Digital signatures were designed to allow secure, confidential communication between two parties.

As Wikipedia describes it: “A user may digitally sign messages using his private key, and another user can check that signature (using the public key contained in that user’s certificate issued by a certificate authority). This enables two (or more) communicating parties to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance.”

Are digital signatures legally binding? Usually. Check your local statutes.

Are they foolproof? Not usually.

For years, Prof. Ferenc Leitold of the University of Veszprem has been explaining the dangers of digital signatures to the world at large. This week, he’s doing it again at the 15th EICAR Annual Conference in Hamburg, Germany.

The problem revolves around general purpose personal computers. Once an attacker penetrates a PC, any knowledge transferred through that system is friable.

For example, the alphanumeric characters you see on your computer screen are not graphics. Instead, they are typically drawn from fonts residing on your system, which are called by the application software charged with displaying or printing a page.

By redirecting application font requests or replacing the onboard font set, an attacker or virus can change the meaning of a document without regard to the status of any digital signatures. Font substitution software is readily available on the web.
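A defensive check that follows from this, as an added example that is not from the original article: the document digest a signature covers stays the same when the local font set changes, so a separate baseline of font file hashes is needed to notice the change. The font suffix list, the file names and the placeholder bytes are constructed assumptions, and SHA-256 of the document stands in for the value a signature scheme would sign.

```python
import hashlib
import tempfile
from pathlib import Path

FONT_SUFFIXES = {".ttf", ".otf", ".ttc", ".pfb"}  # assumed set of font file types

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def font_baseline(font_dir: Path) -> dict[str, str]:
    """Map each font file (path relative to font_dir) to its SHA-256 digest."""
    return {
        str(p.relative_to(font_dir)): sha256_file(p)
        for p in sorted(font_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in FONT_SUFFIXES
    }

def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report fonts modified, added or removed since the baseline was taken."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }

def demo():
    """Constructed sample: placeholder bytes stand in for real font files."""
    with tempfile.TemporaryDirectory() as tmp:
        fonts = Path(tmp)
        (fonts / "Serif.ttf").write_bytes(b"constructed font data v1")
        (fonts / "Sans.otf").write_bytes(b"constructed font data A")
        document = b"Pay 100 EUR to account 12345"  # constructed signed content
        doc_digest = hashlib.sha256(document).hexdigest()  # what a signature covers
        baseline = font_baseline(fonts)

        # Simulate the local font set changing after the baseline was recorded.
        (fonts / "Serif.ttf").write_bytes(b"constructed font data v2")
        (fonts / "Extra.ttf").write_bytes(b"constructed font data X")

        doc_unchanged = hashlib.sha256(document).hexdigest() == doc_digest
        return doc_unchanged, compare(baseline, font_baseline(fonts))

if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it is recorded on a known-good system and stored where an intruder on the PC cannot rewrite it.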

Leitold adds that, since BSD, Linux, OSX, Windows and other operating systems all grab fonts off their local file systems, they are all more-or-less equally vulnerable to font-jacking.

This would be true, if all operating systems were equally penetrable. But of course, they are not.

He also notes that firewalls configured to let encrypted messages pass through unhindered can also let encrypted malware pass, as long as it’s using the recipient’s public key.

So how can you protect your general purpose computer from malevolent digital signatures?

Leitold says you can’t, as long as the computer itself is not secure. To that end, he recommends that you keep your firewall and antivirus software up-to-date, and develop a solid security policy.

Whenever practical, your primary firewall should be a separate device guarding the network border. That’s especially important when using Windows-based computers, as hackers report that they are easily breached.

The same goes for email protection. A standalone device or service can be configured to knock out most malware before it ever gets a chance to infect your computer.

Both devices help you set a protective security policy that, Leitold suggests, should include accepting only non-editable, graphic-style documents via email, wherein the alphanumerics are just arrangements of bits on the page… if you can stand it. Imagine how useful email would be if every message was a graphic you couldn’t edit, paste or search. Yuck.

Other standard security procedures include encrypting your local hard drives, not sharing local folders and never running your computer as Administrator, except as needed. Penetrators can’t commandeer what they can’t see.

As for getting digital signatures… a signature is designed to prove you are you. It’s only as good as the outfit that issued it. While Comodo, Entrust, and Verisign are well-known issuers, prices vary wildly. And Comodo even offers signatures totally free for personal use.
