Site navigation

OPINION: Estonia Shows The World How To Work in a Cyber Age

Prof. Bill Buchanan OBE

,

Talinn Estonia - Where Cryptographic identity is flourishing

Recent I signed-off a PoA (Power of Attorney) with a wet signature on the last page of a print-out and then emailed a photograph of it. I had the signature of a witness who it is unlikely would ever be contacted to prove their ID. So how this can in any way be seen as a credible method of verifying my ID?

If nations of the world do not move to making every signature transacted in a digital form (with cryptographic methods), they will fall behind, and expose themselves to every increasing bureaucratic processes and risk, while failing to take advantage of scaling a trust architecture which puts the citizen at the core.

I feel the debate in the UK is a million miles from where it should be, especially as some in the government believe cryptography to be the enemy, rather than the saviour for our public services.

Rob Joyce, the US cybersecurity czar in the White House, recently defined that the US may replace the 80-year old Social Security Number (SSN) with a cryptographic equivalent. In the US, the SSN is used to track individuals for their earnings, and use this to determine their pension, but has become the de-facto ID in tracking individuals across the public sector. It means that the SSN is often used as a pseudo-ID and that a breach which used the identity is likely to reveal the individual. While this would truly transform the existing data infrastructure in the US, it is actually well behind other countries in the world.

Estonia is a shining light in implementing a cryptographic ID system, and where, over the past 20 years, the country has implemented a Tiger Leap programme. This has led to digital voting and where digital signatures are used for virtually every transaction. As a nation they have even looked into the future where their data infrastructure was attacked, and have created complete back-ups of the data within other regions of the world. For them, Estonia can exist, without the need for a physical location.

As part of their programme they issued a smart card/mobile SIM to every individual and which links to a public key pair (a private key for signing and a public key for identifying). It is then used to gain access to public and private services, and in signing contracts. Overall their focus was to make Estonia one of the most digital-focused countries in the world, and which could benefit citizens in their lives. The focus too has continued with a continual updating of the system as vulnerabilities have been found, and where a large-scale data breach would not reveal the ID of the individuals involved.

For providing identity, the PKI (Public Key Infrastructure) uses a key pair for identity and where Trent – the trusted ID provider – produces a key pair for Alice, who then signs for things with her private key, and Bob proves her ID with his public key:

Wet signatures in the 21st Century?

The craziness of wet signatures in the 21st Century cannot be sustained, especially as they have almost zero level of trust. When my Amazon package arrives, I have now perfected the wavy line across the screen for signing for the package (my cosine wave signature), and the delivery person takes one look at it, and smiles, and leaves. I have even given up on trying to write my name, so I often just do a straight line. Other times I will draw a sawtooth signature, but most of the time it’s a straight line. No-one ever checks your signature these days!

So what’s the point of me signing for my Amazon package? That a human received the package? If UPS asked me if it was my signature, I would say “No!”, but I’d say, “I did add a straight line there”:

So I have just been signing-off on some legal aspects for one of our spin-outs, and I really can’t believe that in the 21st Century that something like this is seen as something that can be trusted:

You can see I make a great effort on the “W” (for William), but I just lose it after that

I still cannot understand how it is credible that I sign the last page of a legal document, which has a staple in it, and where other pages can easily be inserted or changed. So to overcome this I get asked to initial each page … Doh!

The credibility of signatures, especially when these days you just take a photo, is almost zero. The ability to capture a hi-res and then integrate it into any document. Why can’t we have trusted methods that we could use for the most creditable to authentication methods? As a crypto Prof, I just can’t believe why we can’t have something that, at least, proves my identity, and that only I can verify.

Any when was the last time that someone checked your signature on your bank card? Why is it still there

Conclusions

I can’t believe the way that wet signatures are used these days. No-one ever checks them, and they are now integrated into electronic documents. We often have to submit a research proposal with a signature integrated into the document, and which we just take a JPEG of the signature and integrate it.

What has happened to proper crypto signatures? If it works in Bitcoin world, where I sign with my private key, why not in the real world? And … crypto key pairs still hold risks (ask anyone who has had their bitcoins stolen), so why can’t we have properly biometric methods of authentication for high-risk transactions, and can we have a bit of control, please?

Please, in Scotland/UK, can our “czar for digital technology” put in-place a citizen focused ID system?

Interested in the debate, come along to the next Data Science Meetup in Edinburgh on 26 October 2017 and we’ll outline how we could improve our public services using data.

Professor Bill Buchanan OBE

Prof. Bill Buchanan OBE

Professor - Edinburgh Napier University

Latest News

%d bloggers like this: