How To Create A Digital Signature Certificate

Transcription

1 Tool. For Signing & Verification Submitted To: Submitted By: Shri Patrick Kishore Chief Operating Officer Sujit Kumar Tiwari MCA, I Year University Of Hyderabad

2 Certificate by Guide This is certifying that Mr. Sujit Kumar Tiwari, MCA Ist year, SCIS University of Hyderabad has done summer training during May June 2013 under my guidance. He Guide: Signature: Shri Patrick Kishore Chief Operating Officer ( IDRBT )

3 Acknowledgement It has been a great opportunity and honor to undergo summer training at IDRBT (Institute for Development and Research in Banking Technology). I would like to express my deep gratitude to Shri Patrick Kishore my guide for their guidance and useful critiques of this work. I would also love to thanks Shri Sudhir Kumar Jha and Smt. R. Jayalakshmi for his valuable and constructive suggestion during development of this project. His willingness to give his time so generously has been very much appreciated. Finally, I want to thanks SCIS (School of Information Sciences) University of Hyderabad, for providing me permission to carry out this summer training. Thanks to All Sujit Kumar Tiwari

4 Content 1 Introduction 2 The Basics of Project 2.1 Digital Signature Digital Signature and its type Classes of Signature Need for Digital Signature Benefits of digital signature Non-Repudiation & Authenticity Integrity..6 3 Structure of Working 3.1 PKI structure Symmetric-key Cryptography Block & Stream Cipher Public-key Cryptography Signing 10 4 Verification 12 5 Coding Refrences..

5 Introduction Further, in report you will find Why to sign? How to sign? And How to verify? First of all, What is the need of making such tool? The answer is that on any public and non - secure network if we will transfer any data (i.e. plain text) then it is prone to tamper. The solution is to sign the content before transferring which will guaranties, Data Integrity, Authenticity and Non Repudiation. In this report you will get detail study regarding to digital signature, type of signature, method of signing and verification. Work is still to be done

6 Digital Signature: A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, such that the sender cannot deny having sent the message and that the message was not altered in transit. These are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature with the help of digital certificate. Ministry of Company Affairs has launched a prestigious e-governance programme named MCA21. Under the said MCA21 programme, new e-forms have been notified. To make these new e-forms legally recognized and authenticate Digital Signature Certificate. These Digital Signature Certificate used for e-forms has the same legal recognition and validity as handwritten signatures. Uses: Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering. Digital Signature: A Digital Signature Certificate(DSC) is not only a digital equivalent of a hand written signature it adds extra data electronically to any message or a document where it is used to make it more authentic and more secured. Digital Signature ensures that no tampering of data is done once the document has been digitally signed. A DSC is normally valid for 1 or 2 years, after which renewal is required. The digital signature will be useful not only for ROC e-filing but can be used for varied e-commerce transaction like online e-tds, ITReturne-filing, e-tendering, etc. These certificates are accepted for IFFCO, Northern Railway, MCA21, E-filing, E - tendering etc. There are basically 3 types of Digital Signature Certificates Class 1, Class 2 & Class 3 each having different level of security.

7 Class 1 Certificates: Class 1 certificates are issued only to individuals. Class 1 certificate confirm that a user s name (or alias) and address form a distinct subject name within the IDRBT CA repository. Class 1 certificates are added to his/her set of available certificates in the directory services. They are used primarily for digital signature to enhance the security of these environments. Class 1 Encryption Certificate is used for purposes. The validity period of Class 1 Certificates is two years. For Class 1 Certificates the authentication of the identity is done by the RA. The verification of the certificate request represent a simple check of the certainty of the subject name within the CA repository, plus a limited verification of the address, other personal information and address. The Class 1 Certificate is intended to use for Digital Signature and Class 1 encryption Certificates is used for Encrypting s. Class 1 Certificates shall be Digital Certificates under IT Act, and the legal effect, conjecture and evidentiary value of Digital Certificates as provided in the IT Act will be applicable. Class 2 Certificates: Class 2 certificates are issued to individuals and to the servers used in financial transactions. The RA bases it on the verification of the application form and the certificate request. The Applicant/Subscriber submits the Certificate Application (both online and offline), the documents to the Registration Authority under IDRBT CA. The RA verifies the name, address and the postal address in the request as well as the documents supplied along with the certificate request. RA has the right to reject the certificate request if it finds not meeting the criteria. RA then digitally signs the certificate request and sends to CA for the issuance of the certificate.

