Sunday, December 11, 2016

Electronic Signatures - Snake Oil

Electronic signatures are commonly used in the more advanced enterprises to sign documents, mostly PDF files.  Unfortunately, the typical implementation is broken and doesn't work, and a broken implementation reduces the whole thing to snake oil.

A typical IT system is set up and managed by one or two overworked computer geeks who clicked through a setup wizard to configure a key server on the company LAN.  The public and private keys are distributed on the company workstations and laptop PCs by Active Directory and GPG and once it looks like it is working and some users can sign a document, the whole universe shakes, angels and birds sing, flowers fall down from heaven and all is well... or is it?

I wanted to be able to sign documents on my engineering laptop PC which runs Linux, not just my office PC, which runs Windows (and which usually has some problem or another).  So I asked IT for a copy of my Private key.  After a few months, they emailed me my Public key.  So clearly, the IT geeks don't understand the basics of public/private key systems, yet they are entrusted with managing it...

Consequently, I spent a few minutes looking into the setup.  As far as I can figure, the Private key resides somewhere on my Windows PC, but I don't have administrator rights to it, so I cannot recover it, and I don't want admin rights on a Windows PC, since then I would be responsible for everything that goes wrong with it.

Thinking about it a bit more, I realized that it is my key, so only I should have access to it, but on a Windows PC, the IT administrators can do anything, so the key is not mine only, it is theirs too.  They can take my supposedly private key and do with it what they want.

The only thing that prevents the corporate IT administrators from misusing my private key and impersonating me is their incompetence.

Therefore, I can sign a document on my office PC and everyone will then think that it was me, but it could have been someone else, because IT has access to the private keys of everybody and Windows machines are not exactly known for their security.

Furthermore, since the PDF reader can only verify signatures when the LAN and Key Server work properly, it frequently happens that one opens a document and gets a warning that the signatures cannot be verified - so all users are used to ignoring that warning.  The result is that anyone can subvert the keys and sign anything with any made-up key, and no-one will notice or care.  Also, since the company key server is private, anyone outside the company cannot verify the signatures at all, which, all things considered, is probably a good thing.
