Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Digital Evidence:
Dream and Reality
Digital evidence is inherently weak. New evidence-gathering
technologiesdigital black boxesmust be developed
and deployed to support investigations of irreproducible
events such as digitally signing a document or electronically
casting a ballot.
ROLF OPPLIGER
R UEDI
RYTZ
Swiss Federal
Strategy Unit
for
Information
Technology
AND
Digital Forensics
issue. Although some people can read and interpret specific bitstrings (such as Morse code), bits and bitstrings
generally have no meaning for humans unless a computer
system renders them and gives them sense. This rendering involves hardware and software and is by no means
unique. It is, for example, possible to write a program
(that is, a bitstring) that does something reasonable if executed on one computer system, but crashes another, perhaps running a different operating system. An attacker
might even digitally sign the program and send it to
someone he or she wants to attack. Unlike someone who
attacks a person with a knife, the attacker could simply
argue before court that he or she hadnt intended to harm
anyoneafter all, the code worked fine on his computer.
Bitstrings might differ from their final perception in
other instances; for example,
A person claims that a bitstring (say an image file) resulted from a random experiment. Sure, some potentially asymmetric (and not uniform) probability distribution for each interpretation exists and some
interpretations might appear unlikely; however, such
claims are possible and might be challenged in court.
Different bitstrings represent the same document. For
example, a word-processing file usually includes a lot of
hidden information. From the human users viewpoint,
several files represent the same document even though
the respective bitstrings are completely different.
Consequently, we must strive for complementary technologies to improve bitstrings overall credibility, notably
if their generation is a one-time event. This is where digital black boxes come into play.
It seems reasonable that we design, implement, and
deploy digital black boxes on an application-specific
basis, as is the Network Flight Recorder Network Intrusion Detection (NFR NID, www.nfr.com/products/
Generating a digital
signature, however, is a
one-time event, as is signing
a paper document with a pen.
nid/) for network traffic analysis. In other cases, implementing a black box might be tricky (in the context of
digital signatures, for example), or even illegal (such as in
remote Internet voting).
Irreproducible events
Irreproducible events are very common in daily life. Exhttp://computer.org/security/
45
Digital Forensics
Digital signatures
Introduced in the 1970s, digital signatures still are considered a major application of public key cryptography.2
In public key cryptography, each user holds a pair of keys
(k, k-1), one private (k-1) and the other public (k). The
two keys are mathematically related, but we assume
computing the private key from the public key is computationally infeasible.
In a digital signature system (DSS), one user digitally
signs messages with the private, or signing key, while another user verifies the digital signatures using the public,
or verification key (see the sidebar for a more detailed discussion of DSS). Many DSSs have been proposed, and
RSA, the first public-key cryptosystem for digitally signing electronic documents,3 still is widely used.
Developers often use digital signatures to implement
nonrepudiation servicesservices that make it impossible or
useless for communicating peers to repudiate their participation. For example, the sender of an email message
might digitally sign the message using his or her private
key. Anyone in possession of the public key can later verify the messages origin, making it difficult to repudiate.
Consequently, digital signatures often serve as electronic
analogs of handwritten signatures. To put these two signature types on par, many countries and organizations
have enacted legislation, such as the Community Framework for Electronic Signatures in Europe and the Electronic Signatures in Global and National Commerce Act
in the US (commonly known as E-SIGN). As of this
writing, the legal status of digital signatures is unclear.
Because digital signatures are based on mathematical
46
SEPTEMBER/OCTOBER 2003
formulas, intuition tells us that the digital signature generation and verification processes are reproducible computations. This is true for verification. Once successfully
verified, subsequent computations verifying the same
digital signature (provided you know the correct public
key) will likely be successful.
Generating a digital signature, however, is a one-time
event, as is signing a paper document with a pen. Note
that the irreproducible nature of digital signatures is not
properly reflected in the mathematical definition of a
DSS (see the sidebar). Clearly, in principle you can digitally sign as many copies of your document as you wish.
However, sending a copy to your contracting party makes
that copy your (digitally) signed electronic document,
which you cannot take back later.
Against this background, its interesting to ask how secure digital signature systems and their implementations
are. A total break of a DSS would include computing the
signing (private) key from the verification (public) key.
This is very hard (or impossible) to do as it would require
solving an intractable mathematical problem (such as factoring a large integer or computing a discrete logarithm).
Obviously, anyone can totally break a DSS by stealing
the signing key. A key stored on a file system is only as secure as the file system. If the key is encrypted, it is as secure as the encryption. Most encryptions use a password
or passphrase. In this case, the key is at most as secure as
the password or passphrase. A partial break of a DSS involves combining digital signatures of different messages
to come up with a valid digital signature for a new message (that is, a message the signatory never signed). Partial
breaks are selective if an attacker can determine this new
message, or existential if the attacker cannot. Some DSSs
have been shown to be resistant against existential
forgeryeven if one considers chosen-message attacks.4,5 The mathematical basis for the DSSs in use
today is assumed to be relatively secure.
As for the implementation, bear in mind that the sign-
Digital Forensics
47
Digital Forensics
7.
8.
9.
10.
References
1. K.R. Popper, Conjectures and Refutations: The Growth of
Scientific Knowledge, 5th ed., Routledge, 1992, p. 192.
2. W. Diffie and M.E. Hellman, New Directions in Cryptography, IEEE Trans. Information Theory, vol. 22, no. 6,
1976, pp. 644654.
3. R.L. Rivest, A. Shamir, and L. Adleman, A Method for
Obtaining Digital Signatures and Public-Key Cryptosystems, Comm. ACM, vol. 21, no. 2, Feb. 1978, pp.
120126.
4. S. Goldwasser, S. Micali, and R.L. Rivest, A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks, SIAM J. Computing, vol. 17, no. 2, 1988,
pp. 281308.
5. C. Dwork and M. Naor, An Efficient Existentially
Unforgeable Signature Scheme and Its Applications, J.
Cryptology, vol. 11, no. 3, 1998, pp. 187208.
6. C. Ellison, Improvements on Conventional PKI Wisdom, Proc. 1st Ann. PKI Research Workshop, Natl Inst.
11.
12.
Get access
to individual IEEE Computer Society
documents online.
More than 67,000 articles and conference papers available!
US$9 per article for members
US$19 for nonmembers
http://computer.org/publications/dlib
http://computer.org/
48
SEPTEMBER/OCTOBER 2003