Beyond chip and PIN
Report on a project which aims to guarantee the security of electronic signatures such as used in the ARTL system, for use in any legal transaction concluded over the internet
We live in a very security conscious world. In the majority of cases we, or someone we know, can no longer vouch for the identity of the person or organisation that we are dealing with. Furthermore, we are much less likely to take someone’s word regarding their identity. This is especially true in regard to electronic communications: emails, file transfers, commercial transactions and banking, to name a few.
A project that will provide an identity solution that will be usable in most, if not all, situations where identity is a concern is currently being funded by the Knowledge Transfer Partnership scheme. A collaboration between Serendipity Interactive and Glasgow Caledonian University’s Law School, it will allow for the combination of the company’s technical expertise and the university’s legal expertise. The identity solution will provide a means by which identity can be authenticated online: an identity which is secure, reliable, private and unique.
Identity, in the realm of business, is typically a signing of one’s name, i.e. a signature. However, in this digital age, this is no longer always possible. A large percentage of communication, business and personal, is no longer done face to face, but electronically, over the internet. The law has gone some way to accommodate this digital age, most notably with ARTL (see Journal, January 2006, 50 and July 2007, 52), the process of automated registration of title to land.
The Electronic Communications Act 2000 allows for the use of an electronic signature where traditionally a written signature was required, with restrictions on what is acceptable (see s 7). The Electronic Signatures Regulations 2007 provide a definition of what constitutes an “advanced electronic signature”, that is, an electronic signature acceptable to the law in place of an ink signature. “Advanced electronic signature” requires that the electronic signature must be: uniquely linked to the signatory; capable of identifying the signatory; created using means that the signatory can maintain under their sole control; and linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
These requirements give us the basis for the concepts we want our identity solution to encompass: authentication and integrity, leading to non-repudiation. The technology required to implement this project already exists – PKI (public key infrastructure) as used for ARTL, with the addition of biometrics. The novelty lies in combining PKI with a biometric, which brings about a secure, non-repudiatable signing – BioPKI.
Chip and PIN’s Achilles heel
PKI is built on key pairs: two non-identical but mathematically connected codes or “keys”, known commonly as the public and private keys. Each key pair issued to a user is unique. The private key is kept private, known only to the person it was issued to, and is what creates a signature; the public key can be used by anyone, and is what lets a recipient check that signature.
At first glance, PKI should be satisfactory; it allows for both integrity and authentication. The problem arises with how the private key is stored. In most cases it is stored on a password protected device, usually a PC. This meets two of the three security criteria (authentication factors): it is something you know (the password) and something you have (the private key on the PC). In most cases, this level of security is acceptable – it is the level of security implemented for the majority of personal banking (chip and PIN).
However, given the number of passwords people are required to have today, it is not unusual to find an ATM card with the PIN written next to it, or a post-it note with a network login ID stuck to the PC monitor. Many people will also leave their PCs logged on when they leave their desk for a break. This means that rather than the private key being secure, anyone with access to the PC could use it to sign documents; and a simple delegation of authority to use the key is quite possible.
The bio bit
We have taken the view that to be truly secure, and non-repudiatable, the solution requires the use of a biometric: something you are. Unlike a password, this is something that cannot be forgotten, nor is it something that someone else can steal. The method of implementation is a USB bio-token with a built-in fingerprint scanner. To use the bio-token, fingerprint authentication is required prior to the PKI signature. If the fingerprint scanned does not match the enrolled fingerprint, you cannot use the data on the bio-token.
The bio-token does not require a central repository of biometric data; the data for the fingerprint originally enrolled is stored in the bio-token and all matching (for future authentication/access to the bio-token) is done by match-on-card. This means that your fingerprint data never leaves the token, which should alleviate concerns associated with the need for secure facilities and central storage of personal biometric data. The only information that leaves the token is a “verified/not-verified” signal when a fingerprint is scanned, in response to a request for authentication.
The final aspect of this project pinpoints the actual identity of the person “signing” the documents. The combination of PKI and the bio-token allows the receiver to be certain that it is always the same person using the signature, but does not allow the receiver to know the identity of this person. As part of the identity solution we have created a process which, as well as issuing the bio-token and signature to a recipient, also takes measures to identify the recipient. So not only does the private key signify a consistent source, but a consistent known source, meaning you can no longer pretend to be someone else.
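The following is an added illustrative model, not code from the project described in this article, of the two ideas above: a private key that signs and a public key that verifies (so any change to the signed data is detectable), and a token that releases a signature only after an on-token fingerprint match, exposing nothing but a verified/not-verified outcome. The BioToken type, the byte-string fingerprint templates and the exact-match comparison are constructed assumptions; a real bio-token uses a fuzzy matcher and tamper-resistant hardware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// BioToken is a hypothetical model of the USB bio-token described above. The enrolled
// fingerprint template and the private key never leave the struct.
type BioToken struct {
	enrolled []byte             // constructed stand-in for the enrolled fingerprint template
	priv     ed25519.PrivateKey // private key, generated and held on the token
	Public   ed25519.PublicKey  // public key, freely distributable to receivers
}

// NewBioToken generates the key pair on the token and enrols one fingerprint.
func NewBioToken(enrolled []byte) (*BioToken, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &BioToken{enrolled: append([]byte(nil), enrolled...), priv: priv, Public: pub}, nil
}

// matchOnCard compares a scanned sample with the enrolled template inside the token.
// Real matchers are fuzzy; this constructed model uses an exact, constant-time comparison.
func (t *BioToken) matchOnCard(scan []byte) bool {
	return subtle.ConstantTimeCompare(t.enrolled, scan) == 1
}

// Sign releases a signature over doc only after a successful match; the only biometric
// information that leaves the token is the verified/not-verified outcome.
func (t *BioToken) Sign(scan, doc []byte) ([]byte, error) {
	if !t.matchOnCard(scan) {
		return nil, errors.New("not-verified: fingerprint does not match enrolled template")
	}
	return ed25519.Sign(t.priv, doc), nil
}

// Verify is what the receiving party runs; it needs only the public key, and it fails
// for any signature that was not made over exactly this document.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}
```

A receiver who holds only tok.Public can confirm who signed and that the document is unchanged, while the token refuses to sign at all for a finger it has not enrolled.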
Digital signing has already been implemented to some extent in the form of ARTL. Transactions carried out via ARTL are signed digitally by both parties. ARTL brings some significant improvements, notably that the Land Register is updated almost instantaneously. It also negates the need for all parties to be present at the same time.
However, there are some disadvantages. As very few people in Scotland have a digital signature, ARTL allows the client to authorise their solicitor to sign on their behalf. Further, the PKI keys issued as part of the ARTL system are only valid within the ARTL framework, not anywhere else, which makes the digital signatures issued of very limited use – not an ideal use of resources.
It is envisaged that the BioPKI will be a standalone product, not tied to any specific application as with ARTL – therefore the possibilities for this project are endless. The process can be treated as an identity solution that can be used anywhere there is a USB port and both parties are using biometric keys.
The most obvious use of this identity solution is in cases where a trusted signatory is currently required, including notarising, witnessing and signing contracts, and disclosure in criminal law. Currently contracts and other paperwork need to be completed in person as a signature is required. ARTL has illustrated a significant time saving, both in terms of time required in meeting with clients, and in the length of time a process takes to complete. If this can be spread to other areas, business could be significantly more efficient. Likewise, BioPKI may also operate to trace authorisation within an organisation. This is especially relevant to companies where safety is of high priority, for example oil rigs, power stations, and the airline industry. A chain of authorisation to proceed with a process can be documented, time stamped and verified to ensure that compliance with a particular procedure is being met.
This identity solution is in the latter stages of development and we hope that it will provide a cost effective, secure, non-repudiatable identity that can be used anywhere that electronic communication comes together with the requirement for proof of identity.
Laura Reid is a knowledge transfer partnership associate with Serendipity Interactive.
Michael Bromby is a research fellow with the Joseph Bell Centre for Forensic Statistics and Legal Reasoning in the Division of Law at Glasgow Caledonian University.