I am trying to implement a (simplified) RSA-like verification process in my (Java) application.
The client sends a request (data + private key signature) and the server either rejects his request or processes it - depending on the signature validity.
But I don't understand how the verification server knows which public key to use for signature decryption. Indeed, no public key - nor public key ID - seem to be sent to the verification server.
Does it actually test all authorized public keys ? Or is the public key stored from a previous communication exchange ?
The figure has several errors and some omissions, because it is probably a simplification:
the hash is digitally signed, not encrypted, and the signature is verified, not decrypted. The underlying cryptographic operation is not equivalent.
the signed data should include the certificate and the certification chain
if you use a known format like CMS, pkcs#7 or XMLDsig the hash to sign usually includes also a reference to the signing certificate and content-type to avoid tampering
To validate a signed document you verify the signature using the public key of the attached certificate but it is mandatory to check that the signing certificate is trusted verifying that the certificate itself or the issuing Certification Authority is present in the client's trustore.
The signature includes the certification chain because usually the truststore does not contain the intermediate CAs. The certificates of the truststore are exchanged previously
Additionaly the verification process should check that the certificate is not expired and not revoked
Note that the verification process is the same for all digital certificates in a public key infrastructure, not just RSA
As the figure you attached with the question suggests, the client sends its certificate along with the signature, the certificate contains the public key, the server checks for certificate validity and uses it to check the signature.
Related
I have an ADFS that trusts a SP.
I added the signature verification certificate
for my relying party trust but I get the following error:
MSIS7093: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
It seems pretty clear, but not coherent with the actual context: the signature verification certificate is generated by SHA-256, not SHA-1.
If I follow right the error message and change the secure hash algorithm from SHA-256 to SHA-1, it works and I can perform the SSO authentication. But I'm not happy with that, for two reasons:
SHA1 is not safe anymore
I don't know why I should set the secure hash algorithm to SHA-1 when the certificate used is actually in SHA-256.
The certificate was generated using openssl:
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout samlkratos.key -out samlkratos.crt
Does anyone have any idea why that happens?
The hash of the certificate is not really related to the hash being used to has the data.
For instance when XML is signed, the canonical XML is hashed using one of a number of supported hash algorithms. The XML is then updated with the Signature Algorithm like http://www.w3.org/2000/09/xmldsig#rsa-sha1 to tel the server that this is the algorithm that was used.
In the server side there is often a setting at the IdP where the Signature Algorithm is specified. Essentially telling the IdP that it should be validating the request with a specific algorithm
If you are sending sha1 and the error is that it was expecting sha256 there is a mismatch and the SP (the application) likely needs to have the setting changed.
You can normally se what is being sent from the browser with a SAML decoder plugin.
Again it depends what the SP application is configured to send and what the IdP is configured to accept (if applicable) and has very litly to do with the certificate (the RSA in rsa-sha256) requires a RSA based certificae but the has can be a number of things as long as the combination is supported (example a DSA certificate cannot support sha512 since the specification does not allow it)
I want to generate a digital certificate for signature and authentication to sign a document, but I couldn't find any validated authority in my country that delivers digital certificates. In such a case, is there any way (website) to generate this type of certificates?
Thanks
You can create self signed certificate as described for example here How to generate a self-signed SSL certificate using OpenSSL?. Downside is that the Adobe Reader shows the signature invalid as by default it is not trusted.
You can also buy the "Document Signing Certificate" from any trust service provider. You will get USB crypto token with that. In this case Adobe Reader will show the signature valid.
I am not sure if we simply validating the client cert is enough, because if someone steal the cert then they can impersonate others, how do we validating the client? Does client needs to sign some message with its private key , send together with the client cert, and server side get the public key from the cert to validate the message to confirm he is the cert holder?
When a server validates a client certificate, it makes the client prove that the certificate is theirs by performing an operation with its corresponding private key. The private key isn't part of the certificate, so stealing it doesn't allow impersonation of the user.
I was working on a sample TLS client/server program to perform certificate validation.
For a self signed certificate validation, these are the steps i followed.
#server side:
Generated a server key file serverkey.key
Generated a CSR certificate servercert.csr from the key file.
Digitally signed(using openssl x509 utility) the servercert.csr using a
generated rootCA.key and rootCA.cert. server certificate file servercert.cert
is generated.
