Risks of PKI: Electronic Commerce

C. Ellison and B. Schneier

Inside Risks 116, Communications of the ACM, vol 43, n 2, Feb 2000.

Open any popular article on public-key infrastructure (PKI) and you're likely to read that a PKI is desperately needed for E-commerce to flourish. Don't believe it. E-commerce is flourishing, PKI or no PKI. Web sites are happy to take your order if you don't have a certificate and even if you don't use a secure connection. Fortunately, you're protected by credit-card rules.

The main risk in believing this popular falsehood stems from the cryptographic concept of "non-repudiation".

Under old, symmetric-key cryptography, the analog to a digital signature was a message authentication code (MAC). If Bob received a message with a correct MAC, he could verify that it hadn't changed since the MAC was computed. If only he and Alice knew the key needed to compute the MAC and if he didn't compute it, Alice must have. This is fine for the interaction between them, but if the message was "Pay Bob $1,000,000.00, signed Alice" and Alice denied having sent it, Bob could not go to a judge and prove that Alice sent it. He could have computed the MAC himself.

A digital signature does not have this failing. Only Alice could have computed the signature. Bob and the judge can both verify it without having the ability to compute it. That is "non-repudiation": the signer cannot credibly deny having made the signature. Since Diffie and Hellman discussed this concept in their 1976 paper, it has become part of the conventional wisdom of the field and has made its way into standards documents and various digital signature laws.

However, practice differs from theory.

Alice's digital signature does not prove that Alice signed the message, only that her private key did. When writing about non-repudiation, cryptographic theorists often ignore a messy detail that lies between Alice and her key: her computer. If her computer were appropriately infected, the malicious code could use her key to sign documents without her knowledge or permission. Even if she needed to give explicit approval for each signature (e.g., via a fingerprint scanner), the malicious code could wait until she approved a signature and sign its own message instead of hers. If the private key is not in tamper-resistant hardware, the malicious code can just steal the key as soon as it's used.
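The argument of the preceding paragraphs made concrete: with a MAC the recipient can mint a tag indistinguishable from the sender's, with a signature the verifier can check but not forge, yet verification only ever proves that the key signed. This is an added example, not part of the essay; the textbook RSA parameters, messages and shared key are constructed toy values.

```python
import hashlib
import hmac

# Toy textbook RSA with constructed, deliberately tiny primes: enough to make
# the MAC-versus-signature argument concrete, useless for anything real.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def digest(message: bytes) -> int:
    """Hash the message and reduce it into the RSA group Z_N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def rsa_sign(message: bytes, private_d: int) -> int:
    """Whoever holds private_d can produce this; the verifier cannot."""
    return pow(digest(message), private_d, N)

def rsa_verify(message: bytes, signature: int) -> bool:
    """Needs only the public key (E, N): Bob and the judge can both check."""
    return pow(signature, E, N) == digest(message)

def mac_tag(message: bytes, shared_key: bytes) -> bytes:
    """Symmetric MAC: computing and checking use the same key."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def non_repudiation_demo() -> dict:
    shared_key = b"constructed-key-known-to-alice-AND-bob"
    alice_msg = b"Pay Bob $100.00, signed Alice"
    disputed_msg = b"Pay Bob $1,000,000.00, signed Alice"
    # MAC: Bob holds the same key, so the tag he mints for a message Alice
    # never sent is byte-for-byte what Alice would have produced.
    bob_tag = mac_tag(disputed_msg, shared_key)
    mac_forgery_indistinguishable = hmac.compare_digest(
        bob_tag, mac_tag(disputed_msg, shared_key))
    # Signature: Bob can verify Alice's real signature but, lacking D, cannot
    # move it onto the larger amount; verification rejects the attempt.
    alice_sig = rsa_sign(alice_msg, D)
    genuine_verifies = rsa_verify(alice_msg, alice_sig)
    reuse_rejected = not rsa_verify(disputed_msg, alice_sig)
    # The essay's caveat: verification proves the *key* signed, not that Alice
    # did. A signature made by any other process holding D is identical.
    key_not_person = rsa_verify(disputed_msg, rsa_sign(disputed_msg, D))
    return {
        "mac_forgery_indistinguishable": mac_forgery_indistinguishable,
        "genuine_verifies": genuine_verifies,
        "reuse_rejected": reuse_rejected,
        "key_not_person": key_not_person,
    }
```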

While it's legitimate to ignore such details in cryptographic research papers, it is just plain wrong to assume that real computer systems implement the theoretical ideal. Our computers may contain viruses. They may be accessible to passers-by who could plant malicious code or manually sign things with our keys. Should we then need to deny some signature, we would have the burden of proving the negative: that we didn't make the signature in question, against the presumption that we did.

Digital signatures are not the first mechanical signatures. There have been check-writing machines for at least 50 years, but in the USA their signatures are not legally binding without a contract between two parties declaring them acceptable. Digital signatures are proposed to be binding without such a contract. Yet the computers doing digital signatures are harder to secure than mechanical check-writers, which could be locked away between uses.

Other uses of PKI for E-commerce are tamer, but there are risks there too.

A CA signing SSL server certificates may have none of the problems described above, but that doesn't imply that the lock in the corner of your browser window means that the web page came from where it says it did. SSL deals with URLs, not with page contents, but people actually judge where a page came from by the logos displayed on the page, not by its URL and certainly not by some certificate they never look at.

Using SSL client certificates as if they carried E-commerce meaning is also risky. They give a name for the client, but a merchant needs to know if it will be paid. Client certificates don't speak to that. Digital signatures might be used with reasonable security for business-to-business transactions. Businesses can afford to turn signing computers into single-function devices, kept off the net and physically available only to approved people. Two businesses can sign a paper contract listing signature keys they will use and declaring that digital signatures will be accepted. This has reasonable security and reflects business practices, but it doesn't need any PKI -- and a PKI might actually diminish security.

Independent of its security problems, it seems that PKI is becoming a big business. Caveat emptor.

For more details, see http://www.schneier.com/paper-pki.html.

Carl Ellison is a security architect at Intel in Hillsboro Oregon. Bruce Schneier is the CTO of Counterpane.
