Solved

Distributing a private key

Posted on 2014-02-19
10
436 Views
Last Modified: 2014-02-25
Dear Experts,
I've been given a task I am not very knowledgeable about and hope you can provide some insight.

User's OS: Windows (Win7 & Win8; both 32 and 64 bit)
I have an application (VB6) that runs locally on users' systems. There are approximately 30 users on different systems in different locations. The distribution of the app is highly controlled and protected.

The app sends XML strings directly to a Receiver's site using HTTPS.post.

The task is to embed a signature in the HTTPS header so the Receiver can verify the message came from our company (any one of the 30 users). The Receiver is not interested in using Public/Private keys and our transmission to them does not go thru a server at any point.

Using makecert, I've created a local X509 certificate with a private key and have completed the work to generate the SHA1 hash to create the signature.

Here is where I am stuck - because I am very new to certificates, I don't understand how to get that private key to the app users.

My thought was to distribute the .cer file with the app setup (the code looks for the certificate in a specific directory) - then also snail mail the .cer to the Receiver.

Will this work?
Doesn't the private key have to be the same on all systems (for the signature to be the same?)
Am I way off base?

Thank you
klheitz
0
Comment
Question by:klheitz
10 Comments
 
LVL 28

Expert Comment

by:becraig
Comment Utility
In order to give users the private key you will have to export to pfx you can do so with certutil:

Certutil.exe -p <Password> –exportpfx Thumbprintofcert c:\pfxfile.pfx

Once you have done the above you can simply script out the copy and install of the cert to the users store this can be bundled as a part of installing your app, so when the user runs your app you can point to the path with the pfx and do an install e.g :

certutil –f –p <password> –importpfx C:\pfxfile.pfx



Once you are installing
A flow such as above should work, since the private key will be exported to the pfx file.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
Comment Utility
Here's an overview of how the general process should work; compare to your current approach.

Proper Implementation

1.

Alice wants to send a message to Bob and provide confidentiality, integrity, proof of origin and proof of receipt.

2.

To protect the secrecy of her message contents, she uses a symmetric cipher to encrypt it. For that she uses a symmetric key. This produces a ciphertext message.

3.

To protect the accuracy of the message, she uses a hashing algorithm that condenses the arbitrary-length message to a fixed-size message digest value.

4.

To prove the message actually came from her, Alice signs the message by encrypting the hash value with her private key. The sum of the message digest encrypted with Alice's private key results in a digital signature.

5.

This digital signature is then appended to the bottom of the symmetrically encrypted message. Now in order for Bob to read, prove the origin, and check the accuracy of the message, he must reverse all of the encryption done above.

6.

To read the message, Bob needs a copy of the symmetric key. Alice encrypts it using asymmetric encryption and encrypts the symmetric key with Bob's public key, producing a ciphertext key.

7.

Bob decrypts the ciphertext key with his private key to give him his copy of the symmetric key.

8.

Bob uses the symmetric key to decrypt the message with that key and read it.

9.

Bob decrypts Alice's digital signature using Alice's public key. Once the decryption process is complete, he is left with the message digest.

10.

But, he has yet to prove the integrity of the message or the proof of origin. He must prove the message digest value is correct. To do this, Bob must rehash the message that he has received and decrypted.

11.

If the message digest that he generates from the message matches the message digest that he decrypted from Alice's digital signature, then he has proof of integrity and proof of origin.

12.

To prove that he received the actual message Alice sent, Bob re-encrypts the message digest with his private key, which will result in his digital signature.

13.

Bob sends his digital signature back to Alice.

14.

Alice decrypts Bob's digital signature using his public key to produce the message digest.

15.

She compares the message digest she just received to the message digest she originally generated. If these two message digests match, then she has proven that her message was received by Bob (proof of receipt) in its correct format (proof of integrity).
0
 
LVL 2

Expert Comment

by:CubeOver
Comment Utility
I would advise you to look at deploying a web enrolment service so that clients can request certificates, and enrol them once you approve their requests.
I.e. you shall need the following roles deployed and available on the Internet or other network where all your clients have access:

ADCS - Certificate Enrollment Web Service
ADCS - Certificate Enrollment Policy Web Service

Please read up on both - you can start right from the Add Role Services Wizard.
Once deployed, give URI of the Policy Service to your clients along with instructions how to set things up.
Each computer shall have it's own certificate, allowing you to revoke it in case of compromise.
==>Please design, deploy and test CRL web service before doing anything else, otherwise you shall have no means of stopping the compromised computers from connecting (short of shutting down the solution!) Make sure your CA works well with CRL service before issuing any certs.
==>Also make sure the template you use specifies non-exportable enrolment. This will stop users from exporting private keys from one PC into another.

Clients will need credentials in your domain, you could also use one shared user/password pair - one user may have many certs issued to him.
Make sure that your CA requires your approval for every request. even renewals.
Once you see new request incoming you could call the user/company to verify correct enrolment, and then approve. The rest is automatic, I mean renewal request coming your way every year or period configured.

This is a free, scalable solution.
The benefit is you do not email private keys - everything happens inside SSL tunnel.
Another benefit is users only configure it once, for lifetime of your solution.

.CER files do not contain private keys, .P7B do.
0
 

Author Comment

by:klheitz
Comment Utility
Hi bcraig;

I've determined this approach will work for me. I have run into some questions however.

