Trusted path
A trusted path is simply some mechanism that provides confidence that the user is communicating with what the user intended to communicate with, ensuring that attackers can't intercept or modify whatever information is being communicated.

As such it is the counterpart to needing trustworthy channels in that it assures users that they really are working with the program or system they intended to use.

The traditional example is a 'fake login' program (e.g., a program written to look like the login screen of a system, as in login spoofing). When users try to log in, the fake login program can then capture user passwords for later use.

According to

Principle of the Trusted Path. The most important input and output
channels are those used to manipulate authorities; if these channels can be
spoofed or corrupted, the system has a security vulnerability. Hence the principle
of the trusted path: the user must have an unspoofable and incorruptible channel
to any entity trusted to manipulate authorities on the user's behalf.

The authority-manipulating entity could be a number of different things,
depending on the domain. In an operating system, the authority-manipulating
entities would be the operating system and user interface components for handling authorities.
Microsoft Windows, for example, provides a trusted path to
its login window by requiring the user to press Ctrl+Alt+Del. This key sequence
causes a non-maskable interrupt that can only be intercepted by the operating
system, thus guaranteeing that the login window cannot be spoofed by any
application. This issue also needs to be addressed in any language system for
running untrusted code, such as Java.

Examples of Problems of Untrusted Paths

  • As mentioned above, if the login prompt is spoofed, or if the channel is merely eavesdropped, the user's password can be acquired.
  • If you hand your credit card to a dishonest waiter when paying a restaurant bill, there is a risk that your credit card details may be copied, and subsequently used for fraudulent transactions.
  • If your postal mail is delivered via an insecure mailbox, an identity thief may be able to learn information about you.
  • If you type in a command to a shell, command prompt, or any other system, there may be some other process on the computer that can monitor and/or insert keystrokes.

History

An early reference to a trusted path is from the Orange Book:
3.2.2.1.1 Trusted Path
The TCB shall support a trusted communication path between itself and user for initial login and authentication. Communications via this path shall be initiated exclusively by a user.

Solutions

There have been different approaches to building trusted paths. Some are implemented purely in software, and we need to believe that the software is correct. The famous Ctrl-Alt-Del sequence is not purely implemented in software, but there is no hardware indication to the user that the secure software is activated.

Some smart card readers also have their own keypads, so the PIN need not be entered on the untrustworthy PC keyboard.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 