Schneier on Security
A blog covering security and security technology.
October 3, 2012
Anecdotes from Asia on seals versus signatures on official documents.
Posted on October 3, 2012 at 10:00 AM
I tried to get a signed book authenticated once, what a confusion. You can essentially get two answers "We have lots of examples of the author's signature, because he signed a lot of books, and this is a ( good | bad ) example. Either way it's not worth much." or "Oh, this signature is very rare because the author didn't sign many books, so it could be really valuable, but since it's not exactly like the two highly different exemplars known it's impossible to tell if it's authentic."
Seals are much more suitable for forensics, which means that having a seal stolen is a much bigger problem. Sometimes I think it would be progress, someone would at least have to drive over to your house to steal your identity. Today banks will authenticate people on pretty slim evidence.
"I tried to get a signed book authenticated once, what a confusion."
Last week, I got several copies of Liars and Outliers in the mail, which I had ordered back on August 15 2012.
The books were allegedly signed by the author (I forget his name at the moment), but other than trusting the sender, I don't know how to authenticate that the signatures are genuine.
As someone living in Japan I can back up the anecdotes, especially the one about the signature at the bank. I had a case where I had to re-sign something 3 times because my signature didn't look exactly like the way it did when I originally made my signature from however many months prior. To me they were exactly the same, but the administrators said there was some crazy little nuance that I myself couldn't pick out of my own signature that made it different. Finally they agreed it was correct, but it was definitely a painfully long experience.
That said and done, I now use my own seal on all official documents. There's never any question about me using it since the seal itself is imprinted with symbols representing my foreign family name. I imagine it could be forged in some way, but also imagine there are decent forensics to detect forgeries of seals as well.
In the end it falls under the physical security clause; one has to make sure it doesn't fall into the wrong hands, otherwise access to private information could be obtained unwillingly.
The question about seals and seal forgery is the question of duplication.
With modern hobbyist tools, and a seal from someone, I could likely make a duplicate as similar as any other group could.
If people only have one seal, that would be sensible, but the second someone loses their seal, forgeries become harder to detect (or has multiple organizational seals). It seems this would not functionally increase security, or cause lineups for the office seal.
If each person in an organization has their own seal with a unique pattern, even that would be a nightmare, since the person would simply need to be on a long authorized sealers list.
Generally - this doesn't seem to protect against forgery, although other benefits may exist.
It's only relatively recently that unique signatures were used in the west.
Most documents used to be signed with a cross, not because the person couldn't write their name - but because a Christian had to sign with a Christian cross to show that they were being truthful.
It was the job of the witness to confirm that the particular person was the one making the statement.
When you get right down to it, humans have a tremendous genius for deception, and there's really nothing you can do about it. The development of new authentication techniques, or new ways of getting around them, just pushes the eternal arms war along.
I remember hearing that there were only something like 4000 unique(ish) seals available in Japan. Sadly, I have no link to back that up.
I don't know about Japan in particular, but in Korea, good quality seals are hand made to order.
There might be a limited number of actual names, but you're no more likely to find two people with the same names and identical seals than you are to find a pair of westerners with identical names and indistinguishable signatures.
Isn't the unique-ness of a seal - or any other device - only good if it can be checked ... and is questioned?
I could have my 7 year old make a 'seal' out of a carved potato, and use it to 'authenticate' documents in your name, and if the person who is receiving the document accepts the seal as authentic it really doesn't matter how good the quality of your original handmade South Korean seal is.
Yes, that's the concept. You open a bank account and you seal the agreement and the bank digitizes it and stores it in their cloud somewhere. When you come to conduct some significant piece of business, they call up their copy on the screen and see that the impression you just made matches. Sure, there are procedures for replacement seals and the like, Brian described them as "a painfully long experience".
Could it be cooler and use high-tech image processing, maybe. What's the forgery rate and what are the losses? Technology's got to balance against insurance premiums. In a low value transaction having a well worn, professionally made seal with the right name gives medium confidence, like checking the signature on the back of the credit card, that's totally adequate and with no real point-of-sale cost. Deluxe ideas like chip-and-pin don't give more assurance, and may give significantly less if they are flaw-riddled, and they have high point-of-sale costs.
"...it also reveals what seems to be an emphasis on form over function in sinographic cultures."
I don't think it reveals any such thing. A seal is an identity-confirming security feature, a signature is more of a formal indication of intent ("I attest that the above, just exactly as stated, is complete and correct"). The properties of paper and ink are then relied upon to make sure the document is not subsequently changed (but deliberate changes can simply be initialed -- again a mark of intent rather than a security feature). It serves a function analogous to TCP's three-way handshake -- making sure the content was deliberate and everyone's on the same page. For actual security (authentication, non-repudiation), witnesses or physical security features are used.
