Re: MS Office 2007: Digital Signature does not protect Meta-Data

["Henrich C. Poehls" <poehls () informatik uni-hamburg de>]

Dear Mr. Naujoks,

yes, I can see your point, too.
I totally agree that users need to be educated, but I still think
that MS Office shall take a share to educate and inform users of
their digital signature's scope.

From: "Naujoks, Hans-Dietmar" <Hans-Dietmar.Naujoks () tuev-sued de>
Date: 12/14/2007 2:56:15 PM +010
> [...]
> In fact the visual clue you gave for a signed document in Word 2007 
> shows that in the context for those document properties there
> are also attributes like keywords, category and comments
> which are less misleading to the assumption those properties
> could be part of the signed document. So for example users
> of SharePoint Office Server are acquainted with the
> behavior of showing data that is managed and shown on
> server side in that area above the document.

This might be true, but in my opinion, still builds on either the
assumption
- that MetaData (like category) is not part of the
author's document (thus not covered by his digital
signature), or
- that users are educated/aquinted with having
information "with" a document that did not originate from the
author.

> You should also mention that the label on the menu for 
> showing this area reads "Prepare Document for Publishing"
> which also in my opinion gives a clue that this data is not
> part of the signed document.
> [...]

Agreed, the area is labelled like that, but if this would
be freely editable data, why is Office 2007 not allowing
editing this data through the GUI?

All GUI edits to the MetaData are prohibited,
once a document is signed.

I also agree, that the severity of this is open to discussion, and
invite anybody interested in this discussion to contact me directly.

