Signature Verification Methodology
By Peter Nikiper, Director, Technical Compliance
Your signature, it is on every vital piece of information that identifies you. Your driver’s license, social security card, passport and countless other documents are not complete without a signature. Your signature puts you in debt when you buy a house and out of debt when you sign the last mortgage check. It is the first thing you ask for when meeting a sports star or celebrity. What makes a signature so important is that it is as unique in design as the person that wrote it.
The uniqueness of signatures is equally important for verification of gaming software. The ability to distinguish and uniquely identify gaming software media is paramount regardless of whether it is resident on EPROM, flash, CD, DVD or an electronic file. The verification process starts when a manufacturer submits software to a testing laboratory for regulatory compliance verification. The signatures generated by the manufacturer are verified by the laboratory before testing begins to ensure that the software received is the same as represented in the documentation. If an update or modification to the software is submitted during the testing process, the signatures would again be verified to validate the software. Upon completion of testing, the signatures generated by the laboratory are included in the final certification report. These reports are distributed to both tribal and state gaming agencies that use the information in these reports to verify the signatures of software received separately from the manufacturers for installation on the gaming floor. Establishing accuracy of the signatures is proof that the software verified is identical to that which was tested in the laboratory and provides evidence that that the media has not been tampered, physically damaged, and or manipulated. Through the entire testing process from submission to installation on the gaming floor, the game media signature is the most critical aspect of the testing for establishing the integrity of the software.
The magic behind the creation of an electronic signature is called a “cryptographic hash algorithm” that is used to generate what is called a “one-way” digest. An ideal cryptographic hash algorithm has four main properties; it is easy to compute the signature value for any given input, it is infeasible to generate an input that has a given signature, it is infeasible to modify an input without changing the signature, and it is infeasible to find two different inputs with the same signature (often called a collision). Some of the most popular algorithms today are MD5, SHA-1, and SHA-256. The MD5 algorithm uses 128-bit encryption to generate a 32 hexadecimal character signature based on the message digest algorithm developed by Ron Rivest, PhD MIT/RSA Data Security in 1992. The SHA-1 algorithm uses 160-bit encryption to generate a 40 hexadecimal character signature based on the secure hash algorithm developed by the National Security Agency (NSA) originally published in 1995. The newer SHA-256 algorithm uses a 256-bit encryption to generate a 64 hexadecimal character signature based on the secure hash algorithm developed by the NSA originally published in 2002. It is important to note that law enforcement and courtrooms nationwide have accepted the MD5 and SHA-1 signatures as the industry standards and have thrown out anything with less than 128-bit cryptographic strength.
These algorithms are considered secure, and the specifications on how they work have been placed in the public domain. They are currently in use for signature verification by other technology sectors, and have been verified by trusted organizations such as NIST.
There are many ways to obtain signature verification tools that use these algorithms. Test laboratories write their own, like BMM Signature Tool, as well as other gaming entities, such as the Washington State Gambling Commission’s Eagle Check tool. There are also other open source and commercial tools as well such as Hash Calc or Kobetron. All of these tools can generate matching MD5 and/or SHA-1 signature values to the ones listed on certification reports, with one notable exception with folder signatures. While the specifications list out how to handle devices and files, directories or folders are left to each developer to determine how best to support them.
The most important thing to remember is that the regulatory agency determines what signature verification programs, tools, or algorithms are suitable for use within their jurisdiction. As a testing laboratory, we are happy to provide advice on picking an appropriate algorithm or tool, and to use the items as specified by the regulatory agency. There are many different signature verification options available in today’s marketplace. It is important that regulatory agencies look at all options, do the research, ask questions, and request training from the laboratory before making a decision as to what devices, tools, or algorithms are right for your situation.