Enterprise employees and third parties exchange an abundance of confidential documents, both internally and externally, through a variety of means, including email and file-sharing platforms. They are often advised to secure these documents by attaching a digital signature. A digital signature is a trace attached by the author of a document to attest to its authenticity. Digital signatures create an outgoing hash that can only be decrypted by a public or private key that is held by the receiving party.
How digital signatures work
Let’s quickly cover how digital signatures actually work. The encryption processes behind digital signatures can be divided into two categories: asymmetric (or public-key) and symmetric encryption. The first uses different keys for encryption and decryption, while the second refers to systems where both keys are the same. Since it is the most widespread, we are going to break down the asymmetric system. The process can be divided into two steps: signing and verification.
When a file is signed, the signing software applies an encryption method to create a hash out of the initial data. This hash, in turn, is encrypted with the signer’s private (or public) key. After the encryption, the signer attaches the developer’s certificate to affirm the authenticity of the signature. Therefore, the signed document contains both the signature of its creator and that of the software (or authority).
It is important to note that certificates are distributed to software developers by a certification authority. The authority can attest to the developer’s possession of a domain name without necessarily making sure that the developer is a trusted source.
Upon receipt of a document, your software splits the signed data into two blocks: the raw data and the signature itself. Each block is then processed: the first step hashes the data itself, and the second decrypts the signature using the receiving party’s public or private decryption key. As a result, two hashes are produced (see image below). If these hashes are equal, the signature is verified and thus considered valid.
Source: Center for Advanced Studies, Research and Development in Sardinia (CRS4)
Digital signature cybersecurity vulnerabilities
Data integrity is the main purpose of digital signatures. They make it possible for users to ensure the safety and authenticity of the data that they are dealing with. Moreover, they make sure that any request sender can be verified in order to avoid sending information to an untrusted party. Their final goal is to ensure that any party to a communication can be held liable for accepting the authenticity of the signature they apply to any document.
However, digital signatures introduce several security vulnerabilities. One classic strategy employed by threat actors involves stealing trusted private keys in order to sign fake documents and make them appear trustworthy. The methods range from simple theft through network infiltration to exhaustive search attacks (trying different key combinations to guess the correct one).
A less conventional method to overturn digital signatures is exploiting the vulnerabilities that occur during their execution. When executing a digital certificate, algorithms seem to overlook the header storage size. This leaves extra space for software developers to add links to updates and new content without having to sign it again. However, this storage space (of roughly 8 bits) can be exploited by hackers in order to plant extra data that can be dangerous to the user without changing the outcome of the signature itself. Therefore, algorithms could potentially execute dangerous content.
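The signing and verification steps described under "How digital signatures work", together with the unsigned-space problem above, as an added Python example that is not from the original article. It uses textbook RSA without padding over a constructed, deliberately weak demonstration key; the envelope layout and all function names are hypothetical.

```python
import hashlib

# Constructed demo key (assumption): two well-known Mersenne primes, so the key
# is trivially breakable. Textbook RSA, no padding: mechanics only, not for real use.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python 3.8+)
SIG_LEN = (N.bit_length() + 7) // 8    # signature size in bytes

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> bytes:
    """Signer: hash the data, transform the hash with the private key, and
    return a hypothetical envelope: 4-byte length | data | signature."""
    sig = pow(digest(data), D, N).to_bytes(SIG_LEN, "big")
    return len(data).to_bytes(4, "big") + data + sig

def split(envelope: bytes):
    """Receiver: separate raw data, signature, and any bytes after the signature."""
    n = int.from_bytes(envelope[:4], "big")
    data = envelope[4:4 + n]
    sig = envelope[4 + n:4 + n + SIG_LEN]
    return data, sig, envelope[4 + n + SIG_LEN:]

def verify(envelope: bytes, strict: bool = True) -> bool:
    """Valid only if the hash recovered with the public key equals the hash of
    the received data. strict=True also rejects bytes outside the signed range."""
    data, sig, trailer = split(envelope)
    if len(sig) != SIG_LEN or (strict and trailer):
        return False
    return pow(int.from_bytes(sig, "big"), E, N) == digest(data)

def demo():
    signed = sign(b"Q3 supplier contract, total 48,000 EUR")   # constructed sample
    tampered = signed.replace(b"48,000", b"98,000")            # data changed after signing
    padded = signed + b"unsigned extra bytes"                  # outside the signed range
    return (verify(signed), verify(tampered),
            verify(padded, strict=False), verify(padded))

if __name__ == "__main__":
    print(demo())
```

The lenient verifier accepts the padded envelope because the appended bytes were never hashed, which is why a verifier should treat anything outside the signed range as untrusted or reject it outright.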
Although hackers can use illegal methods in order to exploit digital certificates, there is a gray area that allows them to remain in the realm of legality while being malicious. This can be demonstrated through the process by which certification authorities issue digital certificates. In fact, most of these authorities issue a certificate to organisations on the basis that they have a domain name, along with other minor criteria. This means that not all certificates can be trusted, which explains a surge in the issuance of untrusted certificates in the last decade. In addition to this, certification authorities tend to be relatively slow at revoking certificates. To put it succinctly, it is possible that people open files that are signed with untrusted certificates and that could potentially infect their systems.
Verisign, an internet infrastructure company, underwent a serious attack caused by the signature-faking malware called Troj/BHO-QP (Browser Helper Object). The malware was hidden under the appearance of a flash player extension from Microsoft, which was installed to accompany the game automation software QQ. This malware was used to install a fake “VeriSign Class 3 Code Signing 2009 CA” trusted root certificate, which allows Troj/BHO to avoid being declared as “not verified”. This malware can pose several types of threats, from phishing and adware up to collecting data through installing undesirable extensions (web browsers being easy access installers). Although the attack was complex, the hackers actually overlooked several details. An individual with basic cybersecurity knowledge taking a closer look would notice that the nomenclature on the rogue certificate is filled with mistakes. However, the backdoor installation of malware could not have been easily spotted.