Re: How do I store secrets?

From: Michel Gallant (neutron_at_istar.ca)
Date: 07/01/04


Date: Thu, 1 Jul 2004 12:08:15 -0400


<WARNING .... a "trust" rant!!>

One of the aspects of digital signature verification that is too often
under-stressed is the importance of trusting the *issuer* (CA) of the
client-certificate whose private key is used to sign the data.
Verifying a digital signature guarantees:
  - the integrity of the data (that the data has not been changed in any way,
     since encrypted with the PRIVATE key for which you have, and TRUST,
     the PUBLIC key which you use to verify the signature).

If the certificate is issued (i.e. signed) by a KNOWN and TRUSTED CA, which
means that you implicitly trust the CA list provided by default by Microsoft (or Sun etc...)
to do due-diligence in issuing certs to parties, AND that you trust that the person who
was issued the cert him/her-self is using it in an appropriate way, then you trust the
authenticity of the signature.

If you accept signatures (either PKCS#1 or cms/pkcs#7), signed by a
*self-signed* certificate, then you are 100% responsible for establishing trust of
the certificate. In practice, this means either receiving in person the certificate (or
public key blob) from that person, who you know and implicitly trust .. since there
is no "vouching for" CA involved. If you know the person, trust them, and receive
their certificate through regular email, that is NOT sufficient trust. You need to establish
out-of-band that you have received exactly the certificate they intended to send you.
This means, for example, phoning them, or meeting in person and getting the hash of the
cert or similar ...

- Mitch Gallant
   MVP Security

"Eugene Mayevski [SecureBlackbox]" <mayevski@eldos.org> wrote in message news:elCGu83XEHA.3536@TK2MSFTNGP11.phx.gbl...
> Danny van Kasteel wrote:
>
> > Okay, so what would a scenario involving certificates look like?
> > Please keep in mind that I need to prove that a particular piece of
> > code produced a certain set of data (by signing it). How do I employ
> > certificates to achieve this? Wouldn't a certificate stored on the
> > client PC sort of defeat the purpose of ascertaining that the client
> > cannot forge a response by signing with an available key?
>
> First you create a root certificate. Then you create a server
> certificate signing it with root. The server issues certificates for
> clients which will send the server their data.
>
> When it is necessary to send something, the client uses [user]
> certificate to sign the data and sends the data to the server. The
> server validates the packet and the certificate, used to sign this packet.
>
> Here the certificate is a proof of user's identity, not software
> integrity. You can't really 100% guarantee software identity.
>
> The described scheme is achieved by using PKCS#7 format. You will find
> certain articles about certificates on
> http://www.secureblackbox.com/article.html
>
> Also check PKIBlackbox at
> http://www.secureblackbox.com/description-sec-pkiblackbox.html
>
> It contains .NET classes for certificate generation and validation, for
> data signing and verification.
>
>
> --
> Eugene Mayevski
> EldoS Corp., CTO
> Networking and security solutions, development and consulting services
> http://www.eldos.com
>
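
The out-of-band check described in the message above (confirming by phone or in person the hash of a self-signed certificate received by email), as an added example that is not part of the original thread. SHA-256, the function names and the sample PEM block (constructed placeholder bytes, not a real certificate) are assumptions of this example.

```python
import base64, hashlib, hmac, re

# Constructed stand-in for a PEM certificate: the payload is arbitrary bytes,
# not a real X.509 structure. A fingerprint is a hash over the decoded (DER)
# bytes, so the same check applies unchanged to a real certificate file.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder for DER certificate bytes " * 4).decode()
    + "-----END CERTIFICATE-----\n"
)

def pem_to_der(pem: str) -> bytes:
    """Extract and decode the single CERTIFICATE block from PEM text."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate")
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()

def for_reading_aloud(hex_fp: str) -> str:
    """Group into 4-character chunks, easier to read over the phone."""
    return " ".join(hex_fp[i:i + 4] for i in range(0, len(hex_fp), 4)).upper()

def matches_out_of_band(pem: str, spoken: str) -> bool:
    """Compare the received certificate with the fingerprint its owner gave
    by phone or in person. Separators and case are ignored; a partial
    fingerprint is rejected rather than prefix-matched."""
    cleaned = re.sub(r"[\s:\-]", "", spoken).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        return False
    return hmac.compare_digest(cleaned, fingerprint(pem))

if __name__ == "__main__":
    # The sender runs this on the original; the receiver compares by phone.
    print(for_reading_aloud(fingerprint(SAMPLE_PEM)))
```

The receiver adds the certificate to a trusted store only after `matches_out_of_band` returns True for the value obtained from the sender directly, never for a fingerprint that arrived in the same email as the certificate.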


