In the first of a series of occasional articles on cyber-law, Laurie Lau, a PhD student in I.T. law at City University of Hong Kong, outlines the security issues relating to the Government's Electronic Transactions Bill, and highlights the risk of insider attack at the Certification Authority.

Insider Risk at the Certification Authority
19 September 1999

While the last two decades were the age of the computer, the next decade will be the age of the Internet. The Internet is quickly growing, expanding, and penetrating our daily life and the way we communicate with the world. With the growth of the Internet has come electronic commerce, which business entrepreneurs see as a new channel for market expansion. On the surface, e-commerce does offer new opportunities: the web knows no geographic border, and it can communicate with customers in real time. However, e-commerce is not the rose garden it appears to be. There are many issues, such as intellectual property, copyright, contract formation and privacy, which are still very much under debate and which hinder the growth of e-commerce. This column will provide articles on e-commerce and the law. To start with, this paper gives an overview of "Public Key Infrastructure" in Hong Kong.

How PKI works

There are three basic components to a public key infrastructure (PKI): cryptographic techniques, digital signatures and certification authorities (CAs). Encryption scrambles a message so that only an authorised person holding the necessary key can read it. The most widely used form is public key cryptography, in which each person holds a pair of keys: a public key that can be handed to anyone, and a private key that must be kept secret. When Anna writes to Bessie, Anna encrypts the message with Bessie's public key, and only Bessie, using her private key, can decrypt it. To sign the message, Anna first runs it through a "hash function", which produces a short, fixed-length code from the document text, and then applies her own private key to that hash. Bessie recomputes the hash of the message she received and compares it with the value recovered from the signature using Anna's public key; if the two match, the message was signed with Anna's private key and has not been altered since. Two caveats follow. A hash detects alteration, not interception: an eavesdropper can still read a message that was signed but not encrypted, which is why signing and encryption are used together. And a signature only proves that the signer held the private key matching a particular public key; tying that public key to the person "Anna" is the job of the certification authority, discussed below.
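To make the three components concrete, here is an added example (not from the article, and not from any Hong Kong CA's software) that walks through Anna and Bessie's exchange using a textbook RSA implementation written for this page: Bessie's public key encrypts, Anna's private key signs the SHA-256 hash, and a minimal certificate lets Bessie check that the public key she verifies with is the one a CA bound to the name "Anna". The last part of the demo goes beyond the paragraph to show what the insider attack discussed later in the article looks like in practice: whoever holds the CA's signing key can mint a certificate for "Anna" that passes every check. The names, the sample message, the certificate format and the key sizes are assumptions for the demo; textbook RSA without padding is used only so that every step is visible and is not secure for real use.

```python
"""Added example, not from the article: the Anna/Bessie exchange and a CA
certificate, using textbook RSA in pure Python so that every step is visible.
Textbook RSA (no padding) is NOT safe for real use; names, messages and key
sizes are constructed for the demo."""
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random witness in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:  # odd candidate with the top bit set, so p*q has exactly 2*bits bits
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) as (e, n) and (d, n)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e must be invertible modulo phi
            return (e, p * q), (pow(e, -1, phi), p * q)  # pow(e, -1, m) needs Python 3.8+

def encrypt(public, message: bytes) -> int:
    """Encrypt with the RECIPIENT's public key; the message must fit below n."""
    e, n = public
    m = int.from_bytes(message, "big")
    assert 0 < m < n, "message too long (or empty) for textbook RSA"
    return pow(m, e, n)

def decrypt(private, ciphertext: int) -> bytes:
    """Decrypt with the recipient's private key (no padding, so leading NUL bytes are lost)."""
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private, message: bytes) -> int:
    """Hash the message, then apply the SIGNER's private key to the digest."""
    d, n = private
    return pow(digest(message), d, n)

def verify(public, message: bytes, signature: int) -> bool:
    """Undo the signature with the public key and compare with a fresh digest."""
    e, n = public
    return pow(signature, e, n) == digest(message)

def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """Minimal certificate (assumed format): the CA signs the binding (name, public key)."""
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    return {"subject": subject, "public": subject_public, "ca_sig": sign(ca_private, body)}

def certificate_is_valid(ca_public, cert: dict) -> bool:
    body = f"{cert['subject']}|{cert['public'][0]}|{cert['public'][1]}".encode()
    return verify(ca_public, body, cert["ca_sig"])

def demo() -> dict:
    ca_pub, ca_priv = generate_keypair()
    anna_pub, anna_priv = generate_keypair()
    bessie_pub, bessie_priv = generate_keypair()
    anna_cert = issue_certificate(ca_priv, "Anna", anna_pub)
    msg = b"Pay HK$10,000 to account 123"                      # constructed sample message
    ct, sig = encrypt(bessie_pub, msg), sign(anna_priv, msg)   # Anna's side
    plain = decrypt(bessie_priv, ct)                            # Bessie's side
    results = {
        "decrypts": plain == msg,
        "cert_ok": certificate_is_valid(ca_pub, anna_cert),
        "sig_ok": verify(anna_cert["public"], plain, sig),
        "tamper_detected": not verify(anna_cert["public"], plain.replace(b"123", b"999"), sig),
    }
    # Insider at the CA: anyone holding ca_priv can issue a certificate naming
    # "Anna" that carries the insider's own public key. Bessie's checks all pass.
    mallory_pub, mallory_priv = generate_keypair()
    rogue_cert = issue_certificate(ca_priv, "Anna", mallory_pub)
    results["rogue_cert_accepted"] = certificate_is_valid(ca_pub, rogue_cert)
    results["forged_sig_accepted"] = verify(rogue_cert["public"], msg, sign(mallory_priv, msg))
    return results
```

Calling demo() returns a dictionary in which every entry is True, including the two "rogue" entries. That is the point: nothing in Bessie's verification distinguishes a certificate the CA meant to issue from one an insider issued with the same key, so the relying party cannot detect the attack; only controls inside the CA (keeping the signing key in protected hardware, requiring more than one person to authorise issuance, and keeping an auditable issuance log) address it.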

PKI in Hong Kong

In Hong Kong, cryptographic techniques, key management practices and audit processes are largely imported from the United States. Currently, Hong Kong does not restrict the domestic use of cryptography. However, the import and export of cryptographic hardware and software are restricted under Hong Kong's Import and Export Ordinance; the exception is personalised smart cards that are not capable of encrypting message traffic or user-supplied data and do not perform related key management functions. Potential importers or exporters must obtain a licence from the Department of Trade.

A digital signature is a cryptographic value, a string of binary digits (0 and 1), computed from the message and the signer's private key, whereas an "electronic signature" in the loose sense is often just a copy of a regular handwritten signature scanned into the computer. A digital signature identifies the holder of the signing key and provides data integrity: because it is computed over a hash of the message, any change to the message after signing causes the signature to fail verification. It does not by itself keep the message secret; that requires encryption.

A Certification Authority is an agent or Trusted Third Party (TTP) that is licensed to issue digital certificates. A certificate is the CA's own digital signature over a statement binding a public key to a named person, so that a signature which verifies under that public key can be attributed to that person. All these components are essential to electronic commerce because they are the measures that safeguard security and integrity.

In Hong Kong, the Electronic Transactions Bill was gazetted on 9-Jul-99 and will become the legal framework for PKI. The Bill provides that a digital signature satisfies a legal requirement for a signature, on the same footing as a handwritten one, when the digital signature is supported by a valid certificate from a licensed CA; the exceptions are deeds, conveyances, assignments, mortgages, legal charges and court judgments, for which a handwritten signature is still required. The Bill clearly states that the CA is not liable for any loss caused by reliance on a false or forged digital signature purporting to be made with the private key corresponding to a recognised certificate issued by that CA, provided the CA acted in compliance with the Ordinance and its code of practice. The whole structure therefore depends on the private key being kept under tight control.

Security Concerns

The Bill also stipulates that those who rely on the services of a licensed CA must be able to hold the CA legally liable for any loss suffered as a result of the CA's error. The CA will be liable on the conditions that the user (a) uses a licensed CA, (b) holds a valid certificate, and (c) can show that he or she was not at fault. Condition (c) is the most difficult to satisfy. Past experience in both the UK and the USA with Automatic Teller Machines (ATMs) shows how hard it is to "prove oneself not at fault". Banks simply deny that their encryption systems are ever at fault. Customers who complain about debits on their accounts for which they were not responsible (colloquially known as "ghost withdrawals") are told that they are lying, or mistaken, or that they must have been defrauded by friends or relatives, despite the fact that most ATM fraud cases are conducted with inside knowledge or access.

The Sunday Times reported on 22-Mar-92 a case in Scotland in which a bank ATM maintenance engineer, knowing that complaints from customers would probably be ignored, connected his laptop to an ATM to record customers' PINs and account numbers. He then made counterfeit cards and looted their accounts. Customers who complained to the bank were stonewalled, and the bank was later publicly criticised by one of Scotland's top law officers.

If a bank is prone to insider attack, then so is a CA. In Hong Kong a CA is legally well protected under the Electronic Transactions Bill, but the clients of a CA are at a disadvantage. When things go wrong, it is very difficult for an average CA user to prove that the CA is at fault, especially if the fault was caused by an insider, because the evidence lies in the CA's own systems and records. The CA would probably do what the Scottish bank did and deny liability. Additionally, a Hong Kong CA is liable to valid users only up to the amount of a "recommended reliance limit", and each CA user's certificate will carry a different reliance limit.

Therefore, preventing insider attack, protecting consumers and protecting privacy become key issues in the development of e-commerce.

© Laurie Lau Yiu Chung, 1999.

Mr. Lau is a PhD student in I.T. law at City University of Hong Kong.
