The ABC's of Authentication   
A is for Atom, B is for Bit and  
C is for Care 
David G. Masse 
© 1997
Text of a background paper presented by the author at a national summit conference held under the auspices of the Canadian Association of Law Libraries ("CALL") in Toronto on * 1997 and published with the Summit proceedings on CALL's Web site at: 
Canadian Association of Law Libraries
Summit 97
Background Paper(1)
on Authentication
David G. Masse(2)
The ABC's of authentication
A is for Atom
B is for Bit
C is for Care
    [1]  Atoms are atoms

    [2]  Everything one needs to know for survival and prosperity in the brave new information age is subsumed in the title of this paper. It bears a little explanation however.

    [3]  If the reader is reading these words as ink printed on paper, the reader is having an analog experience. The analog information world is by and large the world we know, and it is a world of atoms. Both the ink and the paper used to convey the information you are reading are very real and tangible. They have a physical presence which will not be denied. They are constituted of atoms. Analog methods are the methods the world has grown accustomed to since the dawn of human civilization.

    [4]  If the reader is reading these words from a computer screen, the reader is having a digital experience. The digital experience, like the word "digital" itself, has only been with us a very, very, short time. It has been with us long enough however, that it needs to be explained in order to be properly understood.

    [5]  There has been no shortage of "digital" things in our lives. The first digital products were digital clocks. They made their appearance in the late sixties and early seventies in clock radios and kitchen stoves. Later, in the mid-seventies, we were able to buy digital watches. Truly marvels of modern science. Somewhat later, digital watches became commonplace. Soon, every consumer product known to mankind was striving to proclaim that its new and improved incarnation was digital in some way.

    [6]  All of those 'digital' products indeed heralded a new world, but most were only superficially digital. The real impact of digital technology did not really make itself felt until the mid to late eighties when digital information began to be commonplace. The compact disc ushered digital sound into our homes and the personal computer, successor to the 'home computer', introduced digital information first into our offices, and then into our homes. It is this use of the word 'digital' that we really need to understand in order to appreciate the changes taking place in the world around us.

    [7]  In order truly to appreciate the impact of digitization, it is essential to understand the analog information paradigm.

    [8]  In the analog world we know, the purpose for which information is designed always dictates the form the information takes. Thus, the need to distribute the news daily in printed form, quickly, in large volume, cheaply, and over a relatively large geographical area, inevitably gives rise to the newspaper format which is universally known and used for that purpose. On the other hand, when the time constraint is somewhat more relaxed, when deadlines are monthly, more time and attention can be brought to the presentation and delivery of the information, and we then witness the phenomenon of the magazine. Once again the magazine format is a universal format for the publication of information. When conservation over long periods of time is thought to be necessary and the document is to be prepared by a diverse group of people, filed and stored, the requirement gives rise to the 'deed' format which was traditionally, and in large measure still is, used in real property conveyancing.

    [9]  In this sense, Marshall McLuhan was right when he expressed his now famous thought to the effect that the "medium is the message".(3) In the analog word, the information we convey is inescapably tied to the medium in which it is expressed and the two are therefore inextricably bound together.

    [10]  The notion of the essential originality of documents is a manifestation of the molecular bond between information and the medium in which it is expressed. The originality of any given document is that which we rely upon to authenticate the information it contains. The most striking examples of this are of course bank notes. Paper currency as we know it exploits a number of physical traits of paper and ink so as to authenticate the intrinsic value which the bank note represents. The atoms, which comprise the document, attest to its authorship and hence to its authenticity.

    [12]  Applied to legal information, the analog authentication paradigm works in the following way: law reports are prepared and published by reliable sources such as private and government-owned legal publishers, for the most part type-set, printed in large numbers, and bound in volumes distributed to hundreds of law libraries operated under the authority of university law faculties, bar associations, government ministries and law firms. The act of locating information concerning a given judgment of the Supreme Court of Canada, in a bound volume of the Supreme Court Reports, in a law library, automatically authenticates the information contained on the pages. No one is going to question in a serious way the provenance or truth of the report. This is so because the act of systematically assembling the information, binding it to so many atoms of paper using complicated and expensive processes, and then distributing those atoms from coast to coast and beyond, can only be accomplished under the watchful eye of the Canadian legal establishment. While it would be possible for a mean-spirited individual to forge a volume of Supreme Court Reports quite effectively, it would not be possible to replace all the volumes likely to be consulted in the context of a given case. The analog process, therefore, automatically authenticates the content of the law report.

    [13]  Bits are bits
      [58]  While the foregoing example simplifies the processes used in public key cryptographic techniques in use today for authenticating data in open networks, it accurately sets forth the basic mechanisms at play in authenticating data.

    [59]  Public Key Infrastructures

    [60]  In order to perform their authentication magic, public key cryptography and digital signatures must rely on the existence of an infrastructure designed to permit public keys to be widely disseminated with a high degree of assurance. Digital signatures work very effectively to authenticate digital records in otherwise insecure environments. In order to work well however on a large-scale basis, it is necessary for all users to know, with a relatively high degree of assurance, the public keys of the persons with whom they wish to exchange authenticated data. Without reliable access to the author's public key, there is simply no way to verify a digital signature.

