Digital Signature From ICICI..Incorrect Usage???



[Ed: Clarification received from ICICI Bank on October 20, 2004 is here.]

It was a pleasant surprise for the undersigned to receive today an e-mail from ICICI stating that the mail is digitally signed.

However, I was sorry to find out soon that the usage of the digital signature was not correct and was amenable to misuse.

I am providing the details here to bring to the notice of the public the problems in the wrong usage of digital signatures.

The e-mail received is reproduced here.

This e-mail had two attachments: one containing the file to be authenticated with the signature, and the other the digital signature file, which could be read with the SafeDoxx verification utility. (A link was provided for free download of the utility along with the mail.)

It was however noticed that the digital signature file had not been linked to the file that it was supposed to authenticate.

To test the possibility of the digital signature not having any relation to the file to be authenticated, a mail was sent with a different attached file and the same digital signature. As was suspected, the two attachments were received in a form similar to the original mail of ICICI, and the digital signature, when checked, declared itself verified.

In other words, the digital signature attached to a file could be taken and reattached to a different file, with the recipient not being in a position to identify the difference.

The e-mail to which a different file and the same digital signature was attached is available here.

The digital signature confirmation received for the digital signature attached to the different file is available here. (Please note that the attached file here has a different name but could have been named the same as the original file if required.)

This is a serious lacuna in the system, and ICICI and the SafeDoXX suppliers need to rethink how to use the system.
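
A hypothetical model of this failure, added here as an example and not taken from ICICI or the SafeDoxx utility (whose internals the page does not describe): it assumes the signature file carries a signed digest, and contrasts a verifier that checks the signature file in isolation with one that also recomputes the digest of the attachment actually received. The RSA key is a toy standing in for a real signing key, and all function names and sample documents are constructed.

```python
import hashlib

# Toy textbook RSA key built from two known Mersenne primes. Illustration only:
# unpadded and far too small for real use; it stands in for a real signing key.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def make_signature_file(document: bytes) -> dict:
    """Sender side: detached signature file carrying the signed document digest."""
    digest = hashlib.sha256(document).hexdigest()
    return {"digest": digest, "sig": pow(_h(digest.encode()), D, N)}

def verify_signature_only(sig_file: dict) -> bool:
    """Flawed check: validates the signature file in isolation, ignoring the attachment."""
    return pow(sig_file["sig"], E, N) == _h(sig_file["digest"].encode())

def verify_bound(sig_file: dict, attachment: bytes) -> bool:
    """Sound check: the signature is valid AND covers the attachment actually received."""
    if not verify_signature_only(sig_file):
        return False
    return hashlib.sha256(attachment).hexdigest() == sig_file["digest"]

# Constructed sample documents (assumptions, not content from the original e-mails).
ORIGINAL = b"Statement for account ending 0000: balance 1,000.00"
SUBSTITUTE = b"A completely different document sent with the same signature file"

def demo() -> dict:
    sig_file = make_signature_file(ORIGINAL)
    return {
        # The isolated check never looks at the attachment, so a swap goes unnoticed.
        "signature_only_with_substitute": verify_signature_only(sig_file),
        "bound_with_original": verify_bound(sig_file, ORIGINAL),
        "bound_with_substitute": verify_bound(sig_file, SUBSTITUTE),
    }

if __name__ == "__main__":
    print(demo())
```
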


September 7 2004