Treating a signature as a seal, and requiring it to be exactly the same as other representations of the name or the signature, makes sense for people who normally assess seal-based security features, and are uncomfortable with their absence in documents that are merely signed.
I wonder if we could modernize the idea by mixing some low-level radioactive isotopes into the seal. Then you can authenticate by matching the radiation pattern, perhaps even discerning a rough date of stamping, too.
Unless the fineness of the seal approaches banknote engraving, I would think a scanner and a Rep-Rap would be the ticket for forging one.
What about just using finger prints?
There's also DNA impregnated ink, but that won't show up on a scanned document uploaded to the cloud.
Assuming you have a physical document, a thumb print from an ink pad loaded with DNA labeled, UV ink with a signature over the top would make a fairly secure seal.
And what's wrong with a PGP/GnuPG signature on a document? That at least gets over the scanning problem.
In case anyone thinks that technology savvy people will change this:
To transfer a .ca domain from one person to another, CIRA (the Canadian Internet Registration Authority) requires the original of a form signed with "wet blue ink."
So what about when you sign your name on one of those pressure sensitive pads with a stylus for a credit card purchase at the supermarket (in the US, anyway). You can sign any old rubbish. I usually sign "Mickey Mouse". Sometimes, if I'm in a grumpy mood, I sign things like "Eat My Shorts," or worse. Since you can sign ANYTHING, of what possible value is it? And even if someone were actually paying attention, is it actually possible to detect a forgery on one of those pads? I can't believe they have anywhere near the resolution of a pen-and-ink signature, and there's no pressure sensitivity, no characteristic thickening of the ink when the signer slowed down, and all the other little nuances that make signatures hard to forge. I think those devices are just there because people are used to having to sign, so they somehow seem important to people.
While we're on the subject of signatures and "form over function," I once had to have a doctor's signature on a form certifying that I was healthy enough to work out in a company gym, before I was allowed to use the facility. I just signed the form "Dr. Smith" and turned it in. Everyone was happy. :-)
As I understand it, a seal is a form of stamp. Being subject to wear and tear might provide some form of validation, provided the seal isn't over inked. Missing scratches on a recent imprint would indicate forgery.
There are two kinds of name seal in Japan: (1) the cheapo ones you buy from a newsagent (or have made for you if your name is unusual) which are used for day to day matters, up to bank accounts, and (2) larger, custom-made ones that you must register at your local city hall to become your official authentication. The latter type are used for more serious business contracts, buying a car, getting a mortgage, etc. and are usually more ornate and more difficult to copy.
To be honest I prefer the seal, which is actually legible as a name and always looks the same, unlike most signatures. The only problem is I'm always leaving the damn thing at home when I need it.
Seals? Now, when 3D printing is on the rise? When anyone can have a Makerbot for $1800, and in 3 years it will likely be $500? I bet with a Makerbot I can duplicate a seal using only an imprint as a source.
I know avocado is forbidden in Colombian jails because the seed can be used to forge seals.
DNA - hmmm. I guess signing in blood provides both "formal indication of intent" and the only scientifically based forensic measure of identity. Although I guess it doesn't establish you were actually alive at the time...
@ Dave M,
> I guess signing in blood provides both "formal indication of intent" and the only scientifically based forensic measure of identity
You guess wrong.
Obviously after a recent blood transfusion (of which I've had more than my fair share) "your blood" is not your blood but a mixture of yours and the donor's (the same applies to various blood products as well). This mixture will persist and can have a half life of well over a month depending on many factors and which part you measure.
But if you have a bone marrow transplant, which generates some of your blood products or a liver transplant which generates others then you likewise will end up with DNA that's not your own.
Finally, getting useful DNA from long dried out blood that is also likely to have been subject to environmental effects is not going to be the easiest thing in the world to get reliable DNA off of.
I am minded of an excellent real-life example of over-reliance on a unique physical indicator of identity, given by Tom Hundley, sometime questioned-document examiner at the US Treasury.
The US Government has/had a pension scheme for Filipino irregular fighters in WW2. Each month, these fine folks would get a check from Uncle Sam - not a lot of money (the figure of $18 a month sticks in my mind), but a nice little bonus for those in the poorer parts of the country. Because many of the recipients are/were illiterate, the check would be endorsed with a thumbprint.