8 Although CA s Class 2 Certificate identification process is a method of authenticating a certificate applicant s identity, it does not require the applicant s personal appearance before the RA. The validity period of Class 2 Certificates is two years. Class 2 Certificate processes utilize various procedures to obtain probative evidence of the identity of individual applicants. These validation procedures provide strong assurance of an applicant s identity. The Class 2 Certificate is intended to use for Digital Signature, and Encryption of messages. Class 2 Certificates shall be Digital Certificates under IT Act, and the legal effect, conjecture and evidentiary value of Digital Certificates as provided in the IT Act will be applicable. Class 3 Certificates: Class 3 Certificates are issued to Individuals as well as Servers. Class 3 Certificates provide important assurances of the identity of individual subscribers by requiring their personal (physical) appearance before an RA. All the personal details will be physically verified by the RA office and after confirmation of facts it will recommend the issuance of the certificate. He/She has the right to reject the certificate request if he/she finds it not meeting the criteria. The private key corresponding to the public key contained in a Class 3 certificate must be generated and stored in a trustworthy manner according to applicable requirements. If the organization wants to be a Registration Authority under CA, the authorized representative of the organization must personally appear before the CA office with the necessary documents mentioned above. The CA will issue Class 3 Individual Certificate after verification.

9 Class 3 Certificates for Secure Web Server will help web servers to enable secure communications through the use of Secure Sockets Layer (SSL) technology. IDRBT CA Secure Server Certificate boosts the credibility and scope of your website with today's strongest encryption available for secure communications. Along with the application form the authorized person must give the domain name or the Server IP address on which it needs the Certificate. The domain name must be registered and the proof must also be accompanied with the application. Class 3 Certificate processes make use of various procedures to obtain strong confirmation of the identity of individual applicants as well as the server. These validation procedures provide stronger guarantee of an applicant s identity. Utilizing validation procedure by the Registration Authorities boosts the practical uses and trustworthiness of Class 3 Certificates. The Class 3 Certificate is intended to use for Digital Signature, Encryption of messages, Object signing and Secure Web Server. Class 3 Certificates shall be Digital Certificates under IT Act, and the legal effect, conjecture and evidentiary value of Digital Certificates as provided in the IT Act will be applicable.

10 Need For Digital Signature: A valid digital signature gives a recipient reason to I. Believe that the message was created by a known sender - Non- Repudiation II. Sender cannot deny having sent the message - Authentication III. The message was not altered in transit - Integrity Non-Repudiation:- Regarding digital security, the non-repudiation shifts to mean: A service that provides proof of the integrity and origin of data. An authentication that can be asserted to be genuine with high assurance. Sender sign (encrypt) hash with his private key using cipher algorithms. Since private key is accessible to him only, so he can t repudiate that he hasn t send the message. This maintains authenticity and also Nonrepudiation. Authenticity:- Authenticity mean, sender of a data can t deny that he hasn t send the message. For achieving this goal we use PKI. Public-key Infrastructure refers to a cryptographic system requiring two separate keys, 1. One is secret (Private Key) 2. Other is public. (Public Key) PKI is a system for the creation, storage, and distribution of digital certificates, Which are used to verify that a particular public key belongs to a certain entity?

11 Integrity:- Integrity Completeness Totality Authenticity Integrity of a message is maintained by the mean of a Message Digest. A Message Digest is a digitally created (hash) from a plaintext block. All the information of the message is used to construct the Message Digest (hash), But the message cannot be recovered from the hash. For this reason, Message Digests are also known as one way process. In our application we use SHA-2 as the digest algorithm. The security provided by a hashing algorithm is entirely dependent upon its ability to produce a unique value for any specific set of data.

12 PKI (Public Key Infrastructure): Digital signature employ a type of cryptography encryption. For messages sent through a nonsecure channel, a properly implemented digital signature gives the receiver reason to believe the message. Cryptography is the practice and study of techniques for secure communication in the presence of third parties (called adversaries). More generally, it is about constructing and analyzing protocols that overcome the influence of adversaries and which are related to various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation. Cryptography prior to the modern age was effectively synonymous with encryption, the conversion of information from a readable state to apparent nonsense. The originator of an encrypted message shared the decoding technique needed to recover the original information only with intended recipients, thereby precluding unwanted persons to do the same. Modern cryptography is heavily based on mathematical theory and computer science practice; cryptographic algorithms are designed around computational hardness assumptions, making such algorithms hard to break in practice by any adversary. It is theoretically possible to break such a system but it is infeasible to do so by any known practical means. Modern cryptography: Modern cryptography is mainly divided into two type 1. Symmetric-Key Cryptography 2. Public-key Cryptography Symmetric-Key Cryptography: Symmetric-key cryptography refers to encryption methods in which both the sender and receiver share the same key. Symmetric key ciphers are implemented as either block ciphers or stream ciphers.

