4

So, when I do an online payment transaction I "sign" my transaction with my digipass using some sort of a MAC (HMAC) with a shared key and some information that is unique for this transaction.

But using this scheme, how can a bank "prove" later (in court for example) that you did this transaction? The bank has to store the same shared key? With RSA digital signatures they can claim that only I could sign this transaction because only I have the private key matching the public key. But here the key is symmetric (the shared key between you and the bank)?

How is this done? Can it be done? Is there some sort of formal standard that banks use?

Thanks (as always) for your help!

Anonymous

2 Answers

5

It doesn't prove that you initiated the transaction. It may be evidence, but not proof that you initiated the transaction.

Read up on non-repudiation, as explained elsewhere on this site: e.g., How to achieve non-repudiation? and What is the difference between authenticity and non-repudiation? Those pages will explain the many limitations and challenges of achieving non-repudiation. In particular, you cannot achieve non-repudiation through technical means alone. Even a digital signature (like RSA) would not be enough for non-repudiation.

D.W.
  • Thanks for your response! A follow-up question: what is the exact difference between "verification" and "non-repudiation"? The problem is binding some form of identity proof to a digital equivalent (e.g., like certificates). – Anonymous Apr 05 '13 at 09:11
1

Non-repudiation is a legal notion, and the Law is not context-free. From the restrictive, cryptographic view of things, a MAC shows that someone knowing the MAC key was involved at some point; but both the customer (you) and the bank technically "know" that key (you "know" it by virtue of it being embedded in your digipass token, while the bank server contains the same value in order to verify the value you enter). Therefore, the cryptographer says: the MAC won't help to prove things in case of litigation between the two key owners, you and the bank.

Judges and lawyers are not cryptographers, though. What they want is to make a holistic assessment of who is most probably the fraudster in that context. The bank server contains the secret, but that server might be located in a bunker with heavy access controls (video cameras, smart cards for sysadmin connections, hardware security modules...). The bank will try to give ample evidence that circumventing their own protection systems without leaving any track would cost them much more than the amount under litigation, thus making it highly implausible that they used the bank-known MAC key to compute the contested MAC value. But the MAC value exists -- so it must have been computed on the customer side.

It is all a matter of burden of proof and it highly depends on the country. When countries establish laws for "electronic signatures", they usually take great care not to be too specific about the technical elements involved in the process. Instead, they declare that there are "good systems" which have been duly certified under the control of a governmental body, or an accredited audit firm, to be "hard to subvert"; so that, in case of litigation, it will be up to the customer to find evidence that the signature is forged, rather than requiring proof from the bank that the signature is genuine. A lot of technical means can be employed to achieve this "certified good" status; cryptographic digital signatures (like RSA or DSA) are convenient for that, but they are neither strictly necessary nor sufficient.

(If you read French, see how France does it.)


Another side of the problem is threats. This is the cornerstone of "signatures", the kind you do with a pen on a piece of paper. Such signatures can usually be counterfeited, much more easily than actually cracking open a digipass token or hacking into a bunkerized server. And, indeed, the bank necessarily contains in its vaults, somewhere, a reference model for your signature, so they could imitate it. Manuscript signatures still "work", legally speaking, because of the following twist: counterfeiting a signature, or, conversely, repudiating your own signature, is a severely punished criminal offence. Risking years of prison for a matter as trivial as a business transaction would be irrational.

Tom Leek
  • Thank you for the response! So the term "verification" in the online banking world depends on its context, e.g. "we can verify that someone who had access to the shared secret 'signed' this transaction", where 'signed' means computing the HMAC. Because we can't do digital signatures using RSA/DSA with digipasses. – Anonymous Apr 06 '13 at 12:14
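The point both answers make about a shared-key MAC, as an added example that is not part of the original posts: the bank verifies a response code by recomputing it, so the verifier is always able to produce the same code the token would. The message encoding, HMAC-SHA256, the HOTP-style truncation to 8 digits and all function names are assumptions; the page does not describe the digipass's actual algorithm.

```python
import hashlib
import hmac
import struct


def transaction_mac(shared_key: bytes, account: str, amount_cents: int, counter: int) -> bytes:
    """HMAC-SHA256 over a length-prefixed encoding of the transaction (assumed format)."""
    acct = account.encode("utf-8")
    msg = struct.pack(">H", len(acct)) + acct + struct.pack(">QQ", amount_cents, counter)
    return hmac.new(shared_key, msg, hashlib.sha256).digest()


def response_code(tag: bytes, digits: int = 8) -> str:
    """Shorten the tag to a typeable decimal code (HOTP-style dynamic truncation)."""
    offset = tag[-1] & 0x0F
    value = struct.unpack(">I", tag[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_sign(shared_key: bytes, account: str, amount_cents: int, counter: int) -> str:
    """Customer side: the token derives the code from the shared key."""
    return response_code(transaction_mac(shared_key, account, amount_cents, counter))


def bank_verify(shared_key: bytes, account: str, amount_cents: int, counter: int, code: str) -> bool:
    """Bank side: verification is recomputation with the same key, then comparison."""
    expected = response_code(transaction_mac(shared_key, account, amount_cents, counter))
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    key = bytes(range(32))                    # constructed sample key
    tx = ("ACCT-CONSTRUCTED-001", 125_00, 7)  # constructed sample transaction
    code = token_sign(key, *tx)
    return {
        "code": code,
        "accepted": bank_verify(key, *tx, code),
        # Integrity holds against outsiders: a changed amount no longer matches.
        "tampered_accepted": bank_verify(key, tx[0], 999_00, tx[2], code),
        # But the bank's own recomputation equals the token's output, so the
        # code alone cannot show which of the two key holders produced it.
        "bank_can_produce_same_code": response_code(transaction_mac(key, *tx)) == code,
    }


if __name__ == "__main__":
    print(demo())
```
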