Analysis of Part III of the (draft) Electronics Communications Act 1999

Signature keys

The Bill distinguishes signature keys from encryption keys - to meet the concerns expressed many times in previous consultations about the undesirability of giving up signature keys to anyone for any reason. But there are doubts that the way this is given expression is good enough and besides, what is the remedy if a signature key is the subject of a Section 10 notice.

David Swarbrick
There is an interesting lacuna in the bill.

A key is not to be 'recovered' under the Bill, if it has only been used for signature purposes. I have mentioned before what I think is an unsafe distinction between privacy purposes and signature purpose. The fundamental public key system is blind to this and the two concepts are more closely linked than it seems at first (PK cryptography has only revealed a link, not created one)

When a chap comes to my office delivering a parcel, I sign for it. I demonstrate my authority to receive it by signing my name.

When I receive a document encrypted with my public key, do I not 'demonstrate my authority to receive it' by signing the encrypted message with my private key?

Is it not the case that my private key is only ever intended to be used to sign a document? I have no intention of hiding the contents since I have published by public key as widely as I can. My intention is that anyone may read my message, and be assured (before the e-commerce act in any event) that my private key is private?

What is my private key ever used for except, in some way or another, to sign?

I fully acknowledge the complexity of cryptography software. I am only talking here about principles only.

Caspar Bowden
If I publish an RSA key with a statement to the effect that I only intend it to be used for signature-verification of stuff I sign with my private key, heaven forfend some rascal should actually use it to send me an encrypted message. But if they do, is my right to keep my private-signature-key private to be forfeited because of someone else's actions?

Guess so.

Of course that would tend to reduce the forensic value of any (seized rather intercepted - assuming IOCA s.9) digitally signed evidence which the police wished to attribute to me. I could claim it had been forged-up after I disclosed the key (in abscence of crypto timestamps etc.)

Richard Lucock
Section 19 defines a key as (paraphrasing) 'something that allows access to the encrypted data'. This can only refer to the private part of the key-pair in this case, since the public part does *not* allow access to the (now encrypted) message. So if you have not used the private part to decrypt any messages (ever) it is safe.

But I would like to see the bill spell this out more explicitly, just for safety, perhaps together with some indication of what level of proof would needed to show that you have been using the signature key for encryption.

Caspar Bowden
Exactly. Where is the burden of proof here ? On the one hand, it's not a defence, on the other hand the Notice arguably should not have been issued. Perhaps it could trigger Sch.2 (8):

Nicholas Bohm
As clause 10(5) stands, if the defendant credibly raises the issue that they key is a signature key and that what he is required to hand over (the private key) has never been used to decrypt, then it is for the Crown to prove the contrary beyond reasonable doubt.

In some cases that may be easy (e.g. if I reply to a message quoting plaintext when it has been sent to me encrypted under my signing key); in other cases not.

David Swarbrick
I cannot see it working that way. You are faced with a notice. You either comply or you do not. If you do not, then you are prosecuted under s12. In that case, six months later you are either convicted or acquitted, according to the facts as they turn out to have been the case.

There is no particular process of negotiation 'We can prove this' 'Go'rn then'

It is left as an extremely high risk strategy to refuse.

You are right to the extent that the burden of proof is explicitly on the defendant under s12 defences, but is not so apportioned under s10.

Nicholas Bohm
For the reasons given in a separate message, the burden is on the Crown whenever it is not by statute placed on the defendant.

David Swarbrick
I suspect also that the wording of s10 (5) might refer to form of the notice, rather than the substance of what the key has been used for. How otherwise can the section be workable? Would it mean that before serving a notice the police had to gather evidence that a private key had been used for privacy purposes? In practice that would prove an impossibly high barrier.

Nicholas Bohm
Not at all. The key must be intended for signature, as by being labelled and issued as a signature key, which goes to appearances. And if the defendant has decrypted and replied to messages encrypted under it, those intercepting the messages might well have evidence of that fact.

No doubt the defendant would have to give evidence that he had never used the private key to decrypt a message, but as the Bill stands it would be for the Crown to prove that the notice complied with clause 10(5) if challenged. I do not see a conviction being upheld that was based on non-compliance with a ntoice which itself failed to comply with clause 10(5).

Whether the Bill will remain in its present form if this correspondence is studied closely is another matter. One can only hope that the Home Office is not interested in our views.

David Swarbrick
[returning to the original point] What I am getting at is that every act of signing involves encrypting, and every act of decrypting is in effect an act of signing (I identify myself with something only I know )

I apply exactly the same technology in exactly the same way. The only difference is in the choice of key, and whether it is applied to text which has already been encrypted.

I confess that I do not feel I have yet got to the heart of it, but that the whole distinction between signing and encrypting is quite artificial, superficial and dangerously weak.

It can be achieved technically, but each technical solution I have seen described (I do not pretend to be technically adequate) fails fundamentally to achieve any distinction of principle.

It is born out of a fond hope that Mr Nasty Privacy can be divorced Mrs Nice Signature, so that e-commerce can be saved from the Gooks.

Paul Crowley
In other words, decrypting an encrypted message is simply a special case of authenticating yourself to a "clueless agent", in the vocabulary of Riordan and Schneier's paper of that name; see http://www.counterpane.com/clueless-agents.html

Back to the analysis of part III