13 Block Cipher: A block cipher enciphers input in blocks of plaintext as opposed to individual characters, and is a deterministic algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Stream Cipher: While stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (key stream). In a stream cipher each plaintext digit is encrypted one at a time with the corresponding digit of the key stream, to give a digit of the cipher text stream. An alternative name is a state cipher, as the encryption of each digit is dependent on the current state. The pseudorandom key stream is typically generated serially from a random seed value using digital shift registers. The seed value serves as the cryptographic key for decrypting the cipher text stream.

14 The Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) are block cipher designs which have been designated cryptography standards by the US government. DES's designation was finally withdrawn after the AES was adopted. Public Key Cryptography: Symmetric-key cryptosystems use the same key for encryption and decryption of a message, though a message or group of messages may have a different key than others. A significant disadvantage of symmetric ciphers is the key management necessary to use them securely. Each distinct pair of communicating parties must, ideally, share a different key, and perhaps each cipher text exchanged as well. The number of keys required increases as the square of the number of network members, which very quickly requires complex key management schemes to keep them all straight and secret. The difficulty of securely establishing a secret key between two communicating parties, when a secure channel does not already exist between them, also presents a chicken-and-egg problem which is a considerable practical obstacle for cryptography users in the real world. Whitfield Diffie and Martin Hellman proposed the notion of public-key (asymmetric key) cryptography in which two different but mathematically related keys are used a public key and a private key. A public key system is so constructed that calculation of one key (the 'private key') is computationally infeasible from the other (the 'public key'), even though they are necessarily related. Instead, both keys are generated secretly, as an interrelated pair. In public-key cryptosystems, the public key may be freely distributed, while its paired private key must remain secret. In a public-key encryption system, the public key is used for encryption, while the private or secret key is used for decryption. Public-key cryptography can also be used for implementing digital signature schemes. A digital signature is reminiscent of an ordinary signature; they both have the characteristic of being easy for a user to produce, but difficult for anyone else to forge. Digital signatures can also be permanently tied to the content of the message being signed; they cannot then be 'moved' from one document to another, for any attempt will be detectable. In digital signature schemes, there are two algorithms:

15 1 One for signing, in which a secret key is used to process the message (or a hash of the message, or both), 2 Other for verification, in which the matching public key is used with the message to check the validity of the signature. RSA and DSA are two of the most popular digital signature schemes. Digital signatures are central to the operation of public key infrastructures and many network security schemes. Signing contain mainly three steps. 1. Creating Digest of message - Message Digest 2. Encrypt it with sender s Private key - Digital Signature 3. Append signature and certificate of sender - PKCS#7 in message in PKCS#7 format Message Digest: The data to be encoded are often called the "message," of Plain Text and the hash value computed with the help of hash function is sometimes called the message digest or simply digest. A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the hash value, such that any (accidental or intentional) change to the data will change the hash value. There are so many digest algorithms. Now a days, we are using SHA-2 for digesting. Digital Signature: Now encrypt digest using your private key, which will generate the digital signature. For this purpose we can choose algorithms accordingly. Create PKCS#7: Now create packet of digital signature and certificate of signer in PKCS#7 formate. Which will decode and use certificate of signer for decrypt digital signature to get digest. Following diagram shows the signing mechanism..

16 Signing Procedure(Using PKI) 1 Sha-2 algorithm 2 Digital - Signature 3 Signer s Certificat e Digital Signature Message PKCS#7 Append PKCS#7 format. And send to recipient. Verification

17 How to verify? Verification contain following steps: 1. Split message in (i) text and (ii) attachment separately. 2. Attachment will contain sender s certificate and signature. 3. Use sender s certificate to Decrypt digital signature and cult-out hash. 4. Generate new hash with text part. 5. Compare result of step 4 and step 5. PKCS#7 Text Receiver s Certificate Sha-2 algorithm Digital Signature Use certificate to Get public key for Decryption Hashes are equal Therefore text message is not tampered If both hashes are equal then message is not tampered. This way we will ensure Authenticity, Integrity and Non-Repudiation.

