Preventing specific cases of digital signature forgery and repudiation

  • I
  • Thread starter tade
  • Start date
In summary, digital signatures, specifically RSA technology, can prevent problems such as signature forgery and false identity claims. By using public-key cryptography, it is mathematically impossible to create a forged signature or modify a signed document without the signer's private key. However, it is important for individuals to keep their private key secure in order for the digital signature to be effective.
  • #1
tade
702
24
We're looking at some specific cases here, and I'm interested in how mathematics can prevent certain problems from arising.

So let's say that a party is requesting peoples' signatures. And one problem is that said party might attempt to forge the signatures.

And another problem is that a signatory might want to deny and repudiate that he gave his signature and claim that that party forged the signature, while the actual fact is that he really did give his signature.

So I was wondering about when it comes to the mathematical methods of creating digital signatures, how do they prevent these mentioned problems from arising?

I guess its also a given that any method which solves one of the problems also solves the other one.
 
Last edited:
Mathematics news on Phys.org
  • #3
This sounds like something that a blockchain would be good for. It can make the transactions/communications permanently recorded in an immutable way. It would help to verify whether a signature has been forged and whether a real signature had been sent. Because it is decentralized, it is hard for any one person to cheat.
 
  • #4
FactChecker said:
This sounds like something that a blockchain would be good for. It can make the transactions/communications permanently recorded in an immutable way. It would help to verify whether a signature has been forged and whether a real signature had been sent. Because it is decentralized, it is hard for any one person to cheat.
oh i see
what about something which doesn't rely on a whole network
 
  • #6
tade said:
i see, how safe is it from the party requesting signatures trying to forge them
As far as someone claiming a false identity I don't see what can be done about that. Even implanting a chip in every brain at birth wouldn't do it, as the parents might be faking it.
 
  • #7
Hornbein said:
As far as someone claiming a false identity I don't see what can be done about that. Even implanting a chip in every brain at birth wouldn't do it, as the parents might be faking it.
hmm, i was thinking about, let's say that a company tells you, "Look Hornbein, you agreed to this deal, here's your signature!", and they produce their issued document with your signature on it, which they forged. And they're trying to apply some type of pressure tactic on you.

now the topic that i'm thinking about is digital signatures, how to mathematically deter such forgery
 
  • #8
tade said:
hmm, i was thinking about, let's say that a company tells you, "Look Hornbein, you agreed to this deal, here's your signature!", and they produce their issued document with your signature on it
If you are not generally familiar with public-key cryptography, you will want to read up on it.

Without knowing the signer's private key, it is mathematically impossible to create an RSA signature for a document, to modify a document after it has been signed, or to copy a valid signature from a properly signed document to a fraudulent one. Thus, when you are presented with a document with your signature on it, there are only three possibilities:
1) You signed it
2) Someone else signed it using your private key
3) The person presenting the document has broken the public key encryption scheme and is taking a break from the more lucrative activity of draining the entire world's financial systems for their benefit just to hassle you.

The math ensures that these are the only possibilities. The realistic possibility for fraud is #2 - the math can't protect if you don't keep your private key private.
 
  • Like
Likes jbriggs444, FactChecker and Filip Larsen
  • #9
Nugatory said:
If you are not generally familiar with public-key cryptography, you will want to read up on it.

Without knowing the signer's private key, it is mathematically impossible to create an RSA signature for a document, to modify a document after it has been signed, or to copy a valid signature from a properly signed document to a fraudulent one. Thus, when you are presented with a document with your signature on it, there are only three possibilities:
1) You signed it
2) Someone else signed it using your private key
3) The person presenting the document has broken the public key encryption scheme and is taking a break from the more lucrative activity of draining the entire world's financial systems for their benefit just to hassle you.

The math ensures that these are the only possibilities. The realistic possibility for fraud is #2 - the math can't protect if you don't keep your private key private.
I am not an expert on this subject, but I'm not sure that this addresses the problems that the OP mentions. If the recipient claims that he has received the signature, then he has a signature of some kind. One question is whether he can (or must) show that it was once encrypted at all. Does this solve that issue?
 
  • #10
FactChecker said:
One question is whether he can (or must) show that it was once encrypted at all
Digital signing is different from encryption, if that is what you mean. Usually you form a secure hash of the content you want to sign and then encrypt the hash with your private key. Anyone else getting a copy of this signed hash can then decrypt it with your public key (proving someone with access to the private key signed it), and then compare the unencrypted hash with the calculated hash of the content.
 
  • Like
Likes FactChecker
  • #11
FactChecker said:
I am not an expert on this subject, but I'm not sure that this addresses the problems that the OP mentions. If the recipient claims that he has received the signature, then he has a signature of some kind. One question is whether he can (or must) show that it was once encrypted at all. Does this solve that issue?
The signature is a string of gibberish-looking bits that when decrypted with the alleged signer’s public key yields a valid hash of the document. This string of bits can only have been created by someone possessing the signer’s private key.
 
  • Like
Likes FactChecker
  • #12
Nugatory said:
The signature is a string of gibberish-looking bits that when decrypted with the alleged signer’s public key yields a valid hash of the document. This string of bits can only have been created by someone possessing the signer’s private key.
So the actual "signature" is the still encrypted data. The readable signature does not count.
The fact that the public key can decrypt the "signature" implies that it must have been you who encrypted it with the private key.
 
