Design File Locking and Snake Oil Security

The increased sharing of electronic CAD data (ala BIM) holds a lot of promise, but it also exposes companies and individuals to additional liability and risk. This additional risk is coming into focus more and more as actual cases of costly legal battles confront engineers and architects.

The June 2008 AUGI wishlist results contain “Design File Locking” as the top wish by a substantial margin, and Shaan Hurley lists it as number 3 in the AU 2008 AutoCAD wish list. Clearly, interest in file and IP security has been growing steadily.

As demand for IP security grows, there are sure to be snake oil security vendors trying to cash in on it. I received a spam email a few days ago from SafeNet, Inc. promising “a cost-effective and easy to integrate solution that provides reliable and effective security through the use of digital signatures.” Whenever I see such statements with a long string of buzzwords, my snake oil alarm goes on alert. Digital signatures are for authentication and establishing trust — they cannot and do not provide “reliable and effective security”, although I suppose they could be used by a system that does.

In the last year or two, a number of companies have claimed to market software that “secures” AutoCAD DWG files. When I see such a claim, it invariably refers to software that creates an anonymous unequally scaled MINSERT entity. These can be created or “exploded” with a few lines of AutoLISP code. Frequently these companies claim to “encrypt” the drawing, which may sound sexy, but is an outright lie. If this is a level of “security” that meets your needs, at least use one of the many free versions posted throughout the internet (DETER.VLX from DotSoft is one I know of).

There are solutions, but they always require changes in the workflow process that involve difficult tradeoffs and careful evaluation of what is technically feasible and practical versus the costs of implementing the changes. There is no such thing as installing a single piece of software to instantly solve the problem. If you are looking for ways to protect intellectual property in your drawing files, don’t be fooled by snake oil security vendors.

Disclaimer: One of my hats is the president of CADLock, Inc., makers of CADVault for AutoCAD.

Digital Signatures: Under the Hood

The basic requirements of a digital signature are that it must uniquely identify the signatory, it must be independently verifiable, and it must be invalidated if the signed data has changed. To understand how these objectives are achieved, let’s start with the foundation of modern digital signature technology: public key encryption and the public key infrastructure, or PKI.

In public key encryption, a “key pair” consists of two parts: a public key and a private key. In simplistic terms, the public key is mathematically derived from the randomly generated private key using an algorithm known as a “one way function”. A one way function makes it easy to calculate a public key if the private key is known, but extremely difficult to deduce the private key if the public key is known. The end result is a secret private key and an openly shared public key that are mathematically related in such a way that the public key can be used to decrypt data that was encrypted with the private key, and the private key can be used to decrypt data that was encrypted with the public key.

This interesting property of such a key pair gives rise to a number of useful capabilities. In the case of digital signatures, the act of signing data is essentially nothing more complicated than encrypting the data with a private key. If the data can be decrypted successfully with the signer’s public key, then only the signer’s private key could have been used to do the encrypting. In practice, this process is simplified so that the signer encrypts only a secure hash, or checksum, of the data to be signed. The recipient then calculates the hash from the raw data and compares the result with the “signed” hash after it is decrypted. If the values match, the digital signature and data are validated.

For this process to work properly, there need to be standard ways to package information about the algorithms used, and to provide important information about the keys themselves. This need is fulfilled by digital certificates. A digital certificate is a file or block of memory containing a public key along with ancillary data about the key and its owner. The certificate is itself digitally signed by the entity, usually a mutually trusted third party, that issued the certificate. This enables users to verify that the public key is valid and trustworthy.

A digital ID is the private key component of a key pair. Normally the private key is not stored together with the public key, but instead is stored in a separate physical location for security, usually requiring a password to access it. A key manager maintains links between the digital certificate and its associated private key. In many cases, it is convenient to use the term “digital ID” to mean both the public and private keys, even though they are physically separated.

It is almost always a good idea to time stamp digital signatures. Time stamping involves sending the digital signature to a time stamp authority, who then creates and returns a digitally signed time stamp that is uniquely and securely associated with the original digital signature. The time stamp can then be verified by third parties in the future by using exactly the same technique used to verify a digital signature.

I think these important terms deserve a review. A “digital certificate” is a public key, which is itself digitally signed by a mutually trusted third party. Your digital certificate represents your public digital identity, and it should be made freely available to anyone who wants or needs it. A “digital ID” is a digital certificate and the private key associated with the digital certificate. It isn’t difficult to create your own self-signed digital ID, but a digital ID is only as good as the issuing authority that signs it. When you purchase a digital ID from a third party like VeriSign or Thawte, their reputation makes your digital ID more trustworthy.