The problem of ambiguous presentation of electronic documents has been deeply investigated in the recent literature mainly in the context of digital signature. Indeed, despite the intended goal of digital signature to guarantee the integrity of any signed document, the above problem demonstrates that the visualization of its content might vary, depending on the context. The main source of ambiguity known in the literature is the feature of many document formats to have a dynamic presentation depending on the execution of some embedded instruction. This is for example the case of PDF files which may incorporate java scripts. A similar problem may occur whenever a document can import external fonts. It is widely accepted that some formats like image (bitmap, tiff, etc.) and plain text (beside some specific format like PDF/A) are extremely safe from this point of view, since documents in these formats cannot be dynamic. As a consequence they are strongly recommended by technical rules of most countries for documents being signed in case a high level of trust is required. In this paper we present a new source of ambiguity of electronic documents which may regard also image files, allowing us to implement a new type of attack on digital signature aimed to obtain signed documents with potential (legal) effects different from those desired by the signer. The paper proves the attack by example and gives a possible way to contrast it.

The Dalì Attack on Digital Signature

BUCCAFURRI, Francesco;LAX, Gianluca
2008

Abstract

The problem of ambiguous presentation of electronic documents has been deeply investigated in the recent literature mainly in the context of digital signature. Indeed, despite the intended goal of digital signature to guarantee the integrity of any signed document, the above problem demonstrates that the visualization of its content might vary, depending on the context. The main source of ambiguity known in the literature is the feature of many document formats to have a dynamic presentation depending on the execution of some embedded instruction. This is for example the case of PDF files which may incorporate java scripts. A similar problem may occur whenever a document can import external fonts. It is widely accepted that some formats like image (bitmap, tiff, etc.) and plain text (beside some specific format like PDF/A) are extremely safe from this point of view, since documents in these formats cannot be dynamic. As a consequence they are strongly recommended by technical rules of most countries for documents being signed in case a high level of trust is required. In this paper we present a new source of ambiguity of electronic documents which may regard also image files, allowing us to implement a new type of attack on digital signature aimed to obtain signed documents with potential (legal) effects different from those desired by the signer. The paper proves the attack by example and gives a possible way to contrast it.
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: http://hdl.handle.net/20.500.12318/5341
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus ND
  • ???jsp.display-item.citation.isi??? ND
social impact