Smart card assistance for generating digital signatures is current state of the art and best
practice. This is mainly due to the fact that smart cards now a days have enough processing power
to produce digital signatures for documents by on card resources (processor and memory) only.
This way the owner’s private signing key never has to leave the smart card: The signing key is
and remains permanently stored in a tamper proof environment. A closer look at the signing
process however reveals a still existing major security problem: the problem known as the “what
you see is what you sign” problem. Before signing a document the signer usually wants to check
the document’s syntactic and semantic correctness.
When compared to the traditional process of signing a paper document with a hand written signature,
the difference can easily be identified: In the traditional case, it is relatively easy for the user
to assert the correctness, because syntactic and semantic document checking and signature generation
are in immediate context. Digitally signing an electronic document is completely different, because
checking and signature generation are executed in two different environments, exposing fundamentally
different characteristics different with respect to security on the one hand and processor, memory,
and display resources on the other hand.
Traditionally, the signing application computes the document’s digest using a one way hash function
and sends the result to the smart card. The card encrypts the digest by an asymmetric cipher using the
signing key stored on the card. The resulting value is the digital signature of the document. It is sent
back to the signing application. The user can neither check the syntactic correctness of the document
(in case of XML documents: well formedness, validity) nor the semantic correctness of the document. What
really is signed is beyond the user’s control. It might for instance be the digest for a manipulated
document. Even if the smart card can be regarded as tamper proof, the terminal (e.g. a PC) and the
programs running on it are vulnerable to viruses and Trojan horses. Such evildoers might obviously also
affect signing applications and let them produce valid signatures for from the user’s perspective invalid
documents. Such incidents invalidate the signing process in total.
We propose an enhanced architecture which performs checking and signing of XML documents on Java smart
cards, called JXCS architecture. The basic idea of JXCS is to shift the syntactic validation and hash value
generation from the vulnerable PC to the trusted smart card. Syntactic validation imposes the following
challenges and opportunities: Challenging is the need of processing XML documents on resource constraint
Java smart cards. The opportunity of the approach is the possibility to perform syntactic and even semantic
checks on the XML document in a tamper proof environment which improves the security of the signing process.
We propose the need for three major checks on the XML documents to be signed: Well formedness, validity and
content acknowledgement using a class 3 card reader. Taken together all three checks can defeat “what you
see is what you sign” attacks.