Trusted path explained

A trusted path or trusted channel is a mechanism that provides confidence that the user is communicating with what the user intended to communicate with, ensuring that attackers can't intercept or modify whatever information is being communicated.

The term was initially introduced by Orange Book.[1] As its security architecture concept, it can be implemented with any technical safeguards suitable for particular environment and risk profile.

Examples

Electronic signature

In Common Criteria[2] and European Union electronic signature standards trusted path and trusted channel describe techniques that prevent interception or tampering with sensitive data as it passes through various system components:

User login

One of popular techniques for password stealing in Microsoft Windows was login spoofing, which was based on programs that simulated operating system's login prompt. When users try to log in, the fake login program can then capture user passwords for later use. As a safeguard Windows NT introduced Ctrl-Alt-Del sequence as secure attention key to escape any third party programs and invoke system login prompt.[3]

A similar problem arises in case of websites requiring authentication, where the user is expected to enter their credentials without actually knowing if the website is not spoofed. HTTPS mitigates this attack by first authenticating the server to the user (using trust anchor and certification path validation algorithm), and only then displaying the login form.

Notes and References

  1. 3.2.2.1.1 Trusted Path: The TCB shall support a trusted communication path between itself and user for initial login and authentication. Communications via this path shall be initiated exclusively by a user., Orange Book
  2. ISO/IEC 15408-1, Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model, 2005
  3. Yee . Ka-Ping . User Interaction Design for Secure Systems . 2002 . 278–290 . 10.1.1.65.5837 .