Kevin Robinson
Digital Signature

I have a client application that connects remotely to a central server. All users connect to the database using different usernames and passwords.

What I need is something to add into the database, along with the updated record, that certifies the user who updated the record.

I am working with SQL Server 2005, which has its own certificate store etc.
younghv

Good Morning,
You might want to put a 'pointer' question over in the SQL Forum.
The folks over there know about everything there is to know about that application - and a pointer question will get them looking at this.

Vic
bigphuckinglizard

UPDATE [table] SET field = @field, modified = GETDATE(), modifiedby = USER WHERE id = @id
the solution above is easily modifiable and does not constitute a digital signature.
you might want to think about hashing the contents of the record including the hash of the previous record. then you get a long list of chained hashes that, combined with periodic validation hashes that can be taken offline, should give you the validity you seek.
In short, if there should be a hack that updates a record in between and does not update all the hashes subsequent to that plus the validation hashes (and those are offline for almost impenetrable security) it would be visible.
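A worked version of the chained-hash scheme described in the post above, added here as an illustration and not code from the thread or from SQL Server: each stored hash covers the record's content plus the previous hash, and a checkpoint kept off the server stands in for the offline validation hashes. The record layout, SHA-256 and the JSON canonicalisation are my own assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first record

def record_hash(record: dict, prev_hash: str) -> str:
    """Hash the record content together with the previous record's hash.
    Canonical JSON (sorted keys) so equal content always hashes the same."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    """Return a list of (record, hash) pairs, each hash chained to the last."""
    chain, prev = [], GENESIS
    for rec in records:
        h = record_hash(rec, prev)
        chain.append((rec, h))
        prev = h
    return chain

def verify_chain(chain, checkpoint=None):
    """Recompute every hash; return the index of the first bad record, or -1.
    checkpoint is an (index, hash) pair stored offline: a mismatch there is
    caught even if an attacker recomputed all the hashes held in the database."""
    prev = GENESIS
    for i, (rec, stored) in enumerate(chain):
        if record_hash(rec, prev) != stored:
            return i
        prev = stored
    if checkpoint is not None:
        idx, h = checkpoint
        if chain[idx][1] != h:
            return idx
    return -1

# Constructed sample audit records (not taken from the thread)
RECORDS = [
    {"id": 1, "field": "draft", "modifiedby": "alice"},
    {"id": 1, "field": "approved", "modifiedby": "bob"},
    {"id": 2, "field": "draft", "modifiedby": "alice"},
]

def demo():
    chain = build_chain(RECORDS)
    checkpoint = (len(chain) - 1, chain[-1][1])  # copy kept offline
    # Case 1: record 1 is edited but the stored hashes are left alone
    tampered = [(dict(r), h) for r, h in chain]
    tampered[1][0]["modifiedby"] = "mallory"
    naive = verify_chain(tampered)  # mismatch at index 1
    # Case 2: the attacker also recomputes every hash from the edit onward
    rebuilt = build_chain([r for r, _ in tampered])
    return naive, verify_chain(rebuilt), verify_chain(rebuilt, checkpoint)
```

The second case passes an in-database check but fails against the offline checkpoint, which is the point of taking the validation hashes off the server.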
Kevin Robinson (ASKER)

Do I need a certificate for this?
jakopriit, your idea doesn't constitute a digital signature either! it's also prone to the injection of fake hashes - where is the hash info going to come from? the sql statement above can easily be made tamperproof either by forcing updates to go through a stored procedure and using views to control access to the underlying table or by using triggers. a separate log table could also be used.

vda - what level of security do you actually require?
no, but you might need the certificate to sign the offline validation hashes (it gives them higher credibility). Even better when the passphrase for the cert that is going to be used for signing these is split between several people, each of whom has a backup person knowing the same piece of the passphrase. properly done PKIs use this scheme to prove issued certificates and such.
the threat of fake hashes can be mitigated with proper permissions and external hash components.

Is data that is encrypted with a certificate the Digital Signature?
what is a digital signature -- it's a hash proving that a certain amount of data was in a certain state at a certain point in time. It could also include the identity information of somebody/something that did the aforementioned certification.
encryption is a different matter. Encryption does not certify anything - it is only a measure to limit the availability/usability of the data.
In order to get good answers it is utterly important to pose good questions.
Sorry I am a bit slow picking this up.

Ok this is what I have so far. I will be referring to SQL Server etc but it's just the theory I want clarified. (keep it simple if you can)

I create a user login and Certificate to go with this user.  ( This I can do )

The remote client can then logon using their unique username and password.  
When the client wants to approve their data (sign it off) I need to encrypt this data (using their certificate) and enter it into the database. This will allow me to verify that the data has not changed but will not necessarily ensure authentication. (Not technically a Signature)

So I need some Digital ID to add to the database to act as a signature.
Are you inserting / updating the data programmatically or through sql tools?
ASKER CERTIFIED SOLUTION
LBACIS

"Are you inserting / updating the data programmatically or through sql tools"

Well either way as long as it works.

Can a certificate be used with this class, or is it necessary?
Ok got that working OK.

Can I use my certificates as the KEY?