The increased sharing of electronic CAD data (ala BIM) holds a lot of promise, but it also exposes companies and individuals to additional liability and risk. This additional risk is coming into focus more and more as actual cases of costly legal battles confront engineers and architects.

The June 2008 AUGI wishlist results contain "Design File Locking" as the top wish by a substantial margin, and Shaan Hurley lists it as number 3 in the AU 2008 AutoCAD wish list. Clearly, interest in file and IP security has been growing steadily.

As demand for IP security grows, there are sure to be snake oil security vendors trying to cash in on it. I received a spam email a few days ago from SafeNet, Inc. promising "a cost-effective and easy to integrate solution that provides reliable and effective security through the use of digital signatures." Whenever I see such statements with a long string of buzzwords, my snake oil alarm goes on alert. Digital signatures are for authentication and establishing trust -- they cannot and do not provide "reliable and effective security", although I suppose they could be used by a system that does.

In the last year or two, a number of companies have claimed to market software that "secures" AutoCAD DWG files. When I see such a claim, it invariably refers to software that creates an anonymous unequally scaled MINSERT entity. These can be created or "exploded" with a few lines of AutoLISP code. Frequently these companies claim to "encrypt" the drawing, which may sound sexy, but is an outright lie. If this is a level of "security" that meets your needs, at least use one of the many free versions posted throughout the internet (DETER.VLX from DotSoft is one I know of).

There are solutions, but they always require changes in the workflow process that involve difficult tradeoffs and careful evaluation of what is technically feasible and practical versus the costs of implementing the changes. There is no such thing as installing a single piece of software to instantly solve the problem. If you are looking for ways to protect intellectual property in your drawing files, don't be fooled by snake oil security vendors.

Disclaimer: One of my hats is the president of CADLock, Inc., makers of CADVault for AutoCAD.

Labels: AU 2008, CADLock, CADVault, digital signature, encryption, legal, security

The basic requirements of a digital signature are that it must uniquely identify the signatory, it must be independently verifiable, and it must be invalidated if the signed data has changed. To understand how these objectives are achieved, let's start with the foundation of modern digital signature technology: public key encryption and the public key infrastructure, or PKI.

In public key encryption, a "key pair" consists of two parts: a public key and a private key. In simplistic terms, the public key is mathematically derived from the randomly generated private key using an algorithm known as a "one way function". A one way function makes it easy to calculate a public key if the private key is known, but extremely difficult to deduce the private key if the public key is known. The end result is a secret private key and an openly shared public key that are mathematically related in such a way that the public key can be used to decrypt data that was encrypted with the private key, and the private key can be used to decrypt data that was encrypted with the public key.

This interesting property of such a key pair gives rise to a number of useful capabilities. In the case of digital signatures, the act of signing data is essentially nothing more complicated than encrypting the data with a private key. If the data can be decrypted successfully with the signer's public key, then only the signer's private key could have been used to do the encrypting. In practice, this process is simplified so that the signer encrypts only a secure hash, or checksum, of the data to be signed. The recipient then calculates the hash from the raw data and compares the result with the "signed" hash after it is decrypted. If the values match, the digital signature and data are validated.

For this process to work properly, there need to be standard ways to package information about the algorithms used, and to provide important information about the keys themselves. This need is fulfilled by digital certificates. A digital certificate is a file or block of memory containing a public key along with ancillary data about the key and its owner. The certificate is itself digitally signed by the entity, usually a mutually trusted third party, that issued the certificate. This enables users to verify that the public key is valid and trustworthy.

A digital ID is the private key component of a key pair. Normally the private key is not stored together with the public key, but instead is stored in a separate physical location for security, usually requiring a password to access it. A key manager maintains links between the digital certificate and its associated private key. In many cases, it is convenient to use the term "digital ID" to mean both the public and private keys, even though they are physically separated.

It is almost always a good idea to time stamp digital signatures. Time stamping involves sending the digital signature to a time stamp authority, who then creates and returns a digitally signed time stamp that is uniquely and securely associated with the original digital signature. The time stamp can then be verified by third parties in the future by using exactly the same technique used to verify a digital signature.

I think these important terms deserve a review. A "digital certificate" is a public key, which is itself digitally signed by a mutually trusted third party. Your digital certificate represents your public digital identity, and it should be made freely available to anyone who wants or needs it. A "digital ID" is a digital certificate and the private key associated with the digital certificate. It isn't difficult to create your own self-signed digital ID, but a digital ID is only as good as the issuing authority that signs it. When you purchase a digital ID from a third party like VeriSign or Thawte, their reputation makes your digital ID more trustworthy.

Labels: digital signature, encryption, protection

For many, the word "encryption" has a mysterious quality that invokes images of math virtuosos in secret bunkers working feverishly during wartime to break the enemy's coded communications. My first exposure to encryption came in 1996 when I began working with Paul Kohut on the first version of CADLock software for locking AutoCAD drawing files. After overcoming my initial struggle to understand the terminology and get a handle on the mathematics behind encryption, I realized that it wasn't nearly as mysterious and complicated as it first appeared.

I knew it would take a long time for encryption terminology to become standardized and commonly understood by laypersons. From the first days of CADLock, we recognized that the key to success for our software was going to be our ability to educate consumers about our technology, it's possibilities and its limitations, its strengths and its weaknesses, what it could do and what it could not do. I felt that we needed to be realistic and patient while we waited for the market to catch up with our technology at its own pace. In the meantime, we needed to resist any temptation to needlessly bandy about sexy buzzwords like "encryption" lest we delay our mission by further muddying the waters in an already crowded ocean of technical jargon.

This recognition of the need for patience and perseverance has led me on a personal crusade to prevent encryption terminology from being perverted or hijacked by overeager marketing departments and uninformed experts. I've also tried to nudge the learning process along by adding my two cents whenever the opportunity arises. With this last goal in mind, I have prepared the following three part essay about digital signatures, tailored for the CAD industry. This is not written to academic standards, nor do I claim to be the final authority on the subject. Let me be clear about my agenda: I hope that furthering the common understanding of encryption related technology such as digital signatures will indirectly help sell more CADLock software!

Labels: CADLock, digital signature, encryption