Solved

Software Digital Signature

Posted on 2011-03-20
441 Views
Last Modified: 2012-06-21
I want to know more about digital signatures: how digital signature companies sign software code, and how to start a digital signing company?
Question by:Mohamed Abowarda
21 Comments
 
LVL 8

Expert Comment

by:jako
ID: 35182331
Your search terms should be "Class 3 PKI" and probably "steep initial investment" both HR and HW-wise.. ;)
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35220743
@jakopriit: I need more explanation.

Actually, I want to know how I can digitally sign a software EXE myself.
0
 
LVL 9

Accepted Solution

by:
gtkfreak earned 240 total points
ID: 35225567
You can self-generate a certificate and then use that to self-sign your code using OpenSSL. Alternatively, see this link on code signing.
http://www.top20toolbar.com/misc/codesigncert.htm
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35225826
@gtkfreak: How can I self-generate a certificate? Also, what commands do I need to use in OpenSSL to sign the code?
0
 
LVL 4

Expert Comment

by:m_walker
ID: 35225842
Have a read of this

http://msdn.microsoft.com/en-us/library/bb530410.aspx#vistauac_topic6h

On that page go to section "8. Authenticode Sign Your Application"

0
 
LVL 9

Expert Comment

by:gtkfreak
ID: 35225850
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35226058
@gtkfreak: Thanks! One more thing, how can I build a trusted company to commercially sign code like VeriSign, Thawte, etc.?
0
 
LVL 4

Assisted Solution

by:m_walker
m_walker earned 480 total points
ID: 35226101
If you want to sign certificates that will work on 3rd party computers they will need to be signed by a known CA (Certificate Authority) such as VeriSign.  Without that, they won't be able to verify your certificate is valid.
I think you can buy a certificate from some top level CAs that will let you sign others, but it will cost you (if you can still get them).  You will also have to prove you have the correct setup in place and pass all audits.

The key reason it is hard is you need to have your signing public certificate published, then that needs to be installed into every browser in the world to work; this is done via product updates from Windows, Apple, Firefox etc.

If you can sign certificates, then you can forge certificates (hence the audits).  If just anyone could do it, then SSL would be worthless.

You could try looking at re-selling like at: http://www.instantssl.com/ssl-certificate-affiliates/resellers/ssl-certificate-index.html
In which case you don't sign them yourself, but can get them signed at the CA.
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35226282
> "this is done via product updates from Windows, Apple, Firefox etc."

How can I get my certificate imported into all browsers in the world via OS updates, Firefox updates, etc.?
0
 
LVL 4

Assisted Solution

by:m_walker
m_walker earned 480 total points
ID: 35228060
You need to be a registered CA, else you can not do it.  If your certificate is signed by a registered CA then you don't need to have hosts know about it, as it can be verified by one of the installed root and intermediate CAs already published.

I don't have the doc reference atm, but in order to become a CA there is a list of things you must meet and pass an audit.  These are things like having your top level private certificate offline on a computer that is in a secure location and NEVER gets connected to the internet (eg: in a safe).  That certificate is used to sign your intermediate certificates, which are used to sign user certificates.  You need to prove that no-one can get a certificate signed unless it's valid.  You will need to demonstrate how you verify that someone is entitled to the requested certificate.

eg:  Let's say your bank has a web site www.abcbank.com.  When you visit that web site it d/l the certificate from the web site.  In there will be a CN=www.abcbank.com .... Now if I make a certificate with CN=www.abcbank.com then I would have the private key and could fake the bank's SSL connection... this is bad.

Search the net for "how to be a root level CA" or similar.
0
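An added shell example (not code from the thread or from any of its posters) that ties gtkfreak's OpenSSL suggestion to the root / intermediate / user certificate structure m_walker describes: an offline-style root signs an intermediate, the intermediate issues a code-signing certificate, a file is signed with a detached CMS signature, and a verifier that trusts only the root checks it. All subjects, file names and the signed bytes are constructed for the demo; it assumes an `openssl` binary (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Two-tier CA, code-signing leaf,
# detached CMS signature, chain verification against the root only.
# Subjects and file names below are constructed placeholders.
set -e
WORK=$(mktemp -d)

# Key pair plus CSR: $1=name $2=subject
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Issue a certificate from a CSR: $1=csr $2=issuer cert $3=issuer key $4=out $5=extfile
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -out "$4" -days 365 -extfile "$5" >/dev/null 2>&1
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning\n' > "$WORK/leaf.ext"
  csr root "/CN=Demo Root CA"          # in production this key stays offline
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -out "$WORK/root.crt" -days 3650 -extfile "$WORK/ca.ext" >/dev/null 2>&1
  csr inter "/CN=Demo Issuing CA"
  issue "$WORK/inter.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/inter.crt" "$WORK/ca.ext"
  csr leaf "/CN=Demo Software Publisher"
  issue "$WORK/leaf.csr" "$WORK/inter.crt" "$WORK/inter.key" "$WORK/leaf.crt" "$WORK/leaf.ext"
}

# Detached CMS signature over $1, written to $1.sig. The intermediate travels
# with the signature so a verifier holding only the root can build the chain.
sign_file() {
  openssl cms -sign -binary -in "$1" -signer "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
    -certfile "$WORK/inter.crt" -outform DER -out "$1.sig" 2>/dev/null
}

# Prints ok or fail. Only root.crt is trusted: a signer certificate that does
# not chain to it, or a file changed after signing, fails.
verify_file() {
  if openssl cms -verify -binary -inform DER -in "$1.sig" -content "$1" \
       -CAfile "$WORK/root.crt" -purpose any -out /dev/null 2>/dev/null
  then echo ok; else echo fail; fi
}
```

Run `build_chain`, then `sign_file path` and `verify_file path`; appending a byte to the file after signing turns the result to `fail`.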
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35273623
@m_walker: I need to know where I can register as a CA and become a root level CA, and where I can prove the things you mentioned?

Thanks,
0
 
LVL 9

Expert Comment

by:gtkfreak
ID: 35276226
Difficult but not impossible. You will have to look it up yourself. If you want to sign macros / code just for one computer, you can look around for selfcert.exe to get a self signed certificate. Note that this will only run on the computer where it was signed.
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35276295
@gtkfreak: I have already done a self-signed certificate, however I am not sure if I need to contact Microsoft, Firefox and all the web browser companies to ask them to publish the certificate with their updates and make it worldwide trusted.
0
 
LVL 8

Expert Comment

by:jako
ID: 35276883
Your little enterprise WILL NOT be accepted as root level CA unless it _strictly_ adheres to rules and regulations set. And to do that you need steep initial investments (the first post). Business continuity is a major concern. Utmost data security - you need to guard your root private keys better than your life. You need to set up comprehensive verification procedures for applicants. Etc, etc.
0
 
LVL 5

Expert Comment

by:TomasP
ID: 35318092
In short, forget about being a CA. It is expensive and per the others' comments this is something you must not just roll yourself. The whole concept is built around a chain of trust where the most trusted is at the root. In short what you offer is the equivalent of saying "I am me because I say I am me". Not worth much in the security world.
If you are serious about signing your code so it is trusted, do some research about buying a CODE signing certificate from a well known CA.
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35318168
@TomasP: No! I could do CA business later on, that's why I posted that question.

That it's expensive doesn't mean it's impossible. I don't want frustration please; if anyone knows what to do, in steps, to become a root CA, no matter how much time it will take or how much money, etc., please post.
0
 
LVL 5

Assisted Solution

by:TomasP
TomasP earned 480 total points
ID: 35318484
The mechanical steps of being a root CA issuing self-signed certs can be found here

http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
http://www.ibm.com/developerworks/lotus/library/ls-Certification_Authority/?S_TACT=105AGX99&S_CMP=CP

Start with the basics of setting up an internal CA as noted above.
Build the internal CA until it can offer CA services to partner companies. This is building the trust. When the pool of clients that trust you is large enough, spin away from the parent company.

0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35319348
@TomasP: OK, that's great, what's the difference between a normal certificate and an extended validation certificate?
0
 
LVL 5

Expert Comment

by:TomasP
ID: 35319483
No difference in cryptography, but the CA undergoes a more stringent background check/interview and, once passed and having undergone a deeper audit, can offer certs marked as extended... more trustworthy.
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35386595
@TomasP: I still don't understand the difference between a normal certificate and an extended validation certificate; technically, how does the browser recognize that this is a normal certificate or this is an extended validation certificate?
0
 
LVL 5

Assisted Solution

by:TomasP
TomasP earned 480 total points
ID: 35386773
This document will help you understand the policy property in the certificate and how it should be handled.

http://www.cabforum.org/Guidelines_v1_2.pdf

This is an excerpt from wikipedia: http://en.wikipedia.org/wiki/Extended_Validation_Certificate#Extended_Validation_certificate_identification
"EV certificates are standard x.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify their EV certificates, and each OID is documented in the issuer's Certification Practice Statement"

0
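An added shell example (not code from the thread or its posters) of the identification rule in the excerpt above: EV and normal certificates are the same X.509 format, and software tells them apart by matching the OIDs in the Certificate Policies extension against a list it trusts. The issuer OIDs under 1.3.6.1.4.1.99999 are constructed placeholders standing in for the OIDs an issuer documents in its CPS; 2.23.140.1.1 is the CA/Browser Forum EV policy OID. Assumes an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Builds two self-signed demo certificates
# that differ only in their certificatePolicies OIDs and classifies them the
# way a browser's EV check does. Issuer OIDs under 1.3.6.1.4.1.99999 are
# constructed placeholders for this demo.
set -e
WORK=$(mktemp -d)

# Self-signed demo certificate: $1=name $2=comma-separated policy OIDs
make_cert() {
  printf 'basicConstraints=CA:FALSE\ncertificatePolicies=%s\n' "$2" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -out "$WORK/$1.crt" -days 30 -extfile "$WORK/$1.ext" >/dev/null 2>&1
}

# Print the policy OIDs of certificate $1, one per line, by reading the
# "Policy:" lines that follow the Certificate Policies extension header
policy_oids() {
  openssl x509 -in "$1" -noout -text |
    awk '/Certificate Policies/ {f=1; next}
         f && /Policy:/ {print $2; next}
         f && !/^ *$/ {f=0}'
}

# EV policy OIDs this verifier trusts (one per issuer in a real browser)
EV_OIDS="2.23.140.1.1 1.3.6.1.4.1.99999.1"

# Prints EV when any policy OID is on the trusted list, otherwise normal
classify() {
  for oid in $(policy_oids "$1"); do
    for ev in $EV_OIDS; do
      [ "$oid" = "$ev" ] && { echo EV; return 0; }
    done
  done
  echo normal
}
```

Both certificates verify the same way cryptographically; only the policy OID comparison in `classify` separates them.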