SHA-1 Perspective, minus two
George Ou makes two very reasonable paragraphs worth of analysis of the cracking of the SHA-1 hash algorithm used by many digital signature products. He's absolutely correct that "the finding of a hash collision" [ed: a method of finding a shortcut that identifies the key used to encrypt a document] "does not mean the end of the world if your current security products use the SHA-1 hashing algorithm." He's also correct that because you can crack an SHA-1-generated digital signature does not mean you could substitute a falsified document with the same signature with any ease. MD5, a companion algorithm from RSA Data Security, was cracked at least two years ago without any disruption of well-managed systems using that algorithm.
George should have stopped there, because those are the facts of the matter and he is right that we need to keep this cryptological feat in perspective. Instead, he goes on to add two spurious points that a.) ignore the reality that increasingly complex technology raises the standards of evidence when they are used, and b.) inject a political spin on his examples that would support an increasingly isolationist approach to the evolution of U.S. law.
First, George says:
The problem is that lawyers can certainly try to use the argument that SHA-1 is flawed and juries and even courts have proven to be extremely gullible in the past regardless of what science says. Take the infamous case of the "MD5 defense".
Lawyers, as I am explaining in my current series of postings on trying to reach new shared frameworks for understanding legal principles in the digital age, find changes in, and break, the system whenever they can. That is their job, because it leads to ongoing repairs of the system as it ages and falls out of relevance. Not all of that is for the good, but it has a purpose.
In George's example, he cites one court in Sydney, Australia, throwing out a speeding ticket because the state could not prove its traffic cameras were secure.
When you add digital signatures for extra security, presumably raising the bar in terms of the evidentiary value of a photograph produced by a system, you also have to accept a higher standard of IT management. The challenge to the Sydney system was one that, had the new cameras with their digital signatures been implemented correctly, should have been easy to respond to, but like many things in the legal infrastructure it was botched. An IT process for managing keys and confirming the accuracy of digitally signed photographs periodically would have erased the objection to the veracity of the photographic evidence.
In short, IT people became part of the process of collecting evidence and needed to understand key management and put in place a system for demonstrating their competence. They didn't, and the court, presented with a lack of evidence that the photo was forced to toss the speeding conviction. It was hardly an infamous case, it was the law and technologists catching up to new technology, as the magistrate made clear in the article George points to: "What I'm advised occurred was that a lawyer acting on our behalf indicated he'd only been briefed the day before and he wasn't in a position to proceed."
George then makes silly statements that the defense hadn't "proved any actual tampering by the police or explained how hash collisions could possibly be used to fake photographs," ignoring that it is the prosecution that has to answer these questions while the defense merely needs to George should have stopped there. Those are the facts of the matter and he is right that we need to keep this cryptological feat in perspective.raise a reasonable doubt. Look at what the magistrate, who you call "ignorant," said, George: "a lawyer acting on our behalf indicated he'd only been briefed the day before and he wasn't in a position to proceed." He's not stupid, he just knows the law requires answers to inconvenient questions raised by new technology.
Finally, George projects this case into the United States, without citing any situation where it has actually been mentioned by a U.S. court, to make the case that our legal system is lacking sanity, despite the determined efforts of Associate Justice Antonin Scalia to inject his own brand of sanity. The reason? Well, George says "The problem is that the US Supreme Court recently cited a foreign legal precedent though not without protest from Justice Scalia and other constitutionalists." Insane!
Unfortunately, citing foreign decisions is neither rare, actually having increased under recent Conservative-led courts, nor bad for the law of the United States, which is intricately tied up with international law and the contending national juridical systems around the globe (here's the U.S. Library of Congress' guidelines for citations to international and other non-U.S. rulings). Some interaction between U.S. and "foreign" law is inevitable and necessary if we are to find legal bases for the fast-evolving global marketplace. Steven G. Calabresi and Stephanie Dotson Zimdahl of the Northwester University School of Law say in The Supreme Court and Foreign Sources of Law:
The use of foreign sources of law is often thought to be an issue that creates a clear division between conservative and liberal justices on the Supreme Court. This is due, in part, to the strong opposition to the use of foreign sources of law in constitutional adjudication of two conservative Supreme Court Justices, Justices Scalia and Thomas, and the loud resistance of many conservative commentators and politicians. However, this is not an issue that necessarily divides quite so neatly along political lines. Chief Justice Rehnquist, though he did join Justice Scalia's dissents in Lawrence v. Texas and Simmons v. Roper, once stated that now that constitutional law is solidly grounded in so many countries, it is time that the United States courts begin looking to the decisions of other constitutional courts to aid in their own deliberative process. Moreover, as we discuss below, Chief Justice Rehnquist is the author of a major opinion in the assisted suicide case, Washington v. Glucksberg, which cites and discuss how the practice of assisted suicide has led to abuses in the Netherlands. Justices Scalia and Thomas joined Glucksberg without commenting on its citation to foreign legal practices on assisted suicide.
And, later in the article: Our analysis of the Court's practice leads us to several conclusions. First, we believe those who say the Court has never before cited or relied upon foreign sources of law are clearly and demonstrably wrong. In fact, the Court has relied on such sources to some extent throughout its history. Second, the Court has, however, cited foreign sources of law with much more frequency in far more important constitutional cases in recent years, as Justice Scalia has suggested, and in addition the Court has tended to cite foreign sources of law in some of its most problematic opinions such as Dred Scott, Reynolds, and Roe v. Wade. This suggests Scalia is right to be wary of the Court's new trend in this direction.
George's scenario assumes the dreaded "MD5 defense" can show up as a positive precedent for throwing out digital signatures, but it could as easily appear in a U.S. ruling as a negative precedent supporting George's position, that use of technology opens the courts to abuse of loopholes and gaps in knowledge created by new technology, but the problem would still be the same: New technology requires the state be prepared to back it up with solid IT practices that refute any reasonable doubt of the authenticity of the evidence. That court in Australia was right to demand a higher standard of evidence because of the new technology.
Thinking that the United States can evolve its legal system in isolation from the world and without any increased accountability on the part of IT professionals who are gathering evidence using new technologies is the insane idea in George's article. But he's correct that the SHA-1 cracking is not the end of the world for people using this technology—as long as they practice sound key management and regular monitoring of performance.
That's all the perspective we need. Leave the Constitutionalist spin out of it.