Outside The Box

Random thoughts about AutoCAD, ObjectARX, and the meaning of life.
All Original Content Copyright 2006 - 2008 Owen Wengerd, All Rights Reserved

From a new features overview of Autodesk Design Review 2010 comes the following snake oil claim:
Digital Signatures
To help secure your data, you can now digitally sign DWFx files.


As I've explained before, digital signatures do not provide data security; they simply authenticate the person that applied the signature. Digital signatures are a welcome feature with many potential uses, but data security is not one of them.


The basic requirements of a digital signature are that it must uniquely identify the signatory, it must be independently verifiable, and it must be invalidated if the signed data has changed. To understand how these objectives are achieved, let's start with the foundation of modern digital signature technology: public key encryption and the public key infrastructure, or PKI.

In public key encryption, a "key pair" consists of two parts: a public key and a private key. In simplistic terms, the public key is mathematically derived from the randomly generated private key using an algorithm known as a "one way function". A one way function makes it easy to calculate a public key if the private key is known, but extremely difficult to deduce the private key if the public key is known. The end result is a secret private key and an openly shared public key that are mathematically related in such a way that the public key can be used to decrypt data that was encrypted with the private key, and the private key can be used to decrypt data that was encrypted with the public key.

This interesting property of such a key pair gives rise to a number of useful capabilities. In the case of digital signatures, the act of signing data is essentially nothing more complicated than encrypting the data with a private key. If the data can be decrypted successfully with the signer's public key, then only the signer's private key could have been used to do the encrypting. In practice, this process is simplified so that the signer encrypts only a secure hash, or checksum, of the data to be signed. The recipient then calculates the hash from the raw data and compares the result with the "signed" hash after it is decrypted. If the values match, the digital signature and data are validated.

For this process to work properly, there need to be standard ways to package information about the algorithms used, and to provide important information about the keys themselves. This need is fulfilled by digital certificates. A digital certificate is a file or block of memory containing a public key along with ancillary data about the key and its owner. The certificate is itself digitally signed by the entity, usually a mutually trusted third party, that issued the certificate. This enables users to verify that the public key is valid and trustworthy.

A digital ID is the private key component of a key pair. Normally the private key is not stored together with the public key, but instead is stored in a separate physical location for security, usually requiring a password to access it. A key manager maintains links between the digital certificate and its associated private key. In many cases, it is convenient to use the term "digital ID" to mean both the public and private keys, even though they are physically separated.

It is almost always a good idea to time stamp digital signatures. Time stamping involves sending the digital signature to a time stamp authority, who then creates and returns a digitally signed time stamp that is uniquely and securely associated with the original digital signature. The time stamp can then be verified by third parties in the future by using exactly the same technique used to verify a digital signature.
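The hash-then-sign check and the time stamp described above, worked through in Python as an added example (not code from this blog or from any product it mentions). The key pairs, function names and sample drawing text are constructed for illustration; the RSA is unpadded textbook arithmetic on toy keys, and the time stamp is a simplified countersignature over the signature plus a time string. The signed data itself is never encrypted: the signature travels alongside data that stays readable.

```python
import hashlib

def toy_key(p, q, e=65537):
    """Build a constructed toy RSA key pair: returns (public, private)."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

# Constructed keys from Mersenne primes: unpadded, far too weak for real use.
SIGNER_PUB, SIGNER_PRIV = toy_key(2**127 - 1, 2**521 - 1)
TSA_PUB, TSA_PRIV = toy_key(2**89 - 1, 2**607 - 1)

def digest(data):
    """Secure hash of the data as an integer (always smaller than n here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, priv):
    """Signer: apply the private key to the hash only, not to the data."""
    d, n = priv
    return pow(digest(data), d, n)

def verify(data, signature, pub):
    """Recipient: recover the signed hash with the public key and compare
    it with a hash calculated from the raw data."""
    e, n = pub
    return pow(signature, e, n) == digest(data)

def timestamp(signature, when, tsa_priv):
    """Time stamp authority: sign the signature together with the time."""
    return sign(f"{signature}|{when}".encode(), tsa_priv)

def verify_timestamp(signature, when, token, tsa_pub):
    """Third party: same check as verify(), using the authority's public key."""
    return verify(f"{signature}|{when}".encode(), token, tsa_pub)

if __name__ == "__main__":
    drawing = b"DWFx sheet 1: wall length 12.50 m"   # constructed sample data
    sig = sign(drawing, SIGNER_PRIV)
    token = timestamp(sig, "2009-03-01T12:00:00Z", TSA_PRIV)
    tampered = drawing.replace(b"12.50", b"21.50")
    print("original verifies:", verify(drawing, sig, SIGNER_PUB))
    print("tampered verifies:", verify(tampered, sig, SIGNER_PUB))
    print("time stamp verifies:",
          verify_timestamp(sig, "2009-03-01T12:00:00Z", token, TSA_PUB))
```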

I think these important terms deserve a review. A "digital certificate" is a public key, which is itself digitally signed by a mutually trusted third party. Your digital certificate represents your public digital identity, and it should be made freely available to anyone who wants or needs it. A "digital ID" is a digital certificate and the private key associated with the digital certificate. It isn't difficult to create your own self-signed digital ID, but a digital ID is only as good as the issuing authority that signs it. When you purchase a digital ID from a third party like VeriSign or Thawte, their reputation makes your digital ID more trustworthy.


The title sums up the puzzling conclusion in a recent 6th Circuit Court of Appeals ruling (CA6 Grusenmeyer Decision.pdf) in a decision about a copyright infringement claim filed by Cleveland architect Jeffrey Grusenmeyer.

Grusenmeyer had contracted to provide a "master plan" for Magnificat High School. The master plan was provided to Magnificat in hardcopy format, Magnificat paid the architect $15,000 as agreed in the contract, and the project was apparently concluded. Some time later, a Magnificat facility manager requested DWG files for "personal use". Grusenmeyer asserted at the time that he retained all rights to the DWG files but agreed to provide them on the condition they only be used internally and not be further distributed.

Fast forward to the eventual "request for proposal" for an anticipated new building at the school. Upon request, Magnificat provided the Grusenmeyer files to the defendants (a competing architectural firm), who then used portions of the files in their winning proposal. The defendants were aware that Grusenmeyer claimed copyrights to the files, but they used the files anyway. The appeals court notes that "[a]ccording to the individual DSC architects, such reliance on drawings of existing conditions is routine in the industry."

In affirming the district court's summary judgement in favor of the defendants, the appeals court noted that the contract between Grusenmeyer and his client (Magnificat High School) provided that Grusenmeyer would "provide a master plan for the implementation of the capital improvements program, including plans, renderings, and perspectives suitable for use in presentation and future reference during master plan implementation." They concluded that this "plain language" gave Magnificat permission to send the AutoCAD DWG files to Grusenmeyer's competitor.

The district court had previously ruled that Grusenmeyer's drawings were not sufficiently original to warrant copyright protection, but the appeals court did not address the copyrightability issue at all, dismissing the infringement claim out of hand with their opinion that Grusenmeyer had already given Magnificat carte blanche copyrights to the files vis a vis the quoted clause in their contract -- even though the files were never provided as part of the contract!

I think the court erred in determining that the DWG files were subject to the terms of the master plan contract (its incorrect interpretation of the contract notwithstanding), but what I find really surprising in the ruling is the appellate court's complete disregard of the plaintiff's claimed and federally registered copyrights.

The moral of the story
If you are providing electronic files, don't rely on copyright law alone to protect your intellectual property. This case reinforces the 3 C's for protecting AutoCAD DWG files: copyright, contract, and CADLock.

Update
William Patry (Senior Copyright Counsel, Google Inc.) writes about this case at The Patry Copyright Blog: Make Sure the Contract is Signed.


If you were at AU this year, you may have seen some of my take5 and AUGI friends wearing blue T-shirts with this tag line on the back. This year my CADLock compatriots (Dietmar Rudolph of Germany and Steve Johnson of Australia) were both at AU, so we decided to have a little fun with this protection theme. We brought some "protection" to go along with the shirts (no, those little matchbooks did not contain matches).

Now that you're back home, I hope you'll take a few minutes to learn how to protect your AutoCAD drawings. You can download CADVault for AutoCAD from the CADLock web site and run it in fully functional evaluation mode to see for yourself how CADVault can securely lock your AutoCAD drawing content.

Help fight IP theft: practice safe CAD!
