1. 31
  1.  

  2. 14

    128 bits is probably too short to be illegal in all but the most repressive of regimes.

    In Germany there is an illegal string which is 11 ascii chars long. It is a big one too, they come down pretty hard on it. At the very least if a user posts it on a server you control the server can get shut down.

    1. 3

      > In Germany there is an illegal string which is 11 ascii chars long.

      You can’t say that and not post the string!

      Edit: OK, OK, fine… ;) It would be so funny if someone posted a string, which by an incredible coincidence, could or could not hash into something readable by some out of an infinite number of possible hashing algorithms… so funny, really… how ironic that would be, such a coincidence!

        1. 1

          Wow. I was joking before, but seriously, I had no idea.

          I hope Germany doesn’t take Wikipedia down.

          1. 4

            Unlikely, since the third sentence in the linked section states

            > Usage for art, teaching and science is allowed unless “the existence of an insult results from the form of the utterance or the circumstances under which it occurred.”

            Edit: here’s an explainer from PBS on how these laws are implemented: https://www.pbs.org/wgbh/frontline/article/germanys-laws-antisemitic-hate-speech-nazi-propaganda-holocaust-denial/

      1. 1

        > At the very least if a user posts it on a server you control the server can get shut down.

        I’ve heard it can happen without any warnings, too … the admins did NAZI it coming.

      2. 7

        There exists a seemingly innocent piece of data - an image, an MP3, a text file - which when fed to MD5 produces these 128 bits: … Decoded into ASCII, that spells I hate the queen.

        This is pretty unlikely to be noticed because a digest/hash is binary data and won’t be displayed as ASCII unless someone’s scanning it for strings. And in that case, it’s just as likely for that string to occur in some other binary data like JPEG or ZIP.

        What’s more problematic is that digests are commonly displayed in hex or base64 (or base58 or base32 or…). With hex you have to get pretty creative to construct an illegal message — maybe DEADBEEF would get you in trouble in a hypothetical Hindu theocracy? — but the others include the full English alphabet. And as a bonus, they result in longer strings than an ASCII dump (⅓ longer for base64), so more room to hang yourself.

        I’ve actually thought about this issue for reals…

        So, in the P2P social network I’m building, a user’s secure global identity is an Ed25519 public key. This is for most purposes a random 256-bit number. It isn’t the ID users normally see, but it is visible because it’s the source of truth of identity. My software displays it as a 43-character base64-encoded string (usually only the first 8 chars but you can point at it to show the rest.)

        On first launch, the program randomly generates a key-pair that will be your public ID. The question is, should the program’s setup UI show you its visible base64 form and allow you to reroll the dice? Because there’s a nonzero chance that your key contains something offensive/embarrassing/illegal like “ieaTbo0gerS”, maybe even in the first 8 characters. Is that likely enough for me to accommodate it in the UI?

        1. 3

          As I understand it, one of the benefits of Ed25519 over RSA is that the keys can be random numbers. Depending on how many of the bits you actually need for security, you could allow the user to choose a few characters. I’ve never seen this done with crypto keys, but Facebook puts faceb00c in most of their IPv6 addresses, which makes them very recognisable as hex strings.

          1. 1

            The private key is a random number. Almost any 256-bit number will work; you just give the key-generator 32 bytes from /dev/random and it tweaks a few bits and that’s the private key.

            The public key gets derived from that by a bunch of math. So none of the bits of the public key can be chosen; it’s for all intents and purposes random.

            I do have some experimental code that sets all CPU cores to generating key pairs until they find one where the public key’s base64 encoding has a desired prefix. It’s pretty slow — even on my M1 MacBook Pro it takes 10-20 minutes* if you give it a 4-char prefix. You could argue that this has some value as a proof-of-work, i.e. someone with a “vanity public key” is less likely to be a spam/bot account. Unfortunately the last thing I want to do is inject a 20-minute delay into onboarding — it’s terrible for user adoption. And by the time you’ve used the network long enough for a cool ID to be valuable, you’ve tied yourself socially to your existing non-cool ID.

            * I’m sure this could be sped up a lot if the keygen function ran on the GPU, but I guess typically keygen isn’t considered worth optimizing that much; I only found one such implementation and IIRC it looked like it would only run on some GPUs and not on Macs.
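The reroll-until-prefix search and the ID-screening question from the two comments above, as an added example that is not part of the original posts or the poster's software. It assumes the standard base64 alphabet for the 43-character display form; `flagged`, its blocklist and the look-alike folding table are hypothetical, and the key derivation follows RFC 8032 in pure Python, so it is far slower than a native library.

```python
import base64, hashlib, os
# RFC 8032 key derivation in pure Python: slow and not constant-time, demo only.
P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P

def _add(a, b):
    """Add two curve points in extended coordinates (X, Y, Z, T)."""
    A = (a[1] - a[0]) * (b[1] - b[0]) % P
    B = (a[1] + a[0]) * (b[1] + b[0]) % P
    C, E = 2 * a[3] * b[3] * D % P, 2 * a[2] * b[2] % P
    return ((B - A) * (E - C) % P, (E + C) * (B + A) % P,
            (E - C) * (E + C) % P, (B - A) * (B + A) % P)

def _base_point():
    """Recover the base point from y = 4/5, taking the even x."""
    y = 4 * pow(5, -1, P) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    x = x if x % 2 == 0 else P - x
    return (x, y, 1, x * y % P)

BASE = _base_point()

def public_key(seed: bytes) -> bytes:
    """Derive the 32-byte public key; no output bit can be chosen directly."""
    h = hashlib.sha512(seed).digest()
    s = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    q, pt = (0, 1, 1, 0), BASE
    while s:
        if s & 1:
            q = _add(q, pt)
        pt, s = _add(pt, pt), s >> 1
    zinv = pow(q[2], -1, P)
    x, y = q[0] * zinv % P, q[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def display_id(pub: bytes) -> str:
    return base64.b64encode(pub).decode().rstrip("=")  # 43 visible characters

def find_prefix(prefix: str, max_tries: int):
    """Reroll seeds until the ID starts with prefix: about 64**len(prefix) tries."""
    for tries in range(1, max_tries + 1):
        seed = os.urandom(32)
        if display_id(public_key(seed)).startswith(prefix):
            return seed, tries
    return None, max_tries

LEET = str.maketrans("0134", "oiea")  # assumed look-alike folding, not exhaustive
def flagged(id_text: str, blocklist, window: int = 43) -> bool:
    """True if a blocked word appears in the first `window` displayed characters."""
    shown = id_text[:window].lower().translate(LEET)
    return any(word in shown for word in blocklist)
```

Each extra prefix character multiplies the expected number of key pairs by 64, so a 4-character prefix needs about 16.8 million derivations, while rejecting a flagged ID costs only a handful of rerolls.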

          2. 1

            Why not? I’m sure some people will find it fun to try to get a funny base64 id.

            1. 3

              There are already vanity crypto wallet ID generators for this purpose.

          3. 4

            I liked this, but at the same time, I take some exception to the idea that the number itself is illegal. I guess I’m a Secret Platonist or something, because to me the number is perfectly innocent of any violations and only when combined with a very specific context does it become the carrier of information.

            1. 4

              I would say most judges would have the same interpretation as you do.

              Consider this: if the number is small enough, then by the sheer laws of probability it will naturally appear in many places at random (e.g. an unrelated movie file or a large compressed ISO image of some unrelated software), which is hard to argue that it would make such a file illegal to possess, especially because nobody would be searching for that number inside the file unless that person already knew the number or someone else pointed out the offset (knowing what the number represents).

              The larger the number is, the more unlikely it is to appear out of sheer randomness, so it would be harder to justify that you didn’t come into its possession due to exactly the specific illegal context.

              1. 3
                1. 2

                  This is why strict liability possession laws are bad.

                  1. 1

                    The number itself isn’t illegal, but it can be encoded into human-readable form that’s illegal to express. Or the number can represent information that’s considered a secret.

                    In other words the act of communicating a numeral can be illegal.

                  2. 3

                    I remember learning about normal numbers in a math class way back when, and making the comment that pi might be illegal because it contains every work of intellectual “property” ever produced, every work to be produced in the future, and so on.

                    The whole idea of illegal information is just kinda batty.

                    1. 2

                      In a different take on the title, I recently contacted a company to ask what hash algorithm they used to “store” some user data. After a lot of back-and-forth, I was told that

                      > We’re so sorry to say that this information is confidential. We can not reveal it due to the rules of our secret [sic] business.

                      1. 6

                        Well, of course! If you contacted an NSA subcontractor which is developing a new highly-secure quantum hashing algorithm to hash government top-secret data, what did you expect?

                        Oh, it was just some random company? Oh well…

                        Now seriously, I totally understand you, heh… I’ve had and heard of so many of these types of exchanges!

                        That reminds me of something that really happened to me just today (believe it or not!):

                        I was told by my lawyer (don’t ask) that since you couldn’t digitally sign every page of a PDF document separately (I don’t even know what that means), that she was going to separate all the pages of the document into separate PDF documents and requested me to digitally sign all the PDFs (one page each). Here’s how the telephone conversation went:

                        • Me: but you know, if you separate all the pages into separate documents and I sign them separately, then you could just replace some pages by other pages signed by me from another document and fool the judge into thinking I signed them as a whole.

                        • Lawyer: No, but I wouldn’t do that, I will only send these pages!

                        • Me: Yes but I mean, even if you do that, when the judge receives the pages he will not be able to tell whether you sent all the pages of the document or whether some pages are conveniently missing. Are they at least numbered as in “1 of 10”, “2 of 10”, etc?

                        • Lawyer: Well, no, we don’t number them like that in our legal documents, we only put the first number! But I will send them all! The judge asked us to do it this way!

                        • Me: Uhm, yes, but you should really tell the judge this is a bad idea! You should always digitally sign the entire document as a whole, as that’s what the digital signatures are designed to do, otherwise the digital signatures can be misinterpreted to mean something they don’t.

                        • Lawyer: OK, I will speak with the other lawyer and then I’ll send you an email.

                        • Lawyer’s email: Here’s the document. I sent you the document as separate pages and also as a whole. Please sign them all. When you digitally sign the PDF that contains the document as a whole, please digitally sign only the last page!

                        …………… Oh for the love of God!!!
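The objection raised in the phone call above, as an added example that is not part of the original comment: per-page signatures still verify after a page is swapped in from another signed document or dropped, while one signature over the whole document rejects both. HMAC-SHA256 stands in for the certificate-based signature so the code runs with the standard library alone; the key, the contracts and all function names are constructed for illustration.

```python
import hashlib
import hmac

# HMAC-SHA256 stands in for the signer's certificate-based signature so the
# example runs with the standard library; the binding problem is the same.
KEY = b"constructed-demo-signing-key"

def sign(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def sign_pages(pages):
    """One signature per page: each page is authentic, nothing links them."""
    return [(page, sign(page)) for page in pages]

def verify_pages(signed_pages) -> bool:
    return all(verify(page, sig) for page, sig in signed_pages)

def encode_document(pages) -> bytes:
    """Page count plus length-prefixed pages: binds content, order and total."""
    out = len(pages).to_bytes(4, "big")
    for page in pages:
        out += len(page).to_bytes(4, "big") + page
    return out

def sign_document(pages) -> bytes:
    return sign(encode_document(pages))

def verify_document(pages, sig: bytes) -> bool:
    return verify(encode_document(pages), sig)

# Constructed sample contracts, three pages each, same signer.
CONTRACT_A = [b"A/1 parties", b"A/2 buyer pays 1,000", b"A/3 signatures"]
CONTRACT_B = [b"B/1 parties", b"B/2 buyer pays 9,000", b"B/3 signatures"]

def demo() -> dict:
    a, b = sign_pages(CONTRACT_A), sign_pages(CONTRACT_B)
    spliced = [a[0], b[1], a[2]]      # page 2 swapped in from another document
    dropped = [a[0], a[2]]            # page 2 silently missing
    whole = sign_document(CONTRACT_A)
    return {
        "per_page_accepts_splice": verify_pages(spliced),
        "per_page_accepts_drop": verify_pages(dropped),
        "whole_accepts_original": verify_document(CONTRACT_A, whole),
        "whole_accepts_splice": verify_document([p for p, _ in spliced], whole),
        "whole_accepts_drop": verify_document([p for p, _ in dropped], whole),
    }
```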

                        1. 8

                          Back in 2007 (I think), I had the contract for my first book. I was emailed the PDF and was asked to digitally sign it. This was very exciting, I’d never been asked to do that before! So I dutifully created a key signed by my CACert identity, hashed the document, and sent them back a copy of the hash signed by my certificate and a copy of the certificate. They had no idea what to do with this. It turns out, they wanted me to scribble a signature on the PDF and send it back. Now, the fun thing about PDF is that the format is designed for non-destructive editing: the signature is added as a separate object and is rendered on the top. Given this document, it’s trivial to extract that object and replace any of the layers underneath. Total security value of this dance: zero.

                          More recently, I’ve been asked to sign something for LLVM’s relicensing using DocuSign. This required me to type my name into a text field. At no point in the process did it do anything that verified my identity. If I knew someone’s email address (public, in the git logs) then I could easily sign on their behalf (I didn’t need to be able to receive emails there, I just needed to enter it).

                          Legally, in English common-law countries, the requirement for a contract to be legally binding is that a ‘meeting of minds’ has occurred: i.e. both parties have a reasonable chance of understanding what they’ve agreed to (they don’t have to exercise this chance - if I give you a contract and you sign it without reading it then that’s your fault, if I give you a contract and don’t let you read it until you’ve signed then that’s not binding) and have indicated agreement. Last time I checked, there was absolutely nothing in statute law in the UK or USA about what constitutes a valid signature, but there was a lot of precedent that a hand-written signature (especially a witnessed one) is a strong indication of a meeting of minds. I would love to see what happens when someone challenges DocuSign in court: we may find that a lot of ‘signed’ documents are not, in fact, legally binding.

                          1. 2

                            The US and UK both have statutes specifically to the effect that typing your name counts as a “digital signature”.

                            Of course this is much more easily forged and repudiated. In practice this makes them suitable only for what American lawyers call contracts of adhesion. In general those limit the liability of one party (usually a company), impose an obligation to pay fees on the other party, and often impose an arbitration clause. If identity of the consumer matters to the company, it can be verified separately from the signature.

                            Accordingly, the main remedy of the company is to cease supplying services, and they only really care about identity when there is a significant debt to be repaid, i.e. the main problem is identity theft. I haven’t followed what actually happens in identity theft cases, both in and out of court. In general the party suing on the contract has the burden of proving that the other party entered into the contract. So, interesting litigation on proof of identity around digital signatures is probably not looming, but if it does come around the background will be wildly and foreseeably inappropriate use of DocuSign-type signing.

                            1. 2

                              I forgot to mention that just before that part of our conversation, we had clearly established that by “digitally sign”, we meant to sign using the (cryptographic) client certificate issued by the government authority, which is used by everyone in the country who wishes to authenticate themselves to all of the government’s websites that need authentication (e.g. to pay taxes, to change your legal tax residence, to get your birth certificate, etc).

                              In fact, a few days before, I had already signed that document by doing what you mentioned: adding a scribble to the PDF, which I had hand-drawn with my finger on my smartphone. This was rejected by the judge, although I’d really be interested in knowing why, because I don’t think it was due to mismatched signatures (otherwise they either could’ve just asked me to repeat my signature, knowing perfectly well that I’m me and not someone else trying to forge my signature, or if they suspected I’m not me, they wouldn’t offer to send me the document by snail mail to an address of my choosing). My lawyer clearly said that alternatively, we could send the judge an original copy of the document with hand-drawn signatures by all parties (although this would be very inconvenient because I’m currently in a different country).

                              I understand what you mean by what is considered a legally binding contract, and I’m sure there are relatively similar laws in the countries I’ve lived in (although perhaps the specifics can be different).

                              But what is also interesting to me is that hand-drawn signatures don’t actually seem to mean anything in almost any context except if you interpret it as a symbolic act, or a mere formality. Why? Because nobody ever checks or rejects my signature, even though very often, I sign in very different ways. Nobody ever checks whether the signature matches my government ID, including lawyers and government clerks! Actually, that’s a lie: I’ve had my signature rejected a couple of times many years ago, in very absurd situations where they were forcing me to repeat drawing my signature several times until my new signature matched my old signature, in which I was actually allowed to look at my old signature to try and copy it as perfectly as possible (which is what I was trying to consciously do, unsuccessfully according to them). They were basically forcing me to forge my own signature.

                              There’s also the issue that my hand-drawn signature, including a copy of my government ID, has been sent to hundreds of parties over the years, including many private individuals and private companies, which they could just digitally copy or manually recreate to forge my signature if they wanted to (although of course, that’s illegal and they’d suffer severe penalties if caught in some other way).

                              Finally, because of the absurd/weird requests they made, it’s obvious to me that neither my lawyer nor the judge understand what guarantees a cryptographic signature gives you and I think, almost surely because of the similar name, that they just think it’s similar to a hand-drawn signature which you should do page by page. I mean, I don’t blame them, as they’re not technical people and these things can be hard to understand (even for many, if not most technical people).

                              But I sure think the government should have more strict standards regarding how digital signatures are used and accepted, given that although they don’t 100% guarantee it was you who signed the document, they do allow you to (and usually do) give you stronger guarantees than hand-drawn signatures, while making fewer assumptions and simultaneously being more convenient (especially if you’re physically far away).

                              Edit: Just a few weeks ago, someone also requested me to do something interesting: instead of adding a hand-drawn scribble of my signature to the PDF document in black (where the document’s text was in black), they told me the scribble needed to be in blue (?!).