Electronic digital signature for dummies: what it is and how not to choke. Part 4
Posted 16 March 2011, 11:11
Previous parts: Part 1, Part 2, Part 3

In the previous parts we worked out what exactly we are going to be served. Now, at last, we move on to choosing the dishes that suit our taste. Here we will look at the goals of using a digital signature, which camp to join and what the features of each option are, and we will also touch on the legal side of using digital signatures. Along the way we will consider the issues that come up and deepen our knowledge of the mechanisms we already have at our disposal.

Suppose you have an irresistible urge, or perhaps an urgent need, to use a digital signature. The first and most important question you must ask yourself is: why? If you cannot answer it more or less unambiguously, think twice before going any further down the road of using this technology. Introducing, and more importantly using, a digital signature in any of its incarnations is a fairly laborious process, so if there is no clear understanding of the goal, it is better not to start at all.

Let us assume you have realised that you really do need a digital signature. And you need it, of course, to protect your information. Now let us consider, in order of increasing complexity, the situations in which a digital signature and encryption can be applied.

Let us start with a relatively simple case: you are a private individual and want to protect the information you send by electronic means from substitution, and perhaps from being read by strangers. You are sending the information to another ordinary person with whom you can always agree on how your information will be protected. What do you need to do?

We begin with S/MIME. We do this, first, because this format, as I said, is far more common, and most importantly it is supported at the level of Windows itself (and Windows, whatever one thinks of it, is the most common operating system), as well as by many programs that run under Windows. Second, from a legal point of view (in our country, naturally) this format allows us to do much more.

What is the easiest and most common way to send information to another person? E-mail, of course. Take a letter, attach files to it, and send. And here a digital signature in S/MIME format is especially lucky: all popular e-mail clients know how to receive digitally signed messages and how to send them. In this case the whole message is signed, including the files attached to the letter.


The Trust Center page in Outlook 2007

Everything would be fine, except that to send a signed letter you must have a program that performs the cryptographic work (a cryptographic service provider, CSP), and a certificate of a specific purpose together with its associated private key. A certificate's purpose is the area in which it may be used. The purposes assigned to certificates will be discussed in more detail later; for our current task we need a certificate for secure e-mail (an e-mail protection certificate).

But back to our needs. Where can we get this program, the CSP? Fortunately, Windows not only supports the format itself but also contains a set of CSPs that ship with any version of the system completely free of charge. So the most obvious solution in this situation is simply to use them.

So, the CSP is sorted out, but what do we do about the certificate? In the previous article I said that a third party takes part in the process of issuing certificates: a certification authority, which issues the certificates and vouches for their contents and validity. Let us dwell on this point in some detail, since this knowledge will be needed later.

What confirms that a given user certificate is correct and that its contents have not been altered is the very same digital signature, only this time made by the certification authority.
The certification authority, like its users, has a certificate of its own, and it is with the help of that certificate (its private key) that it signs the certificates it issues. This procedure, first, protects the certificates issued by the certification authority from alteration (as I said above) and, second, shows unambiguously which certification authority issued the certificate. As a consequence, a bad actor can of course make a complete copy of your certificate with your first name, surname and any additional information, but forging the certification authority's digital signature without its private key is a practically impossible task, so recognising the forgery is not just easy but very easy.

The certification authority's own certificate, properly speaking, must also be protected, which means it too must be signed. By whom? By a higher-level certification authority. And that one, in turn, by one higher still. The chain can be very long. Where does it end?
It ends with the self-signed certificate of a certification authority. Such a certificate is signed with the very private key that belongs to it. By analogy, it is like a certificate of employment and salary for a company's general director: "This certificate is issued to I. I. Ivanov, General Director of OOO Dandelion, to confirm that I. I. Ivanov holds the position of General Director in the organisation and receives a salary of ####### roubles." To trust this document you have to trust OOO Dandelion itself, and that trust is not backed by any third party.
The same goes for root certificates (that is, the certificates of certification authorities). The self-signed certificates of the certification authorities you trust must be placed in a special store in the system called "Trusted Root Certification Authorities". But before they get there they have to be obtained somehow, and that is the weakest link in the system. A self-signed certificate itself cannot be forged any more than a user one can, but it can perfectly well be replaced in transit. Hence the channel over which it is transferred must be protected against substitution.
To avoid such difficulties where possible, Microsoft has chosen a number of certification authorities and included their certificates directly in the Windows installation (Thawte, VeriSign and others). They are already on your computer and do not need to be obtained from anywhere. This means they can only be replaced if a trojan lives on your computer (or a bad actor has administrator access to it), and in that case talking about using digital signatures is rather pointless anyway. In addition, these certification authorities are widely known and widely used, and a simple substitution of their certificates would cause many errors, say, on websites whose certificates were issued by them, which in turn would quickly make people suspect that something was wrong.

By the way, about self-signed certificates: such a certificate can be created for your own use, not only for a certification authority. Naturally, it inherits all the disadvantages of this kind of certificate, but for checking whether a digital signature in your correspondence is worth using, or for learning how to do it, it is ideal. To create such certificates you can use the program included with Microsoft Office (Digital Certificate for VBA Projects) or, to fine-tune the purpose and other fields of the certificate, third-party programs such as KriptoArm, which allows creating such certificates even in its free version.


Viewing a self-signed certificate with the standard Windows tools

So, we choose a certification authority that suits us and obtain a certificate from it (filling in a form on its website, providing the required documents and paying, if need be), or create a self-signed certificate for now, and ... strictly speaking, that is all. Now we can use our e-mail client (the same Outlook) to send and receive signed and encrypted messages.

With the OpenPGP standard everything is both simpler and more complicated. To use this standard you still need a CSP, a pair of public and private keys, and a program that does the actual signing and encryption. For OpenPGP all of these components come in both paid and free forms. The free ones involve more hassle during installation, the paid ones less, but the principles are one and the same.
Following the order in which they are used, let us begin with the program you will deal with most of all: the mail client. Using plain Outlook is impossible here, because it knows nothing about the OpenPGP standard, which means you must either switch to a client that does know the standard, use plug-ins for Outlook, or even handle signing and encryption by copying the information into external programs. As examples of e-mail clients that work with OpenPGP one can name Mozilla Thunderbird (which, incidentally, still needs a plug-in) and The Bat!, whose Professional version can work with the OpenPGP standard on its own.


The main screens of the Mozilla Thunderbird and The Bat! e-mail clients

Plug-ins for working with the OpenPGP standard in mail can also be found in both paid and free forms. Paid plug-ins come with the paid versions of the PGP program itself; as an example of a free one, there is the Enigmail plug-in for the same Thunderbird.


The add-ons that appear in the e-mail client after installing Enigmail

The CSP here is free one way or another: you can use the CSP distributed even with the free version of PGP, or you can use GnuPG.


The key management page of GnuPG

Here it is perhaps worth warning those who will go down the free and open-source route. Most of these programs really do work and perform their functions, but there are a number of problems common to them all. The most significant are insufficient testing and poorly thought-out user interfaces. Both problems are inherent in free software by its very nature: development is done "by the whole world" (or by a separate group), so in most cases projects have no overall ideologist, no overall design or designer, and so on. As a result, one often gets a situation of "whatever has grown has grown", and it is not always convenient from a purely functional point of view. Testing, too, is usually done "by the whole world" rather than by professional testers with an evil manager hanging over them, so more bugs reach the final version. Moreover, if a bug is found that could lead to the loss of your information, there is nobody to hold to account: the software is free and open, and nobody bears any financial or legal liability to you. Do not delude yourself, however: with paid software the situation is exactly the same, although in rare cases there are options. Unfortunately, those cases apply rather to partner companies and corporate clients, so for us ordinary users it is safe to assume there are none.
That said, I do not in any way want to belittle the merits of such software. In fact, looking at both paid and free programs that work with cryptography, we can see that the first problem, bugs, hardly affects this software at all (with rare exceptions, which you simply should not use). But the second, the dreadful state of user interfaces, affects almost all of them, oddly enough. And if for free software the reason can be taken to be the same "whatever has grown has grown" (take, say, TrueCrypt, a program remarkable in every respect and the de facto standard for data encryption, whose interface is horrifying to anyone not deeply versed in the subject), then the same situation with paid software can be explained, perhaps, only by the fact that cryptography as a line of development is usually treated as an afterthought. Exceptions to these rules occur on both sides, but personally I have come across more of them in the camp of paid software.

But back to our mail. The question of the certificate remains. "Simpler and more complicated" applies right here. You can create it directly on your computer, without involving an external certification authority, which, you will agree, is simpler than sending a request to a certification authority. But therein lies the problem with these certificates: they are all self-signed, which means they suffer from the same issues we discussed for the self-signed certificates of certification authorities. That second point is precisely what makes it "more complicated".
The problem of trust in certificates is solved in this camp by means of webs of trust, whose principle can be summarised as follows: the more people know you (your certificate), the more grounds there are for trusting it. In addition, to ease the problem of getting the certificate to the recipient, there are public certificate banks, where it is a little harder for a bad actor to meddle than in transmitted mail. You can upload your certificate to such a bank when it is created and simply tell the recipient where to pick it up.
Certificates are stored in stores that the programs working with the OpenPGP standard create on your machine, and those programs provide access to them. This should not be forgotten, because it means that reaching these certificates by means of the operating system alone, without those programs, will not work.
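The web-of-trust principle above, as an added example that is not part of the original article and not GnuPG's own code: a simplified model that follows GnuPG-like defaults (this is our assumption; one fully trusted voucher or three marginal ones, at most five hops deep) to decide whether a key in a constructed key ring counts as valid.

```go
package main

import "fmt"
// Trust is how far we, the key ring's owner, trust a key's holder to vouch for other keys.
type Trust int

const (
	Unknown  Trust = iota // no opinion: this key's certifications count for nothing
	Marginal              // a partial vouch
	Full                  // a complete vouch
	Ultimate              // our own key: always valid, and it vouches like a Full key
)

// Key is an OpenPGP-style public key: our trust in its holder and the keys that certified it.
type Key struct {
	Owner    Trust
	SignedBy []string
}

// Ring is a simplified web of trust with GnuPG-like defaults (our assumption, not the article's): a key is valid
// if ultimately trusted, or certified by one fully trusted valid key or three marginally trusted valid keys, at most five hops away.
type Ring map[string]*Key

func (r Ring) Valid(name string, depth int) bool {
	k, ok := r[name]
	if !ok || depth > 5 { return false } else if k.Owner == Ultimate { return true }
	full, marginal := 0, 0
	for _, s := range k.SignedBy { // a certification counts only if the signer's own key is valid
		if signer, ok := r[s]; ok && r.Valid(s, depth+1) {
			if signer.Owner >= Full { full++ } else if signer.Owner == Marginal { marginal++ }
		}
	}
	return full >= 1 || marginal >= 3
}

// demoRing is a constructed key ring: we certified alice, bob, carol and dave ourselves and chose
// how far to trust each as an introducer; the remaining keys are known to us only through them.
func demoRing() Ring {
	r := Ring{"me": {Ultimate, nil}}
	add := func(name string, owner Trust, signedBy ...string) { r[name] = &Key{owner, signedBy} }
	add("alice", Full, "me")
	add("bob", Marginal, "me")
	add("carol", Marginal, "me")
	add("dave", Marginal, "me")
	add("eve", Unknown, "bob", "carol", "dave") // three marginal vouchers: valid
	add("frank", Unknown, "bob")                // a single marginal voucher: not enough
	add("mallory", Unknown, "eve")              // eve's key is valid, but eve is not a trusted introducer
	return r
}

func main() { r := demoRing(); fmt.Println(r.Valid("eve", 0), r.Valid("frank", 0), r.Valid("mallory", 0)) }
```

Call Valid with depth 0; the depth argument only limits how far the recursive search follows certifications.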

That is all: as with S/MIME, the set of actions described above is enough to achieve our goal, an exchange of signed and encrypted e-mail.

This is only a beginning. We can now use the first, fairly simple dish seasoned with digital signatures, but it is good only as an appetiser and certainly not worth dwelling on. In future articles we will analyse more and more complex situations and learn more and more about the features of this technology.
Views: 837 | Added by: w1zard | Rating: 0.0/0