Security Basics mailing list archives

Question: digital sign and malicious programs


From: felix () daneel qodiga com (Felix Cuello)
Date: Fri, 13 Jun 2003 18:42:18 -0300

Hello!

   I'm working in a security area, and we are having a little discussion
   about digital signatures and malicious programs.
   Suppose that:

   Some person A tries to sign a contract with another person B using some
   open source(*) word processor. A knows that their word processor
   has malicious code inside that does this:

   --------------------
       It has two different documents in memory.
       The first document is the document that you're viewing:
       "A will pay to B $1000 for your work"

       The second document is the "malformed" document that
       will be signed with A's private key. But the "malformed"
       document says:
       "B will pay to A $1000 for your work"
   ---------------------

   Then... you see a document that's not the real one... but you don't
   know it. After this, both will sign this document, but only A knows
   the real contents of the document.

   Obviously, B could check the HASH of the source code,
   or binary program, from a trusted site.

   But is there another way to check that?



   [(*) I said open source because it's easier to modify... but, in
   fact, a VB program could look like M$Office and do the same
   thing]


   Thanks a lot,


   - Felix
   [sorry, my english is really poor]
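
The hash check mentioned in the post, together with a cross-check of the bytes that actually reach the signing step, as an added example that is not part of the original message. The function names, the whitespace normalisation rule and all sample byte strings are assumptions constructed for illustration; the two contract sentences are the ones from the post.

```python
import hashlib
import hmac
import unicodedata


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def program_is_trusted(binary: bytes, published_digest: str) -> bool:
    """Check from the post: hash the word processor binary and compare it
    with the digest published on a trusted site."""
    expected = published_digest.strip().lower()
    return hmac.compare_digest(sha256_hex(binary), expected)


def canonical(text: str) -> bytes:
    """Assumed normalisation: NFC, collapsed whitespace, UTF-8, so the same
    wording always produces the same bytes."""
    return " ".join(unicodedata.normalize("NFC", text).split()).encode("utf-8")


def signed_matches_viewed(viewed_text: str, signed_bytes: bytes) -> bool:
    """Cross-check with an independent tool: the bytes handed to the signing
    step must hash to the same value as the text the signer actually read."""
    viewed = sha256_hex(canonical(viewed_text))
    signed = sha256_hex(canonical(signed_bytes.decode("utf-8")))
    return hmac.compare_digest(viewed, signed)


# Constructed sample data (not real binaries or real signatures).
VIEWED = "A will pay to B $1000 for your work"
SIGNED_BY_TAMPERED_TOOL = b"B will pay to A $1000 for your work"
CLEAN_BINARY = b"constructed stand-in for the genuine word processor binary"
TAMPERED_BINARY = CLEAN_BINARY + b" plus extra code"
PUBLISHED_DIGEST = sha256_hex(CLEAN_BINARY)

if __name__ == "__main__":
    print("clean binary trusted:   ", program_is_trusted(CLEAN_BINARY, PUBLISHED_DIGEST))
    print("tampered binary trusted:", program_is_trusted(TAMPERED_BINARY, PUBLISHED_DIGEST))
    print("signed text == viewed:  ", signed_matches_viewed(VIEWED, SIGNED_BY_TAMPERED_TOOL))
```

The second check only helps when the digest is computed by a tool other than the word processor being checked.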

