Databases
StackOverflow2013
Postsdbo
POStandardized approach to digital signatures of files via .NET
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POStandardized approach to digital signatures of files via .NET
    text
    copied!<p>I am building a system for distributing packages (.zip archives) created by different organizations. I'd like a way to verify that the publisher of a package is indeed who they claim to be, and that the file has not been tampered with. </p> <p>To verify the publisher, a system similar to what is used by web browsers is required - e.g., my application contacts the root certificate authorities, who verify the identity. In other words, the 'green bar' :) </p> <p>I'm guessing the package creation would work like this:</p> <ol> <li>Author creates zip package</li> <li>Author hashes package and signs the hash</li> <li>It is re-packaged, with: <ul> <li>A header containing the signed hash, and the public certificate </li> <li>A body containing the contents of the zip file</li> </ul></li> </ol> <p>Package opening would work like this:</p> <ol> <li>Take the body of the data</li> <li>Hash it using the same algorithm</li> <li>Decrypt the package's hash using the public key from the certificate</li> <li>Compare the two hashes - we now have integrity</li> <li>Contact the root CAs to verify the identity</li> </ol> <p>This way, I have verified the identity, and also verified the contents (the contents themselves do not need to be encrypted - the goal is verification, not privacy). </p> <p>So my questions are:</p> <ol> <li>Is the above the correct way to approach it?</li> <li>What hashing algorithm do people normally use? I assume it should be one-way. Would you just choose one (MD5, SHA1, SHA2?) or is it more normal to support a variety and let the package author tell you which one they used (e.g., the header of the document contains the name of the hashing function). </li> <li>How do you work with the root CA's? Is this the job of the X509Store class, or are there additional steps involved?</li> <li>What kind of certificates are involved here? The same kind of certificates used to sign .NET assemblies? (Code-signing certificates?)</li> </ol> <p>Lastly, if an organization does not have a paid-for certificate and instead decide to use a self-issued certificate, I assume I can still verify the hashes (for the sake of data integrity) without having to install stuff into the computer's certificate stores or any magic like that (in these cases, I'd just display: "Published by XYZ Co. (Unverified)". Is this correct? </p> <p>I have found plenty of links on how to use the X509 and RSACryptoServiceProvider, so I can probably figure the code out, I guess I'm more interested in the process and knowing I'm using the right techniques. </p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload