Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. My guest today is Mike Small. He's a Senior Analyst with KuppingerCole and he's working for us closely, close to Manchester in the UK. Hi, Mike. Good to have you.
Hi Matthias, pleased to be here. Thank you for inviting me.
Yes, and it was a perfect choice to invite you. We want to do another of these basics episodes where we go back to things where everybody thinks they know what they are and they don't and where there's a lot to learn about, although we think we know it already. And this time we want to talk about digital signatures. So the story and the history of digital signatures, their role and what will happen to them, how they will evolve in the future, if they will go away or if they won't. So that will be the content of this episode. So everything digital signatures. And to start with, of course, Mike, what is a digital signature?
Okay, well, so a digital signature is something that we're all using all the time and most people don't have the faintest idea that either they're using it or how it works. So every time you use a bank card, every time you do a transaction on the internet, every time your app connects to a secure site like a banking site, it depends upon a digital signature. And digital signatures are the modern day equivalent of what indelible ink was to a physical written signature. And so this is absolutely fundamental to the internet and everything that we use and everything that we do digitally. They all depend upon digital signatures. And they depend upon digital signatures because these things provide a way for you to authenticate who has sent a message or a document, to confirm that when you receive the document, that it wasn't changed on the way. And if you want, you can also make sure, using these digital signatures, that the only person that can read this document is the intended recipient. And so these are enormously powerful factors involved in the security of really everything that we do on the internet.
It's authentication, it's trust, it's non-repudiation. I hope I get that right. So, and all of these are key components of everything we do on the internet now, and especially of business, online business, digital business. When we come to the foundation, what is below that? What enables that? What makes it possible to have these signatures?
Yes, so the history of digital signatures is rather interesting and you have to trace back first of all to the 1960s when in the UK a man called, I think it was Clifford Cocks, was trying to solve the problem of how to securely exchange encryption keys to send secret messages from government to government, from army to army. And he came up with an idea that it would be really good if you could have two encryption keys, one which was used to encrypt the message and a different one that was used to decrypt it. Now, he had this idea, but he didn't know how to do it. And so in around 1973, GCHQ, the UK's encryption and security group, employed a young mathematics graduate and just as an aside said to him, oh, do you have a solution to this? And he went home and the next morning came in and provided a mathematical solution because he was just a mathematician straight out of Cambridge. And so this was something that was secret in the UK. Now, in 1977, three gentlemen from, I think it was MIT, Rivest, Shamir and Adleman came up with pretty much the same idea, but because it was America, they realized they could make money out of it. And so they published it and set up this company, which became known as RSA Security. And this basically is a system which allows you to have two keys to encrypt things. One key you can keep private and you can use this to encrypt messages and the other key you can publish. And so anyone who gets a message from you can use your public key to check that it's come from you. So that's part of the challenge. The second part is for it all to work, you need another mathematical trick, which is a way to create a digest, a summary of a piece of data, which isn't a piece of data, but is much shorter, but is pretty much guaranteed to change if in fact the message is tampered with in any way. And some people would recognize this as a checksum, which is a very crude form of what is called in computer terms a hash algorithm.
Now, with those two things, you've got the technological basis to be able to securely exchange messages. However, as with all things in security, everything comes down to trust. So how can you trust that the public key is the public key that you expect? Now, to give a little bit more of a detailed explanation as to how you use these two things. So let's say, Matthias, that I want to send a message to you. So what I do is I start off and I create a hash of that message. So I now have the message and I have the hash. And I then encrypt the hash using my private key, which is secret to me. I then send the message to you along with the encrypted hash. When you receive the message, you take the message and you can create the hash of that message using a public algorithm. And you then decrypt the encrypted version of the hash using my public key. And if those two, the hash that you've created is the same as the hash that I sent, you know two things. One is that the message was not changed. And the second thing is, you know that it must have been me that sent it, providing I still had control of my private key. And so that is a piece of mathematical magic that is basically used throughout. Now you can go further and you can do another trick which involves the same thing where if when I sent the message to you I encrypted the message using your public key then when it arrived at you you would be the only person who could decrypt it using your private key. So there we have a way to send a message that can't be changed or that you can prove has not been changed in a way that only you can read it using the magic of public-private key pairs. And again, to carry the story on, in the 1990s, there were various companies that grew up around all of this called certificate authorities. And one of them, I remember, was called VeriSign. And this was the leading edge of technology.
