Thursday, December 11, 2014

Signing files with openssl and s/mime

Okay here's my signing datafiles via S/MIME ( Secure/Multipurpose Internet Mail Extensions ). Openssl has the ability for signing files using S/MIME. In fact it's  as easy as 1-2-3 to sign & verify a file.

S/MIME is commonly used in SMTP and mail-messages but the use has grown from just doing mail. It's probably one of the more commonly used encryption for mailsystems that use a CentralAuthority for certificates. It 's  widely used by mail-servers and clients and it's  one of the best & probably better suited for the general user  than PGP for end-2-end mail security.

note: If I didn't use PGP, I would use S/MIME for mail security

Now, to sign a datafile, the sender ( signer ) will need the following;

    1: certificate 
    2: the private-key for the certificate we will sign with
    3: and obvious the datafile ( message, text,binary......)

On the receiver side of things ( recipient ),  he/she only needs the certificate or access to the certificate.

And if not obvious, the private-key stays private with the signer.

Okay so let's look at my sender, and the files we have on my host SOC01. SOC1 will sign a file and then we verify it on another machine.


We have the certificate labeled as "mycert.pem" and the private-key, plus the datafile named "file".
We will sign the datafile with the certificate and key. The file named "file",  is a simple text file

This process creates the signature which holds the original data along with attach signature. The cool thing about this, the file named "file" was a text file.

So we can open  the file.smime_sign and see the begin and ending parts of the signature and the original file. The lines between "------D0EC78ECFEFE5115C43A0E08FEB87DE8" will contain our original data.  This is known as the boundary and the 1st line in the file gives you details on the ; content-type, sha version,  boundary, etc.....

The verification process on the receiver is very simple, we only need the file and certificate and we reverse the process of the signing.

note: this was a self-signed certificate and not issued by a CA

Now the cool thing about this process, if the datafile was corrupted or tampered with,  the verification will always  fail.  The same for if  the certificate was corrupted or the wrong certificate was used during the verification, openssl will complain  with an "Verificiation failure"  or   "Error loading file ....."

Now , let's look at what happens when we add one whitespace to the signed.filed and try to re-verify the signature.

Signing ensure that the recipient knows with 100% confidence that the holder of the certificate sign the file. This can't be  repudiate. Also with the  passphrase assigned, the owner must know the passphrase used with the private-key and certificate.

So  signing  and verification is simple. Key points to  keep in mind;

  • the private-key is critical and needs to stay private
  • the signer is protected by the private-key and passphrase
  • signing  and than verify, that the author indeed  is the author
  • if your signing a binary file and not using -binary, the signature will be dettached

Ken Felix
Freelance Network/Security Engineer Mail Security Specialist
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=(  !  !  )=
      /   \

No comments:

Post a Comment