    [61]  Public key infrastructures (or simply "PKI") are the amalgam of software, standards and institutions which, taken together, allow for the dissemination of the encryption software and the dissemination and management of public keys. It is beyond the scope of this paper to explain in detail the functioning of public key infrastructures(7) or to mention all of the companies which offer public key infrastructure related products. The description which follows is merely intended to give a rough idea of the breadth of the implementation of this technology at this time.

    [62]  Reduced to its simplest expression, a public key infrastructure comprises the following:

    [70]  Primary examples of public key management services are those offered in the United States(18) by BBN,(19) Certco,(20) CivicLink(21) (a US government service operated by AmeriTech), Cybertrust ,(22) GTE,(23) IBM,(24) NetDox,(25) Open Market Inc.,(26) Terisa Systems,(27) and Verisign.(28) In Canada, the Stentor alliance of telecommunications companies(29) offers public key management services under the name OnWatch.(30). Xcert Software Inc.(31) also provides public key management services in Canada under the name Sentry CA.(32) In Europe public key management services are offered by COST in Sweden,(33) by EuroSign(34) and by R3 (r³ Security Engineering AG).(35)

    [71]  It is important to consider that the software industry and the community of major software users, including government and large corporations, are very much committed to the development and deployment of public key infrastructures. Examples of this commitment on the part of state governments in the United States can be seen on the PKI website operated by the State of Masschusetts.(36) In Canada, the development and deployment of PKI was stated as a key recommendation of the federal information highway task force. The Information Highway Advisory Council established by Industry Canada to make recommendations in relation to the deployment of the information highway in Canada, recommended to the minister of Industry that measures be taken to establish public key infrastructures in Canada.(37) The Canadian government is currently implementing a public key infrastructure based on Nortel's Entrust application.(38)

    [72]  Other data authentication methods

    [73]  Digital signatures are not the only technique by which data can be authenticated. Other technology exists as well. For example, there is the technique of the electronic signature, which is software designed to allow the user to manually sign a digital record using a stylus on a pen-enabled computer screen or on a digitizing tablet. Such systems use biometric techniques to analyze the handwritten signature so as to obtain a measure of its unique attributes. The digital record, the digitized image of the manual signature, the user's identity profile and the handwriting analysis are then bound together using cryptographic techniques so that the user's signature, their profile and their signature authenticate the document.(39)

    [74]  There are also weak authentication systems which, for lack of a better expression, may be referred as digital paper.(40) The technique in digital paper systems, is to replace the binary file containing the information in machine and human readable form (i.e. a binary ASCII, desktop publishing or word processing format file) with an image of the document identical to the image created when the document is printed using the application with which it was produced. Digital paper provides a tamper resistant envelope for digital information in the sense that it would not be a trivial exercise to alter the digital record so as to change the message "a,b,c" to read "c,b,a". Some degree of authentication is thereby provided. Nothing of course prevents the digital record from being completely replaced by a forgery, in the same way that a paper record can be forged. Such systems serve a very useful purpose, particularly where it is important to transmit the exact equivalent in digital form of a paper record, but they do not in and of themselves satisfy an authentication function.

    [75]  In the end, all data authentication techniques must come to rest on some form of encryption, whether the encryption is formal encryption as in symmetric or asymmetric encryption techniques, or informal in the sense that any binary file in a proprietary format can be said to be 'encrypted' because it necessitates the recipient having a 'key' in the shape of the software capable of reading the file format.

    [76]  At the present time, the most robust, scalable, and effective means for authenticating digital records is that of the digital signature and its related applications.

    [77]  A word about digital watermarking

    [78]  Digital watermarking describes a series of digital techniques designed to address another problem associated with the malleability and lack of originality which are the hallmarks of digital records.

    [79]  Digital watermarking imbeds within a digital record a substream of information which tends to identify the origin or authorship of a digital record. Digital watermarking does not, in and of itself, really address the issue of the integrity or authenticity of a digital record. It does not authenticate the document because it does not create a reliable and verifiable link between the identity of the author of the digital record and the digital record itself as is the case with digital signatures employed in a public key infrastructure. A digital watermark is so difficult to separate from the content it marks that economically it is not worth doing. Nothing however precludes forged watermarks from being created. While the digital watermark may therefore provide a powerful tool for the protection of intellectual property in digital records, it is not really suited to authenticating content per se.

    [80]  Depending on the technique employed (and there are several techniques in existence) either the entire sequence of bits, or a random sampling of strings of bits, of a digital record, have inserted among them, an additional sequence of bits containing the information relating to the origin of the record. They are the equivalent of burying a covert message as "noise" in an analog sound recording. The digital watermark conveys its information without being perceived when the resulting work is played or displayed.(41)

    [81]  By its very nature, digital watermarking only works with digital records which reproduce an image or sounds by a process of sampling,(42) and will not work where the document has to be literally rendered, as is the case with a document which renders machine readable text (like a digital record of text in ASCII, proprietary word processing or HTML format) or with executable files which contain a computer program. It is a technique which can be employed for text but only in conjunction with digital paper techniques since in the case of digital paper, the words in the document are an image or visual sample of the text rather than the text itself.(43)

    [82]  Digital signatures may be used either as a means of digital watermarking for text or executable files or as an adjunct to other digital techniques used in digital watermarking. Where digital signatures are used, strong authentication of the digital record becomes an option.


