Solved

Software Digital Signature

Posted on 2011-03-20
21
410 Views
Last Modified: 2012-06-21
I want to know more information about digital signatures: how digital signature companies sign software code, and how to start a digital signing company?
0
Question by:Mohamed Abowarda
21 Comments
 
LVL 8

Expert Comment

by:jako
ID: 35182331
Your search terms should be "Class 3 PKI" and probably "steep initial investment" both HR and HW-wise.. ;)
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35220743
@jakopriit: I need more explanation.

Actually, I want to know how can I digitally sign software EXE myself.
0
 
LVL 9

Accepted Solution

by:
gtkfreak earned 60 total points
ID: 35225567
You can self-generate a certificate and then use that to self-sign your code using OpenSSL. Alternatively, see this link on code signing.
http://www.top20toolbar.com/misc/codesigncert.htm
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35225826
@gtkfreak: How can I self-generate a certificate? Also, what commands do I need to use in OpenSSL to sign the code?
0
 
LVL 4

Expert Comment

by:m_walker
ID: 35225842
Have a read of this

http://msdn.microsoft.com/en-us/library/bb530410.aspx#vistauac_topic6h

On that page go to section "8. Authenticode Sign Your Application"

0
 
LVL 9

Expert Comment

by:gtkfreak
ID: 35225850
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35226058
@gtkfreak: Thanks! One more thing, how can I build a trusted company to commercially sign code like VeriSign, Thawte, etc....
0
 
LVL 4

Assisted Solution

by:m_walker
m_walker earned 120 total points
ID: 35226101
If you want to sign certificates that will work on 3rd party computers they will need to be signed by a known CA (Certificate Authority) such as VeriSign.  Without that, they won't be able to verify your certificate is valid.  
I think you can buy a certificate from some top level CAs that will let you sign others, but it will cost you (if you can still get them).  You will also have to prove you have the correct setup in place and pass all audits.

The key reason it is hard is you need to have your signing public certificate published, then that needs to be installed into every browser in the world to work; this is done via product updates from Windows, Apple, Firefox etc....

If you can sign certificates, then you can forge certificates (hence the audits).  If just anyone could do it, then SSL would be worthless.

You could try looking at re-selling like at : http://www.instantssl.com/ssl-certificate-affiliates/resellers/ssl-certificate-index.html
In which case you don't sign them yourself, but can get them signed at the CA.
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35226282
> "this is done via product updates from Windows, Apple, Firefox etc...."

How can I make my certificate imported into all browsers in the world by OS updates, Firefox updates, etc...?
0
 
LVL 4

Assisted Solution

by:m_walker
m_walker earned 120 total points
ID: 35228060
You need to be a registered CA, else you cannot do it.  If your certificate is signed by a registered CA then you don't need to have hosts know about it, as it can be verified by one of the installed root and intermediate CAs already published.

I don't have the doc reference atm, but in order to become a CA there is a list of things you must meet, and pass an audit.  These are things like having your top level private certificate offline on a computer that is in a secure location and NEVER gets connected to the internet (eg: in a safe).  That certificate is used to sign your intermediate certificates, which are used to sign user certificates.  You need to prove that no-one can get a certificate signed unless it's valid.  You will need to demonstrate how you verify that someone is entitled to the requested certificate.

eg:  Let's say your bank has a web site www.abcbank.com.  When you visit that web site it downloads the certificate from the web site.  In there will be a CN=www.abcbank.com .... Now if I make a certificate with CN=www.abcbank.com then I would have the private key and could fake the bank's SSL connection... this is bad.

Search the net for "how to be a root level CA"  or similar.
0
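The two things this thread has asked for so far, self-generating a certificate and signing an EXE with it (gtkfreak's accepted answer), and m_walker's point that the signature only counts on a machine that already trusts the issuer, can be shown together in one runnable piece. The following is an added example written for this page in Go, using the standard crypto/x509 package in place of OpenSSL commands; it is not code from any poster or from the linked articles. Every name in it ("Example Root CA", "Example Issuing CA", "Example Software Publisher", "Homemade Root CA") and the "MZ..." byte string standing in for an EXE are constructed for the demo, and a detached signature over the file hash stands in for the PKCS#7 structure Authenticode embeds in the PE. It builds a root, an issuing (intermediate) CA and a publisher certificate, signs the hash of the binary, then verifies signature and chain the way a relying party does. The same publisher name issued by a home-made root fails the chain check, which is exactly the "nobody has your root installed" problem described above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is one link in the chain: a key pair plus the certificate over its public key.
type entity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue certifies a fresh key; a nil parent means self-signed (the "self-generate a certificate" step).
func issue(cn string, isCA bool, parent *entity) (*entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; a real CA keeps a serial registry
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA { // CA keys sign certificates, not code
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	parentCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &entity{key: key, cert: cert}, err
}

// verify does what a relying party does: the signature must match the binary under the leaf's
// key, and the leaf must chain through intermediates to a trusted root with a code-signing EKU.
func verify(binary, sig []byte, leaf *x509.Certificate, inters, roots *x509.CertPool) error {
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, binary, sig); err != nil {
		return err // altered binary, or signed with a different key
	}
	_, err := leaf.Verify(x509.VerifyOptions{Intermediates: inters, Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err // x509.UnknownAuthorityError when no trusted root is reached
}

// RunChecks builds root -> issuing CA -> publisher, signs a constructed binary and reports which checks pass.
func RunChecks() (map[string]bool, error) {
	var err error
	mk := func(cn string, isCA bool, parent *entity) *entity { // records the first failure
		e, e2 := issue(cn, isCA, parent)
		if e2 != nil && err == nil {
			err = e2
		}
		return e
	}
	root := mk("Example Root CA", true, nil) // in practice kept offline
	inter := mk("Example Issuing CA", true, root)
	leaf := mk("Example Software Publisher", false, inter)
	rogue := mk("Example Software Publisher", false, mk("Homemade Root CA", true, nil))
	if err != nil {
		return nil, err
	}
	exe := []byte("MZ\x90\x00 constructed stand-in for an EXE image") // constructed sample
	digest := sha256.Sum256(exe)                                       // sign the hash, not the file
	sig, err1 := ecdsa.SignASN1(rand.Reader, leaf.key, digest[:])
	rogueSig, err2 := ecdsa.SignASN1(rand.Reader, rogue.key, digest[:])
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("signing failed: %v %v", err1, err2)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)   // what an OS or browser vendor ships once a CA is admitted
	inters.AddCert(inter.cert) // normally shipped alongside the signature
	return map[string]bool{
		"trusted chain":    verify(exe, sig, leaf.cert, inters, roots) == nil,
		"tampered binary":  verify(append(exe, 0), sig, leaf.cert, inters, roots) != nil,
		"untrusted issuer": verify(exe, rogueSig, rogue.cert, inters, roots) != nil,
	}, nil
}

func main() {
	got, err := RunChecks()
	fmt.Println(got, err)
}
```

All three entries come back true. The roots pool is the part the thread keeps circling around: a self-signed certificate added to one machine's trust store is the same as adding it to that pool on that machine only, while being a public CA means having your root in the pool every vendor ships. Nothing in the cryptography distinguishes "Example Root CA" from "Homemade Root CA"; only membership in the relying party's root set does.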
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35273623
@m_walker: I need to know where I can register a CA and become a root level CA, and where I can prove the things you mentioned?

Thanks,
0
 
LVL 9

Expert Comment

by:gtkfreak
ID: 35276226
Difficult but not impossible. You will have to look it up yourself. If you want to sign macros / code just for one computer, you can look around for selfcert.exe to get a self signed certificate. Note that this will only run on the computer where it was signed.
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35276295
@gtkfreak: I have already done a self-signed certificate, however I am not sure if I need to contact Microsoft, Firefox and all the web browser companies to ask them to publish the certificate with their updates and make it worldwide trusted.
0
 
LVL 8

Expert Comment

by:jako
ID: 35276883
Your little enterprise WILL NOT be accepted as root level CA unless it _strictly_ adheres to rules and regulations set. And to do that you need steep initial investments (the first post). Business continuity is a major concern. Utmost data security - you need to guard your root private keys better than your life. You need to set up comprehensive verification procedures for applicants. Etc, etc.
0
 
LVL 5

Expert Comment

by:TomasP
ID: 35318092
In short, forget about being a CA. It is expensive and per the others' comments this is something you must not just roll yourself. The whole concept is built around a chain of trust where the most trusted is at the root. In short what you offer is the equivalent of saying "I am me because I say I am me". Not worth much in the security world.
If you are serious about signing your code so it is trusted, do some research about buying a CODE signing certificate from a well known CA.
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35318168
@TomasP: No! I could do CA business later on, that's why I posted that question.

It being expensive doesn't mean it's impossible. I don't want frustration please. If anyone knows what to do in steps to become a root CA, no matter how much time it will take or how much money, etc... please post.
0
 
LVL 5

Assisted Solution

by:TomasP
TomasP earned 120 total points
ID: 35318484
The mechanical steps of being a root CA issuing self-signed certs can be found here

http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
http://www.ibm.com/developerworks/lotus/library/ls-Certification_Authority/?S_TACT=105AGX99&S_CMP=CP

Start with the basics of setting up an internal CA as noted above.
Build the internal CA until it can offer CA services to partner companies. This is building the trust. When the pool of clients that trust you is large enough, spin away from the parent company

0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35319348
@TomasP: OK, that's great, what's the difference between a normal certificate and an extended validation certificate?
0
 
LVL 5

Expert Comment

by:TomasP
ID: 35319483
No difference in cryptography, but the CA undergoes a more stringent background check/interview and, once passed and having undergone a deeper audit, can offer certs marked as extended... more trustworthy
0
 
LVL 12

Author Comment

by:Mohamed Abowarda
ID: 35386595
@TomasP: I still don't understand the difference between a normal certificate and an extended validation certificate; technically, how does the browser recognize that this is a normal certificate or this is an extended validation certificate?
0
 
LVL 5

Assisted Solution

by:TomasP
TomasP earned 120 total points
ID: 35386773
This document will help you understand the policy property in the certificate and how it should be handled

http://www.cabforum.org/Guidelines_v1_2.pdf

This is an excerpt from wikipedia: http://en.wikipedia.org/wiki/Extended_Validation_Certificate#Extended_Validation_certificate_identification
"EV certificates are standard x.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify their EV certificates, and each OID is documented in the issuer's Certification Practice Statement"

0
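The Wikipedia excerpt above says an EV certificate is recognised by an issuer-specific OID in the Certificate Policies extension, which is the answer to the "how does the browser recognize it" question. The following is an added Go example written for this page (not code from the thread, the CA/Browser Forum guidelines or Wikipedia) that pulls that extension out of a certificate's extension list and checks it for a given issuer's EV policy OID. Both OIDs in it are placeholders under a private enterprise arc, constructed for the demo; a real check uses the EV OID the issuer publishes in its Certification Practice Statement, so a relying party keeps a table mapping each trusted root to its EV OID. Go's parsed x509.Certificate already exposes this list as PolicyIdentifiers; the extension is decoded by hand here to show what the browser is actually reading.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// oidCertificatePolicies is id-ce-certificatePolicies (2.5.29.32), the extension the
// Wikipedia excerpt refers to.
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// policyInformation mirrors RFC 5280 PolicyInformation; qualifiers are kept raw because
// only the policy OID matters for EV identification.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// CertificatePolicyOIDs returns the policy OIDs in a certificate's Certificate Policies
// extension; exts is cert.Extensions of a parsed x509.Certificate. No extension means
// no policies, which is not an error.
func CertificatePolicyOIDs(exts []pkix.Extension) ([]asn1.ObjectIdentifier, error) {
	for _, ext := range exts {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		rest, err := asn1.Unmarshal(ext.Value, &infos)
		if err != nil {
			return nil, fmt.Errorf("certificatePolicies: %w", err)
		}
		if len(rest) != 0 {
			return nil, errors.New("certificatePolicies: trailing data")
		}
		oids := make([]asn1.ObjectIdentifier, 0, len(infos))
		for _, pi := range infos {
			oids = append(oids, pi.Policy)
		}
		return oids, nil
	}
	return nil, nil
}

// HasPolicy reports whether want is among the certificate's policies. For EV, want is
// the EV policy OID the issuer documents in its Certification Practice Statement; a
// relying party looks it up per trusted root before calling this.
func HasPolicy(exts []pkix.Extension, want asn1.ObjectIdentifier) (bool, error) {
	oids, err := CertificatePolicyOIDs(exts)
	if err != nil {
		return false, err
	}
	for _, oid := range oids {
		if oid.Equal(want) {
			return true, nil
		}
	}
	return false, nil
}

// MakePoliciesExtension encodes a Certificate Policies extension the way an issuing CA
// would; used here only to construct sample input.
func MakePoliciesExtension(oids ...asn1.ObjectIdentifier) (pkix.Extension, error) {
	infos := make([]policyInformation, len(oids))
	for i, oid := range oids {
		infos[i].Policy = oid
	}
	der, err := asn1.Marshal(infos)
	return pkix.Extension{Id: oidCertificatePolicies, Value: der}, err
}

// Placeholder OIDs under a private enterprise arc, constructed for this example; real EV
// policy OIDs differ per issuer and are published in each CA's CPS.
var (
	exampleEVPolicy       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}
	exampleStandardPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2}
)

// Demo classifies two constructed extension sets: one carrying the example EV policy OID
// and one carrying only the standard policy. It returns (evRecognised, standardTakenForEV).
func Demo() (bool, bool, error) {
	ev, err := MakePoliciesExtension(exampleEVPolicy)
	if err != nil {
		return false, false, err
	}
	std, err := MakePoliciesExtension(exampleStandardPolicy)
	if err != nil {
		return false, false, err
	}
	evIsEV, err := HasPolicy([]pkix.Extension{ev}, exampleEVPolicy)
	if err != nil {
		return false, false, err
	}
	stdIsEV, err := HasPolicy([]pkix.Extension{std}, exampleEVPolicy)
	return evIsEV, stdIsEV, err
}

func main() {
	fmt.Println(Demo())
}
```

Demo returns true, false, nil: the extension carrying the issuer's EV OID is recognised, the one carrying only the standard policy is not. This is the whole "technical" difference TomasP describes: same X.509 structure and same cryptography, and the EV treatment comes from the browser matching a policy OID against the list it keeps for CAs that passed the stricter vetting.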