And these companies had values before the technology bubble that were probably larger than most small African nation states. Now, the interesting thing is that there was an enormous amount of hype around this at that time. But the hype's gone away. But this stuff is used everywhere. It is absolutely fundamental. So the next challenge is about trust. Because in effect, the value of all of this in a commercial environment comes from the fact that if I make an agreement with you, for example, that I'm going to pay you something, or that if I make an agreement with my credit card provider that I'm buying this thing for a certain sum of money, you don't want to be able for me to repudiate that transaction. That is to say, for me to say, no, it wasn't me. So all of this comes down to basically how can you trust in the public key and how can you trust that I've kept my private key private? And there are different ways of establishing that trust. And at least two of them involve third parties. So again, in the 1980s, having come up with this idea, there were people who proposed a thing called Pretty Good Privacy. And in this, basically what happens is that you share your trust with certain people. So, for example, you and I know each other. And so if you, Matthias, came to me and said, look, here's a chap I know, you can trust him, then I will trust him. And so you become a trusted introducer. So if you say to me, well, here, if you trust this chap, here is his public key, and I will verify it. That works, but it isn't particularly scalable. But it does allow you to create a circle or a web of trust. The other way of doing this is to base on what are called certificate authorities. These are organizations whose value added is to say that they will verify people's identities or organizations' identities. 
And therefore they will do a certificate, which is a kind of a signed document, which says that, yes, we have gone through a process of proving that this bank or this retailer or this organisation is who they say they are and that we will underwrite the security of their public key. And so that is good until of course they get hacked and of course there are some signs, some examples of people, people of certificate authorities being hacked. And there was the famous case of... it was a certificate authority which basically the whole of the Dutch public service depended upon was hacked by Iranian hackers who managed to obtain the private keys for Google and that allowed them to see what people were doing using Google. So, ultimately, it comes down to one or both of those things. And indeed, if you then look at, in fact, actually, in many cases, there is a combination of the two. So in the credit card business, in Europe, there is an organization called EMV, which is Europay, MasterCard and Visa. And they effectively issue the certificates which go on your smart credit cards. So it isn't just like a general public issuing of a certificate, but Europay, MasterCard and Visa is a trusted web organization that is trusted by the banks and the payment card issuers. If you take another example, another example is the trust in the identities of people within financial services who are entitled to make very large transactions, you know, sending multiple millions of dollars between organizations. So in a way, how it works is a combination of certain trusted suppliers of this using the certificate authority. So that's basically the way that that does it. Now, the problem, of course, is that you have, therefore you have to have a trusted third party involved. And so the interesting thing is that blockchains which use digital signatures, interestingly, in fact, have different ways of trying to get around this problem of trust.
And the most famous one is the one of Bitcoin, where, in a sense, what Bitcoin was trying to do was to remove the need for a trusted third party. And so they invented this wonderful competition where basically so-called crypto miners compete to be the first to figure out how to add a number used once, a thing called a nonce, to a block of transactions in such a way that the hash of that block of transactions will come out with a certain number of leading zeros, which is very interesting. The only trouble is that actually that computational thing uses the same amount of energy as a small city. And so it is not really a very green and friendly way of doing it. And whereas we normally expect in the financial services area to process 50 to 100,000 credit card transactions a second, blockchain transactions are sort of measured in the tens per second, as well as this enormous overhead. So this is all... really good. But to sort of wind back to where I started off, in the 19th century, a person could write a promissory note to their bank, and they could write it on any kind of piece of paper, and they would write, Mike Small promises to pay you five pounds, in indelible ink and sign it Mike Small. And this was brilliant until the Germans invented chlorine bleach. And once you had invented chlorine bleach, you could no longer be sure that a signature made in indelible ink on a piece of white paper could not be changed. And so the invention of chlorine bleach led to a step change in the security that surrounded a piece of paper with a signature on it. In the same way, today we have a gathering storm called quantum computing. And quantum computing has the possibility to crack the mathematical code that lies behind the RSA and other public-private key algorithms in a relatively short period of time because they are based on factorization of enormous prime numbers.
And so if and when quantum computing comes along, it has the potential to completely destroy the trust that we use based on public-private key encryption as currently exists. And so it is important for the future, for people to start to plan and to adopt the so-called quantum safe computing algorithms that are now being developed by the clever mathematicians across the world. And there are several projects, including one being run in America by NIST, the National Institute of Standards for Technology. So ultimately, to look at this and since digital signatures form the very basis of proof of identity across many technologies and many systems and since things are in this constant change of flux in this area, I think it would be good to attend our conference in Berlin in June, called the European Identity and Cloud Conference, where you will be able to hear more about identity and the risks and the future of IT and computing for all of us.
That's really a great summary and a great way of putting things. When we look at the "I" in EIC, we have identification and we have identity. And you've mentioned that everything that is around authentication, authorization, identification, and even trust, think of the HTTPS in your browser. Think of, you've mentioned the MasterCard, you've mentioned nationally issued ID cards and everything of that is at stake. Currently we're still using it. Now we understand it now that you've explained it. The question is what will happen the next time and I really can only encourage the audience to join us at EIC to follow of course this podcast because we will do more of these basic episodes, these 101 episodes as well to explain more technologies. But they are at stake and that's really an interesting topic. So thank you again, Mike, for being my guest today for explaining everything around digital certificates. And I hope we can have you soon as a guest in our podcast explaining more of these technologies that are around on the basics for our cybersecurity today. So thanks again, Mike, for being my guest today and looking forward to having you soon.
Thank you for the invitation and I'm delighted to have been able to help.
Absolutely. Thank you very much and it was a great episode. Thank you. Bye bye.