BorlandTalk.com Borland discussion newsgroups

Jonathan Benedicto (Guest)
Posted: Fri Feb 17, 2006 7:03 pm Post subject: digital signature authentication
Hello All,
I'm writing a system for some of my applications that contacts my webserver
to retrieve info. However, I'd like to verify that the server that my code
is talking to is actually the JomiTech server, so I've added digital
signing.
In other words, when my program contacts the server, it expects a response
back that has been signed. However, to decrypt that signature, I need my
public key.
What I'm concerned about is that someone might come along, add "jomitech.com
127.0.0.1" into their hosts file, create their own public/private key pair,
and send phony responses back into my app from a phony server.
What ways are used to get around this problem?
Jonathan

Tamas Demjen (Guest)
Posted: Fri Feb 17, 2006 8:03 pm Post subject: Re: digital signature authentication
Jonathan Benedicto wrote:
> What I'm concerned about is that someone might come along, add "jomitech.com
> 127.0.0.1" into their hosts file, create their own public/private key pair,
> and send phony responses back into my app from a phony server.
> What ways are used to get around this problem?

This is a common problem with public key cryptography. Its safety is
only guaranteed if you can trust the public key itself. Complete trust
can only be achieved if you meet the person and hand your public key
over to him or her on a flash drive. The second best thing is to verify
the key over the phone -- that's why PGP has a key signature, which is
reasonably short and can be human verified quickly. Another possible
solution would be to establish an international organization that
authenticates keys, but it's only as trusted as your local government
is. And we know that there can be corruption even within the United
Nations. The same way birth certificates and passports can be faked,
public keys are subject to fraud as well. To the best of my knowledge,
the best thing available is the signing of public keys. You can sign
public keys of people that you know personally, and they can sign their
friends' and colleagues' keys, and various government agencies can add
signatures as well. The more signatures a key has, the more trusted it
is. It's very unlikely that someone can defraud 100 different sources at
the same time.
SSH has the same problem. If someone compiles a special version of
Firefox with a fake SSH key in it, he can coax people to run his
modified browser, others thinking it's the official one, and when they
purchase something from a secure web site, the impersonator can easily
steal your credit card information (for example, by redirecting
amazon.com to an identical looking fake site).
You can't completely prevent this. Just like you can't prevent ATM
fraud, or burglaries or bank robberies. Only the power of the law can
step up against such crimes. They can be enforced by punishing such acts
of crime.
Tom

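The check the two posts above are discussing, written out as an added example in Go using the standard library's Ed25519 (this is not code from the thread, nor from JomiTech). The client ships with the server's public key pinned into it and accepts a response only if the signature verifies under that key; the impostor from Jonathan's scenario, who has redirected the hostname to his own machine and generated his own key pair, cannot produce such a signature, and neither does a body altered in transit pass. Fingerprint gives the short, human-readable digest of a key of the kind Tom describes confirming over the phone. The key pairs, response bodies and type names are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Server holds the signing key pair. Only the public half is ever shipped to
// clients; the private key stays on the web server.
type Server struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewServer generates a fresh Ed25519 key pair (constructed for the example;
// a real server would load a stored key).
func NewServer() (*Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{pub: pub, priv: priv}, nil
}

// Respond signs the response body; the client receives body and signature.
func (s *Server) Respond(body []byte) (resp, sig []byte) {
	return body, ed25519.Sign(s.priv, body)
}

// Client carries the public key that was compiled into the application.
type Client struct {
	pinned ed25519.PublicKey
}

// Verify accepts a response only if the signature was made by the pinned key.
func (c *Client) Verify(resp, sig []byte) bool {
	return ed25519.Verify(c.pinned, resp, sig)
}

// Fingerprint is a short SHA-256 digest of a public key, the kind of value a
// person can read out to confirm that both sides hold the same key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignedResponseScenario plays out the thread's concern: the genuine server, an
// impostor reached through a hosts-file redirect who uses his own key pair, and
// a genuine response whose body was altered in transit. It reports which of the
// three the client accepts.
func SignedResponseScenario() (genuineOK, impostorOK, tamperedOK bool, err error) {
	genuine, err := NewServer()
	if err != nil {
		return
	}
	impostor, err := NewServer() // attacker's own, unrelated key pair
	if err != nil {
		return
	}
	client := &Client{pinned: genuine.pub} // key shipped inside the executable

	// Constructed sample response bodies.
	resp, sig := genuine.Respond([]byte(`{"license":"valid","expires":"2007-01-01"}`))
	genuineOK = client.Verify(resp, sig)

	fake, fakeSig := impostor.Respond([]byte(`{"license":"valid","expires":"2099-01-01"}`))
	impostorOK = client.Verify(fake, fakeSig)

	tampered := append([]byte{}, resp...)
	tampered[len(tampered)-3] ^= 0xFF // change the body, keep the genuine signature
	tamperedOK = client.Verify(tampered, sig)
	return
}

func main() {
	g, i, t, err := SignedResponseScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine accepted: %v\nimpostor (own key pair) accepted: %v\ntampered body accepted: %v\n", g, i, t)
}
```

Pinning the key defeats the hosts-file redirect because a signature under some other key pair never verifies; it does nothing if the pinned key inside the executable is itself replaced, which is the case the later replies in this thread turn to.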
Jonathan Benedicto (Guest)
Posted: Fri Feb 17, 2006 8:03 pm Post subject: Re: digital signature authentication
Tamas Demjen wrote:
[snip]
Thank you very much for this info. I guess I'll have to try to sign the
public key as many times as possible.
Jonathan

Tamas Demjen (Guest)
Posted: Fri Feb 17, 2006 10:03 pm Post subject: Re: digital signature authentication
Jonathan Benedicto wrote:
> Thank you very much for this info. I guess I'll have to try to sign the
> public key as many times as possible.

It will only work if the entire society is ready for it. You would have
to ask other people who trust you to sign your key, and those people in
turn would ask others, and so on. They have to believe that the key
they're signing is really yours. Anyway, I don't think it's happening
right now. At one point you have to accept a certain level of trust
somewhere in the system.
If you write a communication application that has a public key, it's
pretty secure. The only way it could be abused is if someone provided
your application for download with a fake key in it (or they would
distribute the hacked product on a CD-ROM). The only thing that protects
you from that is the license agreement you write, and the law that helps
enforce it.
If it's really important to safeguard the public keys, such as in a
banking system (ATM machine), you have to make the hardware such that it
self-destroys the key when the case gets opened. Also put a protective
plastic layer on the printed circuit board that prevents probing it
with an external instrument, and perhaps even shield the box so no
electromagnetic waves can leave the system. There's not much you can do
on a conventional PC. At the minimum you would have to have the
authentication algorithms built into the CPU, and supported at OS level.
Similarly to how the CPU throws an access violation when you read, write or
execute unauthorized memory address ranges. But from the day secured
computing arrives, you won't be able to make unauthorized copies of
software, music, movies, books, etc., unless you run them on an
untrusted CPU and an untrusted OS, connecting to an untrusted network.
There are books out there if you're interested in cryptography and
secure communication. I don't think you can do significantly better than
SSH today.
Tom

Tamas Demjen (Guest)
Posted: Fri Feb 17, 2006 10:03 pm Post subject: Re: digital signature authentication
Jonathan Benedicto wrote:
> I'm concerned about the public key being altered in the .exe, and then that
> person then distributing the app to use their server instead of mine.

SSH has the advantage that it requires registration with an agency,
which can be verified.
I don't think I can recommend anything better, but I'm not a security
expert.
Tom

Jonathan Benedicto (Guest)
Posted: Fri Feb 17, 2006 10:03 pm Post subject: Re: digital signature authentication
Tamas Demjen wrote:
> SSH has the advantage that it requires registration with an agency, which
> can be verified.

The SSH clients I've tried merely ask you if you want to add this
unrecognized public key to the DB, and then let you use it, which in this
case is too late.

> I don't think I can recommend anything better, but I'm not a security
> expert.

Thank you for your replies. I highly appreciate it.
Jonathan

Jonathan Benedicto (Guest)
Posted: Fri Feb 17, 2006 10:03 pm Post subject: Re: digital signature authentication
Tamas Demjen wrote:
> It will only work if the entire society is ready for it. You would have to
> ask other people who trust you to sign your key, and those people in turn
> would ask others, and so on.

This would be a problem.

> If you write a communication application that has a public key, it's
> pretty secure. The only way it could be abused is if someone provided your
> application for download with a fake key in it (or they would distribute
> the hacked product on a CD-ROM).

I'm concerned about the public key being altered in the .exe, and then that
person distributing the app to use their server instead of mine.
My brain is still churning over various different options, downloading
processor instructions that are unique every time etc.
Jonathan

Daniel James (Guest)
Posted: Sat Feb 18, 2006 11:03 am Post subject: Re: digital signature authentication
In article <43f60e9b (AT) newsgroups (DOT) borland.com>, Jonathan Benedicto wrote:
> I'm writing a system for some of my applications that contacts my webserver
> to retrieve info. However, I'd like to verify that the server that my code
> is talking to is actually the JomiTech server, so I've added digital
> signing.

What's your actual worry here? Whose interests are you trying to protect and
who do you think may try to attack the system?
It makes a big difference to the sort of security you will need to add.

> What I'm concerned about is that someone might come along, add "jomitech.com
> 127.0.0.1" into their hosts file, create their own public/private key pair,
> and send phony responses back into my app from a phony server.

This sounds like you are trying to implement some sort of software licence
scheme, and you are worried that the user of your software will deliberately
subvert your communication with the server to circumvent your checks. That's
probably the hardest situation to protect against, because the "attacker" of
the system is your own customer, and is in complete control of his own PC.
Furthermore, any encryption keys the application uses to protect its
communications with the server will have to be on the PC, and so are available
to the user if he wants to intercept and analyse the data transmitted.
Is this the sort of thing that you're trying to do, or am I barking up the
wrong tree?
Cheers,
Daniel.

Daniel James (Guest)
Posted: Sat Feb 18, 2006 11:03 am Post subject: Re: digital signature authentication
In article <43f63e17$1 (AT) newsgroups (DOT) borland.com>, Tamas Demjen wrote:
> > I'm concerned about the public key being altered in the .exe, and then that
> > person then distributing the app to use their server instead of mine.
> SSH has the advantage that it requires registration with an agency,
> which can be verified.

That doesn't help if it's the person using the certificate that has spoofed it.
They can simply set up their own local CA and issue a certificate for the spoof
key themselves. SSH will be quite happy to accept the spoof certificate as long
as the issuing CA is known to it.
Cheers,
Daniel.

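Daniel's point above, as an added Go example using the standard library's crypto/x509 (not code from the thread; every CA, certificate and key here is generated on the fly for the scenario). A client whose only check is "does this certificate chain to some CA in my trust store" accepts a certificate for jomitech.com issued by a CA that the user installed on their own machine, whereas a client that compares the server's key against a pinned SubjectPublicKeyInfo hash compiled in at build time rejects it. Whether that pin survives inside the executable is the separate problem the thread also raises.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// mustIssue creates a certificate for name. With parent == nil it is a
// self-signed CA; otherwise it is a server certificate signed by parent.
// Keys are generated on the fly, so this is constructed test material.
func mustIssue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// trustStoreAccepts mimics a client that accepts any certificate for host
// that chains to some CA in its trust store.
func trustStoreAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the SHA-256 of the certificate's SubjectPublicKeyInfo, the value
// a client can compile in so that only one specific server key is accepted.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CertChainScenario builds the genuine CA and server certificate, then a local
// CA that the user has added to the trust store on their own machine and a
// spoof certificate for the same host issued by it. It reports whether the spoof
// passes the trust-store check, whether it passes the pin, and whether the
// genuine certificate passes the pin.
func CertChainScenario() (spoofByStore, spoofByPin, genuineByPin bool) {
	genuineCA, genuineCAKey := mustIssue("JomiTech CA", true, nil, nil)
	genuineLeaf, _ := mustIssue("jomitech.com", false, genuineCA, genuineCAKey)
	localCA, localCAKey := mustIssue("Local CA", true, nil, nil)
	spoofLeaf, _ := mustIssue("jomitech.com", false, localCA, localCAKey)

	roots := x509.NewCertPool()
	roots.AddCert(genuineCA)
	roots.AddCert(localCA) // the user controls the trust store on their own PC

	pinned := spkiPin(genuineLeaf) // compiled into the client at build time
	spoofByStore = trustStoreAccepts(spoofLeaf, roots, "jomitech.com")
	spoofByPin = spkiPin(spoofLeaf) == pinned
	genuineByPin = spkiPin(genuineLeaf) == pinned
	return
}

func main() {
	s, p, g := CertChainScenario()
	fmt.Printf("spoof accepted by trust-store check: %v\nspoof accepted by pin: %v\ngenuine accepted by pin: %v\n", s, p, g)
}
```

The chain check passes for the spoof because the verifier is only asked whether some trusted CA vouches for the name, and on the user's own machine the user decides which CAs are trusted; the pin compares the key itself, which the local CA cannot reproduce.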
Jonathan Benedicto (Guest)
Posted: Sat Feb 18, 2006 4:03 pm Post subject: Re: digital signature authentication
Daniel James wrote:
> This sounds like you are trying to implement some sort of software licence
> scheme, and you are worried that the user of your software will deliberately
> subvert your communication with the server to circumvent your checks. That's
> probably the hardest situation to protect against, because the "attacker" of
> the system is your own customer, and is in complete control of his own PC.
> Furthermore, any encryption keys the application uses to protect its
> communications with the server will have to be on the PC, and so are available
> to the user if he wants to intercept and analyse the data transmitted.
> Is this the sort of thing that you're trying to do, or am I barking up the
> wrong tree?

Yes it is. You guessed correctly :-)
Jonathan

Daniel James (Guest)
Posted: Sun Feb 19, 2006 1:03 pm Post subject: Re: digital signature authentication
In article <43f740d7$1 (AT) newsgroups (DOT) borland.com>, Jonathan Benedicto wrote:
> > Is this the sort of thing that you're trying to do, or am I barking up the
> > wrong tree?
> Yes it is. You guessed correctly

Then, what you're trying to do isn't easy.
There are commercial tools you can use for this sort of thing (sorry, I can't
really recommend one) and I'd seriously suggest that it isn't worth trying to
reinvent the wheel, here. You can do something quick and dirty yourself that
will deter a casual attacker, but if you need stronger protection it has to be
worth buying it in.
Cheers,
Daniel.

Jonathan Benedicto (Guest)
Posted: Mon Feb 20, 2006 12:03 pm Post subject: Re: digital signature authentication
Mark Jacobs wrote:
> Then, what you're trying to do isn't easy.
> There are commercial tools you can use for this sort of thing (sorry, I
> can't really recommend one) and I'd seriously suggest that it isn't worth
> trying to reinvent the wheel, here. You can do something quick and dirty
> yourself that will deter a casual attacker, but if you need stronger
> protection it has to be worth buying it in.
> Also, once your app is in the customers' hands, you cannot be held
> responsible for what they do with it (although us programmers often are!).
> It's like trying to give them a copy of format.com that is safe! At the
> end of the day, there's only so much you can do for the client.

Thank you both. Well, I guess I'll have to make it as strong as possible and
leave it there.
Jonathan

Mark Jacobs (Guest)
Posted: Mon Feb 20, 2006 12:03 pm Post subject: Re: digital signature authentication
Daniel James wrote:
> In article <43f740d7$1 (AT) newsgroups (DOT) borland.com>, Jonathan Benedicto wrote:
> > > Is this the sort of thing that you're trying to do, or am I barking up the
> > > wrong tree?
> > Yes it is. You guessed correctly :-)
> Then, what you're trying to do isn't easy.
> There are commercial tools you can use for this sort of thing (sorry, I can't
> really recommend one) and I'd seriously suggest that it isn't worth trying to
> reinvent the wheel, here. You can do something quick and dirty yourself that
> will deter a casual attacker, but if you need stronger protection it has to be
> worth buying it in.

Also, once your app is in the customers' hands, you cannot be held responsible for what
they do with it (although us programmers often are!). It's like trying to give them a copy
of format.com that is safe! At the end of the day, there's only so much you can do for the
client.
--
Mark Jacobs
http://www.dkcomputing.co.uk