In the 80's, some bright statistician at the Treasury noticed that the recipients of these pensions were apparently enjoying a life expectancy out of all proportion to the rest of the nation. Somebody was sent to investigate, and reported back that, in many cases, while it was fairly obvious that the actual recipient of the pension had passed away some time ago, the endorsement thumbprints were unquestionably genuine.
Mr Hundley made sure that the actual example of one of the endorsed checks (which he had passed around the audience) happened to be in the hands of a particularly young and pretty member of the audience before dropping this last little bit of information. She dropped it like it was on fire.
Perhaps Colombian jails would do better to ban the knives that are used to carve seals from Avocado seeds. Just a thought.
@Duncan the Great
I think the purpose of those pressure sensitive pads is not so someone else can authenticate your signature, but so you can. If you called your credit card company and said 'this item on this bill was not purchased by me' they could, in theory, show you the signature from the pad and ask you if you had signed it. If you sign 'Mickey Mouse' and the pad signature says 'Mickey Mouse' you might just remember having bought that cart load of junk food at the grocery store after all. However my experience with credit card companies doesn't give me any confidence that they would ever actually ask a customer to verify the hen scratches saved from a pressure pad signature.
@Marc Thibault - the Canadian govt used to require you to attach a seal, but then Greenpeace made a fuss about it
@Duncan the Great
IJB is semi-correct, a reading of the paper copies of credit card forms that you sign would provide more details. Essentially it doesn't matter what you sign there at all as long as you sign, it simply says that the signer agrees to pay the money for the purchase that was just made. By the same token you can sign the card itself whatever way you want as well, because that signature isn't for reference, it's making the card itself legally binding and once again only states that it must be signed, not that it be signed with your name.
Somewhat related to the comments about signed books, I have photographer friends who are unsure how to add some sort of signature to the "art" prints they sell. Most of their clients will not purchase prints that have any additional markings, including the photographer's signature, on the front or back of the print.
I've got two ideas:
1. A two part seal used for authenticating against a bank, similar to debt boards. You craft one seal then split it in half with sufficient entropy. The bank keeps one half and you keep the other half. When you go to sign a bank form you provide your half of the seal and the bank provides its half. The seals are put together and used to stamp the form. The resulting mark is then tested for integrity, that the two seal parts match up. This prevents someone from forging a seal using only the impression but does not handle theft, permanent or temporary. The real problem, however, is that the bank has to securely store hundreds or thousands of seals.
2. Use a QR code to encode a GnuPG/PGP signature. Seal with QR code. This would require you to print a document, create the signature, program a dynamic stamp with the QR code, stamp the document.
Testing the signature would require OCR, verification that the OCR matches the contents, testing OCR signature against seal. Omitting punctuation and reducing casing could help and I doubt it would seriously affect collision chances.
You could write "this is not a fake" on the blank paper before you printed the print on top of it - then X-ray it to authenticate
Idea stolen from Dr Who story involving the Mona Lisa, Leonardo and a time machine.
You are saying that a signature in blood does not identify you correctly. I would argue that it does identify you, but since your identity has changed, the authentication would need to be updated. Just like changing a password.
When the "something you are" factor of the authentication triad changes, you are still, well, you. Biometric authentication needs to account for changes, just as we do with "something you have" and "something you know."
It may be that discrepancies can also be addressed with multiple "something you are" factors, such as dna + retina scan, but that doesn't change the underlying mechanics of authentication.
I don't really get the continued reliance on new methods of authentication based on mere physical objects. It's kind of sad that there's better security available on my World of Warcraft account than my bank account (Blizzard made two-factor authentication a thing years ago through either a physical token or app). I've actually taken to authentication through Google for more things where it matters just because of their two-factor scheme. None of it is perfect, but it's a big step.
I'm personally waiting for more complex second factors via QR code on some type of eInk device now that screens and cameras are cheap enough to make it feasible.
@fearbi: Exactly, that's what I was trying to describe in my first sentence.
I've often thought that a hanko could be made to incorporate (in addition to its usual features) a set of actuatable pins and enough CPU to produce a signed date/serial number. This would resolve some of the problems: it would be hard to duplicate in person and near-impossible to duplicate from impressions; the date/serial information could be useful; it could even incorporate a simple PIN/combination lock to bring it closer to two-factor authentication. Of course there's a limit to how far you can take this before it's not seal-like enough to fit into existing practice.
