Quick quiz. Does the icon at left represent
 (A) second prize at the state fair
 (B) bad clip art of a holiday wreath
(C) a solution to the fake email problem?

We hope the answer is C, although currently most consumers would choose A or B. The little-known icon is used by Outlook to indicate an authentic digitally signed email (see screenshot below).

Despite the recent proliferation of mass phishing, it’s a problem that is largely solvable. The technology to send and receive verifiable email messages is already robust and affordable. Receiving is a little trickier since the major webmail providers (e.g., Yahoo, Hotmail) do not currently support digitally signatures (the message is delivered with an oddball attachment). But even among Outlook users, there is little awareness of the feature. And that’s no small issue.

Since large organizations, especially financial institutions and other trusted advisors, must have a means of communicating electronically with users, it is only a matter of time before verifiable messaging becomes commonplace. Within two years, most financial institutions will add some type of authenticating code to messages so that recipients, ISPs, and spam filters will know the message is genuine (not a spoofed From address).

For users of newer versions of Microsoft Outlook and other email systems that support S/MIME, the technology is already available, though seldom used. In Outlook digitally signed messages have an icon in the upper right portion of the preview pane (see screenshot left). Curious users can click through the icon to verify the certificate. The only downside for users is a several-second delay as their PC authenticates the key.

While the use of digital signatures doesn’t completely eliminate phishing; crooks could still send fraudulent, digitally signed messages from look-alike companies, e.g., www.WellsFargoBaking.com . However, it would be much more difficult, since the crook would have to obtain a fraudulent digital certificate and they would not be able to spoof the email From address.

In fact, until you provide a basic level of user education, sending signed messages could be counterproductive. Wary users, seeing an unusual message, may deem it to be a hoax. So you need to send a series of educational emails prior to implementing digitally signed messages.

Industry Initiatives

The problem has sprouted a cross-industry workgroup, Anti-phishing.org <antiphishing.org> sponsored by email solutions provider Tumbleweed Communications. The group’s first meeting was Nov. 18 in San Francisco. OBR subscriber Ken Beer, Director of Product Development of Tumbleweed, called us the next day and summarized the discussion (see below). The next meeting will take place in January in London; watch its website for details on the exact time and place.

The meeting, attended by large ISPs such as Yahoo as well as banks such as Wells Fargo and Bank of America, discussed broad-based solutions to the problem. According to Beer, the industry is working to fight phishing both at the ISP and browser level.

Emailers would like to see controls in place at the gateway level that would verify that emails were actually sent by the company indicated in the email address. This would eliminate most phishing attempts from ever being viewed by the intended recipients.

ISP-level solutions are considered to be the best way to put an immediate end to phishing. End-user solutions will take longer to implement since many users don’t have the necessary software (e.g., later versions of Microsoft Outlook), or use webmail services that don’t currently support digitally signed email.

At press time, Yahoo announced a major initiative to block email messages with fake From addresses (the majority of unauthorized spam). Its open source Domain Key system would use a public system to verify that the email came from the domain contained in the From address. Emailers would need to sign their messages with a key. Yahoo hopes to implement the system sometime in 2004. It’s too early to tell whether the broad industry support required to make it work will materialize.                       

The Process of Verifying the Sender
(Outlook in IE 6)

On Jan. 1, 1998, Washington became the first state to legally recognize digital signatures. Here is a look at the law and the ramifications of digital signatures on electronic commerce. For the latest state, national, and international developments in digital signature legislation, visit www.mbc.com/ds_sum.html .

Definitions

Authenticate: To prove genuine.

Encrypt: To put messages into code.

Decrypt: To retrieve the coded message.

Public Key Encryption: Two-key system invented in 1975 for hiding messages. Anyone can encrypt a message to you using your public key, and you can simply decrypt it by using your private key. The hard part is authenticating the sender. That’s where certificate authorities come in to play.

Certificate/Certification Authority: Issues digital certificates that attest to the owner’s identity. A certificate authority has five primary functions:
1. Accepting applications for certificates
2. Verifying the identity of applicants
3. Issuing certificates
4. Revoking certificates
5. Providing certificate status information

Digital Certificate: Electronic information containing:
1. The owner of the key pair
2. The organization of the owner
3. The owner’s public key
4. Expiration information
5. A digital signature, created using the CA’s private
key, proving that the certificate has not been altered

Digital Signature: Like pen and ink, digital signatures establish identity. But the digital variety can also establish the authenticity of whatever they are affixed to – in effect, creating a tamper-proof seal.

Source: “Encyclopedia of the New Economy,” Wired, March 1998; Understanding Digital Signatures by Gail L. Grant, McGraw Hill, 1998.

