Cryptography Reference
In-Depth Information
such fraud by many experts. Not for nothing is its source text digitally signed!
However, PGP is not usable for every purpose, and it was subject to license
fees for commercial use in connection with IDEA (Section 5.3.1). But there is
also GnuPG, which will be discussed in Section 7.1.4.
Known channels can be 'plugged up'. Perhaps somebody will discover new
ones that will also be plugged up. Here we are again: the eternal race between
cryptography and cryptanalysis. However, there is the additional problem that
plugging up channels is hard to check in software. We will discuss this issue
further in Sections 6.7 and 8.3.
Bottom Line
Let's briefly return to conventional signatures. They cannot be forged to perfection.
'Wait a minute', you will say, 'there are enough con artists who master
this!' True, but never entirely perfectly. You can have a modern graphologist
study things like the geometry of a signature, the writing pressure and the writing
speed, the ink, and perhaps even one day microscopic palm-sweat traces.
In short, more and more characteristics of a signature can be determined as the
state-of-the-art in criminal-investigation techniques grows.
Let's sum things up: as perfectly as a conventional signature may be imitated,
there will always be one little detail the forger just won't get right. Forgers can
never be sure that their forgeries will not be proven to be forgeries one day.
It is a fact from the outset that digital signatures cannot offer this kind of
'dynamically expandable' security. There will never be sweat traces on electronic
files. If somebody manages to get your private key by computation, or
trickery, or extortion, then he can forge all your digitally signed contracts, and
you cannot prove it no matter how hard you try.
It is not sufficient to use cryptologically secure methods and protocols. Also, the
problem of determining whether or not a public key presented really belongs
to Alice has to be solved safely. PGP and PKI show two possible solutions
(Chapter 7). The private key has to be protected securely enough. Your capability
of signing in a certain way cannot be stolen from you. The 'theft' of
two large prime numbers, in contrast, can be a kid's game. It is not sufficient
to PIN-protect them. In the near future, biometric methods will surely
emerge — we will deal with this issue in Section 6.6.9.
And there is yet another problem: when manually signing you see the document
you sign. Whether or not the text on the screen is really the text you sign is
doubtful if a hacker has visited the system.