Sorry I couldn't find the best heading for this question. Following is my requirement.
I a working on a project which deals which large amount of money transactions to different account. The system automatically transfers money to accounts of A,B, C etc etc,, But before this is done Some one from A,B or C should approve(electronically) the amount to be transferred.
What do you think is the best way of doing it? I want the system to send a file (PDF of something) which is digitally signed (?) and the authorised person from A,B and C should check and confirm that the amount is correct.
Since the amount is high I must make sure the file sent out by the system is not tampered and at the same time I also want to make sure the file (reply) sent by A,B or C is also not tampered . What is the best way to achieve it? Any ideas?
Digital Signatures is what you are looking for. Adobe PDF (since you mentioned pdf) allows you to sign the pdf in the free Adobe Reader version and verification is also done automatically, as soon as you open the pdf document.
The difference between DigSig and (H)MACs as posted by Noldorin is, that MACs use symmetric encryption, where you require a secure channel to exchange the key, whereas in a PKI environment that secure channel is not required.
It depends how you want to distribute your keys.
You'll want to look into MACs (Message Authentication Codes). There are a number of libraries out there for various languages that implement common algorithms such as HMAC.
EDIT: See also DSA (http://en.wikipedia.org/wiki/Digital_Signature_Algorithm), which is a popular algorithm for digital signatures, and is fully implemented in the standard .NET framework (System.Cryptography namespace).
My first reaction would be Digital Signatures - but they have a fatal flaw: they are digital data that could be compromised by a careless user.
If that is a concern you can go for the process that South African banks use, a one-time password. This password is transferred to them via a means that is not involved in the transaction (in South Africa this is by SMS, which I strongly recommend). We first type in a username and password, and then get the OTP via SMS which we then need to type in for any transactions that lead to money leaving our accounts.
Strong forms of security (in increasing effectiveness) include (I am no expert, but I do know a few):
Knowledge (A password)
Possession (A cell-phone SIM card that can receive SMSes, or a USB thumbdrive with a certificate)
Location (A computer with a hardware-based certificate management system, CellID)
Time (OTP expires, transaction must occur at specific time)
Identity (A fingerprint reader - effectively a password - but insanely long)
Uniqueness (A fibre-optic cable encoded in the polarization of the photons)
From what I know if you have any three of those you can be comfortable with your security. Adding more increases security exponentially, but also increases the inconvenience factor. The banks use Knowledge, Possession and Time in South Africa - and phishing really doesn't work against South African banks.
Hope this helped you out a little.
To digitally sign a file, you can use any of Microsoft's partners. Arx for example provide you with a tool called CoSign which you can use for free (or at least their trial version). This will allow you to add electronic signatures to most available formats (word, pdf, xml etc').
Related
My problem is this: I must digitally sign, with a token bound in an external card (PIN required), a large number of pdf files every day.
I wrote a macro to convert word files into pdf at once; now I wonder if I can insert in the same routine some other lines to accomplish the further task of digitally signing each pdf file created.
Since you are talking of word documents, I assume, you are using it on Windows. Some of the smartcard or USB Token drivers, on Windows OS (as far as I know), has feature to save or remember user PIN. Enabling that feature would prevent asking for PIN for every cryptographic operation.
If driver does not have such feature, then you may have to study and use CSP (Crypto Service Provider on Windows) of the device if available or use direct PKCS#11 API to achieve the operation by providing PIN programmatically, but these things requires sufficient expertise and understanding of PKI.
For bulk signing of pdf there are lot of free and paid softwares available which provides you lot of automated features. You may consider going for once instead of re-inventing the wheel. My Co. CISPL also provides Signer.Digital range of solutions for achieving the task.
As i understand SAM modules are kind of SMART Cards which connect to the MCU via ISO 7816 protocol.
Is there any other application for them except storing secure
keys?
Can I used usual mobile sim-cards instead of SAM module to storing
keys?
As i know when we store keys in the SAM module ,it is almost
impossible to retrieve the keys, & SAM used a sequence of random
challenge & polyphase authentication to verify the card.Then how SAM
send this verification to MCU?is there direct access between SAM &
Reader ? or they connected via MCU?which command used to store keys
in the SAM?
Is there any special standard protocol for this secure
transmission? (storing key in SAM/ Authentication between
CARD-SAM-MCU/ verifying process & ...)
Why chip manufacturer does not equipped their MCU to this secure
Element internally?
Is there any other application for them except storing secure keys?
Smart Cards contain a general purpose CPU, so anything you can think of. But performing operations on the stored keys are indeed their main purpose.
Can I used usual mobile sim-cards instead of SAM module to storing keys?
A generic (Java) card would make more sense.
As i know when we store keys in the SAM module it is almost impossible to retrieve the keys, & SAM used a sequence of random challenge & polyphase authentication to verify the card. Then how SAM send this verification to MCU? Is there direct access between SAM & Reader? Or they connected via MCU? Which command used to store keys in the SAM?
This really depends on the implementation.
Is there any special standard protocol for this secure transmission? (storing key in SAM/ Authentication between CARD-SAM-MCU/ verifying process & ...)
Not as far as I know. There are probably many "standards" that do apply, but to my knowledge there isn't a one that describes the use of SAM cards in general.
Why chip manufacturer does not equipped their MCU to this secure Element internally?
Sometimes they do.
Securing a chip is however very tricky. Basically you are storing a key in a device that you know an attacker is going to get its hands on. So you have to use address-bus scrambling, shields etc. etc. etc.
