Showing results for tags 'signature'.

Found 2 results

  1. 1. Introduction

Electronic signatures were first used in 1861, when agreements were signed by telegraph using Morse code. In 1869 the New Hampshire court confirmed the legality of such agreements in Howley v. Whipple, stating that: “It makes no difference whether [the telegraph] operator writes the offer or the acceptance in the presence of his principal and by his express direction, with a steel pen an inch long attached to an ordinary penholder, or whether his pen be a copper wire a thousand miles long. In either case the thought is communicated to the paper by the use of the finger resting upon the pen; nor does it make any difference that in one case common record ink is used, while in the other case a more subtle fluid, known as electricity, performs the same office.” In the past, electronic signatures were accepted with mixed feelings. Nowadays they are considered a secure means of authentication and are often used to sign legal documents such as contracts and tax declarations. The European Union (EU) and the United States (US), the two largest financial markets, have adopted legislation recognizing the enforceability of electronic signatures.

This article provides an overview of the laws concerning electronic signatures in the EU (Section 2) and the US (Section 3). It then examines the similarities and differences between the EU and US laws (Section 4), analyses the validity of EU electronic signatures in the US and vice versa (Section 5), and draws a conclusion (Section 6).

Before proceeding to Section 2, it is necessary to clarify the difference between an electronic signature and a digital signature. Any signature in electronic form can be broadly defined as an electronic signature. A digital signature is a type of electronic signature created with cryptographic techniques, typically based on a Public Key Infrastructure (PKI). The term “PKI” refers to the set of computer systems, individuals, policies, and procedures necessary to provide encryption, integrity, non-repudiation, and authentication services by way of public and private key cryptography.

2. EU electronic signature laws

The EU Electronic Signatures Directive 1999/93/EC (the “Directive”) currently regulates electronic signatures in the EU. On July 1st, 2016, the Directive will be replaced by a new European Regulation (the eIDAS Regulation, (EU) No 910/2014), which will ensure the cross-border operability of electronic signatures within the EU. The Directive defines three types of electronic signature: the basic electronic signature (Section 2.1), the advanced electronic signature (Section 2.2), and the qualified electronic signature (Section 2.3). They are discussed below.

2.1 Basic electronic signature

The term “basic electronic signature” refers to “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.” This type of electronic signature is considered weak in terms of reliability and security of authentication. For example, a scanned signature attached to a document is a basic electronic signature. Basic electronic signatures can be easily faked. Faked signatures are not limited to the basic type, either: a 2012 McAfee report stated that, at that time, there were 200,000 malware programs carrying valid electronic signatures, a large number of which were faked or based on stolen certificates. Some of those signatures indicated that the software was signed by Microsoft when it was actually signed by an attacker.

2.2 Advanced electronic signature

An advanced electronic signature allows the unique identification and authentication of the signer of a document, and it also allows the integrity of the signed data to be checked. In most cases, asymmetric cryptographic technologies (e.g., PKI) are used for advanced electronic signatures. There is no difference between the legal value of the basic electronic signature and that of the advanced electronic signature: both can have legal effect if they offer sufficient guarantees of authenticity and integrity. According to the Directive, an advanced electronic signature must meet four requirements:

(1) it is uniquely linked to the signatory;
(2) it is capable of identifying the signatory;
(3) it is created using means that the signatory can maintain under their sole control; and
(4) it is linked to the data to which it relates in such a manner that any subsequent change in the data is detectable.

Regarding the first requirement, the uniqueness of an electronic signature depends on how unique a signature key is to an individual. Properly generated signature keys are unique in practice. For instance, the recommended parameters for RSA (a widely used digital signature algorithm) should provide at least the security of a 128-bit symmetric key, which means there are at least 2^128 (about 3 × 10^38) possible signature keys. Because this number vastly exceeds the number of people in the world, it is very unlikely that two individuals will ever generate the same signature key.

Concerning the second requirement, a signatory can be “identified” by verifying an electronic signature created by the signatory, for example through a PKI system in which a certificate binds the verification key to the signatory's identity.

With regard to the third requirement, the confidence that an electronic signature could only have been produced by the designated signatory requires confidence in: (1) the processes surrounding the generation of signature keys; (2) the ongoing management of signature keys; and (3) the secure operation of the computing device used to compute the electronic signature.

In relation to the fourth requirement, the only form of electronic signature capable of complying with it is a cryptographic (digital) signature computed with the signatory's private key over the signed data, because any later change to the data causes verification to fail; a scanned image of a signature is not bound to the content of the document at all.

2.3 Qualified electronic signature

According to the Directive, a qualified electronic signature is an advanced electronic signature which is based on a qualified certificate and which is created by a secure-signature-creation device. In practice, the qualified electronic signature is a PKI-based electronic signature for which the signing certificate and the device used to create the signature meet certain quality requirements. The qualified electronic signature benefits from automatic legal equivalence to a handwritten signature within the territory of the European Union. If a non-qualified signature is used, two factors must be assessed before accepting it in the specific context in which it is used: (1) the characteristics of the electronic signature; and (2) whether it offers sufficient guarantees regarding authenticity and integrity. For the qualified signature, such an assessment is not necessary.

3. US electronic signature laws

The US Electronic Signatures in Global and National Commerce Act (E-Sign Act) allows the use of electronic signatures to “satisfy any statute, regulation, or rule of law requiring that such information be provided in writing, if the consumer has affirmatively consented to such use and has not withdrawn such consent.” According to the E-Sign Act, an electronic signature is “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” Consequently, the electronic signature as defined by the E-Sign Act may include, but is not limited to, encryption-based signatures, signatures created on electronic signing pads, and scanned signatures.

The E-Sign Act does not apply to every type of document. Records not covered by it include, without limitation, adoption paperwork, divorce decrees, court documents, documentation accompanying the transportation of hazardous materials, foreclosures, prenuptial agreements, and wills. It should be noted that 48 US states have adopted the Uniform Electronic Transactions Act (UETA), which aims to create more uniformity in relation to electronic signatures. The UETA and the E-Sign Act overlap significantly; however, the UETA is more comprehensive than the E-Sign Act. Like the E-Sign Act, the UETA does not distinguish between different types of electronic signatures.

4. Similarities and differences between the EU and US laws

The similarity between the E-Sign Act and the Directive is that both recognize the enforceability of electronic signatures. The difference is that, whereas the Directive distinguishes three types of electronic signature, the E-Sign Act provides a single broad definition of electronic signature that encompasses signatures made with various technologies.

5. The validity of EU electronic signatures in the US and vice versa

In most cases, electronic signatures meeting the requirements of the Directive will also comply with the E-Sign Act, because the E-Sign Act defines the electronic signature broadly. However, electronic signatures complying with the E-Sign Act would need to meet additional requirements in order to qualify as advanced or qualified electronic signatures under the Directive.

6. Conclusions

This article has shown that electronic signatures are legally enforceable in both the EU and the US. However, the EU and the US have adopted different legislative approaches. While the US provides a broad definition of electronic signature, the EU distinguishes three types: (1) the basic electronic signature, (2) the advanced electronic signature, and (3) the qualified electronic signature. Each of the three allows the authentication of electronic communications; the advanced and qualified electronic signatures provide greater assurance of authenticity than the basic electronic signature, and the qualified electronic signature benefits from automatic legal equivalence to handwritten signatures. Although the EU has a comprehensive legal framework for electronic signatures, that framework does not ensure the cross-border interoperability of electronic signatures throughout the entire EU. The new EU Regulation, which will enter into force on 1st July 2016, addresses this issue by ensuring that electronic trust services (e.g., electronic signatures, electronic seals, time stamps, electronic delivery services, and website authentication) will work across all EU countries.

EU Commissioner Neelie Kroes justified the new Regulation as follows: “People and businesses should be able to transact within a borderless Digital Single Market, that is the value of Internet. Legal certainty and trust is also essential, so a more comprehensive eSignatures and eIdentification Regulation is needed.”

* The author would like to thank Rasa Juzenaite for her invaluable contribution to this article.

References

1. Abelson, H., Ledeen, K., Lewis, H., ‘Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion’, Addison-Wesley Professional, 2012.
2. ‘Community framework for electronic signatures’, a webpage published by the European Commission, last updated on 6 July 2011.
3. Chander, H., ‘Cyber Laws and IT Protection’, PHI Learning Pvt. Ltd., 3 April 2012.
4. De Andrade, N., ‘Electronic Identity’, Springer, 2014.
5. Howley v. Whipple, 48 N.H. 487 (1869).
6. Liard, B., Lyannaz, C., ‘Adoption of a new European legal framework applicable to cross-border electronic identification and e-signatures’, September 2014.
7. Mason, S., ‘Electronic Signatures in Law’, Cambridge University Press, 2012.
8. Menna, M., ‘From Jamestown to the Silicon Valley, Pioneering A Lawless Frontier: The Electronic Signatures in Global and National Commerce Act’, 6 VA. J.L. & TECH 12, 2001.
9. Miller, R., ‘Cengage Advantage Books: Fundamentals of Business Law: Excerpted Cases’, Cengage Learning, 2012.
10. Orijano, S., ‘Cryptography InfoSec Pro Guide’, McGraw Hill Professional, 16 August 2013.
11. Savin, A., ‘EU Internet Law’, Edward Elgar Publishing, 2013.
12. Savin, A., Trzaskowski, J., ‘Research Handbook on EU Internet Law’, Edward Elgar Publishing, 2014.
13. Schmugar, C., ‘Signed Malware: You Can Run, But You Can’t Hide’, 23 March 2012. Available at https://blogs.mcafee.com/mcafee-labs/signed-malware-you-can-runbut-you-cant-hide
14. Srivastava, A., ‘Electronic Signatures for B2B Contracts: Evidence from Australia’, Springer India, 2014.
15. Wang, F., ‘Law of Electronic Commercial Transactions: Contemporary Issues in the EU, US and China’, Routledge, 2014.
  2. 1. Introduction

In this third part of the series we will see something similar to the second article, but a little more advanced. This article covers the Digital Signature Algorithm (DSA) and the Digital Signature Standard (DSS).

2. Tools Needed

The target file (CryptoChallenge3.exe)
DSAK: my own DSA/DSS key generator (requires dotNetFx4)
PEiD
.NET Reflector
Reflexil

3. What is DSA/DSS?

The Digital Signature Algorithm (DSA) is a public-key signature scheme developed by the U.S. National Security Agency (NSA). It was proposed by the U.S. National Institute of Standards and Technology (NIST) in 1991 and became a U.S. Federal Information Processing Standard (FIPS 186) called the Digital Signature Standard (DSS). It is considered the first digital signature scheme recognized by any government. DSA is a variant of the ElGamal signature scheme.

A. Parameters

P = a prime of 512 to 1024 bits whose length is a multiple of 64 (the original FIPS 186 sizes; FIPS 186-4 now specifies 1024-, 2048- or 3072-bit P with a 160-, 224- or 256-bit Q)
Q = a 160-bit prime factor of P-1
G = H^((P-1)/Q) mod P, where H is any number 1 < H < P-1 such that H^((P-1)/Q) mod P > 1
X = a random number with 0 < X < Q
Y = G^X mod P

The public values are (P, Q, G, Y). The private key is X; recovering X from Y means solving the discrete logarithm problem (DLP) in the subgroup of order Q.

B. Signing

To sign a message M:
Generate a random number K with 0 < K < Q
Compute R = (G^K mod P) mod Q
Compute S = (K^-1 * (SHA(M) + X*R)) mod Q
The pair (R, S) is the signature of M. If R = 0 or S = 0, discard K and start again. K must be secret and freshly generated for every signature: two signatures made with the same K share the same R, and from the two S values anyone can compute K and then X.

C. Verifying

Given the signature (R, S), verify it as follows:
Check that 0 < R < Q and 0 < S < Q (otherwise S^-1 mod Q is undefined or the check is trivially forgeable)
Compute W = S^-1 mod Q
Compute U1 = (SHA(M) * W) mod Q
Compute U2 = (R * W) mod Q
Compute V = ((G^U1 * Y^U2) mod P) mod Q
Confirm that V == R

D. Example

Using the tool I recently made, “DSAKEYGENERATOR”, we can see the previous steps in action. The tool is user friendly and gives full control: you can generate keys and test them, or input your own keys and work on them. Its controls are:

Prime P size, from 512 to 1024 bits.
Generate new keys.
Test the keys.
Calculate Y, in case you already have the keys from somewhere else.
Generate new G and X; Y is then calculated automatically.

Clicking “TEST” opens a new window with:

a checkbox that generates a random K every second (checked by default; it must be unchecked when signing so that R and S stay fixed);
a button to sign a message;
a button to verify a message.

4. Target analysis

Here we have the challenge, as shown in the picture below. Loading it in PEiD shows something new: an unpacked, unprotected .NET application, unlike the previous two challenges, which were written in MASM. That is not a problem, but since it is a .NET application we cannot use OllyDbg; instead we use .NET Reflector. Load the assembly in Reflector and keep expanding until you reach Form1.

There are a lot of methods, but the one that interests us is btn_check_Click, since it is tied to the only button in the challenge. Click it and the code is easy to follow: the typed name is stored in a variable ‘text’ and the typed serial in ‘input’. The name length must be between 3 and 15, and the serial length between 0x4F (79) and 0x51 (81). A method isHex(string x) then does some checking. It calls Regex.IsMatch to test whether the serial matches the pattern “^[0-9A-Fa-f]{40}[-][0-9A-Fa-f]{40}?$”:

^: start of string.
[0-9A-Fa-f]: one character from 0 to 9, A to F or a to f.
{40}: exactly 40 of them.
[-]: one hyphen.
?: placed after {40}, this only makes the quantifier lazy, which changes nothing for an exact count; it does not make the second group optional.
$: end of string.

So the serial must be 40 hexadecimal characters, a hyphen ‘-’ and another 40 hexadecimal characters, i.e. exactly 81 characters, the upper bound of the length check. If name and serial pass, the serial is split at the hyphen into a string array strArray: the part before the hyphen and the part after it.

A method verify(string name, string rx, string sx), returning a bool, then decides whether the serial is right. Comparing its variables (integer8, exp, integer10 and integer11) with the DSA verification steps gives:

modulus = order Q
n = prime P
integer3 = generator G
integer4 = public key Y
integer6 = rx = R = strArray[0], the first part of the serial
sx = S = strArray[1], the second part of the serial
integer8 = W
exp = U1
integer10 = U2
integer11 = V

Now we have everything we need. The only problem is that recovering X from Y means solving a discrete logarithm with 512-bit P, G and Y, which is far out of reach here. So instead we replace the challenge’s keys with new ones for which we hold the private key X; in other words, we patch the target. That is Reflexil’s job.

First open DSAKeygenerator and generate some 512-bit keys; leave it open. Assuming you have already downloaded Reflexil, extract the archive; inside a folder you will find a dll called “Reflexil.Reflector.AIO.dll”. Move it somewhere it won’t be deleted (C:\ for example). Back in Reflector, do as shown in the pictures below: choose the dll file and close, then go to the Tools menu and click Reflexil. Right-click offset 0 and click Edit; change the operand at offset 0 to the Q generated in DSAKeygenerator. Do the same at offset 13 with P, offset 26 with G and offset 39 with Y.

I got the following keys from DSAKeygenerator:

Q = EEFBBFE158DBB7C602BE9540B89FF681EED0310D
P = 86CC13E777A3ED808B3B17B3AC6C78D5ABA5F15746B1A68C72B6F530A6B723390B486228E0F715DBB593206801DF48E3E56DF57336E2BD6219EE8DEFD001F6E7
G = 1E342C53DBE73C97FF8D8022B8EB18329181B821B10A5DBFC2688DDCC9DB5DF84079DA58E81FEEA43AAD38A8C1D3901E25859C7AB63AFEE1145EFD02DCC9B1AA
X = AF12001D2043D47E8E1B661958177B6068C8FAA2
Y = 2C166A5F90BD4B40D159CD48CC4391A8322BF3839DB58DA6EB0EEDF9D322AC3446EBAB0362F6BFB7127320C6CCED2CF77C915A1B56E5CE57A1758B53DAFA9C45

The result in Reflexil must look like the picture. Then, in the assembly browser, right-click the main assembly (1) and follow the steps shown.

Now that the challenge is patched with the new keys, we must generate the signature (R, S) with DSAKeygenerator (hopefully you did not close it; if so, refill each key with the values above without clicking the ‘generate keys’ button) and click TEST as shown below. I changed M to “Jamal Chahir” and unchecked the “RAND” checkbox so that I get a fixed R and S. All that remains is to enter the name and serial in the patched challenge:

Name: Jamal Chahir
Serial (R-S): 5DD88D3FE73B83F8027BB0AD3A53D404F887840B-E189F0BAC17C03EDA24FD5FD837FA397D6501321

The picture above shows that the application is successfully registered. That’s it.

5. Conclusion

The whole idea behind this article was to show that key size is no obstacle once you completely understand the algorithm: a verifier that carries its own public key inside the binary can be defeated by replacing that key, without touching the mathematics at all. There are still plenty of ways to deal with that problem, depending on how the programmer thinks.

Download links:
Target: https://www.dropbox.com/s/u7ywze2gsmweskk/CryptoChallenge3.rar?dl=0
DSAK: https://www.dropbox.com/s/b7lveh2lc8fukcs/DSAK.rar?dl=0
PEiD: PEiD Download - Softpedia
.NET Reflector: .NET decompiler: decompile any .NET code | .NET Reflector
Reflexil: reflexil.net

Sources: http://en.wikipedia.org/wiki/Digital_Signature_Algorithm
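The DSA steps of section 3 and the challenge's serial check of section 4, worked through in Python as an added example (this is not the DSAK tool and not the challenge's decompiled code). It generates its own (P, Q, G) instead of reusing the 512-bit values quoted above, assumes SHA-1 over the UTF-8 bytes of the name and the 79-81 length gate plus regex as described, and uses "Jamal Chahir" from the article; all function names are this example's own. `walkthrough()` replays the attack: the serial we sign with our own X fails against the author's Y, passes once the verifier carries our (P, Q, G, Y), fails for a different name, and `recover_x` shows why section 3.B insists on a fresh K per signature.

```python
"""DSA (FIPS 186) per sections 3.A-3.C above, the challenge's serial check from
section 4, the key-swap that defeats it, and the nonce-reuse failure mode.
Added example; not the DSAK tool or the challenge's own code."""
import hashlib
import random
import re

SERIAL_RE = re.compile(r"^[0-9A-Fa-f]{40}-[0-9A-Fa-f]{40}$")  # the challenge's isHex()


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin after small trial division (error probability < 4**-rounds)."""
    if n < 14:
        return n in (2, 3, 5, 7, 11, 13)
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(p_bits, q_bits, rng):
    """(P, Q, G) per 3.A: Q prime, P = k*Q + 1 prime of p_bits bits, G of order Q."""
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q, rng):
            continue
        for _ in range(4 * p_bits):
            k = rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
            p = k * q + 1
            if p.bit_length() == p_bits and is_probable_prime(p, rng):
                while True:  # G = H^((P-1)/Q) mod P, retried until G > 1
                    g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
                    if g > 1:
                        return p, q, g


def digest(message, q):
    """SHA(M) of 3.B/3.C as an integer mod Q (UTF-8 input is an assumption)."""
    return int.from_bytes(hashlib.sha1(message.encode("utf-8")).digest(), "big") % q


def sign(p, q, g, x, message, rng, k=None):
    """(R, S) per 3.B.  K must be secret and fresh; k is exposed only for the reuse demo."""
    nonce = k if k is not None else rng.randrange(1, q)
    r = pow(g, nonce, p) % q
    s = pow(nonce, -1, q) * (digest(message, q) + x * r) % q
    return (r, s) if r and s else sign(p, q, g, x, message, rng)  # R or S = 0: fresh K


def verify(p, q, g, y, message, r, s):
    """V == R per 3.C, after the range check that must precede S^-1 mod Q."""
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = digest(message, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r


def check_serial(p, q, g, y, name, serial):
    """btn_check_Click: name/serial length gates, isHex regex, split on '-', DSA verify."""
    if not (3 <= len(name) <= 15 and 79 <= len(serial) <= 81 and SERIAL_RE.match(serial)):
        return False
    rx, sx = serial.split("-")
    return verify(p, q, g, y, name, int(rx, 16), int(sx, 16))


def recover_x(q, m1, sig1, m2, sig2):
    """Same K twice => same R; K = (H1-H2)/(S1-S2) mod Q, then X = (S1*K-H1)/R mod Q."""
    (r, s1), (_, s2) = sig1, sig2
    h1, h2 = digest(m1, q), digest(m2, q)
    k = (h1 - h2) * pow((s1 - s2) % q, -1, q) % q
    return (s1 * k - h1) * pow(r, -1, q) % q


def walkthrough(p_bits=512, q_bits=160, seed=None):
    """Section 4 replayed; returns which checks pass.  A seed is only for reproducibility."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    p0, q0, g0 = generate_params(p_bits, q_bits, rng)  # the author's parameters
    y_author = pow(g0, rng.randrange(1, q0), p0)       # the author's Y; X unknown to us
    p, q, g = generate_params(p_bits, q_bits, rng)     # our set, what gets pasted in via Reflexil
    x = rng.randrange(1, q)                             # our private key
    y = pow(g, x, p)
    name = "Jamal Chahir"
    serial = "%040X-%040X" % sign(p, q, g, x, name, rng)
    k = rng.randrange(1, q)
    sig_a, sig_b = (sign(p, q, g, x, m, rng, k=k) for m in ("msg A", "msg B"))  # reused K
    return {
        "unpatched_accepts": check_serial(p0, q0, g0, y_author, name, serial),
        "patched_accepts": check_serial(p, q, g, y, name, serial),
        "other_name_accepts": check_serial(p, q, g, y, "Jamal Chahi", serial),
        "nonce_reuse_recovers_x": recover_x(q, "msg A", sig_a, "msg B", sig_b) == x,
    }
```

`walkthrough()` with the default 512/160-bit sizes runs in well under a second in pure Python, which is also a reminder that generating a fresh, valid key set is cheap; only inverting Y is expensive. Note what the RAND checkbox in the tool implies: with it unchecked, two different messages signed in the same session share K, and `recover_x` applied to the two resulting serials yields the private key. The unpatched/patched pair is the whole point of the walkthrough: nothing in the DSA math was broken, only the trust anchor stored in the binary was swapped.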