On August 28, 2004, China officially promulgated the
Two years ago I was in a research group specializing in electronic signatures, electronic contracts, and so on. At that time it still had many experts, including several drafters of the electronic signature law.
Over three years, the group got a lot of results. Electronic signatures were studied from various aspects, from signature theory and technology to forensics, proof, quality, and evidence adoption, and a lot of papers were published.
However, here are some drawbacks of electronic signatures that were found at the time.
First, what you sign is not what you see (passing off the fake as genuine)
The process of electronic signatures is technically not a PKI technology. Although the electronic signature method has adopted a technology-neutral principle, it has not so far been found to be realized.
The underlying technical implementation process is:
Call the signature interface -> Pass in the data to be signed -> Enter the PIN code -> Signature succeeds
The user's operation:
Read the unsigned contract -> Trigger the signature -> Signature succeeds (a prompt is shown, or an electronic bulletin is overlaid), etc.
Where is the vulnerability?
The vulnerability is that computer programs are too flexible. A hacker can draft a "false contract" (the one the user wants, shown to the user) and place it at the front of the screen, while behind this fake contract is the "true contract" (the one the hacker wants, and the one that is really signed). The user is completely satisfied with the fake contract and clicks the signature button provided by the hacker (a complete simulation of the electronic signature software). In the background, the hacker calls the real signature interface, which pops up the real PIN entry box. After the PIN code is entered, the hacker's true contract is signed, while the customer believes that the contract they saw is the one that was signed.
This technique is not difficult.
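The gap described above, modeled as an added example (not code from the original post): the signing interface signs whatever bytes it is handed and never learns what was on screen, so the signature verifies either way, and only a comparison against the digest of the displayed document reveals a mismatch. HMAC stands in for the token's private-key operation; the key, PIN, contract texts and the trusted viewer that records the displayed digest are all assumptions.

```python
import hashlib
import hmac

TOKEN_KEY = b"constructed-demo-key"  # constructed stand-in for the key held in the user's token
DEMO_PIN = "1234"                    # constructed PIN


def digest(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()


def sign_interface(data: bytes, pin: str) -> dict:
    """Models the flow on the page: data in, PIN in, signature out.
    The interface has no knowledge of what was rendered to the user."""
    if not hmac.compare_digest(pin, DEMO_PIN):
        raise PermissionError("wrong PIN")
    sig = hmac.new(TOKEN_KEY, data, hashlib.sha256).hexdigest()
    return {"signed_digest": digest(data), "signature": sig}


def signature_valid(data: bytes, record: dict) -> bool:
    """Ordinary verification: is the signature correct for these bytes?"""
    expected = hmac.new(TOKEN_KEY, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["signature"])


def signed_what_was_shown(displayed: bytes, record: dict) -> bool:
    """Defender's check (assumes a trusted viewer, independent of the calling
    application, supplies the bytes the user actually read)."""
    return hmac.compare_digest(digest(displayed), record["signed_digest"])


def audit(displayed: bytes, submitted: bytes) -> dict:
    record = sign_interface(submitted, DEMO_PIN)
    return {
        "signature_valid": signature_valid(submitted, record),
        "matches_display": signed_what_was_shown(displayed, record),
    }


# Constructed sample contracts.
SHOWN = b"Contract A: buyer pays 1,000 for 10 units."
OTHER = b"Contract B: buyer pays 100,000 for 10 units."

if __name__ == "__main__":
    print("same document shown and signed:", audit(SHOWN, SHOWN))
    print("different document signed:     ", audit(SHOWN, OTHER))
```

In both runs the signature itself is valid, which is why verification alone cannot tell the two cases apart.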
Others will then say