RE: Signing before Encryption and Signing after Encryption

Fairly much.

There are hash-based signature schemes, for example, but having ones that
may not be repudiated is difficult.

Also comes to good practice. Why sign a message if it may be repudiated
later (though there may be some reasons)?

Craig

-----Original Message-----
From: Gregory Rubin [mailto:grrubin@xxxxxxxxx]
Sent: 25 March 2006 7:15
To: Craig Wright
Cc: gillettdavid@xxxxxxxx; shyaam@xxxxxxxxx;
security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Signing before Encryption and Signing after Encryption

So it sounds to me that this is more a legal and contractual issue than
a technical issue, or am I misreading this?

Greg Rubin

On 3/22/06, Craig Wright <cwright@xxxxxxxxxxxxx> wrote:

Hi David,
Non-repudiation has different requirements in different legal
jurisdictions.

There needs to be a manner to verify the keys (i.e. PKI). I can get a
VeriSign certificate calling myself Bill Gates. This does not mean for
the purpose of legal contractual negotiations that I am Bill Gates. I
could sign an email as such though.

For non-repudiation to work, there needs to be an attestation by the
operator of the certificate authority.

The following are some guidelines for non-repudiation, based on
locality of course:
Australia: National Electronic Authentication Council, Liability and
other Legal Issues in the Use of PKI Digital Certificates (May 2002).
EC: Directive 1999/93/EC of the European Parliament and of the Council.
Austria: Signature Law, 2000.
England, Scotland and Wales: Electronic Communications Act, 2000.
Germany: Signature Law, 2001.
Sweden: Qualified Electronic Signatures Act (SFS 2000:832) (in Swedish).
India: Information Technology Act, 2000.
New Zealand: Electronic Transactions Act, 2003, sections 22-24.
USA: Electronic Signatures in Global and National Commerce Act (E-SIGN),
at 15 U.S.C. 7001 et seq.
Switzerland: Federal Law on Certification Services Concerning the
Electronic Signature, 2003.

To take a quote from the English Ministry associated with Digital
Signature law:
"A private key authenticated by a digital certificate generated within
a PKI can be considered as the electronic equivalent of a passport.
Both establish identities for persons who have met the requisite
identity checks. The community accepts the validity of the holder's
identity because it trusts the issuer. The identity can be used to
authenticate the holder in subsequent transactions without directly
involving the issuer."

Web of trust models such as PGP can result in a signature, but the
issue of non-repudiation is not fulfilled in that the issuer cannot
be held to account separately (as it is a self-signed certificate).

In situations where the parties have had prior dealings, it may be
possible to verify the owner of the public key; for example, at a
personal meeting, parties may exchange public keys on floppy disks (e.g.
key-signing parties). However, if the parties are unknown to each
other, and perhaps in different jurisdictions, the requisite level of
confidence is not present. The solution to this lies in the public key
infrastructure and is governed by different levels of trust.

Regards
Craig
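The distinction Craig draws above, a signature that verifies against a public key versus an identity that an accountable issuer has attested to, as an added Go example that is not part of this thread. The CA name, the subject names, the sample message and the in-memory trust store are all constructed for the demonstration; the x509 chain check stands in for the PKI verification step he describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCert issues a P-256 certificate for subject. A nil issuer means self-signed: the holder vouches for their own name.
func NewCert(subject string, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: subject}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	if issuer == nil { // self-signed: the template is its own issuer, nobody else attests
		issuer, issuerKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SignatureValid proves only that the certificate's private key was used over SHA-256(msg).
func SignatureValid(cert *x509.Certificate, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), h[:], sig)
}

// IssuerTrusted is the separate step: does a CA in roots attest to the name in the certificate?
func IssuerTrusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Demo signs one constructed message with a CA-issued key and with a self-signed key that merely claims the name "Bill Gates".
func Demo() (issuedSig, issuedChain, selfSig, selfChain bool) {
	caCert, caKey := NewCert("Example Root CA", true, nil, nil) // constructed trust anchor
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	alice, aliceKey := NewCert("Alice", false, caCert, caKey) // identity attested by the CA
	fake, fakeKey := NewCert("Bill Gates", false, nil, nil)   // self-signed; nobody attests to the name
	msg := []byte("I accept the terms of the contract.")      // constructed sample message
	h := sha256.Sum256(msg)
	sigA, _ := ecdsa.SignASN1(rand.Reader, aliceKey, h[:])
	sigF, _ := ecdsa.SignASN1(rand.Reader, fakeKey, h[:])
	return SignatureValid(alice, msg, sigA), IssuerTrusted(alice, roots), SignatureValid(fake, msg, sigF), IssuerTrusted(fake, roots)
}
```

Both signatures verify, which is all that David's points (a) and (b) cover; only the CA-issued certificate passes the chain check, which is the part that lets an issuer be held to account.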

-----Original Message-----
From: David Gillett [mailto:gillettdavid@xxxxxxxx]
Sent: 23 March 2006 8:24
To: Craig Wright; shyaam@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Signing before Encryption and Signing after Encryption

Does non-repudiation require anything more than assurance that the
private key (a) MUST have been used, and (b) HASN'T been compromised?
Are you just alluding to the measures which support those assertions,
or to some additional requirement(s) that escapes me?

[If your private key isn't really private, all bets are off.]

David Gillett


-----Original Message-----
From: Craig Wright [mailto:cwright@xxxxxxxxxxxxx]
Sent: Wednesday, March 22, 2006 12:56 PM
To: gillettdavid@xxxxxxxx; shyaam@xxxxxxxxx;
security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Signing before Encryption and Signing after Encryption


True, but the argument was not one as to which is the better method.
There are several secure hashing algorithms.

Further, there is more to verification of source than just asymmetric
keys. Non-repudiation is a complex field in itself and requires an
entire range of associated infrastructure.

Regards
Craig


Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is
confidential. If you are not the intended recipient, you must not use or
disclose the information. If you have received this email in error,
please inform us promptly by reply email or by telephoning +61 2 9286
5555. Please delete the email and destroy any printed copy.

Any views expressed in this message are those of the individual
sender. You may not rely on this message as advice unless it has been
electronically signed by a Partner of BDO or it is subsequently
confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------