Advertisement

The Role of Data Integrity in EU Digital Signature Legislation — Achieving Statutory Trust for Sanitizable Signature Schemes

  • Henrich C. Pöhls
  • Focke Höhne
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7170)

Abstract

We analyse the legal requirements that digital signature schemes have to fulfil to achieve the Statutory Trust granted by the EU electronic signature laws (“legally equivalent to hand-written signatures”). Legally, we found that the possibility to detect subsequent changes is important for the Statutory Trust. However, detectability was neither adequately nor precisely enough defined in the technical and legal definitions of the term “Data Integrity”. The existing definition on integrity lack a precise notion of which changes should not invalidate a corresponding digital signature and also lack notions to distinguish levels of detection. We give a new definition for Data Integrity including two notions: Authorized changes, these are changes which do not compromise the data’s integrity; and their level of detection. Especially, the technical term “Transparency” introduced as a security property for sanitizable signature schemes has an opposite meaning in the legal context. Technically, cryptography can allow authorized changes and keep them unrecognisably hidden. Legally, keeping them invisible removes the Statutory Trust. This work shows how to gain the Statutory Trust for a chameleon hash based sanitizable signature scheme.

Keywords

European Union Signature Scheme Data Integrity Electronic Signature European Union Regulation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Agrawal, S., Kumar, S., Shareef, A., Rangan, C.P.: Sanitizable Signatures with Strong Transparency in the Standard Model. In: Bao, F., Yung, M., Lin, D., Jing, J. (eds.) Inscrypt 2009. LNCS, vol. 6151, pp. 93–107. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  2. 2.
    Alsaid, A., Mitchell, C.J.: Dynamic content attacks on digital signatures. Information Management & Computer Security 13 (2005)Google Scholar
  3. 3.
    Ateniese, G., Chou, D.H., de Medeiros, B., Tsudik, G.: Sanitizable Signatures. In: di Vimercati, S.D.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 159–177. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Bishop, M.: Computer Security: Art and Science. Addison-Wesley Professional (2002) ISBN: 0201440997Google Scholar
  5. 5.
    Boyer, J.: Canonical XML V 1.0 (March 2001)Google Scholar
  6. 6.
    Brzuska, C., Fischlin, M., Freudenreich, T., Lehmann, A., Page, M., Schelbert, J., Schröder, D., Volk, F.: Security of Sanitizable Signatures Revisited. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 317–336. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Bundesverfasssungsgericht (BVerfG). Urteil vom. 1 BvR 370/07, 1 BvR 595/07 - NJW, 822 (February 27, 2008)Google Scholar
  8. 8.
    Caplan, R.M.: HIPAA. health insurance portability and accountability act of 1996. Dent Assist. 72(2), 6–8 (1997)Google Scholar
  9. 9.
    Clark, D.D., Wilson, D.R.: A comparison of commercial and military computer security policies. In: IEEE Symposium on Security and Privacy, p. 184 (1987) ISSN: 1540-7993Google Scholar
  10. 10.
    Clark, J.: XSL Transformations (XSLT) version 1.0, www.w3.org/TR/xslt
  11. 11.
    Dumortier, J.: Legal status of qualified electronic signatures in europe. In: ISSE 2004 - Securing Electronic Business Processes. Vieweg (2004)Google Scholar
  12. 12.
    Eastlake, Reagle, Solo.: XML-signature syntax and processing. W3C recommendation (February 2002), www.w3.org/TR/xmldsig-core/
  13. 13.
    EU. Directive 2009/140/EC of 25 November 2009 amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and 2002/20/EC on the authorization of electronic communications networks and services. Official Journal L 337/8 (December 2009)Google Scholar
  14. 14.
    EU. Regulation 460/2004/EC of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency. Official Journal L 77/1 (March 2004)Google Scholar
  15. 15.
    EU. Regulation 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. Official Journal, L 8/1 (January 2001) Google Scholar
  16. 16.
    EU. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. Official Journal L 12, 12–20 (2000)Google Scholar
  17. 17.
    EU. Consolidated version of the treaty on european union. Official Journal of the European Union (March 2010)Google Scholar
  18. 18.
    Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17 (1988)Google Scholar
  19. 19.
    Gollmann, D.: Computer Security 2e. John Wiley & Sons (2005)Google Scholar
  20. 20.
    Herkenhöner, R., Jensen, M., Pöhls, H.C., de Meer, H.: Towards automated processing of the right of access in inter-organizational web service compositions. In: IEEE Int. Workshop on WebService and Business Process Security (WSBPS). IEEE (2010)Google Scholar
  21. 21.
    De Hert, P., Gutwirth, S.: Privacy, data protection and law enforcement. Opacity of the individual and transparency of power. In: Privacy and the Criminal Law, pp. 61–104. Intersentia nv (2006)Google Scholar
  22. 22.
    Hill, B.: Attacking xml security. Black Hat Briefings USA (2007)Google Scholar
  23. 23.
    Latham, D.C.: Department of defense trusted computer system evaluation criteria (1985)Google Scholar
  24. 24.
    Miyazaki, K., Iwamura, M., et al.: Digitally signed document sanitizing scheme with disclosure condition control. IEICE Transactions (2005)Google Scholar
  25. 25.
    EU Court of Justice. Judgment of the court Case C28/08P (June 29, 2010)Google Scholar
  26. 26.
    Pöhls, H.C., Tran, D., Petersen, F., Pscheid, F.: MS Office 2007: Target of hyperlinks not covered by digital signatures (December 2007), www.securityfocus.com/archive/1/485031/30/0/
  27. 27.
    Pöhls, H.C., Samelin, K., Posegga, J.: Sanitizable Signatures in XML Signature — Performance, Mixing Properties, and Revisiting the Property of Transparency. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 166–182. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  28. 28.
    Posegga, J., Vogt, H., Kehr, R.: Eine Vorrichtung zur Erhöhung der Sicherheit bei Digitalen Signaturen. German Patent (Akz 199 23 807.3); European Patent (EP 1 054364 A2), Patentblatt 2000/47 (1999)Google Scholar
  29. 29.
    Stallings, W.: Network Security Essentials: Applications and Standards, 3rd edn. Prentice-Hall (2006) ISBN: 0132380331Google Scholar
  30. 30.
    Steinfeld, R., Bull, L., Zheng, Y.: Content Extraction Signatures. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 285–304. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  31. 31.
    Zanero, S.: Security and Trust in the Italian Legal Digital Signature Framework. In: Herrmann, P., Issarny, V., Shiu, S.C.K. (eds.) iTrust 2005. LNCS, vol. 3477, pp. 34–44. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Henrich C. Pöhls
    • 1
  • Focke Höhne
    • 1
  1. 1.Institute of IT Security and Security LawUniversity of PassauGermany

Personalised recommendations