Cryptography Reference
In-Depth Information
negligible. If Alice is very careful, she changes every document submitted to
her for signature just a little. Appropriate care can help exclude the threat
described.
Moreover, Alice should use a different private key for signing and for decrypt-
ing session keys, as mentioned earlier.
However, if Alice digitally signs a favorable lease contract for a 20-year period,
then the prime factors (i.e., her private key) have to remain hard to compute
over this period of time. Who can tell what methods mathematics will use in
20 years from now?
This problem is much more critical for digital signatures than it is for key
exchange. When encrypted information becomes worthless after only one year,
then hybrid methods would be our choice. Conversely, we often sign documents
that are supposed to remain valid over long periods of time.
I can currently think of only one solution: all digitally signed documents with
long-term validities should be countersigned by a trustworthy party periodically
based on the latest state-of-the-art in cryptology. You probably can imagine
what kind of cost this means. Perhaps there are already usable cryptographic
protocols that can handle the 'aging' of digital signatures. Perhaps the fail-stop
signatures mentioned in Section 6.6.5 could be a suitable approach. I think that
this problem will play a major role in the future.
In practice, however, public keys remain valid over long periods of time. The
Web of Trust in PGP (see Section 7.1.2), for example, even prevents frequent
key changes. The risk that Alice's private key could be compromised one day
is, therefore, not to be neglected. Theoretically, all her signatures would then
become worthless at once. If you compare this risk with how conventional
signatures are handled, cold shivers will probably run down your spine.
The trouble is that we will need digital signatures in the near future. In Ger-
many, the first set of regulations for legal recognition of digital signatures have
already been ratified (see Section 8.2.5). Cryptologists simply
must
develop and
offer secure protocols and methods for digital signatures; otherwise, insecure
methods will make the race.
Attacking the One-Way Hash Function—The Birthday Attack
A 'softer' forging method is to outsmart the hash function. This can look like
this: Alice and Mallory sign a work-for-hire agreement. Mallory fabricates
a second contract with financial terms more to his liking, which supplies the
