
Monday, May 23, 2005

IT Minister's digital signature hacked

(Source: The Hindu Business Line)

The digital signature is here to stay but must be tested for efficacy to suit the Indian context. The more secure a prison, the greater the thrill in breaking it. The spirit of the erstwhile Alcatraz is testimony to this.

This seems to apply to digital signatures now in the cyber world. The passage of the Information Technology Act on October 17, 2000, legalised digital signatures in India. Various standards and infrastructures involving cryptography have also been put in place. This signature is intended to be unique to the individual and to serve as a means to identify, authorize and validate. But if so important a signature can be misused or misrepresented, is it not time to take notice?

The debut of digital signatures in India was in February this year when the Prime Minister received a digital e-mail from Pramod Mahajan, the Minister of Information Technology. According to the mail received, the digital signature was assured to be that of Mahajan.

A digital signature is used to authenticate the identity of the person who sends an electronic message. With the use of digital signatures, electronic transactions on the Internet can have a legal standing. So, the promise of the paperless revolution is still a possibility.

But the Indian Government does not seem to be too keen on digital signatures. Otherwise, when the controversy on the use of the MD5 (message digest 5) hash function and the SHA-1 hash function came to light, the Government should have been the first to ensure that it did not go through.

The MD5 hash function, which was brought out by RSA Inc of the US, has been found to be breakable, as the company itself testified way back in 1996. According to CryptoBytes, a technical newsletter of RSA Data Security Inc, hash functions are frequently used cryptographic primitives, and in digital signature schemes a message is hashed before signing.

The hash function should be collision-resistant, in the sense that there should not be another message that is similar in nature but has a totally different meaning and yet produces the same hash.

According to the journal, it was found that the MD5 hash function could be broken, and it said at that point of time: "we suggest that in the future MD5 should no longer be implemented in applications such as signature schemes, where a collision-resistant hash function is required."

Digital signatures are the only practical solution for electronic communication. A digital signature by nature is such that it binds the signatory, the signature and the message. Tampering with the original message can be immediately detected if the message has been digitally signed. This leaves very little scope for forging a signature, Nagpal says.

To get your digital signature, you first need to apply to a certifying authority (CA). The company will then allocate a private key and a public key to you. These "keys" are mathematically related and are used to encrypt and decrypt your digitally-signed documents. This procedure is referred to as public key cryptography. You use your private key to "digitally sign" or encrypt a message, and at the other end the recipient, who already has your public key, uses it to decrypt your message. Two things are essential: as the names suggest, only you should know the private key, and the recipient should know the public key.
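
The hash-then-sign flow and the collision-resistance requirement described above, as an added example that is not part of the original article: a signature covers only the digest, so a second message with the same digest verifies under the same signature. The toy RSA key, the 16-bit truncated MD5 standing in for a hash without collision resistance, the sample messages and all function names are assumptions constructed for this illustration.

```python
import hashlib
from itertools import count

# Toy RSA key from two Mersenne primes (constructed; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer

def weak_digest(msg: bytes) -> int:
    """Stand-in for a hash that is not collision-resistant: MD5 cut to 16 bits."""
    return int.from_bytes(hashlib.md5(msg).digest()[:2], "big")

def wide_digest(msg: bytes) -> int:
    """SHA-256 cut to 64 bits so the value fits under the toy modulus N."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:8], "big")

def sign(msg: bytes, digest) -> int:
    """Hash the message, then apply the private key to the digest only."""
    return pow(digest(msg), D, N)

def verify(msg: bytes, sig: int, digest) -> bool:
    """Recover the signed digest with the public key and compare it to the message's."""
    return pow(sig, E, N) == digest(msg)

def same_digest_message(signed: bytes, template: bytes, digest) -> bytes:
    """Append a counter to `template` until its digest equals that of `signed`.
    Brute force succeeds only because the toy digest has 65,536 possible values."""
    target = digest(signed)
    for i in count():
        candidate = template + b" ref:%d" % i
        if digest(candidate) == target:
            return candidate

def demo() -> dict:
    original = b"Transfer Rs. 100 to account 1111"      # constructed sample
    other = b"Transfer Rs. 90000 to account 2222"       # constructed sample
    weak_sig = sign(original, weak_digest)
    wide_sig = sign(original, wide_digest)
    lookalike = same_digest_message(original, other, weak_digest)
    return {
        "original_ok": verify(original, weak_sig, weak_digest),
        "edited_rejected": not verify(original + b"0", wide_sig, wide_digest),
        "lookalike_accepted_weak": verify(lookalike, weak_sig, weak_digest),
        "lookalike_rejected_wide": not verify(lookalike, wide_sig, wide_digest),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A verifier that accepts signatures made over a hash without collision resistance cannot tell the two messages apart; the same key with a wider digest rejects the second message.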

"The MD5 hash function, which has been prescribed by Indian law, has been globally recognized as being insecure for use in digital signatures. In light of this, the decision to prescribe the MD5 hash function for use by the Certifying Authority in India is erroneous and could have serious repercussions for the proposed Public Key Infrastructure in India. It would also imperil national security," says Nagpal.

Additionally, the police departments are gearing up to accept digitally-signed complaints online. "If there is discrepancy in the law, just think of the number of disputes that it would throw up. As it is we are under pressure to resolve litigation. This kind of a problem will only result in more work for us," police officials say.

Online banking transactions are gaining ground in India and in future these will use digital signatures.

What are the other areas where digital signatures can be used? Contracts, Government communications (e-governance), Defence organizations and law enforcement. Digital signatures are used to authenticate any kind of electronic communication.

The present attack does not yet threaten the practical applications of MD5, but it comes rather close to it. It appears to be the right time to look at the implications of such a problem rather than just seek to blindly apply technology.

2 Comments:

Blogger Andrea said...

You have very well explained the complete concept of digital signature in this article. After reading it I got a complete understanding about it. Nowadays digital signatures are widely used in every sector and this technology serves as the base for electronic communication.
digital signature software

1:31 PM  
Blogger Unknown said...

Valuable for information Digital signature. Is there any further reading you would recommend on this? Digital signature in Delhi

5:12 PM  
