Home / Blogs

Ailing ETO-2002 and the Demise of PKI

The only Cyber law passed in Pakistan till date is the famous ETO-2002 (Electronic Transaction Ordinance - 2002). It required Ministry of IT&T to set up a Central Repository for all digital certificates and in addition to set up a body to be named as Electronic Certification Accreditation Council (ECAC) to accredit Electronic Certification Authorities to be established in the country.

The ECAC was set up and this body at certain point figured out that it was not possible for the ministry to set up the promised Repository. The ECAC itself was designed to one day become a white elephant. Of course it was not viable to have four or five full fledged departments fully equipped with necessary infrastructure to set up and maintain a Central Repository of all digital certificates and their associated public/private keys. Even the ETO-2002 is of no importance to the government any more the only thing they needed at that time was to provide all digital/electronic documents a full legal cover.

Now the ECAC has vanished due to lack of interest from the ministry. Though the accreditation of certification authorities was declared optional in the ETO-2002 Act but one always thought that when government advises use of digital certificates for communicating with its departments it would mandate certificate issuing authority to get accredited by ECAC, this of course would be to keep a close check on the certificate authorities set up and operated by private parties.

In this regard, government has not only closed its eyes and has blindly trusted the only certificate authority (CA) in the country operated by a private business group, it has also mandated the citizens and business to trust it. Case in point is Central Board of Revenue (CBR) that has told all taxpayers to digitally sign the emails using the certificates issued by this private party. The blind trust comes from the fact that the issuing authority is an affiliate of a US based CA without realizing that US based CA is also operated by private party and nothing can go wrong there. Probably CBR does not know that one of the directors of the mentioned business was indicted by SEC (USA) for options fraud. In absence of ECAC probably there is nothing one can do.

Now my question to CBR would be: Why do we have to submit our returns through digitally signed emails? Is it for cost saving, convenience or just an announcement to show the world that we are keeping abreast with the developed world.

Let’s make this more interesting to the reader. To digitally sign a electronic document we need a piece of software that is called a “Document Signer” this piece of software could be part of the application software you are using or not. In the later case of course you will need a separate signer that will have an additional cost to the party signing an electronic document. CBR took a short cut there and advised taxpayers to attach the document (tax return form) to email, digitally sign it, encrypt it and send it.

The question here is: Why send the return attached to a digitally signed email? Well the answer is simple and easy almost all popular email client software have Document Signer included as default. Oops - again CBR did not realize that such signers only sign the email and not the attachments. So funny part of the story is that the tax return (electronic format) is not digitally signed for which the taxpayers are spending good amount of money to get the best of all digital certificates (Class 3) with highest level of encryption and strongest signing keys. Do not worry your self if you do not understand this jargon just keep using the certificates that CBR has recommended.

To have a twist in the story let’s go back to the ETO-2002 and its interpretations, if a reasonable trail can be demonstrated to associate an electronic document to an individual it is enough to prove the association in a court of law. Oops - is CBR maintaining all the emails it is has received to some day demonstrate that needed trail. And, if yes, at what cost to the citizens of this country.

Since we are discussing ETO-2002 and its interpretations, clicking any button on any webpage to agree or to accept is regarded as digitally signing it as long as a trail can be demonstrated to associate that “Click” to an individual. But this is different from “Advanced Digital Signature” that requires digital certificate and PKI (Public Key Infrastructure). That is not enough the digital signature should also demonstrate the reason for signing and consent of the individual who signed the electronic document.

This requirement must have some importance to other jurisdictions that is why all good digital document signers have this feature available in them. Unfortunately the popular email clients (software) do not have this feature in their signers. And even if they did, still the document (tax return) cannot be interpreted to have an advanced digital signature. I am sure all my readers will remember the well-known statement “I ___________ hereby declare/ certify….....” which you do not see in any of the email clients.

If the system we use has so many flaws in it then: Why are we using digitally signed emails for serious matters like tax return filing? Why are we spending US $42.00 annually per taxpayer just for the certificate? Are we maintaining the legally needed trail? Answers to all these questions are a mystery to me as they would be to you.

