Through several articles, I would like to present the cryptographic mechanisms: types of keys, certificates, types of algorithms, etc.:
- PRESENTATION: Concepts of Cryptography (concepts, types of keys symmetric/asymmetric, …)
- The principles of SSL
- The principles of Signature and Certificate
- The principles of Hardware Security Module HSM
- Encoding with base64, base64url, rfc-4648
- Encryption with Blowfish (Anonymization)
- Encryption with AES/CBC, AES/EBC (Encryption of files)
- Encryption with PBEWithMD5AndDES (Encryption of files)
- Encryption with RSA (asymmetric keys private and public)
- KeyStore, JCEKS, SecretKey, PrivateKey, PublicKey, Certificate
- Example, Use of SecretKey, PrivateKey, PublicKey, CSV file (CryptoTools, GenericObfuscationFile)
The principles of Signature and Certificate
An electronic signature is not the signature on a scanned document, nor a digital image of a signature "pasted" onto a document. The electronic signature is the method of identifying the author and/or the signatory of an electronic document while guaranteeing the integrity of that document. An electronic signature is therefore a sequence of digits/bytes: contrary to a handwritten signature, it is not visual.
Below is the definition of a digital signature from https://en.wikipedia.org/wiki/Digital_signature:
A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity).
Digital signatures are a standard element of most cryptographic protocol suites, and are commonly used for software distribution, financial transactions, contract management software, and in other cases where it is important to detect forgery or tampering.
The cryptographic system
A secure electronic signature relies on cryptography based on asymmetric keys, that is, two keys are used:
- A public key, sent automatically with the signature certificate, for example when sending a signed e-mail.
<X509PublicKey> 7cc5ef6e403436f83cb0c63d91c5d0d010101050003818d0030890e592b4e38d2 231f146f157d9f7cc33d180fd8cd5a1d90fc4aeeb0b2531dc62133b28edda650e1 7c263173d626b8d943364c84935bb3a7a1e6f565e7ec59f9bcf969aaa54e7e4e70 </X509PublicKey>
- A private (secret) key, known only to its owner, which ensures that any document signed with this key has necessarily been produced by its owner. In addition, a document encrypted with the public key can only be opened by the owner of the private key.
The system relies on confidentiality and authentication via the public and private keys, and especially on the trust placed in the public key: it is difficult to verify that a public key really belongs to the person who claims it.
Thus, to validate the link between an electronic signature and its recipient, and to secure online exchanges between two remote entities (physical persons, web servers, routers), electronic certificates have been put in place.
The electronic certificate
The electronic certificate secures online exchanges by validating the link between an electronic signature and its recipient, using the public and private key pair.
The certificate guarantees:
- The identity of the signatory (identity card);
- The integrity of the documents exchanged (i.e. protection against any alteration);
- The assurance of non-repudiation (i.e. the impossibility of disowning one's signature).
It contains the following information:
- Identification of the certificate holder: name, location, e-mail address
- Attributes of the certificate
- At least one public key
- The electronic signature of the certificate, produced with the private key of the issuing authority.
The electronic certificate is delivered by accredited providers, also known as trusted third parties. Depending on the objectives, and in particular on the required level of security, certificates of different classes are available:
- Class I: Does not guarantee the identity of the certificate holder, only the existence of their e-mail address. There is no check of the holder's identity.
- Class II: Guarantees the information about the holder and their company (checked by the certifying authority on supporting documents submitted by post). Documents are checked, and proof of identity is required.
- Class III: Same as Class II, with additional control over the holder's identity. Maximum security: the applicant presents their documents in person.
- Class III+: Same as Class III, but the certificate is stored on a physical medium (for example a smart card; software certificates are excluded).
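As an added example (not code from this article or from its CryptoTools series), the two mechanisms described above, written with Go's standard library: a document is signed with the holder's private key and checked through the public key carried in the holder's certificate, while the certificate itself carries the issuing authority's signature and is verified against that authority. The function names (Sign, Verify, NewCert, TrustedBy) and the 24-hour validity are this example's own choices.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Sign returns the signature bytes: RSA PKCS#1 v1.5 over the SHA-256 digest of doc.
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Verify checks sig over doc with the public key in the holder's certificate (fails on any altered byte or another key).
func Verify(holder *x509.Certificate, doc, sig []byte) bool {
	return holder.CheckSignature(x509.SHA256WithRSA, doc, sig) == nil
}
// NewCert binds name to pub, signed by signerKey; parent is the issuing authority's cert, or nil to self-sign a root.
func NewCert(name string, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	usage := x509.KeyUsageDigitalSignature // a holder's key signs documents
	if isCA {
		usage = x509.KeyUsageCertSign // an authority's key signs certificates
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage,
	}
	if parent == nil {
		parent = tmpl // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// TrustedBy checks the authority's signature on cert: true only if cert chains to ca.
func TrustedBy(cert, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

A certificate issued by an unrelated authority, a document altered by one byte, or a signature checked against the wrong certificate all fail these checks, which is exactly the integrity and authentication the text describes.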