• Keine Ergebnisse gefunden

Malware attacks on electronic signatures revisited

N/A
N/A
Info
Herunterladen
Protected

Academic year: 2022

Aktie "Malware attacks on electronic signatures revisited"

Copied!
12
0
0

Wird geladen.... (Jetzt Volltext ansehen)

Jetzt herunterladen ( 12 Seite )

Volltext

(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(11)
(12)

All applications lack a Trusted path or a similar mechanism to ensure that presentation of data in the viewer or in dialogs during the signing process cannot be manipulated by malicious software. All applications depend on organisational measures as regards access permissions to their modules. No application checks if access permissions are set reasonably after installation. Some applications allow the user to choose card terminal driver libraries and hence allow arbitrary code to be executed in their address space. No revolutionary new mechanisms are needed to prevent or detect attacks. Some security measures discussed in section 5 are already incorporated in some products.

The test results give an indication of the resistance of an application against malicious software attacks. However, our tests are not meant to replace thorough examination of a product in an evaluation scheme, e.g., the Common Criteria. It must neither be construed as a proof of absence of vulnerabilities nor as an endorsement of a specific product.

References

[Bu05a] Bundesnetzagentur (2005). Einheitliche Spezifizierung der Einsatzbedingungen für Signaturanwendungskomponenten. Version 1.4, 2005-07-19. http://www.bundesnetzagentur.de/

media/archive/2648.pdf

[Bu05b] Bundesamt für Sicherheit in der Informationstechnik (2005). Jahresbericht 2004.

[Ce01] CEN/ISSS WS/E-Sign Workshop (2001). “Security Requirements for Signature Creation Applications”. CEN Workshop Agreement CWA 14170:2001.

[Ce04] CEN/ISSS WS/E-Sign Workshop (2004). “Security Requirements for Signature Creation Applications”.CEN Workshop Agreement CWA 14170:2004 Version 2.1.5.

[Fo98] Fox, D. (1998). “Zu einem prinzipiellen Problem digitaler Signaturen”. DuD Datenschutz und Datensicherheit 22(7):386-388.

[Is04] ISO 18045:2004 (2004). Methodology for IT security evaluation.

[JPH02] Jøsang, A., Povey, D., and Ho, A. (2002). “What You See is Not Always What You Sign”. Proceedings of 2002 Annual Technical Conference of the Australian UNIX and Open Systems User Group.

[La04] Langweg, H. (2004). “Building a Trusted Path for Applications Using COTS Components”. NATO RTO IST Panel Symposium on Adaptive Defence in Unclassified Networks (to appear).

[MR04] Murmann, T. and Rossnagel, H. (2004). “How Secure Are Current Mobile Operating Systems?”.Proceedings of Eighth IFIP/CMS 2004. IFIP, Vol. 175. Pp. 47-58.

[Po93] Pordesch, U. (1993). “Risiken elektronischer Signaturverfahren”. DuD Datenschutz und Datensicherheit 17(10):561-569.

[Po00] Pordesch, U. (2000). “Der fehlende Nachweis der Präsentation signierter Daten”. DuD Datenschutz und Datensicherheit 24(2):89-95.

[SCL01] Spalka, A., Cremers, A.B. and Langweg, H. (2001). “Protecting the Creation of Digital Signatures with Trusted Computing Platform Technology Against Attacks by Trojan Horse Programs”.Proceedings of IFIP/SEC 2001. Pp. 403-419.

[SCL02] Spalka, A., Cremers, A.B., and Langweg, H. (2002). “Trojan Horse Attacks on Software for Electronic Signatures”. Informatica 26:191-204.

[Si05] Signature Alliance (2005). “SigAll-API (SASCIA): Specification of the Application Programming Interface to the Signature Card ”. Version 1.2.

[Tc03] TC TrustCenter AG (2003). Press release titled “TC TrustCenter selected by the German Federal Office for Information Security (BSI)”, 2003-06-26 http://www.trustcenter.de/press/en/

releases/tc-trustcenter_news_sisi_en.htm

Sicherheit 2006 - "Sicherheit - Schutz und Zuverlässigkeit"

255

Referenzen

Jetzt herunterladen ( PDF - 12 Seite - 6.15 MB )

ÄHNLICHE DOKUMENTE

Cyber-attacks against companies in Germany

(Nearest police station; Police cybercrime unit; Office for the Protection of the Consti- tution; Federal Office for Information Security (BSI); State Data Protection Commis-

Re-assessing the threat of replay spoofing attacks against automatic speaker verification

This paper aims to investigate the threat of replay attacks with large databases and to compare the effectiveness of replay spoofing with the most effective medium- and

The Challenge of Protecting CriticalInfrastructure against Cyber-Attacks

requisite know-how. The explosion in the use of personal devices and the ubiquity of technology and connectivity in all aspects of life have made systems increasingly vulnerable.

Economic impact of acid attacks in the UK

▪ We use a variety of sources to inform the model, including (a) police figures on the number of attacks reported, number of arrests made etc.; (b) government data on wages, the

Defending Against Probe-Response Attacks

Lastly, we proposed a method for the detection of a PRA based on certain statistical properties as well as a mitigation mechanism that performs adaptive reporting via sampling the

POSTER: The Quest for Security against Privilege Escalation Attacks on Android

In this paper we present the design and implementation of a security framework that extends the reference monitor of the Android middleware and deploys a mandatory access control

Enabling Fairer Digital Rights Management with Trusted Computing⋆

For using (stateful) licenses the user invokes DC, which loads the corresponding license, checks if all conditions for the corresponding usage-rights are fulfilled, and opens a

Characterizing the Strength of Software Obfuscation Against Automated Attacks 

Finally, we have leveraged the information regarding the most relevant software features for symbolic execution to propose novel obfuscation techniques, which raise the bar against