1.     The purpose of this paper is to explore the nature of digital records and the challenges and opportunities they present when we seek to replace paper-based processes with ones based on digital records. The primary focus of this paper is on the question of authentication. In this context the word "authentication" is used in its normal dictionary sense as follows (Pocket Oxford Dictionary):

"authentic a. (~ally). Trustworthy, entitled to acceptance, (authentic statement); of undisputed origin, not forged etc., (authentic documents, pictures); ~ate v.t. (~able), estatblish truth or authorship or validity of (statement, document, claim); ~ation, ~ator, authenticity, ns. [F.f. L f. Gk authentikos genuine]"
There are other uses of the term, in particular in the law of evidence as regards the production of documents, where more or less precisely defined criteria apply and where a manual signature may play an important role. The term is used here in its common most broad sense to describe the ability of a recipient of information to know, with reasonable certainty, the origin and integrity of a given digital record.

The paper is not intended to propose any particular course of action, merely to supply background information intended to facilitate informed discussion of the authentication issues raised by digital records.

2. The author is a member of the Bar of the province of Quebec and Assistant Corporate Secretary of BCE Inc. and Bell Canada.

3. Marshall McLUHAN,

4. The term "ASCII" stands for American Standard Code for Information Interchange. The ASCII standard is a table defining, in binary form, 128 standard characters comprising the alphabet, punctuation, the number set and certain control characters such as carriage returns, line-feeds and the like.

5. Ron Rivest, Adi Shamir and Len Adleman. They put the "RSA" in RSA Data Security Inc. See

6. By large-scale data authentication the author means that the infrastructure necessary to permit it would be ubiquitous, on a national, international and even global scale. In other words, all publishers and authors of legal information would have the choice of digitally signing their published data if they wished to do so, and that all readers would be able to verify the digital signatures related to the data they receive, if they chose to do so.

7. For the reader who wishes to acquire a deeper knowledge of the working of public key infrastructures the author suggests the following materials: Michael FROOMKIN, The essential role of trusted third parties in electronic commerce 75 Oregon L. Rev. 49 (1996) available online at; C. Bradford BIDDLE, Misplaced Priorities: The Utah Digital Signature Act and Liability Allocation in a Public Key Infrastructure, 33 San Diego L. Rev., available in an earlier version at; David MASSE, Economic Modelling and Risk Management in Public Key Infrastructures, text of a conference given by the author at the RSA Data Security Conference on January 31, 1997 in San Francisco, available online at











18. Information Week, E-commerce gets real, December 9th, 1996.










28. and in particular


30. The Bell Sygma OnWatch service is described at







37. See recommendations 10.12 and following of the report published in September of 1995 entitled Connection, Community, Content - The challenge of the Information Highway, available online at The recommendations relating to the establishment of PKI may be found at

38. See section 8.2 Encryption and Digital Signatures in the report entitled Standardized Electronic Forms Information Interchange: Pilot Project Summary Report prepared for the Electronic Document Standards Working Group (EDSWG) of the Treasury Board Secretariat of the Government of Canada available on the Treasury Board Website by searching the keywords "public key infrastructure" at

39. See for example the PenOp authentication system at

40. For a leading example, consider the Adobe Acrobat system which generates files in 'portable document format' or simply PDF. See See as well the Common Ground application offered by Hummingbird Communications Inc.

41. See Business Week, Copyright's new digital guardians, available online at and Byte Look, it's not there - Digital watermarking is the best way to protect intellectual property from illicit copying, available online at

42. Sampling is the process used to produce a digital rendering of images or sound. In the case of an image, bits are used to map the image which appears on a screen or which is sent to a printer. While an object's image is made up of an infinite number of points of light, a picture of the object in a newspaper is comprised of a number of dots (picture elements or pixels) which form the image by being switched on (let's say to black) or off (in this case to white). Each pixel has coordinates within the matrix (screen or display area) and may thus easily be represented by a "1" or "0". Each individual bit contributes very little to the overall result. There is therefore "room" to insert extra bits to carry other information without disturbing the ability to render a likeness of the original image (just as the scanning bar of a fax machine often introduces black streaks on faxes which most often don't interfere with the readability of the message itself). In the case of sound, the sound wave is similarly placed on a graph and the resulting wave is sampled by taking reference points along the curve. Just as an image is made up of an infinite number of points of light, the analog sound wave is made up of an infinite number of points on the wave. Digital sampling cannot record all points on the wave, nor does it need to in order to render an acceptable likeness of the sound. Just as in the case of the image, it is possible to insert extra bits in the transmission which do not interfere with the resulting sound when it is replayed.

43. See for example the more detailed and technical information made available by The DICE Company, developers of Argent, digital watermarking software available from their web site at

© David Masse - October 1997