Preventing specific cases of digital signature forgery and repudiation

[tade]

We're looking at some specific cases here, and I'm interested in how mathematics can prevent certain problems from arising.

So let's say that a party is requesting peoples' signatures. And one problem is that said party might attempt to forge the signatures.

And another problem is that a signatory might want to deny and repudiate that he gave his signature and claim that that party forged the signature, while the actual fact is that he really did give his signature.

So I was wondering about when it comes to the mathematical methods of creating digital signatures, how do they prevent these mentioned problems from arising?

I guess its also a given that any method which solves one of the problems also solves the other one.

 

[jedishrfu]

One could use RSA technology for the signature.

https://www.docusign.com/how-it-works/electronic-signature/digital-signature/digital-signature-faq

 

[FactChecker]

This sounds like something that a blockchain would be good for. It can make the transactions/communications permanently recorded in an immutable way. It would help to verify whether a signature has been forged and whether a real signature had been sent. Because it is decentralized, it is hard for any one person to cheat.

 

[tade]

This sounds like something that a blockchain would be good for. It can make the transactions/communications permanently recorded in an immutable way. It would help to verify whether a signature has been forged and whether a real signature had been sent. Because it is decentralized, it is hard for any one person to cheat.

oh i see
what about something which doesn't rely on a whole network

 

[tade]

One could use RSA technology for the signature.

https://www.docusign.com/how-it-works/electronic-signature/digital-signature/digital-signature-faq

i see, how safe is it from the party requesting signatures trying to forge them

 

[Hornbein]

i see, how safe is it from the party requesting signatures trying to forge them

As far as someone claiming a false identity I don't see what can be done about that. Even implanting a chip in every brain at birth wouldn't do it, as the parents might be faking it.

 

[tade]

As far as someone claiming a false identity I don't see what can be done about that. Even implanting a chip in every brain at birth wouldn't do it, as the parents might be faking it.

hmm, i was thinking about, let's say that a company tells you, "Look Hornbein, you agreed to this deal, here's your signature!", and they produce their issued document with your signature on it, which they forged. And they're trying to apply some type of pressure tactic on you.

now the topic that i'm thinking about is digital signatures, how to mathematically deter such forgery

 

[Nugatory]

hmm, i was thinking about, let's say that a company tells you, "Look Hornbein, you agreed to this deal, here's your signature!", and they produce their issued document with your signature on it

If you are not generally familiar with public-key cryptography, you will want to read up on it.

Without knowing the signer's private key, it is mathematically impossible to create an RSA signature for a document, to modify a document after it has been signed, or to copy a valid signature from a properly signed document to a fraudulent one. Thus, when you are presented with a document with your signature on it, there are only three possibilities:
1) You signed it
2) Someone else signed it using your private key
3) The person presenting the document has broken the public key encryption scheme and is taking a break from the more lucrative activity of draining the entire world's financial systems for their benefit just to hassle you.

The math ensures that these are the only possibilities. The realistic possibility for fraud is #2 - the math can't protect if you don't keep your private key private.

 

[FactChecker]

If you are not generally familiar with public-key cryptography, you will want to read up on it.

Without knowing the signer's private key, it is mathematically impossible to create an RSA signature for a document, to modify a document after it has been signed, or to copy a valid signature from a properly signed document to a fraudulent one. Thus, when you are presented with a document with your signature on it, there are only three possibilities:
1) You signed it
2) Someone else signed it using your private key
3) The person presenting the document has broken the public key encryption scheme and is taking a break from the more lucrative activity of draining the entire world's financial systems for their benefit just to hassle you.

The math ensures that these are the only possibilities. The realistic possibility for fraud is #2 - the math can't protect if you don't keep your private key private.

I am not an expert on this subject, but I'm not sure that this addresses the problems that the OP mentions. If the recipient claims that he has received the signature, then he has a signature of some kind. One question is whether he can (or must) show that it was once encrypted at all. Does this solve that issue?

