Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
Valentine's Day Patch Tuesday: Microsoft to issue 9 patches, 4 critical
Mobile World Congress sneak peek: Quad-core smartphones, Ice Cream Sandwich & more
Microsoft details 'Windows on ARM' program
March debut of 'iPad 3' a sure bet, says analyst
FBI unbolts Steve Jobs 1991 investigation file
Cisco boosted profit, sales in Q2 while cutting costs
Macs take on the enterprise
Four crazy tech ideas from Google's Solve for X project
Obama 2012 campaign playlist revealed courtesy of Spotify
Oracle buying Taleo for US$1.9 billion in direct hit at SAP
Amazon attacks Apple: You get 3 Kindle products for price of iPad 2
Pre-rendered pages highlight latest Google Chrome release
Microsoft exec: Lync-Skype integration a 'compelling opportunity'
The future of hypervisors
/

Why everyone should sign digital documents

Related linksToday's breaking news
Send to a friendFeedback

Sign up to receive this and other networking newsletters in your inbox.

By M. E. Kabay
Network World Security Newsletter, 02/14/00

E-mail and electronic documents have become a normal part of today's business. Unfortunately, signing those documents using digital signatures is still relatively rare.

Why should everyone sign e-mail and other forms of electronic communication?

The problem is that forging messages is ridiculously easy in today's technical environment. Take word-processing documents, for example. The properties sheet can be filled out any way you want; it is simple to enter somebody else's name or somebody else's company in the appropriate fields. Send such a document to a recipient who assumes that the identification of the author must be correct, and you can have a real problem.

In a famous case from the 1990s, a secretary at a large firm complained of sexual harassment. As evidence of systematic discrimination, she presented e-mail from the company system showing that her boss had fired her to protect the CEO against her claims of sexual harassment. The e-mail was convincing enough to win a $100,000 settlement from the company. However, a few months later, records of her boss' cellular phone calls strongly suggested that he had not been in the office when the incriminating e-mail had been written. It turned out that the secretary possessed her boss' e-mail account password; she was convicted of perjury for having forged that incriminating message using her boss' e-mail account.

One obvious lesson is that absolutely nobody should have anyone else's e-mail account password. If one of your users needs to let someone else read and answer their e-mail, you should arrange for proxy privileges so that the colleague can help without being able to forge e-mail.

Another problem that facilitates forgery is the ease with which anyone can forge e-mail headers for Internet delivery. Spammers do this all the time; junk e-mail arrives from countries all over the world - at least, so the headers would fraudulently indicate. Some criminals use easy forgery to cause trouble for their victims; they insert someone else's reply addresses in offensive or annoying e-mail so that recipients effectively mail bomb innocent people.

There was a case in Texas a few years ago where a clueless junk mailer called Craig Nowak stupidly used the reply address "flowers.com" in his junk e-mail. As a result, the legitimate firm flowers.com received over 5,000 e-mail messages complaining about the junk. The company's angry CEO Tracy LaQuey Parker sued Nowak and won a $19,000 judgment against him for damage to her company's good name.

Until we see authentication integrated into TCP/IP, it will be difficult to prevent criminals from forging e-mail sent through the 'Net. However, with a little effort, it is possible to make life harder for forgers. Wherever possible, everyone should sign their electronic messages using a digital signature.

There are many products available that allow every message to be signed so that its integrity and authenticity can be confirmed. Personally, I have used pretty good privacy (PGP) for many years and sign my messages so that anyone can check to see that they are unchanged and really mine. Because I use digital signatures consistently, I could reasonably repudiate any message that is not digitally signed with my PGP private key.

I also accept that I will not be able to repudiate authorship of these messages. However, honest people need have no fear of nonrepudiation. As long as I can be sure that no one has compromised the pass phrase that protects my PGP private key, I can be sure that no one will successfully forge communications in my name.

There are still problems preventing widespread acceptance of digital signatures. For one thing, most signature software tools do not successfully interoperate with each other. For another, the tools fail to support all e-mail packages.

I urge producers of popular cryptographic software to insure that competing products can verify their digital signatures. I also hope that digital signatures will become completely automatic for users of popular e-mail and document preparation software.

M. E. Kabay, Ph.D., CISSP, is Security Leader, INFOSEC Group, at Adario, Inc. He can be reached at mkabay@compuserve.com. Adario specializes in all aspects of information security consulting and training, including e-commerce, enterprise security policies and communications security.

RELATED LINKS

Check out the new "Computer Security Handbook, 4th Edition" edited by Seymour Bosworth and Michel E. Kabay; Wiley (New York), ISBN 0-4714-1258-9. Available now at your technical bookstore or visit Amazon.

M. E. Kabay, Ph.D., CISSP is Associate Professor of Information Assurance in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail by clicking here. He invites inquiries about his information security and operations management courses and consulting services. Visit his Web site for papers and course materials on information technology, security and management.

E-mail security products to launch at RSA show
Network World, 01/17/00.

The Uniform Electronic Transactions Act
Network World, 01/17/00.

Protecting electronic transactions
Network World, 01/12/00.

Digital watermarking
Network World, 01/03/00.

Archive of Network World on Security newsletters

Network World Security Alert will keep you up to date on the latest security holes and patches, with daily updates from key vendors, security organizations and Network World reporters. See the latest dispatches from the security here.


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.