I've been able to export the thumbprint a .pfx.

My first attempts failed (not found); so I used certutil to -addstore MY <cer path>. After doing so, it was successful.

In the dos window however, right above 'success' it reported:
'cannot find the certificate and private key for decryption' (i've attached a screen shot)

In your instructions you said:
"Once you have done the above you can simply script out the copy and install of the cert to the users store this can be bundled as a part of installing your app,"

I'm unfortunately ignorant in this area. is it possible to clarify? I'm not sure what you mean by 'script out the copy' (the pfx yes?).
'and install the cert to the users store' -

Will I be able to include the .pfx in my build; and run the
certutil –f –p <password> –importpfx C:\pfxfile.pfx command at the end of the install (vs. when the app itself runs)

Also - I don't know how to install it in the user's store. If I import as above and run certutil -addstore MY imported.cer will that do it?

I'm sorry to be so green at this.

Thank you
klheitz





Once you are installing
A flow such as above should work, since the private key will be exported to the pfx file.
certutil-export.png
0
 
LVL 28

Accepted Solution

by:
becraig earned 500 total points
Comment Utility
In order to export the pfx the cert must be installed (with private key marked as exportable on the machien you do the first step from)

Since this will be bundled in a build I think this will be secure as the pfx cannot be decrypted without the password.


Once you install the certificate on the machine you are first exporting from you can get the thumbprint by opening the cert - clicking on the details tab and  scroll down to thumbprint and copy the thumbprint.

Then proceed to export the pfx file using certutil
Certutil.exe -p <Password> –exportpfx Thumbprint c:\pfxfile.pfx

At this stage you need to embed the pfx file in your app and add a line to do the import from the pfx file when expanded with your application install:
Have some aspect of your install (maybe when staging the install) run the following command.
certutil -f -user -p [password] -importpfx  c:\path-your-app-expands-the -pfx-file-to\file.pfx

This will install the cert with private key to the user's store.

You can then have a command in your app installer delete the pfx file from the local computer and proceed to install your application.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:klheitz
Comment Utility
Hi becraig;
This is all great stuff and I feel I'm 99.5% of the the way there! Thank you so much!

Here's my final (I hope) brick wall.

After exporting the .cer to a .pfx and importing the .pfx ... what is the path of the imported .cer file? I've searched my system and cannot find it.

I ask because my vb.net code is as follows:

 Public Function GetSignature(ByRef XMLString As String) As String
        ' The path to the certificate.
        Dim Certificate As String = "c:\[path]\[filename].cer"
       
        ' Load the certificate into an X509Certificate object.
        Dim cert As New System.Security.Cryptography.X509Certificates.X509Certificate2(Certificate)

Does that make sense?
Thank you again!
klheitz
0
 
LVL 28

Expert Comment

by:becraig
Comment Utility
Ok so the problem here is that when the pfx is imported it is imported into the certificate store.  At this stage of your code what are you attempting to do next ?

Are you attempting to validate the certificate once it's installed ?
0
 

Author Comment

by:klheitz
Comment Utility
I'm attempting to use the certificate's private key to apply SHA1 hash & create a digital signature. Full routine below:

    Public Function GetSignature(ByRef XMLString As String) As String
        ' The path to the certificate.
        Dim Certificate As String = "c:\[path to cert]\[filename].cer"
        Dim ByteConverter As New ASCIIEncoding
        Dim strDataString As String = XMLString

        'create byte arrays to hold orig & sigstring
        Dim OrigData As Byte() = ByteConverter.GetBytes(strDataString)
        Dim signedData() As Byte

        ' Load the certificate into an X509Certificate object.
        Dim cert As New System.Security.Cryptography.X509Certificates.X509Certificate2(Certificate)

        ' Create a new instance of the RSACryptoServiceProvider class  
        ' and automatically create a new key-pair.
        Dim RSAalg As New RSACryptoServiceProvider

        ' Export the key information to an RSAParameters object.
        ' You must pass true to export the private key for signing.
        Dim Key As RSAParameters = RSAalg.ExportParameters(True)

        ' Hash and sign the data.
        signedData = HashAndSignBytes(OrigData, Key)


        Dim sigString = Convert.ToBase64String(signedData)


        ' Verify the data and display the result to the  
        ' console.
        If VerifySignedHash(OrigData, signedData, Key) Then
            'MessageBox.Show("The data was verified.", "Verification", MessageBoxButtons.OK)
            ' Console.WriteLine("The data was verified.")
            GetSignature = sigString
        Else
            GetSignature = "The data does not match the signature."
            'Console.WriteLine("The data does not match the signature.")
        End If

        ' Display the value to the console.
        'Console.WriteLine(sigString)
        'GetSignature = sigString
    End Function
0
 

Author Comment

by:klheitz
Comment Utility
I've requested that this question be closed as follows:

Accepted answer: 0 points for klheitz's comment #a39884586

for the following reason:

Very helpful - and patient! beCraig helped clarify my misunderstanding and offered excellent suggestions.
0
 

Author Closing Comment

by:klheitz
Comment Utility
(i might have done this wrong before - i think I accepted my own note as the solution and I didn't mean to)
beCraig's solution worked great. Thank you very much!
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now