Based in Huntsville, Alabama, Grady Paul Gaston, III co-founded a defense contracting company in 1990, which became a leader in the tech industry, and co-founded a digital signature company in 1995. Gaston served as an officer of both companies for over 25 years. Government agencies and commercial enterprise clients trusted the companies to deliver solutions to complex problems and to oversee large-scale projects.
The First Solution – Electronic Signatures
Gaston says people mistakenly refer to him as the inventor of digital signatures when, in fact, he is a pioneer of cryptographic technology and a pioneer of the use of smart cards in the USA. He points out that signing documents is a centuries-old practice that is more art than technology. All that he did was link the verification of a signature to the signer and to the information that is signed, and he did it by introducing the computer chip on a card to the Department of Defense. He first implemented this technology in 1993 in cooperation with the National Institute of Standards and Technology (NIST) and the Governmental Accountability Office (GAO). That solution was developed under Government contract and belonged to the Department of Defense (DoD). It was called ESIG, an abbreviation for Electronic Signature. He did, however, copyright his digital signature solution based on Public Key Infrastructure (PKI); it is the most widely used in the Department of Defense and has over four million users.
Pioneering digital signatures while developing a financial management system for the U.S. Army Corps of Engineers is the accomplishment he is most proud of. Waiting on wet signatures had been the biggest bottleneck in the Corps' financial workload, with delays of as much as six months waiting for signed documents to arrive by mail.
Obstacles to the solution
The US Army Corps of Engineers (USACE) is a vast agency with many accomplishments to its name. For instance, the Manhattan Project that developed the first atomic bomb was the work of USACE.
Therefore, a solution to the biggest problem facing the finance and accounting for the Corps required upper brass buy-in, as well as Congressional support. USACE is the only DoD agency that receives both military and civil funds. So, USACE has to answer to both the Governmental Accountability Office (GAO) and the Office of Management and Budget (OMB).
Legally Binding Signatures
Gaston met with the Deputy Director of GAO while his government client met with OMB. The bottom line was that the National Institute of Standards and Technology (NIST) had to provide the standards for USACE to follow before GAO would sanction the digital signature solution as legally binding. Timing is everything. It just so happened that NIST was drafting FIPS Pub 140-1. This Federal Information Processing Standard addressed the problem of ensuring that a message is authentic. Four very important rules were: 1) the signing had to be under the signer's control, 2) the signer had to see all the data he/she was signing, 3) the signature had to be verifiable, and 4) the signature verification had to fail if any bit of data was changed. This was in late 1991; by early 1992, the USACE financial system had a prototype of electronic signatures called "ESIG". By 1993, GAO had sanctioned Grady's implementation as "legally binding".
How it worked
Grady Paul Gaston had a meeting with GAO to figure out what was needed before his solution could be officially approved. The biggest concern was fraud. The ESIG system used symmetric-key technology: in simple words, the same key is used to lock and unlock the message. The message or document is first reduced to a small piece of data (a hash). Then, this hash is locked with a key. GAO wanted to make sure that no one could sign a document with just their own key. Two keys had to be combined to make a third key, and the document was signed with this third key.
Security of the Keys
Just knowing a password wasn't enough to keep the technology safe, especially since a lot of money was at stake. A stronger key protection system was needed. In Europe, people were using plastic cards with computer chips, called smart cards, as wallets. This was the solution, but it was new in the US. Gaston had to learn about this new technology quickly. NIST gave out specifications, and many companies made cryptographic boards that had to be installed in the computer and connected to the smart card through a card reader. The computer had to pass a test by the smart card before it could be used. This was done with a password, but the password never went through the computer's main processor. Instead, a special cable sent the password through the cryptographic board, keeping it safe from spy software. The cryptographic board had a special cover that would erase the keys if it was tampered with. It also required two smart cards to be logged in. The first, known as the Security Administrator (SA) card, was logged in and then removed; its key was held in memory on the cryptographic board. Then, the user's smart card was logged in and left in the reader to function. The bits of the two keys were combined to create a unique key. The 40-byte hash was then encrypted with the unique key.

Smart cards and their keys and passwords were generated at a "Key Translation Center" by a highly secured computer that held a copy of all the keys. To verify a signature, the data had to be hashed and signed again with the same unique key to see if the two encryptions matched. To recreate the unique key, requests were sent to the Key Translation Center. Gaston's team built two Key Translation Centers to service USACE, an organization with 30,000 smart card users.
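The two-key signing and re-sign-to-verify scheme described in "How it worked" and "Security of the Keys", as an added illustration that is not the original ESIG code. Stand-ins are assumptions: SHA-256 for the 40-byte hash, XOR for combining the SA and user card keys, and HMAC for "encrypting the hash with the unique key" (the page does not name the original cipher); the sample document is constructed.

```python
import hashlib
import hmac
import secrets


def combine_keys(sa_key: bytes, user_key: bytes) -> bytes:
    """Derive the unique signing key from the SA-card key and the user-card key.

    Assumption: bitwise XOR of two equal-length keys. Neither card key alone
    reproduces the result, which is the property GAO asked for.
    """
    if len(sa_key) != len(user_key):
        raise ValueError("card keys must have equal length")
    return bytes(a ^ b for a, b in zip(sa_key, user_key))


def sign(document: bytes, sa_key: bytes, user_key: bytes) -> bytes:
    """Hash the document, then lock the hash with the combined key (HMAC stand-in)."""
    unique_key = combine_keys(sa_key, user_key)
    digest = hashlib.sha256(document).digest()
    return hmac.new(unique_key, digest, hashlib.sha256).digest()


def verify(document: bytes, signature: bytes, sa_key: bytes, user_key: bytes) -> bool:
    """Re-hash and re-sign with the recreated unique key; compare in constant time.

    Any changed bit in the document, or a wrong card key, yields a mismatch.
    """
    expected = sign(document, sa_key, user_key)
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Constructed run: valid signature, one-bit tamper, and a single-key forgery attempt."""
    sa_key = secrets.token_bytes(16)
    user_key = secrets.token_bytes(16)
    doc = b"Voucher 0001: pay contractor $1,000"  # constructed sample document
    sig = sign(doc, sa_key, user_key)
    tampered = bytes([doc[0] ^ 0x01]) + doc[1:]  # flip one bit of the first byte
    # Signature made with only the user's own key, never combined with the SA key.
    user_only_sig = hmac.new(user_key, hashlib.sha256(doc).digest(), hashlib.sha256).digest()
    return {
        "valid": verify(doc, sig, sa_key, user_key),
        "one_bit_changed": verify(tampered, sig, sa_key, user_key),
        "user_key_alone": verify(doc, user_only_sig, sa_key, user_key),
    }


if __name__ == "__main__":
    print(demo())
```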

Since each password was assigned once and never changed, NIST wanted them to be memorized and never written down. Thus, they wanted the Key Translation Center to generate 6-character pronounceable passwords. These were printed on an inkless, impact envelope that the SA and User would open, memorize and destroy. Unintentionally, some very offensive passwords were made.

The success of this system brought more customers to Gaston’s companies, making him the de facto point-of-contact for Federal use of smartcards and digital signatures. More about this in part two of the story.