VB Application Security - Digital Signatures/CheckSums - vb.net

I'm creating an application for a select group of people to use. But since it'll be freeware I can't afford to buy a digital signature to authenticate the source as me. Do I have any other option? Are there any tools in Windows I could take advantage of? Any free (third party) tools that I could use to increase the chances my app won't be flagged as potentially malicious? I understand that obviously these things aren't the easiest to come by, but I'd like something to at least say the application's not been tampered with.
Can you please advise me on any tools or methods I could use.

No, in the end these things are about trust, and unless you can get a key trusted at the location where they want to verify the binary, you cannot confer trust of the library.
Key trust is normally established using a certificate that was created for you. Buying a signature would only make sense if there is a separate party signing the code as a service.
Of course there are other ways to trust an application; e.g. you can distribute the source and allow builds of the application at a location that the user can trust. But that won't be as convenient as receiving a signed binary, if the system has been set up to mark those as trusted.
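To make the trust point concrete, here is an added example (not code from the original question or answer) that signs a sample file with a self-signed code-signing certificate and checks what a recipient sees before and after trusting that key; it also shows what a published SHA-256 does and does not prove. It assumes Windows PowerShell 5.1 or later with the PKI module, an elevated session for the LocalMachine\Root step, and constructs its own test certificate and file.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1
# or later with the PKI module, run from an elevated session so the
# LocalMachine\Root step works. The certificate and file are constructed here.

# 1. A self-signed code-signing certificate: free, but trusted by nobody yet.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Freeware Author (test)' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Sign a sample artifact; a script stands in for the application binary.
$artifact = Join-Path $env:TEMP 'sample-app.ps1'
Set-Content -Path $artifact -Value 'Write-Output "hello from sample app"'
Set-AuthenticodeSignature -FilePath $artifact -Certificate $cert | Out-Null

# 3. Verify before trusting the key: the chain ends in a root this machine
#    does not trust, so the signature is present but not accepted.
$beforeTrust = (Get-AuthenticodeSignature -FilePath $artifact).Status

# 4. What each recipient must do once, out of band: trust the author's root.
$cerPath = Join-Path $env:TEMP 'freeware-author.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
$afterTrust = (Get-AuthenticodeSignature -FilePath $artifact).Status

# 5. A published SHA-256 detects modification but never says who built the file;
#    here the signed content is altered and both checks are repeated.
$published = (Get-FileHash -Path $artifact -Algorithm SHA256).Hash
$lines = Get-Content -Path $artifact
Set-Content -Path $artifact -Value (@('# line inserted after signing') + $lines)
$current = (Get-FileHash -Path $artifact -Algorithm SHA256).Hash
$hashMatches = ($current -eq $published)
$afterTamper = (Get-AuthenticodeSignature -FilePath $artifact).Status

[pscustomobject]@{
    BeforeTrust = $beforeTrust
    AfterTrust  = $afterTrust
    HashMatches = $hashMatches
    AfterTamper = $afterTamper
}

# 6. Clean up so the lab root and test cert do not linger on this machine.
Get-ChildItem 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My' |
    Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item
Remove-Item -Path $artifact, $cerPath
```

The three statuses are the ones a user would see: not accepted while the root is unknown, accepted only after the root is trusted on that machine, and rejected as a hash mismatch once the content changes. Only the last of these is something a bare checksum can tell you.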

Related

How to validate SSL ciphers list?

I found many useful online tools that provide SSL/TLS analysis. Is there any offline or online tool that would check if specific ciphers are safe?
Sometimes servers are not visible on the internet, or the admin does not wish to inform the rest of the world that his server is not safe enough.
I know that I can run nmap against my own server, however a quick static analysis would be fine.
For example, Qualys sells this product that you need for internal scanning. If you're not going to buy anything, you can script around openssl (it wouldn't take long).

iText: what type of certificates do people use to automate PDF signing on Linux?

I have a low volume (<500 PDFs/year) application for automated digital-signing of PDF files using iText in Java on Linux.
I've got iText adding a digital signature to PDFs using my SSL certificate. Is this a valid method to prove the PDF was generated by my domain (e.g. server)? Can it be used somehow to get the green checkmarks showing "trust" in Adobe Reader?
If not, I should use a certificate intended for PDFs (e.g. not my SSL certificate), so that the little green checkmarks indicating "trust" appear naturally when the user opens the PDF document.
The book http://itextpdf.com/book/digitalsignatures does a great job introducing this topic to me (I have very little experience in this area).
The book talks about a SafeNet Luna device (an HSM), but it is much too expensive. I only require a minimal solution, and the Luna has a lot of bells and whistles. The Luna PCIe device is less expensive, but I don't require any features other than providing a certificate I can use to sign. Also, the USB-based SafeNet iKey device seems only to be marketed to Windows devices. Has anyone got iKey working with Linux? Is it even possible? Do other companies offer USB based devices that work on Linux?
I'm looking for a minimal solution for serving automated digitally signed PDFs on a Linux box. I'm sure a lot of small businesses have similar needs. I'm just trying to tap into existing knowledge out there. How do people solve this problem?
The solutions I see for automating this process assume large corporations using Adobe Live Cycle, and priced accordingly (see for example: https://www.globalsign.com/pdf-signing/compare-pdf-signing.html). But small businesses need to automate things too.
Ideally someone would sell a certificate similar to the SSL certificates, but for PDF files. Is there such a thing?
Is hardware (of some sort) a requirement (seems so)? If hardware is a requirement, are there any minimal solutions out there (e.g. with limited functionality other than enabling digital signing)?
Hoping someone can help me see the forest from the trees. What's the conventional wisdom?
Regarding signing with your SSL certificate: in a future iText version, we may require that the key-usage of the certificate indicates that the certificate can be used for non-repudiation. For now, we make checking the key-usage the responsibility of the developer, but in a perfect world, you should only sign with certificates suited for non-repudiation, and your SSL certificate probably doesn't allow this.
Regarding the green check mark: unless you can ask the consumers of your PDFs to add the root certificate of your certificate to the list of trusted identities, you'll always need a public/private key stored on hardware to get a green check mark.
Regarding the price of an HSM / USB key. USB keys are much cheaper, but usually they are meant for manual use (usually they have a limit of signing only once every second). I think that GlobalSign has a flavor of keys that work on Linux. As for HSMs, one of our customers told us that he bought one from Utimaco because it was less expensive (but I don't know what budget he had or spent).
No price info, but maybe a good read for inspiration: http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf

SmartCard logon on Windows Server 2008 R2 Enterprise

I created a test domain, a CA and I issued a certificate with that CA. I also have a fully functional CSP. For logging on, Windows offers smart card as a logon option. However, when I insert the card, after a few seconds of interaction with the card I receive the message "no valid certificates found". I did my homework by reading tons of MS documentation and generally whatever Google offered. Since I have no more options I'm trying here.
Added after posting: The certificate was created from the Smartcard Logon template.
Here are a few things I would check:
- the authentication cert asserts the Windows smartcard logon OID in the EKU.
- the authentication cert has a UPN in the subject alternative name (not strictly necessary for Windows 7/Server 2008).
- the authentication cert key usage is digital signature.
- the domain controller has the certificate chain installed correctly.
How was the card issued?
* Follow-up *
How did the certificates make it on to the card? AFAIK, there is no card management built into Windows, so an external card management system is needed to load the certs on the card in whatever card applet you are using. Can you provide more specifics on the card you are trying to use?
* Follow-up *
You might find this link interesting; it's for PIV cards but the same ideas probably apply to your situation - the article describes a test lab setup for smart cards. In particular, check out which certs go in which trust stores.
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=9427
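The checklist above (EKU, UPN in the SAN, key usage, chain) can be run against the card's certificate directly. The following is an added example, not code from the original answers: a function that reports each of those properties for a certificate, and, because it reads the same key-usage extension, also covers the non-repudiation bit the iText answer earlier on this page says document-signing certificates should carry. It assumes Windows PowerShell 5.1 or later, that the card's certificate has been propagated into Cert:\CurrentUser\My (or is loaded from a .cer file), and that Windows formats a UPN otherName in the SAN as "Principal Name=...".

```powershell
# Added example, not from the original answers. Assumes Windows PowerShell 5.1+
# and a certificate reachable through the Cert: drive or an X509Certificate2 object.
using namespace System.Security.Cryptography.X509Certificates

function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)

    $smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
    $clientAuthOid     = '1.3.6.1.5.5.7.3.2'         # id-kp-clientAuth

    # Extended Key Usage: collect the OIDs the certificate actually asserts.
    $ekuExt  = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object Value) }

    # Key Usage flags: DigitalSignature for logon, NonRepudiation for document signing.
    $kuExt = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $ku    = if ($kuExt) { $kuExt.KeyUsages } else { [X509KeyUsageFlags]::None }

    # Subject Alternative Name (OID 2.5.29.17). Assumption: Windows renders a UPN
    # otherName in the formatted text as "Principal Name=user@domain".
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }

    [pscustomobject]@{
        Subject              = $Cert.Subject
        HasSmartCardLogonEku = $ekuOids -contains $smartCardLogonOid
        HasClientAuthEku     = $ekuOids -contains $clientAuthOid
        HasDigitalSignature  = ($ku -band [X509KeyUsageFlags]::DigitalSignature) -ne 0
        HasNonRepudiation    = ($ku -band [X509KeyUsageFlags]::NonRepudiation) -ne 0
        HasUpnInSan          = $sanText -match 'Principal Name='
        ChainTrustedHere     = $Cert.Verify()   # full chain builds on this machine
    }
}

# Report on every certificate the card has propagated into the user's store.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-SmartCardLogonCert -Cert $_ }
```

A False in HasSmartCardLogonEku, HasDigitalSignature or HasUpnInSan points at the template; a False in ChainTrustedHere means the issuing chain is missing on the machine you ran it from, which is the same condition the domain controller has to satisfy.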
You may find commercial software automating the binding process but no free ones. This way you won't have to check tons of support KB.
You can get a look at this demo (http://www.youtube.com/watch?v=OkMGXr-bls0) to see one of these tools in action.

Free development certificates for Symbian?

I would like to do Symbian programming with features that require an application to be signed with more than the standard self-signed cert. I don't want to pay money for a cert since I don't know if I will get to a point of selling an application. Is there a way to grant capabilities such as read and write device data to my application for use on just my phone?
If you don't have a Publisher ID the only option for you for now is Open Signed Online.
Open Signed Online allows you to sign an application for installation onto a single device. Unfortunately you will get the signed application, not a certificate itself.
Aside from Open Signed Online, which is pretty hopeless when you want to debug on the device, the only options at the moment are to find someone with a publisher ID to create a developer certificate for your device via Open Signed Offline, or wait for Symbian to come up with another way to get you a developer certificate. They are already planning to make publisher IDs cheaper and easier for individuals to get (currently you need to be a registered company) and wider availability for developer certificates is also on the cards.

Know of SSO turnkey Appliance with ldap, radius, openid, etc?

I'm helping a typical small company that started with a couple of outsourced systems (Google Apps, svn/trac), added an internal Jabber server (ejabberd for mostly iChat clients), subscribes to a couple of web services (e.g. highrisehq), and has a VPN service provided by a pfSense FreeBSD firewall.
And the net result of all this is that they're drowning in passwords and accounts.
It seems that if they had a single unified login / single signon service they could go a long way to combining these. E.g.: ldap as the master repository, radius linked to it for vpn, ejabber and even WPA2 wireless access, plugins for google app sign on, and perhaps an openid server for external websites like highrisehq.
It seems that all these tools exist separately, but does anyone know of a single box that combines them with a nice GUI and auto-updates? (e.g. like pfsense/m0n0wall for firewalls, freeNAS for storage). It doesn't have to be FOSS. A paid box would be fine too.
I figure this must exist. Microsoft's Active Directory is likely one solution but they'd rather avoid Windows if possible. There seem to be various "AAA" servers that ISPs use or for enterprise firewall/router management, but that doesn't seem quite right.
Any obvious solutions I'm missing? Thanks!
It's been over a year since you originally asked the question, so I'm guessing you've solved your problem by now. But if someone else is interested in a possible solution I suggest the following:
First of all, I don't know of any "all in one" solution to your problem. However it's quite easy to combine three products that will solve all of your needs and provide a single source for User management and password storage.
The first thing to do is install an LDAP Directory to manage Users and Groups (and possibly other objects outside the scope of your question). This can be OpenLDAP, Apache DS, Microsoft Active Directory, etc. Basically any LDAP Server will do.
Second I recommend installing FreeRADIUS with the LDAP Directory configured as its backend Service.
Third get a license of Atlassian Crowd. It provides OpenID and Google Apps authentication. Prices for up to 50 Users start at $10 and go all the way up to $8000 for an unlimited user license.
Installation and Configuration of the three is relatively easy. You'll probably put most work into creating your Users and Groups. You can install all three components on a single Server and end up with a box that allows you to authenticate pretty much everything from Desktop Login, over Google Apps and other Web Apps, down to VPN and even Switch, WiFi and Router Login.
Just make sure you configure your Roles and Groups wisely! Otherwise you might end up with some Sales Person being able to do administration on your Firewalls and Routers :-)
I would encourage anyone searching for this type of solution to check out the Gluu Server (http://gluu.org).
Each Gluu Server includes a SAML IDP for SAML SSO, an OpenID Connect Provider (OP) for OpenID Connect SSO, an UMA Policy Decision Point (PDP) for web access management, and a RADIUS and LDAP server.
All the components of the Gluu Server are open source (i.e. Shibboleth, OX, FreeRADIUS, OpenDJ, etc.), including the oxTrust web user interface for managing each component of the server.
For commercial implementations, Gluu will build, support, and monitor this stack of software on a client's VM.
You may not want to standardise passwords across so many apps (especially external ones), though for internal ones using an auth service like LDAP makes sense.
You could solve the issue of remembering passwords with an eSSO like Novell SecureLogin
Also you might be interested in Novell Access Manager and Novell Identity Manager
I too could use such a device, however the only one I could find was a (possibly outdated) data sheet from Infoblox. They seem to have since concentrated on automated network management and I can't find the LDAP appliance on their current website. I guess building a Linux box with the FOSS stuff mentioned above is what everyone does, but it would be great not to have power supplies, disks, fans etc. I suppose you could use something like an Eee PC and put the config on a flash card.
This is something I was looking for as well, and http://www.turnkeylinux.org/openldap looks like the solution: "appliance" installation, and it includes encrypted online backup which is easily restored to a new or replacement machine.