Reputation: 89983
Signed binaries for digital signatures
http://en.wikipedia.org/wiki/Digital_signature#Using_digital_signatures_only_with_trusted_applications warns about the possibility of "malicious application to trick a user into signing any document by displaying the user's original on-screen, but presenting the attacker's own documents to the signing application."
With an eye on non-repudiation, how can one truly ensure that the document viewer, or signing application, or both have not been replaced by malicious code?
Even if the binaries were signed, there doesn't seem to be a way to prevent the code from being modified in memory. Even if there way, couldn't the attacker simply modify both the viewer and the signing application?
This question is not Windows-specific. I am willing to entertain the use of any operating system.
Upvotes: 2
Views: 961
Answers (2)
Reputation: 39164
With an eye on non-repudiation, how can one truly ensure that the document viewer, or signing application, or both have not been replaced by malicious code?
The security of the user machine is essential for everything concern security. If you can't trust your operating system and installed applications, then every signature mechanism could be broken or tricked.
Even if the binaries were signed, there doesn't seem to be a way to prevent the code from being modified in memory. Even if there way, couldn't the attacker simply modify both the viewer and the signing application?
Yes he can.
The security of your computer could be evaluated considering the weakest of your security mechanism. Build up strong cryptographic effort, isn't useful at all if your operating system has been compromised.
EDIT:
So how do I ensure the operating system has not been compromised?
Well, you could never be absolutely certain that your OS is secure. There are many different things to take in consideration:
- how many people have access to that operating system?
- which operating system are you talking about?
- which tasks are performed by users of that OS?
- Is that OS connected to Internet? If yes, how is organized your network infrastructure?
Can I boot the operating system and my application off a read-only drive?
I don't know about that. Maybe you can. But if someone can exploit a service running on your machine (for example a server application with root privileges), than read-only drive won't save you.
What do you recommend?
First of all try to evaluate the level of security that your system really need. Probably you can't achieve perfect security. Then try to get a good compromise.
Remember that security and usability could become a trade-off. If you enforce your security policy, usability of your system may decrease.
For what concern my personal advices:
- Use a open-source operating system. Otherwise you can't be secure of what's really happening inside your machine.
- Try to configure a restrictive firewall. Deny the network access to every service except which ones you really need.
- If your system is used by many people (specially if they don't know anything about security), try to teach them some security principles. Human are often the weakest part to exploit (es. social engineering).
- Install only open-source software or software that you really trust. Keep your system updated.
Upvotes: 2
Reputation: 39620
Non-repudiation is a very debatable subject. In the EU there exists a Directive (1999/93/EC) that stipulates something along the lines of "What You See Is What You Sign" for such non-repudiation signatures. The tricky part is, as you already mentioned - how can we give this guarantee?
If your OS is compromised, that is an attacker can mess with your machine at the OS level, then a secure signature device (e.g. smart card) alone can't save you. Although the device is secure, an attacker can display something on the screen that is very different from what you are finally signing.
Signed and therefore trusted code is also no solution to this dilemma. The software may be exemplary secure, but still you can fiddle with the inputs and outputs, be it on the file system, in memory etc.
So the only really secure way to ensure this WYSIWYS principle would be a secure hardware device that does both signing and displaying the data out-of-band, that is disconnected from the prying eyes of your infected OS. Ideally it also takes care of entering the PIN (a pin pad or s.th.), because entering a PIN on a machine with a key logger installed - not secure. Only then can users be sure that what they see on the display was exactly what was transferred to the device - and can then decide whether to apply their non-repudiation signature or not.
These devices exist (at least I've seen them in real life minus the display aspect - about those I've only heard people talking) but for now they remain rare because still being too expensive for rolling them out to the masses.
Upvotes: 0
Related Questions
- digital signature
- Signed executables under Linux
- File signature C
- Signing binary files (not code signing)
- How can I digitally sign an executable?
- How important is it to digitally sign our executables?
- Signing binaries of open-source projects
- Digital signature: sample code for verification and for extracting certification information
- Simple digital signatures for regular users
- Open and verify signed documents