Abstract
The purpose of this document is to explain specific properties that a digital signature should have. This document also provides an explanation of the differences between direct and arbitrated digital signatures. Lastly this document explains what a suppress-replay attack entail. This document is intended for anybody looking to gain a basic understanding or a general knowledge about different types of digital signatures and vulnerabilities.
Content
When working with computer security, information assurance, information privacy, etc. there may be a time when you may have to deal with digital signatures. It is good to know a little bit about digital signatures including the properties of a digital signature. There may also be a time that you might want to know differences between digital signatures. You may also want to know about security vulnerabilities when dealing with digital signatures. Instead of going out and finding trusted sources for information and then having to research each specific item, you can look no further and find the information you are looking for right here.
There are some properties that a digital signature must have in order to serve its purpose. A digital signature must be authentic (Leiwo, 2003). This means that person who signed the document deliberately did so. A digital signature must be unforgeable. This means that somebody else cannot act on behalf of a person and only the signer is the individual who signed the document. The signed document must be unaltered. This means that after the document was signed, nothing within that document has changed. Digital signatures must not be reusable. This means that after a document has been signed, any part of the document cannot be used elsewhere. Digital signatures cannot be repudiated. This means that once a document is digitally signed, the signer of the document cannot say that they did not sign the document. If any of these properties do not exist for a digital signature the whole digital signature scheme collapses and is essentially unusable. The properties that a digital signature must have pertain to the sender of the document is who they say they are, the receiver of the document is who they say they are and that no part of the document was changed, altered, or allowed to be used at a later point in time.
In order to better understand direct digital signatures and arbitrated digital signatures, it is first important to know what the differences are. A direct digital signature is a signature that a sender of a message contacts the receiver and gives the receiver the sender’s public key. The sender then sends a secure message to the receiver where the receiver uses the sender’s public key to unencrypt the message and read the contents. Although this method seems more secure than having a 3rd party involved, however there are some drawbacks to it. One major drawback is that the sender can deny sending a message simply by claiming that their key was compromised (Yoon, 2004). Another major drawback is that the security of the message being sent is only as good as the security of the sender’s private key. Lastly, if a digital key was compromised a message could be sent with a compromised key. An arbitrated digital signature is a signature in which a sender sends a message, and a receiver receives a message and that there is a 3rd party that validates the sender is who they say they are, the receiver is who they say they are, and that the message was not compromised in any way. Much like the direct digital signature, the arbitrated digital signature has some drawbacks to it too. A major drawback to an arbitrated digital signature is that there must be a trusted 3rd party involved. The trusted 3rd party needs to maintain an active role in validating entities and contents of messages and therefore provides a bottleneck in message traffic. The arbitrated method does, however, solve the problems seen in the direct digital signatures. Direct and arbitrated digital signatures are methods used to send data from one validated person to another validated person without any data being changed.
A message replay attack is where a legitimate data transmission is delayed or captured and then replayed by an adversary in attempts to gain unauthorized access to data or resources. A replay attack can be used in conjunction with a masquerade where an unauthorized user pretends to be somebody else. There are countermeasures that can be taken in order to prevent these types of attacks from happening. One countermeasure is to use a timestamp on data or a message. Another countermeasure is by using tokens to verify timestamps of messages. Another countermeasure is to use a message authentication code (MAC). They’re using proper precautions these attacks, however, can prevent attacks that are designed to retransmit or delay data in attempt to gain unauthorized access.
In conclusion, digital signatures have certain properties to them that are part of the digital signature design scheme that is aimed at validating a sender, recipient, and a message and the contents of the message. A direct digital signature is where a sender of a message is responsible for ensuring the receiver obtained the sender’s public key securely and the sender’s private key is secure so that a message transfer can take place without any compromise, however there are some drawbacks to this method. An arbitrated digital signature is a method that uses a trusted 3rd party to validate the sender, the receiver, and the message contents and this method was designed to fix some of the drawbacks in the direct digital signature method. One security vulnerability is called a message replay attack, this is where a legitimate transmission of data is delayed or captured and replayed at a later point in time in order to gain unauthorized access, however if the proper security precautions are taken this attack can be prevented.
References
1. Leiwo, Jussipekka (2003, June 16h). Digital Signatures. Retrieved March 5th, 2009, from Cyptologic Protocols Web site: http://www.tml.tkk.fi/Studies/T-110.498/2003summer/Slides/lecture04.pdf
2. Yoon, H (2004, August 26th). Digital Signatures. Retrieved March 8th, 2009, from Digital Signatures and Authentication Protocols Web site: [URL Removed Broken link]