stackoom
  简体   繁体   中英

Digital Signature: security issue between signing on client or on server?

 原文  2012-05-05 18:18:39       java/ security/ encryption/ certificate/ digital-signature

Question

With Adobe Reader you can sign a document locally. Is it theorically more secure than if the document was transported to the server and signed on the server (not especially using adobe technology) ? Could the user contest that the document could have been tampered later on if done on server ? How to prove him wrong technically that it is impossible even when signed on server - for legal issue to be taken into account.

3 answers

solution1
 2  2012-05-05 18:21:44

Anything could happen to the document on its way to the server. The connection could be MitM attacked, the server could have tampered with, etc. etc.

The #1 rule in crypto signatures is, that it must happen on a trusted machine in a trusted environment, preferrably before it even reaches a connected machine (ie offline, then transferred on a offline medium).

So in short: It should be signed on the client and nowhere else.

solution2
 2 ACCPTED  2012-05-06 03:49:54

Are you living in the EU? I can describe the situation here. The legal aspects of signatures are sort of regulated by Directive 1999/93/EC. There will be an updated version of this, so there will be some changes in the details, but generally the Directive does distinguish between server-based signatures and signatures made by an individual locally, having sole control over the process.

Being in sole control of a local process has a lot of security advantages, among them:

  • Using what the Directive calls a Secure Signature Creation Device (SSCD), such as a smart card. Using a tamper-proof device is definitely considered an advantage, although it can still be exploited when the attacker is eg in control of the computer/OS the SSCD is attached to.

  • The "What you see is what you sign" principle that was vaguely described in the Directive. Ideally, you should be able to view the data you are about to sign on a trustworthy device. This is impossible to guarantee with server-side signatures.

  • Key escrow. If the server signs, the key is most likely also stored on the server. And it's very, very hard to implement a solution where a key is on the server where only clients may access it, it's much more often the case that you need to trust the party operating the server.

That said, it is possible to secure the transport from client to server using eg TLS and still having a reasonably secure service. But pertaining the law (at least in the EU), the notion of a "non-repudiation" signature, a signature which is meant to be issued by an individual person, is only possible in the context of "local signatures". Accredited CAs here won't issue non-repudiation certificates to legal entities for example, such a certificate will only be issued to a real person, typically on an SSCD.

The downside of SSCDs has been that it is very hard to roll out large-scale deployments of software that would make use of them, especially across company/state boundaries because there are still a lot of interoperability issues with the myriads of hardware, the cost and the plain and simple fact that it's just less convenient.

solution3
 1  2012-05-06 04:31:55

If the signature is made by the user (human operator), then it's a question of trust to the server where the key resides.

Normally "signature is made by the user on behalf on the user" means that the user owns the key which is used for signing. In this case it makes little sense to put the private key on the server. And if you need this scheme, then either the signature is made not by the owner or the signature is made not on behalf of the individual making it.

But technically signing the data on the server (as you describe) is possible and in properly implemented architecture the user should be able to get the signed copy back and manually validate the signed document to ensure that this is what he (or the server on his behalf) intended to sign.

Another question is whether the server doesn't (intentionally or due to security breach) use the private key of the user to sign anything besides the requested documents. This is extremely hard to ensure unless you have a server specifically crafted for exactly one operation (signing of something) and in this case you would probably deal with specialized hardware device (such as one offered by SafeNet), not with a generic Windows/Linux/... server operating system.

We have a distributed cryptography module in our SecureBlackbox product, which implements similar scheme to what you describe, but roles are usually reversed: the user possesses the key and uses it to locally sign the document which resides on the server and is not transferred to the client. In that module we use TLS to ensure security of the channel and signing is performed on the computer of the user, so the private key remains strictly secret. However, the scheme you describe is also possible to implement using that module.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Implement Digital Signature in Client /Web Server Architecture Java: digital signature different on linux server than on windows client Signing with DSS Desktop App (Digital Signature Service) Signing a hash with DSS (Digital Signature Service) java.security.Signature,object not initialized for signing Explain the difference between Java *client* security concerns and *server* security concerns I have a 3rd party digital signature Java applet that is having issue on "some" client computers, I know how to verify the version but . Signing with javax.crypto.Cipher vs java.security.Signature What is the best cross-browser solution for browser based document signing (w/ digital signature)? Digital signing jar file
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM