Smart card security
Hello!
Problem statement:
There is a smart card that can sign documents with an electronic signature. To sign, you need to insert the card into the card reader and enter the PIN code.
Questions:
1. How can you be sure that the PIN code will not be intercepted by some malicious software, and that this software will not later be able to sign documents without the user's knowledge? Are there any options besides using an external card reader with its own keypad?
2. How can you be sure that malware has not replaced the signed document with another one?
Similar systems are used in many places (in Estonia, for example, at the state level); how do developers get around these problems?
> how developers get around these problems
You need to have a separate screen and a separate button on the device. The main fields of the payment document are displayed on the screen, and if the user agrees, he presses the button, thereby giving the command to create an EDS.
If it is a smart card without a screen and without a button, then there is no protection. The PIN code is only protection in case the smart card is lost.
1. Nothing. The smart card is accessed via an API provided by the driver. If the malware has intercepted the PIN, then it can just as well perform operations with the smart card via the API. Everything can be done in the background.
2. Nothing. The smart card does not know whether the document is valid or not. It is given the hash of the document, it encrypts the hash with its private key, and it returns the result. If you pass it the hash of a bogus document, the smart card will encrypt it without asking any questions.
Conclusion: the only advantage of a smart card is that it is impossible to extract the private key from it (if everything is configured correctly), and that when it is not in the reader, nothing can physically be signed. And if the working environment is compromised and the malware has the PIN and access to the API, then, as the saying goes, "there is no defence against a crowbar."
All of the above applies to ordinary smart cards; for Java Cards you can add an applet with extra logic, so that the API alone may not be enough to sign. This is a protection option, but it requires additional work on the part of the developers and the client software.
But what about all sorts of certification centres, three-node authentication (or whatever they are called) and all that?
Surely there must be a way.
For example, you can force a smart card to sign only those documents that are sent by the server. To do this, the document must be signed by the server (certifying authority) before signing with a smart card.
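As an added illustration of the answer above (once the PIN session is open, the card signs whatever hash it is handed) and of the server-countersignature idea in the last comment, here is a constructed Python simulation; it is not code from this thread, the card classes, PIN and document strings are assumptions, and HMAC over a key that never leaves the card object stands in for the card's real private-key signature.

```python
import hashlib
import hmac
import os

# HMAC stands in for the private-key signature: the card only ever sees a 32-byte hash.
class PlainCard:  # ordinary card: once the PIN is verified it signs any hash it is handed
    def __init__(self, pin: str):
        self._pin = pin.encode()
        self._key = os.urandom(32)   # private key, never exported
        self.unlocked = False

    def verify_pin(self, pin: str) -> bool:
        self.unlocked = hmac.compare_digest(pin.encode(), self._pin)
        return self.unlocked

    def sign_hash(self, digest: bytes) -> bytes:
        if not self.unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, digest, hashlib.sha256).digest()

class CountersignCard(PlainCard):  # applet from the comment: sign only server-authorised hashes
    def __init__(self, pin: str, server_key: bytes):
        super().__init__(pin)
        self._server_key = server_key   # provisioned into the applet at issuance

    def sign_hash(self, digest: bytes, server_auth: bytes = b"") -> bytes:
        expected = hmac.new(self._server_key, digest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, server_auth):
            raise PermissionError("hash not authorised by the server")
        return super().sign_hash(digest)

def scenario() -> dict:
    # Constructed run: the user approves one document, software then swaps the hash.
    pin, server_key, result = "1234", os.urandom(32), {}
    intended = hashlib.sha256(b"transfer 100 EUR to Alice").digest()
    swapped = hashlib.sha256(b"transfer 9000 EUR to Mallory").digest()
    plain = PlainCard(pin)
    plain.verify_pin(pin)                         # user types the PIN for 'intended'
    plain.sign_hash(intended)
    # Session still unlocked: anything holding the API handle can sign again.
    result["plain_signs_swapped"] = len(plain.sign_hash(swapped)) == 32
    applet = CountersignCard(pin, server_key)
    applet.verify_pin(pin)
    auth = hmac.new(server_key, intended, hashlib.sha256).digest()  # server's countersignature
    result["applet_signs_intended"] = len(applet.sign_hash(intended, auth)) == 32
    try:
        applet.sign_hash(swapped, auth)           # countersignature does not match this hash
        result["applet_signs_swapped"] = True
    except PermissionError:
        result["applet_signs_swapped"] = False
    return result
```

The applet variant only moves the decision to the server: it refuses a hash the server never countersigned, so the server must itself be shown the document the user actually intended.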