18 Coding Coding is written for GUI tool of signing and verification. Main Form package imp; public class SignerTool extends javax.swing.jframe { public SignerTool() { initcomponents(); help.setcenter(this); // <editor-fold defaultstate="collapsed" desc="generated Code">//GEN- BEGIN:initComponents private void initcomponents() { OptionsGroup = new javax.swing.buttongroup(); detailpanel = new javax.swing.jpanel(); iconlabel = new javax.swing.jlabel(); optionpanel = new javax.swing.jpanel(); Options = new javax.swing.jpanel(); signfileradio = new javax.swing.jradiobutton(); verifyfileradio = new javax.swing.jradiobutton(); forward = new javax.swing.jbutton(); jlabel1 = new javax.swing.jlabel(); jseparator1 = new javax.swing.jseparator(); setdefaultcloseoperation(javax.swing.windowconstants.exit_on_close); settitle("signer Tool");

19 detailpanel.setborder(javax.swing.borderfactory.createtitledborder(null, "Signer Tool", javax.swing.border.titledborder.center, javax.swing.border.titledborder.below_top, new java.awt.font("aharoni", 3, 24), java.awt.color.red)); // NOI18N iconlabel.seticon(new javax.swing.imageicon("e:\\programing\\java\\netbeans\\gui\\signertool\\src \\netbean\\icon_ribbon1.gif")); // NOI18N javax.swing.grouplayout detailpanellayout = new javax.swing.grouplayout(detailpanel); detailpanel.setlayout(detailpanellayout); detailpanellayout.sethorizontalgroup( detailpanellayout.createparallelgroup(javax.swing.grouplayout.alignment.l EADING).addComponent(iconLabel, javax.swing.grouplayout.default_size, 226, Short.MAX_VALUE) ); detailpanellayout.setverticalgroup( detailpanellayout.createparallelgroup(javax.swing.grouplayout.alignment.l EADING).addComponent(iconLabel, javax.swing.grouplayout.preferred_size, 337, javax.swing.grouplayout.preferred_size) ); optionpanel.setborder(javax.swing.borderfactory.createtitledborder(null, "What do you want", javax.swing.border.titledborder.center, javax.swing.border.titledborder.default_position, new java.awt.font("aharoni", 0, 18), java.awt.color.black)); // NOI18N

20 Options.setBorder(javax.swing.BorderFactory.createTitledBorder(null, "Options", javax.swing.border.titledborder.default_justification, javax.swing.border.titledborder.default_position, new java.awt.font("aharoni", 2, 18), java.awt.color.red)); // NOI18N OptionsGroup.add(signFileRadio); signfileradio.setfont(new java.awt.font("monotype Corsiva", 1, 18)); signfileradio.setforeground(new java.awt.color(51, 0, 51)); signfileradio.settext("sign File"); OptionsGroup.add(verifyFileRadio); verifyfileradio.setfont(new java.awt.font("monotype Corsiva", 1, 18)); verifyfileradio.setforeground(new java.awt.color(51, 0, 51)); verifyfileradio.settext("verify File"); verifyfileradio.addactionlistener(new java.awt.event.actionlistener() { public void actionperformed(java.awt.event.actionevent evt) { verifyfileradioactionperformed(evt); } }); forward.setfont(new java.awt.font("monotype Corsiva", 1, 18)); forward.settext("forward"); forward.addactionlistener(new java.awt.event.actionlistener() { public void actionperformed(java.awt.event.actionevent evt) { forwardactionperformed(evt); } }); jlabel1.setforeground(new java.awt.color(255, 0, 0)); jlabel1.settext("* Choose an option and click on \"Forward\" button to proceed.."); javax.swing.grouplayout OptionsLayout = new javax.swing.grouplayout(options); Options.setLayout(OptionsLayout);

21 OptionsLayout.setHorizontalGroup( OptionsLayout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEA DING).addGroup(OptionsLayout.createSequentialGroup().addGap(48, 48, 48).addGroup(OptionsLayout.createParallelGroup(javax.swing.GroupLayout.Alig nment.leading).addcomponent(verifyfileradio).addcomponent(signfileradio, javax.swing.grouplayout.preferred_size, 156, javax.swing.grouplayout.preferred_size)).addcontainergap(119, Short.MAX_VALUE)).addGroup(javax.swing.GroupLayout.Alignment.TRAILING, OptionsLayout.createSequentialGroup().addContainerGap(200, Short.MAX_VALUE).addComponent(forward, javax.swing.grouplayout.preferred_size, 113, javax.swing.grouplayout.preferred_size).addcontainergap()).addgroup(javax.swing.grouplayout.alignment.trailing, OptionsLayout.createSequentialGroup().addContainerGap(javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE).addComponent(jLabel1).addContainerGap()).addComponent(jSeparator1, javax.swing.grouplayout.default_size, 323, Short.MAX_VALUE) ); OptionsLayout.setVerticalGroup( OptionsLayout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEA DING).addGroup(OptionsLayout.createSequentialGroup()

