Abstract
Often, the main motivation for using PKI in business environments is to streamline workflow, by enabling humans to digitally sign electronic documents, instead of manually signing paper ones. However, this application fails if adversaries can construct electronic documents whose viewed contents can change in useful ways, without invalidating the digital signature. In this paper, we examine the space of such attacks, and describe how many popular electronic document formats and PKI packages permit them.
This work was supported in part by the Mellon Foundation, by Internet2/AT&T, and by the U.S. Department of Justice, contract 2000-DT-CX-K001. The views and conclusions do not necessarily represent those of the sponsors.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35612-9_23
Copyright information
© 2002 IFIP International Federation for Information Processing
About this chapter
Cite this chapter
Kain, K., Smith, S.W., Asokan, R. (2002). Digital Signatures and Electronic Documents: A Cautionary Tale. In: Jerman-Blažič, B., Klobučar, T. (eds) Advanced Communications and Multimedia Security. IFIP — The International Federation for Information Processing, vol 100. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35612-9_22
DOI: https://doi.org/10.1007/978-0-387-35612-9_22
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-4405-7
Online ISBN: 978-0-387-35612-9
eBook Packages: Springer Book Archive