Cryptography Reference
Thus the arbitrated digital signature scheme as depicted in Figure 7.1 does
satisfy our notion of a digital signature scheme. However, this is not a scheme
seen that often in practice. The main practical difficulty with implementing
arbitrated signatures is the potential 'bottleneck' of having to pass every
single signature generation process through the arbitrator. It is worth noting
that in the physical world there are many processes that have a similar
message flow to arbitrated digital signature schemes, for example, many legal
processes.
7.2.2 Asymmetric trust relationships
A simpler example of MACs being used to provide non-repudiation arises in
situations where the signer and the verifier are in very different positions regarding
their perceived level of trust. For example, suppose that the signer is the client of
a major bank, which is the verifier. The client 'signs' data by computing a MAC
using a MAC key, which in turn was generated by the bank and issued to the
client on a smart card. We assume that the bank, which is in control of the
underlying key management of this system, has a strong reputation for honesty
and integrity with respect to its underlying infrastructure.
Now suppose that the client tries to deny 'signing' (generating a MAC on)
some data on which there appears to be a valid MAC. If the MAC algorithm
is strong and the underlying security architecture is properly implemented then
the client's only defence can be that the bank must have created this MAC and
is trying to 'frame' the client. However, how likely is it that a judge will rule
in favour of the client in this case? Even though both entities could, in theory,
have generated the MAC, the bank is a more powerful entity in this scenario and
one in which there is normally a much greater degree of perceived trust. This
could therefore be regarded as a relationship between a relatively untrusted entity
(the client) and a trusted entity (the bank). In such cases it might be arguable
that a MAC suffices to provide non-repudiation, because one party will never
'cheat'.
Of course, the above scenario allows plenty of room for debate! In fact, such a
debate has played itself out in courtrooms over the years when clients have accused
banks of 'phantom withdrawals' from Automatic Teller Machines, which utilise
symmetric cryptography to protect transactions. It should be clear by now that
the cryptography is unlikely to be at fault in such a scenario. Thus the challenge
for the client is to persuade the court that the banking accounting infrastructure
is flawed in some way. The bank, on the other hand, will be trying to persuade
the court that either the client is lying or, more likely, a genuine transaction took
place without the client being aware (the card was 'borrowed' by a family member,
for example). It is not common in such court cases for anyone to suggest that the
MACs on the ATM transaction are not true non-repudiation mechanisms and
could have been forged by the bank.
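
The bank and client scenario above can be made concrete with a short added example, which is not code from the original text. It assumes HMAC-SHA256 as the MAC algorithm (the text does not name one), and the class names, client identifier and transaction record are hypothetical. It shows that the bank can recompute exactly the tag the card produces, so the tag alone cannot tell a third party which of the two key holders created it.

```python
import hashlib
import hmac
import secrets

class SmartCard:
    """Client side: holds the MAC key the bank generated and issued."""

    def __init__(self, client_id, key):
        self.client_id = client_id
        self._key = key

    def sign(self, data):
        return hmac.new(self._key, data, hashlib.sha256).digest()


class Bank:
    """Verifier: generates every client's MAC key and keeps a copy."""

    def __init__(self):
        self._keys = {}  # client id -> MAC key

    def issue_card(self, client_id):
        key = secrets.token_bytes(32)
        self._keys[client_id] = key
        return SmartCard(client_id, key)

    def compute_tag(self, client_id, data):
        # Same key, same algorithm: no card needs to be present.
        return hmac.new(self._keys[client_id], data, hashlib.sha256).digest()

    def verify(self, client_id, data, tag):
        return hmac.compare_digest(self.compute_tag(client_id, data), tag)


def possible_origins(bank, card, data, tag):
    """List every party whose key material reproduces the disputed tag."""
    origins = []
    if hmac.compare_digest(card.sign(data), tag):
        origins.append("client")
    if bank.verify(card.client_id, data, tag):
        origins.append("bank")
    return origins


if __name__ == "__main__":
    bank = Bank()
    card = bank.issue_card("client-001")        # constructed client id
    record = b"withdraw;acct=0000;amount=100"   # constructed transaction
    print(possible_origins(bank, card, record, card.sign(record)))
```

Any claim that the client produced the tag therefore rests on trust in the bank's key management and infrastructure, not on the MAC itself.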