 

[Filip Larsen]

One question is whether he can (or must) show that it was once encrypted at all

Digital signing is different from encryption, if that is what you mean. Usually you form a secure hash of the content you want to sign and then encrypt the hash with your private key. Anyone else getting a copy of this signed hash can then decrypt it with your public key (proving someone with access to the private key signed it), and then compare the unencrypted hash with the calculated hash of the content.

 

[Nugatory]

I am not an expert on this subject, but I'm not sure that this addresses the problems that the OP mentions. If the recipient claims that he has received the signature, then he has a signature of some kind. One question is whether he can (or must) show that it was once encrypted at all. Does this solve that issue?

The signature is a string of gibberish-looking bits that when decrypted with the alleged signer’s public key yields a valid hash of the document. This string of bits can only have been created by someone possessing the signer’s private key.

 

[FactChecker]

The signature is a string of gibberish-looking bits that when decrypted with the alleged signer’s public key yields a valid hash of the document. This string of bits can only have been created by someone possessing the signer’s private key.

So the actual "signature" is the still encrypted data. The readable signature does not count.
The fact that the public key can decrypt the "signature" implies that it must have been you who encrypted it with the private key.

 

[Filip Larsen]

So the actual "signature" is the still encrypted data.

Technically you can say it is encryption because is uses an cryptographic cipher, but since the goal is to allow anyone to decrypt the signature it does not provide confidentiality like encryption schemes normally would imply for lay-persons.

The readable signature does not count. The fact that the public key can decrypt the "signature" implies that it must have been you who encrypted it with the private key.

I assume you here refer to information identifying the signer. For digital signatures to provide non-repudiation you need a separate trust system to establish the connection from, say, your name and other information identifying you as a legal person, to your public key. You can of course simply include the public key in the signature so anyone can checked it to be "well-formed", but for non-repudiation someone else trusted by both participants also needs to establish your public key by a separate mean, like using certificate chains (i.e. a trusted third-party that signs your public key certificate to prove you are an identified entity with that party).

 

[FactChecker]

Technically you can say it is encryption because is uses an cryptographic cipher, but since the goal is to allow anyone to decrypt the signature it does not provide confidentiality like encryption schemes normally would imply for lay-persons.

I assume you here refer to information identifying the signer. For digital signatures to provide non-repudiation you need a separate trust system to establish the connection from, say, your name and other information identifying you as a legal person, to your public key. You can of course simply include the public key in the signature so anyone can checked it to be "well-formed", but for non-repudiation someone else trusted by both participants also needs to establish your public key by a separate mean, like using certificate chains (i.e. a trusted third-party that signs your public key certificate to prove you are an identified entity with that party).

Good point. I think I understand it. So, a better version of my statement would have been:
The fact that EDIT the public key your public key, verified as assigned only to you by some authority, can decrypt the "signature" implies that it must have been you who encrypted it with the private key.

 

[Filip Larsen]

The fact that [..] your public key, verified as assigned only to you by some authority, can decrypt the "signature" implies that it must have been you who encrypted it with the private key.

Yes, as Nugatory listed up that is one of the possibilities, and its the possibility any practical useful signature scheme (complete with choice of hash, cipher and protocols) intends to be the most overwhelmingly likely to be true.

There are in fact a few more possibilities a scheme must address for non-repudiation, namely public key revocation (often solved by using both a trusted revocation service and time notary service) and considerations for the secure hash to be susceptible for hash collisions. On top of that the practical signature scheme should also consider operational security as a whole. For instance, in my country it was deemed too unsafe for the general public to have our private keys for the public identity and signature system on our own computers (because this would then be an obvious attack vector for, say, criminals) so instead they are all stored on special hardware at the operator of the public infrastructure for this. All this is just to say that in these days there is a lot of details in a practical signature scheme that needs to fit together in order for it to convincingly provide actual non-repudiation with virtually zero chance of false positives or negatives.