A physical seal will have a unique pattern of imperfections that would be nearly impossible to forge. By using ink and paper that will retain an imprint of these imperfections so that they'll be visible under a microscope, it's possible to verify the authenticity of a seal imprint to a high degree of accuracy. Ideally the material used to make the seal would have a complex texture with a high degree of randomness - maybe a strong wood, or a slightly porous stone - and be resistant to new scratches or erosion by use. I don't know how this is actually implemented in everyday transactions in countries that use this system, but it wouldn't be financially or technologically prohibitive to create automatic scanning and analysis machines/software that could verify imprints with speed and efficiency.
With today's authentication technology, forging a seal is no longer as easy as carving a duplicate impression out of a turnip.
What would you rather trust: handwriting analysis, or analysis of imperfections in the seal impression under a microscope?
> Ideally the material used to make the seal would have a complex texture with a high degree of randomness - maybe a strong wood, or a slightly porous stone
The problem with this idea is it does not work well with inks. The problem is that an ink has to be sufficiently viscous to stick to the seal whilst also being relatively fast drying to preserve the micro/nano features without "bleed out" into the paper of the document. The side effect is unfortunately that such ink will quickly clog the micro/nano features. It's one of the reasons that a proper wax seal is way way preferable if you want to use micro/nano features.
As for hardness the best substance to carve seals out of is actually jade, however it is not easy to get a sufficiently prominent random pattern on it.
Another way to get a fairly good random pattern that is fairly robust is to take a base metal seal that is machined to the required basic pattern then enamel it with an appropriate mixture of powdered glasses with different particle sizes and melting points. Unlike traditional enamels that have a smooth surface you end up with a rough surface that closely follows the basic pattern machined onto the base metal.
A similar process can be done at home again using a base metal seal with basic pattern that has also had angled holes drilled in it to act as keyways. You then take finely chopped glass fibre of various diameters and stir into an appropriate hard setting epoxy, you then "stipple" the mixture onto the face of the seal sufficient to drive the epoxy into the keyways to ensure that it has permanent adhesion whilst also thinning out the epoxy around the glass fibers on the raised pattern of the seal to give your truly random raised pattern on top of the basic base pattern of the seal.
You can also use other materials such as coarse quartz dust or fine sharp sand in the epoxy.
Another technique which is relatively simple to do is to make a reverse master seal basic pattern then using a bundle of fine wires or fibers the same diameter as the seal and vibrated down "normal to the plane" of the seal so they take up the profile of the basic pattern of the seal. Then lock them in place mechanically before wicking them with an appropriate fixant to finally lock in place to make the actual seal with a randomised micro pattern. You can try this at home using fine copper wire from 20/0.2 hookup wire cut it into about a one inch length to make a bundle the same size as a coin. Put the coin on a flat surface and tap the bundle down vertically onto it such that the bundle takes the profile of the coin then lock the bundle in place using a twisted wire strap around the outside of the bundle, then using silver/lead solder wick it into the surface with a little practice you will end up with just enough solder to hold the face of the bundle in place without obscuring the profiles of the individual wires. When used as a seal on hot wax you will get a reasonably faithful reproduction of the coin's surface but when looked at with a lens or microscope the profiles of the individual wires can be seen.
> A seal is an identity-confirming security
> feature [whereas], a signature is more
> of a formal indication of intent
This. Yes, in the modern West we _also_ use signatures for authentication, but that's a secondary function. It is primarily a declaration. When you sign something, you are indicating that you agree to it.
This is why important legal documents have to be both signed and sealed. Most people here don't have a personal seal, because they don't need one, because the sealing is done by a third-party licensed witness, called a "notary", who is required to check the signer's identification and watch them sign the document to witness that they signed it personally.
Banks don't usually require that level of authentication to cash a check, because they can just look at your ID and verify that you are the person to whom the check is written. (In small towns banks don't always bother to look at your ID, but they certainly have the option to do so if there are any questions about your identity.) With your identity established, then, you *do* still have to sign the check, declaring that you are formally passing it along (to the bank in this case) in exchange for its value. No signature, no transaction. Until electronic banking became common in the last fifteen years or so, it used to be that if you did not sign the check, the bank could not exchange it for money with the check-writer's bank, because they legally did not have your permission to do so -- and for this reason they would not take the check and give you currency for it unless you signed the check, because a check not signed by the recipient was no good to them. (These days, they don't always do the exchange anyway; often the cashing bank simply _informs_ the check writer's bank that they have received and cashed and voided the check, and the funds are released to them electronically. So the signature of the person who cashed the check is arguably less critical now, although I think it may technically still be required.)
@Clive Robinson: Saw this late, but thanks for the reply! Very interesting and illuminating run-down of possible techniques.