ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Fortifying the dalì attack on digital signature
Full text PdfPdf (636 KB)
Source
International Conference on Security of Information and Networks archive
Proceedings of the 2nd international conference on Security of information and networks table of contents
Famagusta, North Cyprus
SESSION: AC.3 AC: access control and security assurance table of contents
Pages 278-287  
Year of Publication: 2009
ISBN:978-1-60558-412-6
Authors
Francesco Buccafurri  University of Reggio Calabria, Reggio Calabria, Italy
Gianluca Caminiti  University of Reggio Calabria, Reggio Calabria, Italy
Gianluca Lax  University of Reggio Calabria, Reggio Calabria, Italy
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 32,   Downloads (12 Months): 32,   Citation Count: 0
Additional Information:

abstract   references   index terms  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1626195.1626262
What is a DOI?

ABSTRACT

In the recent literature a new vulnerability of digital signature has been addressed, based on a novel mechanism (denoted Dalì attack) allowing ambiguous presentation of electronic documents. This mechanism operates by a non-trivial inclusion into a single polymorphic file of a pair of different contents, encoded through two different format types. In this paper we overcome the main limitation of the above attack, consisting in the necessity of having html among the two involved formats. Here, exploiting an unusual feature of the pdf standard, we are able to enhance the attack in such a way that the two filetypes, namely pdf and tiff, embedded into the polymorphic file are both extremely safe, allowing the attacker to produce a fake document that appears in a format widely accepted in the context of e-government activities both whenever it is signed and whenever it is fraudulently exploited. This significantly increases both the danger and the plausibility of the Dalì attack.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Adobe Systems Incorporated. http://www.adobe.com.
 
2
Adobe Systems Incorporated. TIFF 6.0 Specification, 1992. Avaliable at: http://partners.adobe.com/public/developer/en/tiff/TIFF6.pdf.
 
3
Adobe Systems Incorporated. Digital Signatures in the PDF Language, 2006. Available at http://www.adobe.com/devnet/acrobat/pdfs/DigitalSignaturesInPDF.pdf.
 
4
Aloaha Sign. http://www.aloaha.com/.
 
5
A. Alsaid and C. Mitchell. Dynamic content attacks on digital signatures. Information Management & Computer Security, 13(4):328--336, 2005.
 
6
F. Buccafurri, G. Caminiti, and G. Lax. The Dalì attack on digital signature. Journal of Information Assurance and Security, 3(3):185--194, 2008.
 
7
D. Clarke, B. Gassend, T. Kotwal, M. Burnside, M. van Dijk, S. Devadas, and R. Rivest. The untrusted computer problem and camera-based authentication. In Proceedings of the First International Conference on Pervasive Computing, volume 2414 of Lecture Notes in Computer Science, pages 114--124. Springer-Verlag, 2002.
 
8
CNIPA. http://www.cnipa.gov.it.
 
9
S. Dalì. The image disappears. Gala-Salvador Dalì Foundation web site, 1938. Avaliable at: http://www.salvador-dali.org/media/IMATGES/i0336r.jpg.
 
10
ETSI. Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES). ETSI Technical Specification TS, 2008.
 
11
EU Directive 1999/93 of the European Parliament. Official Journal of the European Communities, December 13th 1999.
 
12
European Committee for Standardization. General guidelines for electronic signature verification. 2004.
 
13
European Committee for Standardization. Security requirements for signature creation applications. 2004.
 
14
N. Freed and N. Borenstein. Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies, 1996.
 
15
P. Hoffman. Enhanced Security Services for S/MIME, 1999.
 
16
R. Housely, W. Ford, W. Polk, and D. Solo. Internet X.509 Public Key Infrastructure (IETF RFC 2459), 1999.
 
17
R. Housley. Cryptographic Message Syntax (IETF RFC 3852), Vigil Security, 2004.
 
18
International Organization for Standardization. ISO 19005-1:2005. Document management--Electronic document file format for long-term preservation--Part 1: Use of PDF 1.4 (PDF/A-1), 2005.
 
19
International Organization for Standardization. ISO 32000-1:2008. Document management--Portable document format--Part 1: PDF 1.7, 2008.
 
20
A. Jøsang, D. Povey, and A. Ho. What you see is not always what you sign. In Proc. of the Australian UNIX and Open Systems User Group, Melbourne, Australia, Sep 4--6 2002.
 
21
B. Kaliski. PKCS#7: Cryptographic Message Syntax (IETF RFC 2315), RSA Laboratories, 1998.
 
22
National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS Publication 186, 2008.
 
23
D. Pfeif and G. Richard. Scalpel: A frugal, high performance file carver, 2006. Available at: http://www.digitalforensicssolutions.com/Scalpel/.
 
24
D. Pinkas, N. Pope, and J. Ross. CMS Advanced Electronic Signatures (CAdES), 2008.
 
25
K. Scheibelhofer. Signing XML Documents and the Concept of What You See Is What You Sign. Master's thesis, Institute for Applied Inf. Processing and Communications, Graz University of Technology, 2001. Available at: http://www.iaik.tu-graz.ac.at/teaching/11_diplomarbeiten/archive/scheibelhofer.pdf.
 
26
A. Spalka, A. Cremers, and H. Langweg. Protecting the creation of digital signatures with trusted computing platform technology against attacks by trojan horse programs. In Proc. of the IFIP SEC 2001, pages 403--420, Paris, France, Jun 11--13 2001.
 
27
Kluwer Academic. United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research. Foremost. Available at: http://foremost.sourceforge.net/.

INDEX TERMS

Primary Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Authentication

Additional Classification:
  K. Computing Milieux
  K.5 LEGAL ASPECTS OF COMPUTING
      K.5.2 Governmental Issues
          Subjects: Regulation


General Terms:
Legal Aspects, Security


Keywords:
E-signature, digital signature, vulnerability analysis


The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player