver decrypts, or unscrambles, the information after receiving it. While in transit, the encrypted information is unintelligible to an intruder.
- • Tamper detection allows the recipient of information to verify that it has not been modified in transit. Any attempt to modify data or substitute a false message for a legitimate one will be detected.
- • Authentication allows the recipient of information to determine its origin--that is, to confirm the sender's identity.
- • Nonrepudiation prevents the sender of information from claiming at a later date that the information was never sent. [1]
One-way hashing:
One-way hashing uses a complex mathematical formula to convert input (such as a card number) that, when run through the formula (algorithm), will always produce the same output. This allows you to use a hash as a record key, much like you would use a credit card number. [2]
With one-way hashing, once a value is encrypted, the original value can never be determined even if the encryption key is known. With two-way encryption, the encryption is reversible so the system can determine the original value by using the encryption key.
One-way hashing is useful for values that the user must enter during every session (such as an authentication password) but are otherwise not very useful to know. Instead of comparing two plain-text values, you hash the user-entered string and then compare it to the stored value. You'll never know the plain text value and, in the case of the password, if you want to change it, you'll need to reset it to a known value (instead of sending users their password via e-mail, for example). [3]
Digital signatures:
In cryptography, a digital signature or digital signature scheme is a type of asymmetric cryptography used to simulate the security properties of a signature in digital, rather than written, form. Digital signature schemes normally give two algorithms, one for signing which involves the user's secret or private key, and one for verifying signatures which involves the user's public key. The output of the signature process is called the "digital signature." Wikipedia
A digital signature is the term used for marking or signing an electronic document, by a process meant to be analogous to paper signatures, but which makes use of a technology known as public-key cryptography. Additional security properties are required of signatures in the electronic world. This is because the probability of disputes rises dramatically for electronic transactions without face-to-face meetings, and in the presence of potentially undetectable modifications to electronic documents. Digital signatures address both of these concerns, and offer far more inherent security than paper signatures. [4]
[edit] Impact & Maturity assessment
We assign this an Impact Level of 2, as the current generation of cryptographers is slightly ahead of the current generation of code-breakers. This is likely to continue until widespread use of either quantum or biological computing systems is adopted. (Note that quantum computing will in all likelihood benefit cryptographers even more than code breakers.) Hence, from an information assurance point of view, cryptography is robust enough to protect information when correctly implemented. From a criminal justice or anti-terrorist point of view, the existence of commercially available cryptographic solutions is probably quite worrying, although terrorist organisations to date do not seem to be using current generation cyrptographic tools. We assign this a Maturity Level of 1, as radical changes to the ways messages are sent as well as encrypted, and radical changes to the tools available to both sides of this ongoing struggle, are just around the corner.
[edit] Information Assurance issues
Privacy Implications of Digital Signatures
A pair of security bugs in cryptography software could allow an attacker to insert content into a digitally signed message or forge signatures on files. Open-source bugs undermine digital signatures
[edit] Timescale
Is the impact of this emerging technology felt - now (less than 18 months) - in 2-5 years? - in 5-25 years - longer-term than that even
[edit] Examples
Encryption, hashing, and obfuscation
[edit] Comments (attributed)
What people say about this emerging technology (attributed)
[edit] Organisations
Groups which have a particular contribution or point of view about this emerging technology, eg tech businesses, user organisations or advocacy groups
[edit] Documents & research papers
Introduction to Public-Key Cryptography
Non-Repudiation in the Digital Environment
Nonrepudiation in Network Communications
A Primer on Public-Key Cryptography
Entity Authentication Using Public Key Cryptography
Public-Key Cryptography - Theory and Practice
A comparison between traditional Public Key Infrastructures and Identity-Based Cryptography
Eliminating Card Numbers to Minimize PCI Exposure
Knowledge discovery without knowledge disclosure – IBM Whitepaper
A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
[edit] Experts (academic, practitioner)
Links to academic experts or expert practitioners and commentators on this emerging technology
