How to unwittingly sign non-repudiable documents with Java applications

Digital signatures allow us to produce documents whose integrity and authenticity, as we generated them, are verifiable by anybody who has access to our public key. Furthermore, we cannot repudiate those documents as something we never saw, let alone signed, since nobody else but us could access our...

Bibliographic details
Main authors: Bruschi, D., Fabris, D., Glave, V., Rosti, E.
Format: Conference proceeding
Language: eng
container_end_page 196
container_issue
container_start_page 192
container_title
container_volume
creator Bruschi, D.
Fabris, D.
Glave, V.
Rosti, E.
description Digital signatures allow us to produce documents whose integrity and authenticity, as we generated them, are verifiable by anybody who has access to our public key. Furthermore, we cannot repudiate those documents as something we never saw, let alone signed, since nobody else but us could access our private key. We show how the previous statement can be proved wrong when carefully crafted malicious software is installed on a machine running a Java digital signature application. By using such software, a user may unwittingly sign another document besides the one he/she intends to digitally sign or sign a different document altogether. Our attack exploits a known vulnerability of the security architecture of the Java run-time environment that allows non-Java malicious software to replace some Java system classes with malicious ones, which then alter the victim application behavior.
doi_str_mv 10.1109/CSAC.2003.1254324
format Conference Proceeding
fulltext fulltext_linktorsrc
identifier ISBN: 9780769520414
ispartof 19th Annual Computer Security Applications Conference, 2003. Proceedings, 2003, p.192-196
issn
language eng
recordid cdi_ieee_primary_1254324
source IEEE Electronic Library (IEL) Conference Proceedings
subjects Application software
Banking
Computer architecture
Digital signatures
Electronic mail
Java
Public key
Public key cryptography
Runtime environment
Writing
title How to unwittingly sign non-repudiable documents with Java applications
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-31T13%3A53%3A28IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=How%20to%20unwittingly%20sign%20non-repudiable%20documents%20with%20Java%20applications&rft.btitle=19th%20Annual%20Computer%20Security%20Applications%20Conference,%202003.%20Proceedings&rft.au=Bruschi,%20D.&rft.date=2003&rft.spage=192&rft.epage=196&rft.pages=192-196&rft.isbn=9780769520414&rft.isbn_list=0769520413&rft_id=info:doi/10.1109/CSAC.2003.1254324&rft_dat=%3Cieee_6IE%3E1254324%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=1254324&rfr_iscdi=true