If this is a paystub and I'm inserting false income data so I can fool a landlord into thinking I make more money than I do so he'll feel comfortable renting me one of his nice apartments, the watermark will be far more effective than the sig at stopping me from tampering.

Agreed. It is shocking how little people actually leverage cryptographic signatures for basic security or non-repudiation purposes. And it seems that they few times they do use it, they get tunnel vision and believe that the only purpose is for XML documents. Worse yet is when they reinvent the square wheel.

NG,

While it is true in that one case the watermark will be the first "go to", signing goes far beyond protecting the issuer. It actually will serve non-repudiation purposes and actually protect both parties. The signer is protected by a proof that the information was unaltered (say giving yourself a 50% payraise) but in turn it protects the holder as they have proof that they did have the paystub (which is handy in labor disputes)

Are you talking about encrypting the file or actually watermarking the image with the key?

At first this looks brilliant - without knowing the private key we can't fake the signature, and anyone having access to well-known public key can verify that signature. But there are some problems making digital signature difficult to use in paper documents:

• there's no standard procedure for computing the hash of document content

• It's impossible to do manually, and in order to automate it you would have to digitalize the document (advanced OCR?) or re-type the document into some text file, normalize it and calculate the signature. Errors would be inevitable.

• I doubt any judge (assume a 50-60 years old man with gray hair) would believe that some series of random characters is a proof of document authenticity, they would have to trust some organization to perform the validation

Anyway, I really would like our lawmakers to notice that paper documents, manual signatures or rubber stamps are totally worthless as a security measure in the era of high quality scanners and Photo Shop. Digital documents are much easier to secure and can be automatically verified without forensic analysis.

I'd just generate a new watermark and replace the original with the new one in photoshop.

I like your idea, but it is no more secure, just a bit more work.

Rafal,

You don't have to compute a hash for the document, only the data that's subject to be altered.

In this example you only have to make an hash of the numbers. The hash will prove that the numbers are changed or not. You can explain and show this to a judge, without any problem.

The second link is broken.

If you used the crypto signature to generate a 2d "bar" code like QR code ( http://www.codeproject.com/KB/cs/qrcode.aspx), you'd have something that can be put on the page and easily pulled up with a camera phone or other handheld device.

Depending on how much data you need to verify, you could put the hash along with the data itself right into the 2d code. Many of the formats will hold a reasonable amount of data.

Or, put a URL and the hash in the code and have the QR code essentially pull up a verification page that retrieves and verifies the hash as genuine.

@Remy: you have to compute the hash of entire document if you want to prove its integrity. Otherwise the numbers + signature might just be copied from another person's document.

@J.Wynia You need the actual content of the document in digital form, not only its signature, to verify it. So the QR will not help much. The problem is to prove that what the reader sees hasn't been modified, so in case of paper documents the verification path must contain 'reading' the paper - with someone's eyes or with an OCR.

@Rafal: I am talking about a user senario where only the data on the printed document is important, not the exact placement and layout of the document.

If the numbers are bound to a person, than I would hash the numbers + person. If I need the numbers + person + date to be bound, then I would hash that. I only have to validate the data on the document, not the layout or placement on the document.

That is exactly what I recommended when someone came up with this question some time ago on StackOverflow or some mailinglist I think.

That's how my University (University of Klagenfurt) handles it's exam results you can print out yourself.

(As students we frequently need to show some legal paper to authorities about what grade we have etc).

And the solution our University has is to simply put a signature URL in the bottom of every printout that will lead you to the online version of every PDF you download.

Tamper with the data and anyone can still display the original form by typing in the URL from the paper.

That's also obviously more tamper-resistant since even casual users could verify the content of a document (not just the signer who knows what data went into the signature)

greetings Daniel

I was actually going to suggest what J Wynia suggested, using the income data to create the 2d barcode.

If you were to lift it i would assume you get the income values, and could easily match that against the income on the payslip. If they differ, it's been tampered with.

Yet another case of Shit's Easy Syndrome.

Ah okay, I thought it was just signed with an MD5 hash or something.

Hi Ayende,

Interesting solution - and from a legal point of view, something which we will probably consider. The way the law stands, we can provide a simple payslip with no checksums, watermarking or anything - however the thinking (by our customers) is that anything we can do to "discourage" tampering would be good, rather than proving if someone tampered with the data or not.

Of course, a determined user might just fake a payslip in Photoshop or remove the verification URL altogether; to the casual observer (mortgage advisor, bank clerk or whatever) the payslip looks genuine.

I think the real issue stems from the fact that almost every Employer provides different payslips - there is so single type (if there was, determining a fake would be easier), and there is no central repository for verifying authenticity. However, saying that, the work that I'm looking into would affect some 100,000 people, so there is a good chance to provide a standard, verifiable payslip format. I do suspect that the electronic payslip will be left out of version 1.0, for better or worse.