  • #13
FactChecker said:
So the actual "signature" is the still encrypted data.
Technically you can say it is encryption because is uses an cryptographic cipher, but since the goal is to allow anyone to decrypt the signature it does not provide confidentiality like encryption schemes normally would imply for lay-persons.
FactChecker said:
The readable signature does not count. The fact that the public key can decrypt the "signature" implies that it must have been you who encrypted it with the private key.
I assume you here refer to information identifying the signer. For digital signatures to provide non-repudiation you need a separate trust system to establish the connection from, say, your name and other information identifying you as a legal person, to your public key. You can of course simply include the public key in the signature so anyone can checked it to be "well-formed", but for non-repudiation someone else trusted by both participants also needs to establish your public key by a separate mean, like using certificate chains (i.e. a trusted third-party that signs your public key certificate to prove you are an identified entity with that party).
 
  • Like
Likes FactChecker
  • #14
Filip Larsen said:
Technically you can say it is encryption because is uses an cryptographic cipher, but since the goal is to allow anyone to decrypt the signature it does not provide confidentiality like encryption schemes normally would imply for lay-persons.

I assume you here refer to information identifying the signer. For digital signatures to provide non-repudiation you need a separate trust system to establish the connection from, say, your name and other information identifying you as a legal person, to your public key. You can of course simply include the public key in the signature so anyone can checked it to be "well-formed", but for non-repudiation someone else trusted by both participants also needs to establish your public key by a separate mean, like using certificate chains (i.e. a trusted third-party that signs your public key certificate to prove you are an identified entity with that party).
Good point. I think I understand it. So, a better version of my statement would have been:
The fact that EDIT the public key your public key, verified as assigned only to you by some authority, can decrypt the "signature" implies that it must have been you who encrypted it with the private key.
 
  • #15
FactChecker said:
The fact that [..] your public key, verified as assigned only to you by some authority, can decrypt the "signature" implies that it must have been you who encrypted it with the private key.
Yes, as Nugatory listed up that is one of the possibilities, and its the possibility any practical useful signature scheme (complete with choice of hash, cipher and protocols) intends to be the most overwhelmingly likely to be true.

There are in fact a few more possibilities a scheme must address for non-repudiation, namely public key revocation (often solved by using both a trusted revocation service and time notary service) and considerations for the secure hash to be susceptible for hash collisions. On top of that the practical signature scheme should also consider operational security as a whole. For instance, in my country it was deemed too unsafe for the general public to have our private keys for the public identity and signature system on our own computers (because this would then be an obvious attack vector for, say, criminals) so instead they are all stored on special hardware at the operator of the public infrastructure for this. All this is just to say that in these days there is a lot of details in a practical signature scheme that needs to fit together in order for it to convincingly provide actual non-repudiation with virtually zero chance of false positives or negatives.
 
  • Like
Likes FactChecker

1. How can digital signature forgery be prevented?

Digital signature forgery can be prevented by using strong encryption methods, such as asymmetric cryptography, to create a unique digital signature for each document. This makes it extremely difficult for hackers to replicate or alter the signature.

2. What is repudiation in terms of digital signatures?

Repudiation in terms of digital signatures refers to the ability of a signer to deny that they have signed a document. This can occur if the signer's private key has been compromised or if the signature was created without their knowledge or consent.

3. How can repudiation be prevented in digital signatures?

Repudiation can be prevented by using a trusted third party, such as a certificate authority, to verify the identity of the signer and ensure that the signature is valid. Additionally, keeping private keys secure and using multi-factor authentication can also help prevent repudiation.

4. What are some common methods of digital signature forgery?

Some common methods of digital signature forgery include copying and pasting a legitimate signature onto a different document, intercepting and altering the signature during transmission, and using a computer program to generate a fake signature.

5. Are there any legal implications for digital signature forgery and repudiation?

Yes, there can be legal implications for digital signature forgery and repudiation. In many countries, digital signatures have the same legal standing as physical signatures, so forging a digital signature can be considered a form of fraud. Additionally, repudiation can lead to disputes and legal action if the authenticity of a signature is questioned.

Similar threads

A Shinichi Mochizuki's ABC Conjecture and Replication Crisis in Maths
    • General Math
Replies
33
Views
5K
A The abc conjecture and Virasoro algebra
    • General Math
Replies
1
Views
1K
B Is the Geometry/Topology of Mazes a thing?
    • General Math
Replies
18
Views
1K
I Problems involving combinatorics of lattice with certain symmetries
    • General Math
Replies
2
Views
632
I Optimization problem with multiple outputs: impossible?
    • General Math
Replies
6
Views
1K
MHB Find Constant % of Annual Salary to Reach Retirement Goal
    • General Math
Replies
9
Views
2K
B “Fixed mindsets” might be why we don’t understand statistics
    • General Math
Replies
3
Views
2K
How to prove authorship of my idea/work?
    • STEM Career Guidance
Replies
8
Views
2K
I Calculating Cooling Effect in Gas Cylinder Expansion
    • Thermodynamics
Replies
3
Views
1K
News USSC Ruling: Releasing Petition Signers' Names Does Not Violate First Amendment
    • General Discussion
Replies
12
Views
2K

Hot Threads

Recent Insights

Back
Top