The PKI/Workflow Minefield
www.cs.dartmouth.edu/~pkilab/demos/workflow/index.shtml
Last modified: 02/13/02 11:46:57 AM
Disclaimers
Please note that this is a preliminary demo... we're still
working out some bugs here, and we're also working out the full
implications.
Also, please note that we do not intend this work to disparage
E-Lock---we used their tools only because word-of-mouth said
they had the best PKI/Office package.
The Issue
A mantra I keep repeating is: "the mismatch between user perceptions
and the underlying technology continually causes trouble." This
mismatch creates a minefield for integration of PKI with common
electronic workflow.
- Users think about the object as what they see when they open
or print it.
- When they "sign" such an object, they intend to commit to what
they have seen.
However...
- These objects are computational in nature: what is
seen when opened depends on a number of input parameters.
- PKI tends to treat these objects as the binaries themselves.
This can lead to some surprising behavior: objects changing in unanticipated
ways after they have been signed, without invalidating the signature.
Preliminary Demo
Here are some files:
- signed_demo.doc,
a digitally signed Word document.
- signer.cer, the demo certificate
with which the above document was signed.
- spoof_demo.doc.
When you view signed_demo.doc, it replaces its contents
with spoof_demo.doc.
Here is a link to get E-Lock's Assured Office software.
What to Do
If you don't have Assured Office:
- Before the Super Bowl:
- Download signed_demo.doc
- Mark it as read-only. (Heck, sign it yourself!)
- Make sure your Word has Tools->Macro->Security set to "Low"
(so our Macro will run)
- After the Super Bowl:
- Open up signed_demo.doc
- Be amazed at our accurate prediction :)
If you have Assured Office:
- Before the Super Bowl:
- Download signed_demo.doc
- Mark it as read-only
- Make sure your Word has Tools->Macro->Security set to "Low"
(so our Macro will run)
- Download signer.cer
- Configure Assured Office to validate sigs on opening
- After the Super Bowl:
- Open up signed_demo.doc
- See that the certificate verification shows
that the document has not been altered since it was signed long
before the Super Bowl. (However, the verification will still fail,
since we used an untrusted demo certificate).
- Be amazed at our accurate prediction :)
Depending on your platform and net connection, the rewrite might
be noticeable. One countermeasure here might be to use the old 1x1 pixel
image trick to get the spoof_demo.doc into your cache before you open
the real document.
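To make the bytes-versus-view mismatch concrete, here is an added Python model (not code from this page or from E-Lock's tools): a constructed document whose stored bytes embed an external-file field and a date field, signed with HMAC-SHA256 as a stand-in for a PKI signature. The byte-level signature still verifies after the external file changes, a signature over the rendering the signer actually saw does not, and a volatility check lists the fields that make the view depend on the environment.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the signer's private key; HMAC-SHA256 replaces a
# real PKI signature, since the point is what gets signed, not how.
KEY = b"demo-signing-key"

# Constructed document: fixed text plus two fields resolved at open time, in
# the spirit of the demo's macro (pulls in an external file) and Word's
# "insert date". The stored bytes never change; the rendered view does.
SIGNED_DOC = b"Prediction: {{INCLUDE:prediction.txt}}\nAs of: {{DATE}}\n"
FIELD_RE = re.compile(rb"\{\{(INCLUDE:([^}]+)|DATE)\}\}")


def sign_bytes(doc: bytes) -> bytes:
    """The PKI view: the signature covers the stored binary."""
    return hmac.new(KEY, doc, hashlib.sha256).digest()


def verify_bytes(doc: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_bytes(doc), sig)


def render(doc: bytes, env: dict) -> bytes:
    """The user's view: output depends on input parameters (date, cached files)."""
    def resolve(m):
        if m.group(1) == b"DATE":
            return env["date"].encode()
        return env["files"].get(m.group(2).decode(), b"<missing>")
    return FIELD_RE.sub(resolve, doc)


def volatile_fields(doc: bytes) -> list:
    """Check before trusting a signature: which parts are not fixed by the bytes?"""
    return [m.group(0).decode() for m in FIELD_RE.finditer(doc)]


def run_scenario() -> dict:
    # Constructed environments: the signer's machine before the game and the
    # verifier's machine after it, where the cached external file has changed.
    before = {"date": "2002-01-20", "files": {"prediction.txt": b"Team A wins"}}
    after = {"date": "2002-02-04", "files": {"prediction.txt": b"Team B wins"}}
    sig_bytes = sign_bytes(SIGNED_DOC)                 # what the PKI tool checks
    sig_view = sign_bytes(render(SIGNED_DOC, before))  # countermeasure: sign the view
    return {
        "bytes_sig_valid_after": verify_bytes(SIGNED_DOC, sig_bytes),
        "view_changed": render(SIGNED_DOC, before) != render(SIGNED_DOC, after),
        "view_sig_valid_after": verify_bytes(render(SIGNED_DOC, after), sig_view),
        "volatile": volatile_fields(SIGNED_DOC),
    }
```

Signing the rendering only helps if the verifier can reproduce the signer's environment exactly, which is why flagging volatile fields before signing is the more practical check.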
Some Scenarios
For an academic scenario, imagine:
- a student submits an assignment
- the university timestamping service timestamps it.
- the professor posts the solutions
- the professor checks the timestamp on the student's document (it's OK!)
- the professor then opens the document, and sees their own solutions
Follow-on Work
The Word Macro trick is
admittedly crude. Experienced VBA coders could probably do things
much more slickly.
Furthermore, if you want to turn macros off.... there are still things like
"insert date" in Word... and who knows what else?
Excel is even more of a wonderland. Just a few examples:
- One can write functions
based on NOW() that change the numbers after my boss has approved the form.
- Excel permits cells to be loaded from external files,
and refreshed automatically upon file open.
(Excel throws a warning up.)
- One can also make Web queries (although we need to check if one can
make it update automatically, after the sig is verified...)
- There also appear to be some "GetCurrentDirectory" and "GetFullPathName"
functions that could permit some interesting malleability,
but, poking around, there's not much documentation....
- In academic environments, folks might very well have spreadsheet
macros turned on, because that's what NSF budgets require...
PS, PDF, and PowerPoint also look promising.
Stay tuned!
Here is a link to some of the demos for Excel.....
(And, comments welcome!)