Best Regards,
Henrich C. Pöhls

> -----Ursprüngliche Nachricht-----
> Von: Henrich C. Poehls [mailto:poehls () informatik uni-hamburg de] 
> Gesendet: Freitag, 14. Dezember 2007 12:08
> An: Naujoks, Hans-Dietmar
> Cc: bugtraq () securityfocus com
> Betreff: Re: MS Office 2007: Digital Signature does not protect Meta-Data
>
> Dear Mr. Naujoks,
>
> thanks for the feedback.
>
> From: "Naujoks, Hans-Dietmar" <Hans-Dietmar.Naujoks () tuev-sued de>
> > I think Microsoft does not consider metadata attached to a document as
> > part of the document and so they decided not to include it in the
> > content protected by the certificate.
>
> Considering that the MetaData not protected by the signature contains
> among others:
> 1.) Author
> 2.) Dates of creation and last change
> 3.) State Information
> I do think that most people, certainly the users, would feel that this
> data belongs to the "document", and would be protected when the
> "document" is signed.
>
> Considering that the signature creation time is stored and protected by
> the digital signature might help against modified creation times (and
> mitigate 2). But applications must consider this, and at least in MS
> Word the signature creation time is not displayed next to the other
> metadata, but (at least) next to the signature properties.
>
> > This fits the way we use attaching metadata during the process of
> > categorization to enable retrieval of a document by means and
> > taxonomies of the recipient, not of the author. If instead, as you
> > seem to propose, metadata would be treated as part of the document,
> > attaching the metadata needed for retrieval purposes would invalidate
> > the signature of the document.
>
> I think that there are other ways of adding additional MetaData, from
> the signer's point of view these are third-party MetaData. And, yes  I
> think that any data (including MetaData) set by the author should be
> protected by the author's digital signature:
> 1) Store it in an additional file inside the OOXML ZIP container
> 2) Apply a suitable transformation during the signature creation to
> protect user defined Meta-data entries, then what ever the user did not
> fill in before signing is not protected, but here we have a problem
> communicating this via GUI to the user.
> 3) probably several other ways ...
>
> > Just think of it as a sticker placed on the outside of a sealed 
> > envelope: You mustn't trust anything on the outside, just look inside 
> > the envelope to find the information you can rely on.
>
> Looking at the GUI[1], unsigned MetaData is displayed above the
> document, and next to the document it displays the statement of
> a valid signature.
> How a user would distinguish digitally signed data (Document-Content and
> formatting) from unsigned data (MetaData)?
> Or to use your example: What is the envelope and what is the inside?
>
> One big problem I see is that the user is left alone answering this
> question, and I have my doubts that a user would even ask
> herself/himself this question in the first place.
>
> Best Regards,
> Henrich C. Pöhls
>
> [1] Screenshot of a German Word 2007 GUI showing modified MetaData, and
> the intact digital signature
> <http://www.informatik.uni-hamburg.de/SVS/personnel/henrich/bugtraq_word_metatdata_screenshot.jpg>
>
>
> > -----Ursprüngliche Nachricht-----
> > Von: poehls () informatik uni-hamburg de [mailto:poehls () informatik uni-hamburg de] 
> > Gesendet: Mittwoch, 12. Dezember 2007 11:35
> > An: bugtraq () securityfocus com
> > Betreff: MS Office 2007: Digital Signature does not protect Meta-Data
> >
> >
> > Affects: Microsoft Office 2007 (12.0.6015.5000) 
> >
> >          MSO (12.0.6017.5000) 
> >
> >          possibly older versions
> >
> >
> >
> > I. Background
> >
> >
> > Microsoft Office is a suite containing several programs to
> >
> > handle Office documents like text documents or spreadsheets. 
> >
> > The latest version uses an XML based document format. 
> >
> > Microsoft Office allows documents to be digitally signed by
> >
> > authors using certified keys, allowing viewers to verify the 
> >
> > integrity and the origin based on the author's public key. 
> >
> > The author's public key certificate, which can come from a 
> >
> > trusted third party, is embedded in the signed document. 
> >
> > It is XML DSig based.
> >
> >
> >
> > II. Problem Description
> >
> >
> > Microsoft Office documents carry meta data information 
> >
> > according to the DublinCore metadata in the file 
> >
> > docProps/core.xml . Among these meta data information 
> >
> > are the fields "LastModifiedBy", "creator" together with 
> >
> > several others that can be displayed/changed through the 
> >
> > following menu "Office Button -> Prepare -> Properties".
> >
> > These entries can be changed without invalidating the signature. 
> >
> > At least under Windows Operating Systems these information are 
> >
> > also shown in the Window's file systems properties.
> >
> >
> >
> > III. Impact
> >
> >
> > The meta data of signed Microsoft Office documents can be 
> >
> > changed. An attacker can change the values to spoof the origin 
> >
> > of signed documents, hoping to induce trust or otherwise 
> >
> > deceive the user.
> >
> >
> > III.1. Proof of Concept
> >
> >
> > Open the OOXML ZIP container of a signed document. 
> >
> > Change the values in the docProps/core.xml file. 
> >
> > For example set the value between "<dc:creator>*</dc:creator>" 
> >
> > to "<dc:creator>FooBar</dc:creator>". 
> >
> > The changes will be displayed in the document's properties 
> >
> > dialog as described above. The signature will still be valid.
> >
> >
> >
> > IV. Workaround
> >
> >
> > The meta data information of a signed OOXML document 
> >
> > can be changed without invalidating the signature, thus 
> >
> > information about the real author of a signed document can
> >
> > only be retrieved from the certificate. 
> >
> > The signed file's meta data can not be trusted as the 
> >
> > meta data is not covered by the signature.
> >
> >  
> >
> >
> > V. Solution
> >
> >
> > No possible solution.
> >
> >
> >
> > VI. Correction details
> >
> >
> > A closer look into the references section of the XML signature 
> >
> > used by Microsoft Office (stored in the File 
> >
> > _xmlsignatures\sig1.xml) reveals that the file core.xml is 
> >
> > not in the list of references. Thus it is not covered by the
> >
> > signature. 
> >
> >
> > As a solution the scope of the signature needs to be extended 
> >
> > to cover all the relevant information contained in the whole 
> >
> > document, thus also the meta data in core.xml.
> >
> >
> > Include core.xml, and probably other files in the signature's 
> >
> > list of references.
> >
> >
> > VII. Time line
> >
> >
> > 2007-10-24: Vendor contacted
> >
> > 2007-10-25: Vendor acknowledged receipt
> >
> > 2007-11-14: 1st Deadline reached
> >
> > 2007-11-27: Reminder sent
> >
> > 2007-12-12: No response received until today
> >
> >
> >
> >
> >
> > Yours,
> >
> > Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid
> >
> > SVS - Dept. of Informatics - University of Hamburg

-- 
Henrich C. Pöhls
Research Group Security in Distributed Systems (SVS)
Center for Distributed Information and Communication Systems (VIKS)
Dept. of Informatics, MIN Faculty, University of Hamburg
Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Tel. : ++4940 / 42883-2344    Fax.: -2086
eMail: poehls () informatik uni-hamburg de
Web  : http://www.informatik.uni-hamburg.de/SVS


"If you can not measure it, you can not improve it." Lord Kelvin (1883)