Laws rarely affect the development of new technology. Although the U.S. Justice Department’s antitrust lawsuit against Microsoft may become a high-profile exception, a less well-known example is the enactment of laws recognizing the use of digital signatures. Not surprisingly, Washington state is leading the development of these new laws. On Jan. 1, 1998, the Washington Electronic Authentication Act (WEAA) became effective, making Washington the first state to legally recognize digital signatures.

Digital-signature laws such as the WEAA have the potential of dramatically increasing electronic commerce. Although the Internet has grown at a phenomenal pace, electronic commerce has been slower to develop. The question everyone would like to answer is “What are the barriers to electronic commerce, and how can we overcome these barriers?” There is no simple answer because a variety of factors are affecting its development. For example, one barrier may be simply psychological — it takes time for individuals and businesses to feel comfortable conducting business over the Internet. Fundamentally, however, the barriers to electronic commerce are both technical and legal. Digital-signature technology and recently enacted legislation establishing rules governing the use of digital signatures may help overcome these barriers.

The challenge posed by a public communication system such as the Internet is the establishment of trust. For example, if you receive an email message from someone claiming to be John Smith, how do you know that the person sending the email is in fact John Smith? The truth is that you cannot know for sure. Even if you know John Smith and that his email address is johnsmith@abc.com you still don’t know whether someone has accessed John Smith’s account and sent an email message claiming to be John Smith.

Although this example is rare, it has occurred, causing significant problems for the persons involved. It is also possible (and more common) to “forge” a return email address to make a message appear to be from someone else. In our example, this can be done without actually accessing John Smith’s real account. Trust is more problematic if you have never met John Smith. Although trust may not be particularly important for using email to chat, it is critical for individuals and companies who want to use the Internet to conduct business.

Existing laws also create problems. Assume you are a business and you receive an order for a variety of parts via email. At the bottom of the order is typed “John Smith.” You then ship the parts to John Smith and demand payment. John Smith, however, denies having sent the email. Under our laws, a person relying on a signature has the burden of proving the validity of the signature. This would be relatively simple in a paper-based transaction, because you could show that John Smith actually signed the order (unless his signature was forged). In a paperless transaction, however, the task is much more difficult. It is not clear how you could prove that John Smith typed “John Smith” on the order. You could argue that the email came from John Smith’s account and that evidence is sufficient to satisfy your burden of proving John Smith actually signed the email message, but it is unclear how a court would rule in such a case. In any event, few businesses want to take that risk. This issue is known legally as nonrepudiation.

Digital signatures can solve both problems of trust and nonrepudiation. Digital signatures create a means by which a person may verify that John Smith actually signed an email message. What is more significant, however, is that digital-signature legislation like the WEAA shifts the burden of proof regarding the validity of the signature. A person relying on John Smith’s digital signature is not obligated to prove that John Smith actually digitally signed the email message to be able to legally enforce the offer contained in the email message. Instead, the WEAA provides that John Smith has the burden of demonstrating that in fact he did not sign the email. By shifting the burden of proof, businesses are much more likely to be willing to rely on digital signatures to conduct business over the Internet. To better understand how digital signatures can solve the problems of trust and nonrepudiation, it is helpful to describe how digital signatures work.

A digital signature is simply a unique series of characters that is generated for an electronic document. Here’s how it works. A person wishing to “sign” an electronic document must first have software capable of creating a digital signature. Companies such as CertCo www.certco.com and Entrust Technologies www.entrust.com produce digital-signature software. For electronic mail, upcoming versions of Microsoft’s Outlook 98 and Netscape Mail will also have digital-signature capabilities. The software uses a mathematical calculation known as a hash function to create a unique identifier for the document. For example, the unique identifier for this article might look something like 3ojf93je8uvnme09u$fed&rdOJjifwDoi. This unique identifier is known as the hash result. Although it is theoretically possible that two different documents could have the same hash result, for practical purposes it is safe to say that each document has a unique hash result.

Although the hash result is a unique identifier of the document, it does not identify the “signer” of the document. Here’s where encryption technology comes into play. A person wishing to digitally sign a document must also have a pair of “keys” known as a “private key” and a “public key.” These keys are related to each other through the mathematical principle known as asymmetric cryptography. As stated in the Digital Signature Guidelines published by the American Bar Association www.abanet.org/scitech/ec/isc/dsgfree.html , an asymmetric cryptosystem is “a system which generates and employs a secure key pair consisting of a private key for creating a digital signature and a public key to verify a digital signature.” The principle feature of this key pair is that although the public key can be used to verify a digital signature created by the private key, it is nevertheless not feasible to use the public key to compromise the security of the private key.

The software uses the signer’s private key to encrypt the hash result for the document. The encrypted hash result for this article would look something like dljme_E&ioj@-sejoecUksfjFD#fgM&@klj. This encrypted hash result is appended to the end of the document, and it is the signer’s digital signature for the document. In summary, it is an identifier that is unique to both the document and the person signing the document.

To verify the authenticity of a digital signature, the recipient’s software also calculates the hash result for the document. Then, using the public key of the signer, the software confirms that the hash result was encrypted (or “signed”) by the person holding the private key. If the encrypted hash result can be confirmed, the recipient of the digital signature knows that the document has not been altered, and that John Smith signed the document. (Editor’s note: This presumes, of course, that John Smith has properly safeguarded his private key.)

Although digital-signature technology makes this process possible, it assumes that the recipient knows the public key actually belongs to John Smith. This is where the Washington Electronic Authentication Act is important. Entities known as “certification authorities” issue certificates that confirm the public key belongs to the person signing the document (in this case, John Smith). Thus, these certification authorities act as independent third parties that certify the identity of the signer.

• The WEAA establishes standards for licensing certification authorities. The certification authority must:
•  Use a trustworthy system in the issuance of keys and certificates.
•  Obtain a bond or other suitable guaranty.
•  Show that its employees have a minimum level of competence and have not been convicted of fraud or a recent felony.
•  Satisfy annual auditing requirements.

Although the licensing requirements attempt to provide some assurances to a relying party that the certification authority is trustworthy, the reputation and financial stability of the certification authority should also be considered before obtaining or relying on a certificate.

Although certification authorities are not required to obtain a license to conduct business in Washington, the WEAA creates special rules for licensed certification authorities that affect all ties. For example, licensed certification authorities enjoy limited liability under the WEAA. A person who uses a private key to digitally sign documents is liable for any loss if the person negligently loses control of his or her private key. This is significantly different than the federal laws governing the loss of credit cards, which limits consumer liability to $50 per card.

Finally, as discussed previously, not all digital signatures are presumed valid under the WEAA—only those in which the signer obtained a certificate from a licensed certification authority. Further, presumption is not applicable if reliance on the certificate was not reasonable. For example, a recipient of a digital signature must check the certification authority’s repository to make sure that the certificate has not been revoked. (The repository is an electronic database that includes a list of all certificates that have been suspended or revoked. Software that verifies a digital signature automatically checks the repository that is specified in the certificate.) If the certificate has been suspended or revoked, but the recipient nevertheless decides to rely on the certificate, the presumption of validity is lost.

There are other factors that may affect the validity of a digital signature or the liability of ties, so all ties should know and understand the provisions of the WEAA before using or relying on a digital signature. (The WEAA is codified in Chapter 19.34 of the Revised Code of Washington, and can be found at leginfo.leg.wa.gov/pub/rcw/title_19/chapter_034 Other Revised Code of Washington titles can be found at leginfo.leg.wa.gov/www/rcw.htm.

The Washington Secretary of State is the governmental authority issuing licenses to certification authorities. It has not yet issued a license to a certification authority, although it is anticipated that Integrated Electronic Authorization Inc., a Washington corporation, will be one of the first companies to obtain a license. Other national certification authorities such as Verisign www.verisign.com will probably apply for a license in the near future. Although other states have enacted digital-signature laws, Washington is the first to broadly implement such legislation.

For electronic commerce to flourish, the transfer of electronic information must be trustworthy and cost effective. The WEAA opens the door for the widespread use of digital signatures. Initially, the biggest user of digital signatures may be state and local governments. In the near future it will be possible to electronically file documents with Washington state or local government. For example, individuals will be able to file corporate documents, real estate deeds, and court pleadings electronically.

As the use of digital signatures becomes more widespread, private businesses will also discover the benefits of digital signatures. Some industries may be radically transformed by the ability to simultaneously and reliably transfer information. For example, transaction costs will be significantly reduced for international deals, which will be able to close with the click of a mouse even though the parties are thousands of miles apart. Because of the opportunities created by digital signatures, Pacific Rim countries are working with Washington state to develop uniform standards for the use of digital signatures.

In this dawn of electronic commerce, Washington
state is trying to create new opportunities for electronic commerce by enacting legislation to remove barriers. Ultimately, national legislation may be required
before digital signatures become widely used. It is conceivable, however, that Washington’s new law may become the model for future national standards.

Tom Melling, an attorney with Hillis Clark Martin & Peterson, P.S., in Seattle, is a member of the Washington Digital Signature Implementation Task Force and the Information Security Committee of the American Bar Association. He can be reached at (206) 623-1745 or tgm@hcmp.com .