2

http://en.wikipedia.org/wiki/Digital_signature#Using_digital_signatures_only_with_trusted_applications warns about the possibility of "malicious application to trick a user into signing any document by displaying the user's original on-screen, but presenting the attacker's own documents to the signing application."

With an eye on non-repudiation, how can one truly ensure that the document viewer, or signing application, or both have not been replaced by malicious code?

Even if the binaries were signed, there doesn't seem to be a way to prevent the code from being modified in memory. Even if there were a way, couldn't the attacker simply modify both the viewer and the signing application?

This question is not Windows-specific. I am willing to entertain the use of any operating system.

Gili

2 Answers

2

> With an eye on non-repudiation, how can one truly ensure that the document viewer, or signing application, or both have not been replaced by malicious code?

The security of the user machine is essential for everything concerning security. If you can't trust your operating system and installed applications, then every signature mechanism could be broken or tricked.

> Even if the binaries were signed, there doesn't seem to be a way to prevent the code from being modified in memory. Even if there were a way, couldn't the attacker simply modify both the viewer and the signing application?

Yes, he can.

The security of your computer could be evaluated by considering the weakest of your security mechanisms. Building up a strong cryptographic effort isn't useful at all if your operating system has been compromised.

EDIT:

> So how do I ensure the operating system has not been compromised?

Well, you could never be absolutely certain that your OS is secure. There are many different things to take into consideration:

  1. How many people have access to that operating system?
  2. Which operating system are you talking about?
  3. Which tasks are performed by users of that OS?
  4. Is that OS connected to the Internet? If yes, how is your network infrastructure organized?

> Can I boot the operating system and my application off a read-only drive?

I don't know about that. Maybe you can. But if someone can exploit a service running on your machine (for example a server application with root privileges), then a read-only drive won't save you.

> What do you recommend?

First of all, try to evaluate the level of security that your system really needs. Probably you can't achieve perfect security. Then try to get a good compromise.

Remember that security and usability could become a trade-off. If you enforce your security policy, usability of your system may decrease.

As for my personal advice:

  1. Use an open-source operating system. Otherwise you can't be sure of what's really happening inside your machine.
  2. Try to configure a restrictive firewall. Deny network access to every service except the ones you really need.
  3. If your system is used by many people (especially if they don't know anything about security), try to teach them some security principles. Humans are often the weakest part to exploit (e.g. social engineering).
  4. Install only open-source software or software that you really trust. Keep your system updated.
Heisenbug
  • Excellent. So how do I ensure the operating system has not been compromised? Can I boot the operating system and my application off a read-only drive? What do you recommend? – Gili Aug 20 '11 at 01:09
  • @Gili: I edited my answer with only a few pieces of advice. It's impossible to give you a perfect answer. – Heisenbug Aug 20 '11 at 11:36
  • @Gili: Let's try to reduce the problem by focusing on one example. The OS is the part of the system that is responsible for reading/writing, even from your hypothetical read-only HD storing the key. If the OS is compromised, could you be sure that the key read is the one stored in your read-only location? Or if the attacker compromised your system and injected his key into your RAM, couldn't the key retrieved by the hacked OS be the fake one? Tell me if I'm wrong. – Heisenbug Aug 20 '11 at 13:57
  • "if someone can exploit a service running on your machine [...] then read-only drive won't save you". If I instruct the user to reboot off the drive for every session (and prevent others from using the computer during his session) then the exploit is only possible with the user's knowledge (hence non-repudiation is assured). – Gili Aug 20 '11 at 13:59
  • It looks like there is no way of securing a writable medium if someone gains physical access to it: https://twopointfouristan.wordpress.com/2011/04/17/pwning-past-whole-disk-encryption/ -- the problem I see with read-only tokens is how do you prove someone didn't swap the entire token? – Gili Aug 20 '11 at 13:59
  • "First of all try to evaluate the level of security that your system really need." The problem is that I'm selling this to non-technical government officials. As far as they're concerned, if there is **any** risk (and there always is) then they'll stick to pen and paper (even if we both know that's less secure). I can try to sell them on the idea that my approach **is** secure (even if it's not perfect) but I'm afraid of what will happen if someone cracks it one day. This could ruin a person's life (they could get convicted in a court of law for something they didn't really do). – Gili Aug 20 '11 at 14:02
  • @Gili: actually I'm only speaking with you about pessimistic and remote possibilities, so the read-only HD could be a good choice. But just to continue the discussion: as far as I understood, your PC is network connected. Then suppose there is an infected machine on your local network segment. Every time your target machine connects to the network, one of its network services is exploited in order to inject the fake key. Isn't that possible too? – Heisenbug Aug 20 '11 at 14:04
  • @Gili let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/2692/discussion-between-0verbose-and-gili) – Heisenbug Aug 20 '11 at 14:05
0

Non-repudiation is a very debatable subject. In the EU there exists a Directive (1999/93/EC) that stipulates something along the lines of "What You See Is What You Sign" for such non-repudiation signatures. The tricky part is, as you already mentioned - how can we give this guarantee?

If your OS is compromised, that is, an attacker can mess with your machine at the OS level, then a secure signature device (e.g. smart card) alone can't save you. Although the device is secure, an attacker can display something on the screen that is very different from what you are finally signing.

Signed and therefore trusted code is also no solution to this dilemma. The software may be exemplarily secure, but you can still fiddle with the inputs and outputs, be it on the file system, in memory, etc.

So the only really secure way to ensure this WYSIWYS principle would be a secure hardware device that does both signing and displaying the data out-of-band, that is, disconnected from the prying eyes of your infected OS. Ideally it also takes care of entering the PIN (a PIN pad or something), because entering a PIN on a machine with a key logger installed is not secure. Only then can users be sure that what they see on the display was exactly what was transferred to the device, and can then decide whether to apply their non-repudiation signature or not.

These devices exist (at least I've seen them in real life minus the display aspect; about those I've only heard people talking) but for now they remain rare because they are still too expensive to roll out to the masses.

emboss
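
A small model of the what-you-see-is-what-you-sign gap discussed in the answer above, as an added example that is not part of the original post. The `Host` class, both flow functions, the sample documents and the key are constructed for illustration, and HMAC stands in for the token's real signature primitive.

```python
import hashlib
import hmac

DEVICE_KEY = b"constructed-demo-key"   # stand-in for a key that never leaves the token
ORIGINAL = b"Pay 10 EUR to Alice"      # constructed sample: what the user intends to sign
SWAPPED = b"Pay 10000 EUR to Mallory"  # constructed sample: what a tampered host forwards


def sign(data: bytes) -> str:
    # Assumption: HMAC-SHA256 models "the token signs exactly the bytes it receives".
    return hmac.new(DEVICE_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(data), signature)


class Host:
    """Models the PC. A compromised host shows one document and forwards another."""

    def __init__(self, shown: bytes, forwarded: bytes):
        self.shown, self.forwarded = shown, forwarded

    def render_on_screen(self) -> bytes:
        return self.shown

    def send_to_signer(self) -> bytes:
        return self.forwarded


def plain_token_flow(host: Host, user_intent: bytes):
    """Token without a display: the user can only judge the host's screen."""
    if host.render_on_screen() != user_intent:
        return None                      # user refuses
    data = host.send_to_signer()         # nothing binds these bytes to the screen
    return data, sign(data)


def trusted_display_flow(host: Host, user_intent: bytes):
    """Token with its own display: the user judges the bytes the token received."""
    data = host.send_to_signer()
    device_display = data                # rendered by the token, outside the host OS
    if device_display != user_intent:
        return None                      # mismatch is visible, user refuses
    return data, sign(data)
```

With a host that shows `ORIGINAL` but forwards `SWAPPED`, the first flow returns a valid signature over the swapped bytes, while the second returns `None` because the approval decision is made on the token's own rendering.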