All of us know about digital signature but for whom that did not know digital signature is a piece of data that identifies the beginner of a document. It utilizes asymmetric encryption, where one key (private key) is used to create the signature code and a different but related key (public key) is used to verify it.
BUT as you know it has some problems: Security and confidentiality of private key, possible misuse and the legal implications which arise.
Usually criminal use it for hijacking: first an authenticated user had established with a remote service for this attack, the target was chosen to be the e-government portal. The web application that handles access to the financial information of a citizen requires the user to digitally sign a document to prove her /his identity. If a digital signature is used to authenticate a user to a remote application, the relaying server can let the packets through until the login process is complete. Then, it can interrupt the communication to the victim, thereby hijacking the user’s session; when the login is successful the server issues a session cookie. This cookie is used in subsequent requests by the browser to tag these requests as being sent by the previously authenticated user. The first attack uses Internet Explorer to steal the session cookie after a successful login procedure, thus allowing an attacker to duplicate the session. To steal the session cookie, the attacker requires local access to the victim’s machine with the privileges of the user running the browser. The easiest way to perform the attack is a malicious browser plug-in!
With browser helper objects, one can write components (specifically, in-process Component Object Model (COM) components) that Internet Explorer will load each time it starts up. Such objects run in the same memory context as the browser and can perform any action on the available windows and modules. Through a special interface, the browser helper object can access the functions of Internet Explorer, thus being able to read and manipulate data.(read more :http://www.iseclab.org/papers/citizen_technical.pdf)
As you know anybody can put you in trouble if they could easily access to your signature and they can contract with many parties and abuse it to self interest!
I am surprised to know that digital signatures can be hijacked. From the information which I read so far about this technique I learn that its the safest and most secure technique. I am confused !!
ReplyDeleteelectronic signatures