Loaded the certificate file(servercert.cert) and key file(serverkey.key) using
SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey openssl apis.
#client side:
Loaded the server ca-file --> rootCA.cert (which was manually copied to the
client) using the SSL_CTX_load_verify_locations api.
Using the SSL_get_verify_result() api validated the certificate that server
sends in the Certificate message.
The question that i have is that if i use a trusted CA(like godaddy) to sign a server CSR certificate, will the CA be providing its public key file (something similar to rootCA.cert) as well which was used for signing ?
By which i can load the same to the trusted list at client side using SSL_CTX_load_verify_locations api.
My intention is to keep the code unchanged regardless of being a self signed certificate or a valid CA provided certificate.
When (any) x509 certificate is generated, these things happen:
Private key is generated
Public key (associated with the private key mentioned above) is embedded in the new certificate (becomes an integral part of it)
The new certificate is signed using private key of the issuer (read: CA)
In order to verify the certificate integrity (to check if nobody tampered with it) - you need to verify the signature (created using issuer's private key - see 3)). To be able to do it you need to obtain (somehow) the issuer's public key. This key is embedded in the issuer's certificate (see 2)). Usually the trusted CAs' certificates are stored in so called trusted certificate store. In case of OpenSSL you specify this "store" by using SSL_CTX_load_verify_locations function (and a few other simmilar functions - consult OpenSSL documentation).
To summarize:
In your case the location pointed by SSL_CTX_load_verify_locations should contain your CA's certificate(s) - all of them - the whole certificate chain up to the self-signed root certificate. You can obtain all of the certificates in the chain from your CA (in your case GoDaddy).
I hope that helps.
If I can clarify anything more please ask.
What is the purpose of challenge password in simple certificate enrollment protocol (SCEP)?
My understanding is that it is used to authenticate devices.
My question is : How it is different from authentication done by using public and private key pairs?
Challenge password is(/may be) used in the enrollment process. As stated in SCEP specification (section 2.3):
PKCS#10 [RFC2986] specifies a PKCS#9 [RFC2985] challengePassword
attribute to be sent as part of the enrollment request. Inclusion of
the challengePassword by the SCEP client is OPTIONAL and allows for
unauthenticated authorization of enrollment requests. The PKCS#7
[RFC2315] envelope protects the privacy of the challenge password.
When utilizing the challengePassword, the server distributes a shared
secret to the requester which will uniquely associate the enrollment
request with the requester. The distribution of the secret must be
private: only the end entity should know this secret. The actual
binding mechanism between the requester and the secret is subject to
the server policy and implementation.
In section 2.5 draft states:
The challengePassword MAY be used to automatically authorize the
request.
SCEP draft states in section 2.8:
SCEP does not specify a method to request certificate revocation.
but when challenge password was used in the enrollment process then:
In order to revoke a certificate, the requester must contact the CA
server operator using a non-SCEP defined mechanism. Although the
PKCS#10 [RFC2986] challengePassword is used by SCEP for enrollment
authorization (see Enrollment authorization (Section 2.3)) this does
not inhibit the CA server from maintaining a record of the
challengePassword to use during subsequent revocation operations as
implied by [RFC2985].
If a certificate is compromised (the private key is stolen, etc.) the
certificate needs to be revoked as it will remain valid till the end of it's
term.
Any administrator with access to a cert can revoke the cert. If a challenge
password was specified during the certificate signing request that password
will be required before the cert can be revoked.
So, it seems the sole purpose of the challenge password is to prevent
revocation by someone without the password.
SCEP is used to issue certificates to devices (mostly in an untrusted network). The admin will generate challenge password and send it to the user via mail. The SCEP server knows about this challenge password. (We can ask SCEP Server to generate a challenge password and give it to the admin which he shares with respective person). When a device requests SCEP server for certificate with this challenge password, the SCEP server can validate the challenge password and issue certificate.
Actually the device makes first request to get CA cert of the server. It validates the CA Cert. Then the device generates private and public key locally which is what, for instance, iOS MDM agent does. Then a CSR (Certificate Signing Request) is sent to the SCEP server with challenge password. The SCEP Server validates challenge password and now signs the device's public key with its private key. The result is the certificate.
Reference:
https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html