Trust is an essential element required for the smooth functioning of much of civilised society. We need a level of trust when going about normal daily life – driving down the road entails trust that other motorists will obey road rules, an air flight requires trust in the pilot and traffic controllers. Relationships are built on trust, transactions require trust.
Legal contracts provide much of the trust required for commerce to function. If Alice agrees to purchase a car from Bob for $30,000, the agreement is only worthwhile if Alice cannot later say that she did not agree, and if Bob does not subsequently change the price to $40,000. Legal contracts fulfil this function – having signed a legal contract, Alice cannot later repudiate it and Bob cannot later change the terms. Legal contracts give us trust in commercial transactions that are of sufficient value to warrant the cost and time of drawing one up. But what about other aspects of day-to-day living which do not meet these criteria? How can we simply and cheaply enjoy some of the trust benefits of legal contracts without the cost and hassle?
Digital signatures provide integrity and authentication. Together, these two form non-repudiation, an important element of trust.
How digital signatures work
Let’s say Alice wants to send an important document to Bob:
1. When she initiates the digital signature process, Alice’s computer generates a hash of the document she wants to send. A hash, or message digest, is a digital fingerprint of the document, produced by an algorithm such as SHA-2 or MD6. Hashes are often described as one-way encryption, although strictly they are one-way functions rather than encryption: they do not require a key, and the fixed-length hash cannot be reversed to reveal the document. Hashes provide integrity.
2. Alice’s software then encrypts the document hash, using Alice’s private key. The result is a digital signature.
3. Alice then sends the document together with the digital signature to Bob.
4. Bob’s computer decrypts the digital signature using Alice’s public key. This reveals the document hash generated by Alice. Bob’s computer also generates its own hash of the document received from Alice, using the same hash algorithm. Bob’s computer then compares the hash it has generated with the hash Alice generated – if they are identical, it means that the document has not changed.
By using a digital signature process, Bob is assured of two important elements:
1. Authentication. Bob knows that it was indeed Alice who digitally signed the document (as only Alice can encrypt with her private key), and
2. Integrity. Bob knows that the document has not been altered since Alice generated her digital signature.
These two elements – authentication and integrity – are the two essential ingredients for non-repudiation. Together they increase the level of trust involving this transaction.
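The four steps above, and the two checks Bob relies on, as an added Python example that is not part of the original article. It uses textbook RSA with no padding and constructed toy keys built from publicly known Mersenne primes, so it runs offline but offers no security; real systems use a padded scheme such as RSA-PSS from a vetted library. The names `make_keypair`, `sign`, `verify`, `demo` and the third party "Mallory" are assumptions made for the illustration.

```python
import hashlib

E = 65537  # widely used RSA public exponent


def make_keypair(p, q):
    """Build a textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


def digest(document: bytes) -> int:
    """Step 1: fixed-length SHA-256 (SHA-2 family) hash, as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Step 2: transform the document hash with the signer's private key."""
    n, d = private_key
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Step 4: recover the signer's hash with the public key and compare
    it with a hash computed locally over the received document."""
    n, e = public_key
    return pow(signature, e, n) == digest(document)


# Constructed toy keys: the prime factors are public knowledge, so these
# keys are insecure by design and exist only to make the example runnable.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)


def demo():
    doc = b"Alice agrees to buy Bob's car for $30,000"
    sig = sign(doc, ALICE_PRIV)  # step 3: Alice sends (doc, sig) to Bob
    return {
        "genuine": verify(doc, sig, ALICE_PUB),
        "altered_price": verify(doc.replace(b"30,000", b"40,000"), sig, ALICE_PUB),
        "signed_by_other_key": verify(doc, sign(doc, MALLORY_PRIV), ALICE_PUB),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'REJECTED'}")
```

The altered-price case fails the integrity check and the other-key case fails the authentication check, which are the two assurances listed above.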
Information technology makes the use of digital signatures very simple and convenient. Information technology allows us to enjoy the trust benefits of non-repudiation more frequently. The technology can (and should) be used to expand the level of trust between people to a broader group of transactions than those where we traditionally tend to use legal contracts.
Apart from high-value commercial transactions, what other aspects of day-to-day life would benefit from non-repudiation (authentication and integrity) through the use of digital signatures? For example, booking a hotel room online does not warrant the cost and time of a legal contract, but trust would be higher if the booking were accompanied by a digital signature.