Electronic signature in a trusted environment based on the bootable Ubuntu 14.04 LTS and Rutoken EDS Flash
The procedure of imposing an electronic signature, designed to ensure the confirmation of the integrity of the signed document and its authorship, may in itself be unsafe.
The main attacks on an ES are key theft and substitution of the information being signed, as well as unauthorized access to the ES tool (for example, a USB token) by stealing its PIN code.
These attacks are implemented in various ways and at various levels. At the OS level, it is the introduction of malware (viruses, spyware, rootkits, etc.) that is able to steal keys, PIN-codes and do document substitutions by reading and / or replacing data in the memory of the system process using various mechanisms " Hack "embedded in the OS.
If we are talking about signing in the browser, then the man-in-the-middle attack is added to these attacks, which is aimed at modifying the signed data on a web page or at stealing a PIN code or intercepting the secure token to allow an attacker to pretend to be a subscriber of the system. . In addition, the sites can attack the type of CSS, due to the disorder of the developers of the site.
Obviously, to protect the client as much as possible during the ES procedure is possible only with a set of measures.
These measures include:
Some time ago, our company released a new Rutoken EDS Flash . This two-in-one device is a cryptographic token and a FLASH-controlled memory in a single package. At the same time, the controller allows you to configure FLASH-memory in such a way that the attributes of the settings can not be changed without knowing the PIN-code to the device.
')
In this article, we will make a custom Ubuntu 14.04 LTS, in which we “pack” smartcard drivers and Rutoken Plugin . We will write this OS to FLASH-memory of Rutoken EDS Flash (USB-live) and make it read-only with special means, so that without knowing the PIN-code, the attacker will not be able to remove this attribute.
Thus, we will get a boot device, when loaded from which the user will immediately be able to sign documents in the browser on non-recoverable keys in a trusted environment, the integrity of which is guaranteed by the USB token controller.
As a machine for customizing Ubuntu, I also had Ubuntu.
Training:
Download the ISO image of Ubuntu 14.04 and store it where necessary:
Mount the ISO image:
Make an extract of the image:
Well, and so on:
Actually customization - installation of a smart card driver and plug-in:
And technical work on the creation of a new ISO:
Ubuntu-14.04.1-desktop-i386-rutoken.iso is our bootable custom image (with installed smart-card drivers and Rutoken Plugin), which is ready to write to Rutoken EDS Flash.
First of all, we format Rutoken EDS FLASH with a special utility, setting the read-write attribute to the memory (under Windows):
Then we write the ISO to it using UNETBootin (under ubuntu):
Set the size for the preserve file to 0. Then the bootable Ubuntu will store all changes in the RAM memory, and not on FLASH.
After the image is written, use the read-only attribute of the device's FLASH memory using the special tools:
Now, no one without knowing the PIN of the device will be able to modify the Ubuntu image recorded on the FLASH memory.
Below is the download process from Rutoken EDS Flash and signing documents in the browser in a trusted environment:
1. Boot menu in bios
2. Select the desired item in the loader menu
3. Ubuntu has booted, launch the browser, go to the demo system. The browser asks the user for permission to run the plugin on the web page
4. Allowing the “Rutoken” plugin to load - click “Allow” in the upper right corner of the browser
5. F5
6. Authorization in the system according to the certificate that is stored on Rutoken EDS Flash
Enter the PIN:
6. Signature of payment in your account
The main attacks on an ES are key theft and substitution of the information being signed, as well as unauthorized access to the ES tool (for example, a USB token) by stealing its PIN code.
These attacks are implemented in various ways and at various levels. At the OS level, it is the introduction of malware (viruses, spyware, rootkits, etc.) that is able to steal keys, PIN-codes and do document substitutions by reading and / or replacing data in the memory of the system process using various mechanisms " Hack "embedded in the OS.
If we are talking about signing in the browser, then the man-in-the-middle attack is added to these attacks, which is aimed at modifying the signed data on a web page or at stealing a PIN code or intercepting the secure token to allow an attacker to pretend to be a subscriber of the system. . In addition, the sites can attack the type of CSS, due to the disorder of the developers of the site.
Obviously, to protect the client as much as possible during the ES procedure is possible only with a set of measures.
These measures include:
- application for electronic signature of cryptographic smart cards / USB-tokens with non-recoverable keys
- using the correct implementation of the TLS protocol on the site
- properly configuring this proper implementation of the TLS protocol
- use of special hardware to visualize signed data before applying a signature (trustscreen)
- Correct implementation of browser plug-ins and extensions that provide ES in the browser
- regulation of the signature procedure for the user, taking into account the security mechanisms built into the browser
- TLS server certificate validation by user before ES
- launch of browser plug-ins and extensions only on a trusted site (now properly configured browsers warn the user about the launch)
- entering a token PIN at the request of a trusted site only
- response to a browser warning of receiving “mixed” content — part via HTTPS, part via HTTP
- OS protection against malware (creating a trusted environment)
Some time ago, our company released a new Rutoken EDS Flash . This two-in-one device is a cryptographic token and a FLASH-controlled memory in a single package. At the same time, the controller allows you to configure FLASH-memory in such a way that the attributes of the settings can not be changed without knowing the PIN-code to the device.