Some years back I had read an essay by Carl Ellison and Bruce Schneier on 10 risks of PKI. Carl has been Senior Security Architect at Intel Corp. with special focus on cryptography and cryptographic access control, Bruce has been CTO at Counterpane Internet Security Inc. and author of applied cryptography, blow-fish and two-fish cryptography algorithms. Below I would like to reproduce a couple of paragraphs from their essay published in year 2000:

Computer security has been victim of the “year of the…” syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public key infrastructure (PKI). “If you only buy X,” the sales pitch goes, “then you will be secure.” But reality is never that simple, and that is especially true with PKI.

[...]

There are risks in believing this popular falsehood. The immediate risk is on the part of investors. The security risks are borne by anyone who decides to actually use the product of a commercial PKI.

In the essay the “Ten Risks” of PKI are put to us as simple and short questions and the authors also provide arguments to strengthen the need to ask to self. To shorten this writing I would only list out those questions and very brief explanation:

Risk #1: “Who do we trust, and for what?”
There’s a risk from an imprecise use of the word “trust.” A CA is often defined as “trusted.”

Risk #2: “Who is using my key?”
One of the biggest risks in any CA-based system is with your own private signing key.

Risk #3: “How secure is the verifying computer?”
Long keys don’t make up for an insecure system because total security is weaker than the weakest component in the system. The same applies to the verifying computer - the one that uses the certificate.

Risk #4: “Which John Robinson is he?”
Certificates generally associate a public key with a name, but few people talk about how useful that association is. Imagine that you receive the certificate of John Robinson. You may know only one John Robinson personally, but how many does the CA know?

Risk #5: “Is the CA an authority?”
The CA may be an authority on making certificates, but is it an authority on what the certificate contains?

Risk #6: “Is the user part of the security design?”
Does the application, using certificates, take the user into account or does it concern itself only with cryptography?

Risk #7: “Was it one CA or a CA plus a Registration Authority?”
Some CA(s), in response to the fact that they are not authorities on the certificate contents, have created a two-part certification structure: a Registration Authority (RA), run by the authority on the contents, in secure communication with the CA that just issues certificates.

Risk #8: “How did the CA identify the certificate holder?”
Whether a certificate holds just an identifier or some specific authorization, the CA needs to identify the applicant before issuing the certificate.

Risk #9: “How secure are the certificate practices?”
Certificates aren’t like some magic security elixir, where you can just add a drop to your system and it will become secure. Certificates must be used properly if you want security.

Risk #10: “Why are we using the CA process, anyway?”
One PKI vendor employee confided in us a few years ago that they had great success selling their PKI solution, but that customers were still unhappy. After the CA was installed and all employees had been issued certificates, the customer turned to the PKI vendor and asked, “OK, how do we do single sign-on?” The answer was, “You don’t. That requires a massive change in the underlying system software.”

Last year FFIEC (Federal Financial Institution Examination Committee - USA) mandated banks to use two factor authentication for online and banking and payments but soon realized that the products (One Time Password devices) mushrooming in the market were not secure enough so it came back with recommendations that banks must look beyond. Today there are solutions available that will only cost a dollar per individual and only once unlike digital certificate’s annual charge. So moral of the story is that “if we decide to do something—we should do it in a properly planned and smart way”.

Conspiracy Theory

Since all along I have tried to demonstrate my humor let me list out few important facts about post ETO-2002 happenings to develop a conspiracy theory:

  • PTA Act amendment has taken back control of encryption in a vague manner while ETO-2002 had provided free access to citizens to this technology.
  • ECAC does not exist any more to have some control over Certification Authorities.
  • There is no notification under ETO-2002 to use signers for signing digital documents.
  • There is no notification under ETO-2002 to specify some best practices for usage types of certificates specifying encryption and signature strength associated with financial transactions or important non-financial transactions.
  • No mandate for banks to use strong authentication or digital signatures to safeguard customers.
  • Last but not the least - no extension of ETO-2002 has occurred since its passing and it still does not cover the following:
    • A negotiable instrument as defined in section 13 of the Negotiable Instruments Act, 1881 (XXVI of 1881);
    • A power-of-attorney under the Powers of Attorney Act, 1881 (VII of 1882);
    • A trust as defined in the Trust Act 1882 (II of 1882), but excluding constructive, implied and resulting trusts;
    • A will or any form of testamentary disposition under any law for the time being in force; and
    • A contract for sale or conveyance of immovable property or any interest in such property.

It seems ETO-2002 is slowly and systematically being nullified and it will remain somewhere in distant memory.

By Mustafa Syed, Director

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign