June 28, 2007

"Trusted-Hardcopy" -- more experiments with digitising paper and signatures

RAH points to WSJ on security and paper from HP:

H-P Designs 'Digital Signature' Against Forgeries

BANGALORE, India -- As anyone who does business in India knows, you can't get very far without the right piece of paper. That makes forgery a big problem and one of the most common types of fraud. ... In a research and development laboratory here in Bangalore, India's tech hub, Hewlett-Packard Co. is researching a way of marking new paper documents with a bar code that helps prevent forgeries....

With Trusted Hardcopy, which is just one of the tailored efforts, rather than requiring holograms or watermarked paper, the system uses equipment no more complicated than some software, a scanner and a computer. The bar code is designed to act like a digital signature, "thus bringing network level security to the world of paper," says H-P in a company document. H-P envisages government entities, public offices and companies as potential users, such as for the registration of land ownership.

... Yet India also is famously bureaucratic and forms-ridden. So the company has focused some of its efforts on trying to bridge the gap between tech and paper.... "We sort of assume that paper's not going to go away," said Mr. Kuchibhotla. "And we say that if paper's not going to go away, what technology do you need to bridge what's happening in the paper world with what's happening in the IT world?"

H-P's goal was to make a product that allowed paper to be read by a machine and secure against forgery. An early version of Trusted Hardcopy puts a bar code on paper that is similar to the bar codes on groceries. It contains the data that are also printed on the document and can be read by a scanner. It also encodes the data in the bar code to prevent tampering.

Because the bar code contains the authentic data, any changes to the document should be identifiable. The bar codes can't be easily copied. The bar code is printed at the bottom of a page of regular size copier paper....

Posted by iang at June 28, 2007 01:23 PM

Why would you just post an article verbatim? Why not add a few comments of your own?

My question is ... it seems that this is like a microdot which takes a click of the paper and stores it compressed in the bar code. Now the problem is ... will this still work if the paper gets damaged a little, a little dust falls on the paper ... paper becomes yellow ... how good an image processing algo would be required to check whether the two things match? What advantages are there to this? I mean, the signature requires human intervention, it is stored physically and not digitally, and every time something is edited a new signature would be required. And there is no scope of digital filters (signature filters, where you say that you are not signing the office use only part of the form).... so everything is just like the present, only that instead of signing with pen you are signing with a bar code and paying for HP's horrendously costly ink?

Posted by: dev at July 2, 2007 05:11 AM

Main reason for no comments: travelling ...

Main reason for posting: it is a sort of poignant example of how digsigs in their obvious form have failed to make much headway, and how the old mechanisms still seem to be dominating.

In contrast, see Germany's attempts to kick-start use of digsigs by offering VAT reductions on invoices. They may eventually get it to work, but at such cost that people will eventually wonder what happened to the dream...

Posted by: Iang at July 2, 2007 07:04 AM

But this is frankly ridiculous! IMHO, it is a step back! This isn't a dig sig... it is a physical signature! And TFA article talks about it as if it is some really new thing and a new discovery!

Am I too cynical? Have you realised any advantages of this?

Is my understanding that it is like a microdot of the document on the document itself wrong?

Posted by: dev at July 2, 2007 07:13 AM

It's only a step backwards if you believe that digsigs are a step forwards. If instead digsigs are a step backwards, or simply don't work, then it is more an expression of evolution / experimentation.

The sad fact that is to be discovered every time someone invests in digsigs is that they do not work. At least, they don't do what they claim to be able to do. There are some other advantages to digsigs, but first we have to get over the myth of digsigs as being useful human signatures.

As to whether it is a microdot ... I don't know any more than the article.

Posted by: Iang at July 4, 2007 03:51 AM

While that is true, they certainly achieve something. I mean, afaik, dsigs are the only methods of making sure of data integrity when the data is stored on the server db. And I think that is very important cos an attacker/someone with nefarious purposes can't edit the data in the db and put blame on you then, so easily.

Other than that, evidence against non-repudiation is also given. So dsigs do have their advantages. Whether they justify the investment and training required is a question beyond me.

Posted by: dev at July 4, 2007 04:59 AM

digsigs ... if you mean that reverse-encryption method from public-private key cryptography ... are not the only means of data integrity. We can use a range of devices for that: a simple checksum, a hash, or a keyed-hash (HMAC). All of these do data integrity to some extent or other.

Another way of looking at this is whether the digsig is entirely about data integrity. In this case, a hash stored in a secure and published repository "isa" digsig, as it ensures the existence of a document at a certain point in time. If we make sure that the signatory is in fact aware of the event, then we can also ensure that she signed. (This is more or less what the Ricardian Contract does, although it also includes a public-private keyed reverse encryption digsig.) For more on this, search on "hash entanglement".

As to non-repudiation, that's a myth. There is no such thing as non-repudiation, and no way to invent or create it. Click on the link for more on that.

What exists is "evidence" and a digsig can achieve that. But so can a lot of other things, it all depends on what you are trying to create evidence on, and that depends on a proper understanding of the application. Digsigs create evidence of something, but that isn't good enough, we need to know what it creates evidence of, and whether that is useful.

Posted by: Iang (repudiating non-repudiation) at July 4, 2007 05:12 AM
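
The last exchange turns on how far a checksum, a hash, a keyed hash (HMAC) and a hash lodged in a published repository each go when someone can edit the data in the server db. The sketch below is an added example, not part of the original thread; the land record, the key and the model of a writer with database access are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Assumption: this key is held outside the database, so a DB writer never sees it.
KEY = b"constructed-demo-key-held-outside-the-db"


def protect(record: bytes, key: bytes = KEY) -> dict:
    """Compute the integrity tags that would be stored beside the record."""
    return {
        "crc32": zlib.crc32(record),
        "sha256": hashlib.sha256(record).hexdigest(),
        "hmac": hmac.new(key, record, hashlib.sha256).hexdigest(),
    }


def verify(record: bytes, tags: dict, published_hash: str, key: bytes = KEY) -> dict:
    """Report which mechanisms still accept the record as unmodified."""
    digest = hashlib.sha256(record).hexdigest()
    mac = hmac.new(key, record, hashlib.sha256).hexdigest()
    return {
        "crc32": zlib.crc32(record) == tags["crc32"],
        "sha256_in_db": digest == tags["sha256"],
        "sha256_published": digest == published_hash,
        "hmac": hmac.compare_digest(mac, tags["hmac"]),
    }


def edit_row_and_tags(record: bytes, tags: dict) -> tuple:
    """Model a writer who can change the row and every tag stored with it, but has no key."""
    changed = record.replace(b"owner=Asha", b"owner=Mallory")
    new_tags = dict(tags)
    new_tags["crc32"] = zlib.crc32(changed)                 # unkeyed: recomputable
    new_tags["sha256"] = hashlib.sha256(changed).hexdigest()  # unkeyed: recomputable
    return changed, new_tags  # the HMAC tag stays stale without the key


def run_demo() -> tuple:
    record = b"plot=117;owner=Asha;registered=2007-06-28"  # constructed sample
    tags = protect(record)
    published = tags["sha256"]  # copy lodged where the DB writer cannot alter it
    changed, changed_tags = edit_row_and_tags(record, tags)
    return verify(record, tags, published), verify(changed, changed_tags, published)


if __name__ == "__main__":
    before, after = run_demo()
    print("original:", before)
    print("edited:  ", after)
```

The unkeyed tags stored in the same database still verify after the edit; only the HMAC and the externally published hash flag it, and neither of those says who made the change.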