Using a standard smart card that has previously received certification and withstood penetration testing is much more cost effective.
This question (or variations of this question) has been asked before, but as Apple's export compliance rules change relatively frequently, and no one seems to ever get a straight answer, I thought I would ask.
I write an iPhone application that uses version 0.2 of the Dropbox API.
I have emailed Apple concerning use of this specific API, and I will be sure to update this question as I learn more and hear back from Apple. In the meantime, if any developer is using the Dropbox API in their iPhone application, did you mark your application as using encryption?
Edit: Upon closer inspection, it looks like the file data is also transferred using SSL. Since their API is using the NSMutableURLRequest class over HTTPS though, I still can't determine whether or not this API "uses encryption." If in the App Store submission page I mark that it does include encryption, Apple then asks if I'm using greater than a 64-bit symmetric encryption key.
If your app uses SSL (HTTPS), then yes it does include encryption. The export compliance rules changed last year though, so you will need an Encryption Registration Number instead of a CCATS number. See this blog post for details.
As it happens I'm working on this right now on a related project.
The Apple position is clarified in the FAQ in iTunesConnect; (my bold)
If your App contains, uses or
accesses standard cryptography for purposes other than those listed in
questions 2-4, you need to submit for
an ERN authorization. Examples of
standard encryption are: AES, SSL,
https.
This authorization requires that you
submit an annual report to two U.S.
Government agencies with information
about your App every January.
It's a pain in the neck, but that is the law if you want to be fully compliant. I'd love to hear that I'm wrong though!
PS. You could always ask for a direct opinion from the Government department concerned here;
http://www.bis.doc.gov/forms/rpdform.html
You can also call the Bureau of Industry and Security help desk at 202-482-0707 or read the web site at http://www.bis.doc.gov/encryption for more information.
Discussing your question with a live person is probably going to be better than filling out the online form and waiting for a response.
I have read all the blog posts on digital signing and checked out GoDaddy, Thawte and a couple of others. All of these say that you need to be a registered company and have official documentation and proof on incorporation etc.
I don't have any of that - I am a Sole Trader based in Australia who runs a social network (PokerDIY.com) for poker players, and now I am releasing a free app (PokerDIY Tourney Manager) and I need to let users type whilst in fullscreen mode (it's almost ironic that I am doing all this just for this). So I am looking into digitally signing my .xap so that I can run in elevated trust whilst OOB. In legal eyes I am just a hobbyist developer.
So I have a couple of questions that I would like answered before spending $100 on a certificate that I might not be able to use:
1) Can I buy a SL code-signing certificate as an individual? (Jeff Wilcox's blog (which is the most useful I have read on this matter for developers in my situation) seems to imply that you can and the Ksoftware site (https://secure.ksoftware.net/code_signing.html) seems to imply the same. However this leads to Q2:
2) Can this be used commercially - ie. if I decide to charge for my app (it's available globally for free but I will probably have a ad-free version at some point) - can I use this individual certificate that I purchased?
3) And can I register it to PokerDIY (my domain name) which is NOT a registered company. I would rather not register it to my full real name - this would look odd to a user if it said - PokerDIY Tourney Manager- Publisher: My Name. This is probably the most important as I doing this all for the perception of being a reputable entity.
There's really not much info out there on this and I dont want to make a mistake when it comes to $100 for a year's cert! (I wont go into how annoying it is to have to pay to release a free app just so people can type in fullscreen mode ;)
Thanks!
Yes, you can sign as an individual and use it for any purpose, including commercial purposes, with companies such as the KSoftware - but the larger providers like Thawte will not allow just an individual to do so. I do not know the specifics for Australia however so there could be regional differences, different companies, or other restrictions specific to your situation.
Your publisher name (your actual name) will appear in the elevation dialog for the Silverlight application. So it may look less professional to some, but it will still serve a purpose of providing a code signing certificate and some level of assurance for your customers.
But understand that your name and the address you provide for verification will be present in that certificate for anyone to see (answers your 3rd question).
Authenticode signing certificates don't actually match to a site such as your domain - they only verify the code signer - so you can use it with any site.
A good option for you might be to self-sign your app. This doesn't require a third party, and so no yearly fee.
You can also distribute a trusted XAP without signing it at all, but you won't be able to update it via the Silverlight updating mechanism.
I have a client who is interested in adding in electronic signature support to a long (40 question) seller application form. I'm a little stumped on whether there is an existing standard or process that's out there that folks in the financial world would expect to see?
I could certainly add in a system where we generate a bunch of text based on their responses, have the applicant sign it with their private key and upload a public key- but that seems like a lot to ask of people. Do non-nerds even have PGP installed these days?
Is there a standard approach to this out there? Anyone work in the financial world that's done this and had it work well?
We use Alphatrust's e-Sign Software.
What purpose is the signature trying to fill? Are you trying to verify that the form actually came from a specific seller? (If so, you would have to know their public key ahead of time.) Are you trying to hold the seller accountable for their answers at a later date? (In that case, you might need some kind of third-party involved.)
Sometimes people ask for electronic signatures just because they sound neat.
If these forms are meant to be shared throught to a general public you'll need to know (and can validate, that's the hardest part) all the producers of these amount of certificates people could use to sign these forms, and it's almost impossible.
With closed environments (like functionaries, doctors...) where all the users are suposed to hold a certificate (with a pre-known CA you trust) and you should be sure the form is sended by someone trusted (non repudation, integrity...) it's a better scenario to sign a form, otherwise I do not recomend you to use signed forms to achieve your goal.