?
Solved

Digital Signature

Posted on 2006-10-20
19
Medium Priority
?
308 Views
Last Modified: 2010-04-11
I have a client application that connects remotly to a central server.  All users connect to the database using differnt usernames and passwords.

What I need is something to add in to the database along with the updated record that certifys the user that updated the record.

I am working with SQL server 2005 which has its own certificate store etc.  
0
Comment
Question by:Kevin Robinson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
  • 3
  • +2
19 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 17772965
Good Morning,
You might want to put a 'pointer' question over in the SQL Forum.
The folks over there know about everything there is to know about that application - and a pointer question will get them looking at this.

Vic
0
 
LVL 6

Expert Comment

by:bigphuckinglizard
ID: 17773884
update table set field=@field, modified=getdate(), modifiedby=USER where id=@id
0
 
LVL 8

Expert Comment

by:jako
ID: 17789778
the solution above is easily modifiable and does not constitute as a digital signature.
you might want to think about hashing the contents of the record including the hash of the previous record. then you get a long list of chained hashes that combined with periodic validation hashes, that can be taken offline, should give you the validity you seek.
In short, if there should be a hack that updates a record in between and does not update all the hashes subsequent to that plus the validaion hashes (and those are offline for almost impenetrable security) it would be visible.
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 3

Author Comment

by:Kevin Robinson
ID: 17794531
Do I need a certificate for this?
0
 
LVL 6

Expert Comment

by:bigphuckinglizard
ID: 17794578
jakopriit, your idea doesn't constitute a digital signature either! it's also prone to the injection of fake hashes - where is the hash info going to come from?. the sql statement above can easily be made tamperproof either by forcing updates to go through a stored procedure and using views to control access to the underlying table or by using triggers. a seperate log table could also be used.

vda - what level of security do you actually require?
0
 
LVL 8

Expert Comment

by:jako
ID: 17794581
no, but you might need the certificate to sign the offline validation hashes (it gives them higher credibility). Even better when the passphrase for the cert that is going to be used for signing these is split between several people, each of whom has a backup person knowing the same piece of the passphrase. properly done PKI-s use this scheme to prove issued certificates and such.
0
 
LVL 8

Expert Comment

by:jako
ID: 17794653
the threat of fake hashes can be mitigated with proper permissions and external hash components.
0
 
LVL 3

Author Comment

by:Kevin Robinson
ID: 17795035

Is data that is encrypted with a certificate the Digital Signature.?????
0
 
LVL 8

Expert Comment

by:jako
ID: 17795076
what is digital signature -- it's a hash proving that certain amount of data was in a certain state in certain point of time. It could also include the identity information of  somebody/something that did the aforementioned certification.
encryption is a different matter. Encryption does not certify anything - it is only a measure to limit the availability/usability of the data.
0
 
LVL 8

Expert Comment

by:jako
ID: 17795102
In order to get good answers it is utterly important to pose good questions.
0
 
LVL 3

Author Comment

by:Kevin Robinson
ID: 17795140
Sorry I am a bit slow picking this up.

Ok this is what I have so far.  I will be refering to sql server etc but it just the theroy I want calrified.  (keep it simple if you can)

I create a user login and Certificate to go with this user.  ( This I can do )

The remote client can then logon using their unique username and password.  
When the client want to approve their data (Sign it off) I need to encrypt this data (using thier certificate) and enter it into the database.  This will allow me do verify that the data has not changed but will not necessarly ensure authentication. (Not technically a Signature)

So I need some Digital ID to add to the database to act as a signature.
0
 
LVL 4

Expert Comment

by:LBACIS
ID: 17807867
Are you inserting / updating the data programmatically or through sql tools?
0
 
LVL 4

Accepted Solution

by:
LBACIS earned 2000 total points
ID: 17815492
Let me actually update this;

                If you are doing this programmatically then here is a sample in vb.net...

Here is a whole class that I use to encrypt the data using the authenticated user as part of the hash.

Imports System.Security
Imports System.Text

Public Class Encryptor
    Private Shared ThreeDES As New Cryptography.TripleDESCryptoServiceProvider

    Private Shared SingleDES As New Cryptography.SHA1CryptoServiceProvider

    Private Shared ReadOnly Property Key() As Byte()

        Get
            ' Using the users idendity to create the key
            Return Encoding.Default.GetBytes(Principal.WindowsIdentity.GetCurrent.Name.PadRight(24, Chr(0)))
        End Get

    End Property

    Private Shared ReadOnly Property Vector() As Byte()

        Get
            ' Using the users idendity to create the vector
            Return Encoding.Default.GetBytes(Principal.WindowsIdentity.GetCurrent().Name.PadRight(8, Chr(0)))
        End Get

    End Property

    Public Shared Function Encrypt(ByVal Text As String) As String
        Try
            Return Transform(Text, ThreeDES.CreateEncryptor(Key, Vector))

        Catch
            Dim objsendmail As New EcommEncryptor.LocalErrorHandler
            objsendmail.SendMail("Encryptor.Encrypt", Err.Number, Err.Description)

            Return Err.Description.ToString
        End Try

    End Function

    Public Shared Function Decrypt(ByVal encryptedText As String) As String
        Try
            Return Transform(encryptedText, ThreeDES.CreateDecryptor(Key, Vector))

        Catch
            Dim objsendmail As New EcommEncryptor.LocalErrorHandler
            objsendmail.SendMail("Encryptor.Decrypt", Err.Number, Err.Description)
            Return Err.Description.ToString
        End Try

    End Function

    Private Shared Function Transform(ByVal Text As String, _
                                        ByVal CryptoTransform As Cryptography.ICryptoTransform) As String
        Try
            Dim stream As New IO.MemoryStream
            Dim cryptoStream As New Cryptography.CryptoStream(stream, CryptoTransform, Cryptography.CryptoStreamMode.Write)
            Dim Input() As Byte = Encoding.Default.GetBytes(Text)

            cryptoStream.Write(Input, 0, Input.Length)
            cryptoStream.FlushFinalBlock()

            Return Encoding.Default.GetString(stream.ToArray())
        Catch
            Dim objsendmail As New EcommEncryptor.LocalErrorHandler
            objsendmail.SendMail("Encryptor.Transform", Err.Number, Err.Description)

            Return Err.Description.ToString
        End Try

    End Function
End Class
 
0
 
LVL 3

Author Comment

by:Kevin Robinson
ID: 17817856

"Are you inserting / updating the data programmatically or through sql tools"

Well either way as long as it works.

Can a certificate be used with this class or is it necessary.
0
 
LVL 3

Author Comment

by:Kevin Robinson
ID: 17817962
Ok got that working OK.

Can I use my certificates as the KEY?
0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question