
Digital Signatures: Another Tool for Court Reporters

by Gary D. Robson
Journal of Court Reporting (Apr 1999)

Includes these sidebars:

You've just finished editing a transcript from a large, nasty civil litigation. Since the attorneys have requested electronic copies of the transcripts, you make a quick ASCII diskette from your CAT system. It's a rush, and the attorney's office is on your way home, so you decide to hand-deliver it. You drop it at the front desk. A third party, waiting in the attorney's lobby, grabs the diskette and runs.

You're an official reporter, who has been asked to email an ASCII copy of a transcript to the prosecutor's office. You create the email and hit the "send" button. Downstairs, a malicious cracker (what the press mistakenly calls a "hacker") intercepts the email. She changes key testimony, and re-sends it from her computer, forging the return address to look like it came from you.

You work in a large depo firm. It's lunchtime, and you've stepped away from your computer. A "courier," waiting in the lobby, watches you leave. He slips unnoticed down the hall, and sits down at your computer. After a few minutes of work, the original of a big transcript is changed. After lunch, you print copies for both sides and ship them off with the reporter's cert page attached.

Can things like this really happen? You bet! Has it ever happened? Not to the best of my knowledge. Can you prevent it? Absolutely.

Delivery of transcripts in electronic form has become ubiquitous. Requests for ASCII or WordPerfect transcripts are the rule, not the exception. Unfortunately, ASCII text is easy to modify and hard to validate. Anyone using an electronic copy of a transcript needs to know where that transcript came from, and they need to be assured that the integrity of the document itself hasn't been compromised.

Digital signatures, known generically as electronic authentication, meet both of these needs.

Public key encryption

Your signature on one piece of paper looks basically like your signature on any other piece of paper. If someone adds something to the paper, there's no way to tell whether it was done before or after you signed it. If you sign the last page of a document, nothing prevents someone from changing earlier pages. A digital signature, on the other hand, incorporates information about the document you're signing, encrypted into the signature. If the document is modified after you sign it, your digital signature will no longer validate.

All of this is accomplished using a technology called "public key encryption." Yes, it's the same technology you read about in the spy novels. When a document is encrypted, it is turned into unreadable gibberish that is only useful to the person who can decrypt it. A digital signature uses this technology in a slightly different way.

When you digitally sign a document, the program producing the signature converts your whole document into a stream of numbers. It then performs a sequence of mathematical operations on those numbers, producing a "fingerprint" for the document. Then, it encrypts the fingerprint using your unique key, and attaches it to the end of the document.

Anyone wishing to validate the document is given a key to unlock (decrypt) the signature. They create a fingerprint the same way you did, and compare their fingerprint to yours. If they don't match, then either the document was changed, or it wasn't you that signed it.

Public and private keys

There's still a missing piece to the puzzle. If you give somebody the key to decrypt your results and verify your signature, how do you prevent them from using that key to forge your signature? Herein lies the magic of public key encryption.

The concept of public key encryption was invented in 1976 by Whitfield Diffie and Martin Hellman, and turned into a working system the following year at MIT. Their concept uses two keys - a public key and a private key. Your public key can be given out to anybody and everybody. In fact, the more people you give it to, the more useful it is. Your private key is just that - private. Nobody should ever have your private key, or they could use it to forge your signature.

Your two keys work as a pair. Anything locked with one key must be unlocked with the other. If you sign a document with your private key, the signature can only be verified using your public key. If someone encrypts a transcript using your public key, then it can only be decrypted using your private key.

As an example, if I wanted to send you a confidential transcript, I could scramble it with your public key. Only your private key could descramble it, so it would be safe from prying eyes. If I wanted to make sure you knew the transcript really came from me, I'd sign it with my private key. With my public key, you would verify the signature to see that you have an unaltered copy of my original document.
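
The sign-and-verify procedure described in the two sections above, as an added example that is not part of the original article. It assumes textbook RSA with SHA-256 as the fingerprint and two constructed key pairs built from well-known primes, so it shows the mechanics only; real signing tools use randomly generated keys and padded signature formats.

```python
import hashlib

E = 65537  # public exponent shared by both demo keys

def make_key(p: int, q: int):
    """Return (public modulus, private exponent) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys built from publicly known Mersenne primes. Anyone can
# factor these moduli, so they show the mechanics only and protect nothing.
N, D = make_key(2**521 - 1, 2**607 - 1)               # the reporter's key pair
N_OTHER, D_OTHER = make_key(2**127 - 1, 2**1279 - 1)  # someone else's key pair

def fingerprint(document: bytes) -> int:
    """Hash the document to a fixed-size number (the article's "fingerprint")."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, d: int, n: int) -> int:
    """Transform the fingerprint with the private exponent d."""
    return pow(fingerprint(document), d, n)

def verify(document: bytes, signature: int, n: int) -> bool:
    """Reverse the signature with the public key (E, n), compare fingerprints."""
    return pow(signature, E, n) == fingerprint(document)

def demo():
    # Constructed sample transcript text.
    original = b"Q. Where were you that evening?\nA. I was at home.\n"
    altered = original.replace(b"at home", b"at the office")
    sig = sign(original, D, N)
    return {
        "unaltered copy": verify(original, sig, N),
        "altered after signing": verify(altered, sig, N),
        "altered and re-signed by someone else": verify(
            altered, sign(altered, D_OTHER, N_OTHER), N),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

Only the first case validates: a changed document produces a different fingerprint, and a signature made with another private key does not reverse to the right fingerprint under the reporter's public key.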

A chain of trust

This leads to another question: How do I know that your public key is really yours? To verify my signature, you need my public key. What if someone else created a new set of "Gary Robson" keys, signed a message with the private key, and handed out the public key? It would look completely authentic. They would be real keys - they just wouldn't be my keys.

One way to solve this problem is by using a trusted central repository for keys, known as a Certificate Authority, or C.A. The C.A. encodes your email address into the keys when they're generated, and adds the public key to a publicly accessible database. Anyone wishing to check you out looks for a public key in the database matching your name and email address.

One C.A., called VeriSign, will issue you a key pair (what they call a "digital ID") for $9.95 per year, or give you a 60-day trial for free. VeriSign made arrangements with Microsoft, Netscape, and others to provide digital IDs to their customers, which swiftly made them the leading certificate authority.

Another solution is to sign keys. I'd start with someone we both trust - maybe the editor of the Journal of Court Reporting. I'd have him sign my public key using his private key. When you got my key, you'd check the signatures. Assuming you had a valid copy of his public key (hand-delivered, or maybe downloaded from the NCRA Web site), you would use his digital signature to validate my key. Now you know mine is authentic. I, in turn, could sign other people's keys, and so on.

Back in 1991, Phil Zimmermann came up with a public key encryption product modestly called PGP, for Pretty Good Privacy. He distributed the product for free, and soon became the target of a criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread all around the world (see sidebar). Zimmermann was elevated to the status of Net Hero, PGP became the leading encryption and digital signature product, and his signature on your key meant you were 100% completely validated. Of course, he can't verify you personally, but PGP's new owner, Network Associates, has a C.A. database similar to VeriSign's.

Standards

Now everything is coming together nicely, except for one problem. PGP is the leading encryption product, VeriSign is the leading C.A., and they are incompatible.

There are two different standards in use now for digital signatures. OpenPGP is used by PGP, and S/MIME is used by Microsoft's Outlook Express and Netscape's Communicator. OpenPGP's big advantage is that it's hugely widespread, and it's free. There is no cost for the freeware version of PGP, which plugs into common email programs like Eudora, Outlook Express, and Netscape Communicator, and there's no cost to create keys.

What S/MIME has going for it, on the other hand, is that it's backed by Microsoft (which is not to be taken lightly), and that it's built in to programs like Outlook Express.

What can you do in the meantime? Make sure that your clients use the same scheme you do, or just use both. It's not that complex.

A remote approach

A two-year-old company called PubNETics created a solution specifically for court reporters, called the e-transcript, which is being used by about 700 court reporting firms. It encrypts the transcript and wraps a viewer program around it. As the transcript is encrypted, it is also compressed to about 50% of its original size. The court reporter assigns a password to each e-transcript, without which you can't use it. The downside to this is keeping track of all the passwords. Either the court reporters have to use the same password all the time, in which case every attorney in town knows it, or somebody has to maintain a list of all the passwords used for the different attorneys and cases.

"There are no digital signatures available in e-transcripts yet," PubNETics CEO Marty Steinberg told me, "because we're waiting to see what the courts will accept." PubNETics is also looking into the "electronic notary" approach, where reporters could have a date and time stamp encrypted into the e-transcript, legally verifying when it was created.

The Digital Notary® system was created by Surety Technologies. Their Internet server acts as a central repository for authentication information. To use the Digital Notary, you put a simple piece of software on your computer that generates a fingerprint from your original document. Your computer transmits this to Surety, where a serial number, a date/time stamp, and other information are added. Surety encrypts it and sends it back as a digital certificate you can add to the document. To verify the certificate, a program generates a new fingerprint from the document copy and sends the certificate and fingerprint to Surety's server, where they are compared and checked against the central repository. If they match, it's a clean copy with authenticated timestamp.

How safe is all this?

For the mathematically inclined out there, your two keys represent the two prime factors of a huge number. While it is theoretically possible to work backwards to crack your private key, it can't be done with the technology available today.

In January of last year, a 40-bit code was cracked using 250 computers for three hours. The way the system works, each additional bit doubles the complexity. If a 40-bit key takes three hours to crack, a 41-bit key would take six hours. Extrapolating this, even a 100-bit key would take one hundred million computers almost a billion years to crack.

PubNETics uses a 128-bit key for their encryption, and PGP users typically have 1,024-bit keys - the equivalent of a 300-digit number. These are effectively unbreakable with today's technology.

Applying digital signatures

Remember how this article began? Someone stole a copy of your transcript on a floppy diskette. If you had encrypted that transcript using the attorney's public key, it would be unreadable (and worthless) to the party that stole it.

How about the intercepted email? If you were using digital signatures, the attorney would know immediately that the transcript you supposedly sent didn't really come from you.

The modified original? If the reporter digitally signed the original before turning it in to the depo firm, any modifications could be detected before the transcript was delivered.

This technology may sound like something out of a spy novel, but it's here now, and it can solve real-world problems for court reporters. Even if a malicious party never attempts to intercept, modify, or forge an electronic transcript, won't your clients sleep easier knowing it can't happen?

Digital Signatures and the Law

Is a digital signature legal? To date, the Federal government has not adopted any legislation specifically allowing digital signatures to be used in lieu of ink signatures on paper documents. However, it is clear that this is the direction we're going.

At least two states (California and Utah) have enacted legislation authorizing digital signatures. California Code Section 16.5.(a) states that, "In any written communication with a public entity...in which a signature is required or used, any party to the communication may affix a signature by use of a digital signature that complies with the requirements of this section."

VeriSign, the leading issuer of certificates for digital signatures, states that, "Some preliminary legal research has also resulted in the opinion that digital signatures would meet the requirements of legally binding signatures for most purposes, including commercial use as defined in the Uniform Commercial Code (UCC)."

As of this writing (November 1998), there are at least three bills before Congress that would authorize (or in some cases, mandate) digital signatures. The Computer Security Enhancement Act of 1997 (H.R. 1903) would create a National Policy Panel for Digital Signatures. The mandate of the Electronic Commerce Enhancement Act of 1997 (H.R. 2991) is to "enhance electronic commerce by requiring agencies to use digital signatures," and to "enable persons to submit Federal forms electronically."

Perhaps the most significant sign that digital signatures are being taken seriously is the Digital Signature and Electronic Authentication Law (SEAL) of 1998. If it passes, it will facilitate the use of digital signatures in the banking industry. Acceptance by the financial world will provide an entrée into virtually every other industry.

Already, however, there are clear signs of how seriously the Federal Government takes "strong encryption" (keys longer than 40 bits) and digital signatures. Up until 1996, export laws classified encryption programs like PGP as munitions, and prevented them from being used or shipped internationally. Even now, strong encryption software may only be exported with the permission of the Federal Government, and the only way to get that permission is to provide the government with a "key escrow system" that allows government officials to decrypt anything encrypted with those programs.

Even though digital signatures are real and usable today, there are a number of complications if you wish to use them with clients outside the United States.

 

Sample Signed Message

NOTE: This is not the same as the example printed in the magazine. This example was signed using my actual PGP key, and the one in the magazine used a sample key.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bob -

Consider this your formal authorization for a 
1,000-copy print run on the new book.

- -=- Gary -=-

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0 for non-commercial use <http://www.pgp.com>

iQA/AwUBNxJcOCpjTFjSfoFYEQKnywCcCWhHJxCXziSg4FftWnBvbikNjecAmwRG
ikIunSBzPQHg6G/A6eRZneF9
=rMnV
-----END PGP SIGNATURE-----