')
In this article, we will make a custom Ubuntu 14.04 LTS, in which we “pack” smartcard drivers and Rutoken Plugin . We will write this OS to FLASH-memory of Rutoken EDS Flash (USB-live) and make it read-only with special means, so that without knowing the PIN-code, the attacker will not be able to remove this attribute.
Thus, we will get a boot device, when loaded from which the user will immediately be able to sign documents in the browser on non-recoverable keys in a trusted environment, the integrity of which is guaranteed by the USB token controller.
Ubuntu image modification
As a machine for customizing Ubuntu, I also had Ubuntu.
Training:
sudo su apt-get install squashfs-tools genisoimage Download the ISO image of Ubuntu 14.04 and store it where necessary:
mkdir ~/livecdtmp mv ubuntu-14.04.1-desktop-i386.iso ~/livecdtmp cd ~/livecdtmp Mount the ISO image:
sudo su mkdir mnt mount -o loop ubuntu-14.04.1-desktop-i386.iso mnt Make an extract of the image:
sudo su mkdir extract-cd rsync --exclude=/casper/filesystem.squashfs -a mnt/ extract-cd Well, and so on:
sudo su unsquashfs mnt/casper/filesystem.squashfs mv squashfs-root editsudo su cp /etc/resolv.conf edit/etc/ cp /etc/hosts edit/etc/ mount --bind /dev/ edit/dev chroot edit mount -t proc none /proc mount -t sysfs none /sys mount -t devpts none /dev/pts export HOME=/root export LC_ALL=C dbus-uuidgen > /var/lib/dbus/machine-id dpkg-divert --local --rename --add /sbin/initctl ln -s /bin/true /sbin/initctl Actually customization - installation of a smart card driver and plug-in:
pt-get install libccid libpcsclite1 pcscd mkdir /home/ubuntu/.mozilla mkdir /home/ubuntu/.mozilla/plugins chmod 776 /home/ubuntu/.mozilla chmod 776 /home/ubuntu/.mozilla/plugins cp npCryptoPlugin.so /home/ubuntu/.mozilla/plugins cp librtpkcs11ecp.so /home/ubuntu/.mozilla/plugins And technical work on the creation of a new ISO:
apt-get clean rm /var/lib/dbus/machine-id rm /sbin/initctl dpkg-divert --rename --remove /sbin/initctl umount /proc || umount -lf /proc umount /sys umount /dev/pts exit sudo su umount edit/dev sudo su chmod +w extract-cd/casper/filesystem.manifest chroot edit dpkg-query -W --showformat='${Package} ${Version}\n' > extract-cd/casper/filesystem.manifest cp extract-cd/casper/filesystem.manifest extract-cd/casper/filesystem.manifest-desktop sed -i '/ubiquity/d' extract-cd/casper/filesystem.manifest-desktop sed -i '/casper/d' extract-cd/casper/filesystem.manifest-desktop rm extract-cd/casper/filesystem.squashfs mksquashfs edit extract-cd/casper/filesystem.squashfs -comp xz -e edit/boot printf $(sudo du -sx --block-size=1 edit | cut -f1) > extract-cd/casper/filesystem.size nano extract-cd/README.diskdefines cd extract-cd rm md5sum.txt find -type f -print0 | sudo xargs -0 md5sum | grep -v isolinux/boot.cat | sudo tee md5sum.txt mkisofs -D -r -V "$IMAGE_NAME" -cache-inodes -J -l -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -o ../ubuntu-14.04.1-desktop-i386-rutoken.iso . Ubuntu-14.04.1-desktop-i386-rutoken.iso is our bootable custom image (with installed smart-card drivers and Rutoken Plugin), which is ready to write to Rutoken EDS Flash.
Creating a boot device
First of all, we format Rutoken EDS FLASH with a special utility, setting the read-write attribute to the memory (under Windows):
rtadmin.exe -F 1 30000 u rw -o 87654321 -z rtPKCS11ECP.dll Then we write the ISO to it using UNETBootin (under ubuntu):
Set the size for the preserve file to 0. Then the bootable Ubuntu will store all changes in the RAM memory, and not on FLASH.
After the image is written, use the read-only attribute of the device's FLASH memory using the special tools:
rtadmin.exe -C 1 ro p -c 12345678 -z rtPKCS11ECP.dll Now, no one without knowing the PIN of the device will be able to modify the Ubuntu image recorded on the FLASH memory.
What happened
Below is the download process from Rutoken EDS Flash and signing documents in the browser in a trusted environment:
1. Boot menu in bios
2. Select the desired item in the loader menu
3. Ubuntu has booted, launch the browser, go to the demo system. The browser asks the user for permission to run the plugin on the web page
4. Allowing the “Rutoken” plugin to load - click “Allow” in the upper right corner of the browser
5. F5
6. Authorization in the system according to the certificate that is stored on Rutoken EDS Flash
Enter the PIN:
6. Signature of payment in your account
Source: https://habr.com/ru/post/253619/
All Articles