Why everyone should sign digital documents
Sign up to receive this and other networking newsletters in your inbox.
Why should everyone sign e-mail and other forms of electronic communication?
The problem is that forging messages is ridiculously easy in today's technical environment. Take word-processing documents, for example. The properties sheet can be filled out any way you want; it is simple to enter somebody else's name or somebody else's company in the appropriate fields. Send such a document to a recipient who assumes that the identification of the author must be correct, and you can have a real problem.
In a famous case from the 1990s, a secretary at a large firm complained of sexual harassment. As evidence of systematic discrimination, she presented e-mail from the company system showing that her boss had fired her to protect the CEO against her claims of sexual harassment. The e-mail was convincing enough to win a $100,000 settlement from the company. However, a few months later, records of her boss' cellular phone calls strongly suggested that he had not been in the office when the incriminating e-mail had been written. It turned out that the secretary possessed her boss' e-mail account password; she was convicted of perjury for having forged that incriminating message using her boss' e-mail account.
One obvious lesson is that absolutely nobody should have anyone else's e-mail account password. If one of your users needs to let someone else read and answer their e-mail, you should arrange for proxy privileges so that the colleague can help without being able to forge e-mail.
Another problem that facilitates forgery is the ease with which anyone can forge e-mail headers for Internet delivery. Spammers do this all the time; junk e-mail arrives from countries all over the world - at least, so the headers would fraudulently indicate. Some criminals use easy forgery to cause trouble for their victims; they insert someone else's reply addresses in offensive or annoying e-mail so that recipients effectively mail bomb innocent people.
There was a case in Texas a few years ago where a clueless junk mailer called Craig Nowak stupidly used the reply address "flowers.com" in his junk e-mail. As a result, the legitimate firm flowers.com received over 5,000 e-mail messages complaining about the junk. The company's angry CEO Tracy LaQuey Parker sued Nowak and won a $19,000 judgment against him for damage to her company's good name.
Until we see authentication integrated into TCP/IP, it will be difficult to prevent criminals from forging e-mail sent through the 'Net. However, with a little effort, it is possible to make life harder for forgers. Wherever possible, everyone should sign their electronic messages using a digital signature.
There are many products available that allow every message to be signed so that its integrity and authenticity can be confirmed. Personally, I have used pretty good privacy (PGP) for many years and sign my messages so that anyone can check to see that they are unchanged and really mine. Because I use digital signatures consistently, I could reasonably repudiate any message that is not digitally signed with my PGP private key.
I also accept that I will not be able to repudiate authorship of these messages. However, honest people need have no fear of nonrepudiation. As long as I can be sure that no one has compromised the pass phrase that protects my PGP private key, I can be sure that no one will successfully forge communications in my name.
There are still problems preventing widespread acceptance of digital signatures. For one thing, most signature software tools do not successfully interoperate with each other. For another, the tools fail to support all e-mail packages.
I urge producers of popular cryptographic software to insure that competing products can verify their digital signatures. I also hope that digital signatures will become completely automatic for users of popular e-mail and document preparation software.
M. E. Kabay, Ph.D., CISSP, is Security Leader, INFOSEC Group, at Adario, Inc. He can be reached at firstname.lastname@example.org. Adario specializes in all aspects of information security consulting and training, including e-commerce, enterprise security policies and communications security.