22 .addcontainergap(24, Short.MAX_VALUE).addComponent(signFileRadio).addGap(18, 18, 18).addComponent(verifyFileRadio).addGap(6, 6, 6).addComponent(forward).addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELAT ED).addComponent(jSeparator1, javax.swing.grouplayout.preferred_size, 10, javax.swing.grouplayout.preferred_size).addpreferredgap(javax.swing.layoutstyle.componentplacement.related).addcomponent(jlabel1, javax.swing.grouplayout.preferred_size, 14, javax.swing.grouplayout.preferred_size)) ); javax.swing.grouplayout optionpanellayout = new javax.swing.grouplayout(optionpanel); optionpanel.setlayout(optionpanellayout); optionpanellayout.sethorizontalgroup( optionpanellayout.createparallelgroup(javax.swing.grouplayout.alignment. LEADING).addGroup(optionPanelLayout.createSequentialGroup().addContainerGap().addComponent(Options, javax.swing.grouplayout.preferred_size, javax.swing.grouplayout.default_size, javax.swing.grouplayout.preferred_size).addcontainergap(18, Short.MAX_VALUE)) ); optionpanellayout.setverticalgroup(

23 optionpanellayout.createparallelgroup(javax.swing.grouplayout.alignment. LEADING).addGroup(optionPanelLayout.createSequentialGroup().addGap(65, 65, 65).addComponent(Options, javax.swing.grouplayout.preferred_size, javax.swing.grouplayout.default_size, javax.swing.grouplayout.preferred_size).addcontainergap(84, Short.MAX_VALUE)) ); javax.swing.grouplayout layout = new javax.swing.grouplayout(getcontentpane()); getcontentpane().setlayout(layout); layout.sethorizontalgroup( layout.createparallelgroup(javax.swing.grouplayout.alignment.leading).addgroup(layout.createsequentialgroup().addcontainergap(javax.swing.grouplayout.default_size, Short.MAX_VALUE).addComponent(detailPanel, javax.swing.grouplayout.preferred_size, javax.swing.grouplayout.default_size, javax.swing.grouplayout.preferred_size).addgap(10, 10, 10).addComponent(optionPanel, javax.swing.grouplayout.preferred_size, javax.swing.grouplayout.default_size, javax.swing.grouplayout.preferred_size).addcontainergap()) ); layout.setverticalgroup( layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)

24 .addgroup(layout.createsequentialgroup().addcontainergap().addgroup(layout.createparallelgroup(javax.swing.grouplayout.alignment.l EADING).addComponent(optionPanel, javax.swing.grouplayout.default_size, javax.swing.grouplayout.default_size, Short.MAX_VALUE).addComponent(detailPanel, javax.swing.grouplayout.preferred_size, 381, javax.swing.grouplayout.preferred_size))) ); pack(); }// </editor-fold>//gen-end:initcomponents private void forwardactionperformed(java.awt.event.actionevent evt) {//GEN-FIRST:event_forwardActionPerformed if(signfileradio.isselected()) new Signing().setVisible(true); else if(verifyfileradio.isselected()) new Verifing().setVisible(true); } private void verifyfileradioactionperformed(java.awt.event.actionevent evt) { } public static void main(string args[]) { java.awt.eventqueue.invokelater(new Runnable() { public void run() { new SignerTool().setVisible(true); }

25 }); } private javax.swing.jpanel Options; private javax.swing.buttongroup OptionsGroup; private javax.swing.jpanel detailpanel; private javax.swing.jbutton forward; private javax.swing.jlabel iconlabel; private javax.swing.jlabel jlabel1; private javax.swing.jseparator jseparator1; private javax.swing.jpanel optionpanel; private javax.swing.jradiobutton signfileradio; private javax.swing.jradiobutton verifyfileradio; }

26

27 REFERENCES Book: 1. Cryptography Theory And Practice, Douglas R. Stinson 2. Understanding Cryptography: A Textbook For Students And Practitioners, Paar URLs: