[Ed: Clarification received from ICICI Bank on October 20, 2004 is here.]
It was a pleasant surprise for the undersigned to receive today an
e-mail from ICICI stating that the mail is digitally signed.
However I was sorry to find out soon that the usage of the digital signature
was not correct and was amenable to misuse.
It is to bring to the notice of the public the problems in wrong usage of
digital signatures that I am providing the details here.
The e-mail received is
reproduced here.
This e-mail had two attachments one containing the file to be
authenticated with the signature and the other the digital signature file which
could be read with the SafeDoxx verification utility. ( A
link was provided for free download of the utility along with the mail)
It was however noticed that the digital signature file had
not been linked to the file that it was supposed to authenticate.
To test the possibility of the digital signature not having
any relation to the file to be authenticated, a mail was sent with a different
attached file and the same digital signature. As was suspected the two
attachments were received in a form similar to the original mail of ICICI and
the digital signature when checked declared itself verified.
In other words the digital signature attached to a file could
be taken and reattached to a different file with the recipient not being in a
position to identify the difference.
The e-mail to which a different file and the same digital
signature was attached is
available here.
The digital signature confirmation received for the digital
signature attached to the different file is
available here. ( Please note that the attached file here has a different
name but could have been named same as the original file if required).
This is a serious lacuna in the system and ICICI and the SafeDoXX suppliers
need to rethink on how to use the system.
Naavi
September 7 2004
Clarification received from ICICI Bank on October 20, 2004 is here.
