---[ Phrack Magazine Volume 8, Issue 52 January 26, 1998, article 15 of 20 -------------------------[ Technical Guide to Digital Certification --------[ Yggdrasil Introduction ~~~~~~~~~~~~ Today's software technology provides not only flexible controls for web pages and complex remote interaction (ActiveX controls, Java applets and Netscape plugins) but also offers the possibility of downloading pieces of code for local execution to extend browsers capabilities. A major issue being the fact that this code cannot be initially distinguished from malicious code (virii/trojans, "man in the middle" attacks, forced downgrade, forgery of electronic documents, etc), disguised as utilities. The point is that end users do not know who published of a piece of software, if the code has been tampered with, and what that software will do, (until they download and execute it). Anyone can create plugins, applets or controls containing this potentially destructive code or even "intelligent" malevolent code, able to communicate covertly with a remote server. Public-key cryptography has produced a number of different implementations to verify the authenticity of software, network objects, documents and data transactions (for example, Electronic Funds Transfer) using Digital IDs. Authenticode Certifications ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Microsoft recently adopted Authenticode technology to sign their ActiveX based software. Any individual or commercial software publisher desiring their code to be "trusted" must apply for and receive a Digital Certificate from an Authenticode Certificate Authority (CA), such as VeriSign. The CA will request proof-of-identity, and other information, only then will they verify the publishers credentials (even employing Dun & Bradstreet rating). After the CA has decided that the publisher meets its policy criteria, it releases a Certificate (the expected cost is about $500 for a year, plus additional costs for hardware storage for commercial developers, up to $12,000). [ God save the next-generation developers. ] A Digital Certificate contains the publishers public-key (and other info) encrypted according to the industry standard X.509 V3 certificate format and PKCS #7 signed data standards. The ITU-T recommendation for X.509 states that: "It would be a serious breach of security if the CA issued a certificate for a user with a public key that had been tampered with." All Certificates have an expiration time, but the CA may revoke them prior to that time if a publisher's private-key or CA's certificate is assumed to be compromised. The CA may (or may NOT) inform the owner of the certificate. Revocation Lists ~~~~~~~~~~~~~~~~ The Revocation Lists, also called "black-lists", are held within entries as attributes of types CertificateRevocationList and AuthorityRevocationList. Their attribute types are defined as follows: certificateRevocationList ATTRIBUTE ::= { WITH SYNTAX CertificateList EQUALITY MATCHING RULE certificateListExactMatch ID id-at-certificateRevocationList } authorityRevocationList ATTRIBUTE ::= { WITH SYNTAX CertificateList EQUALITY MATCHING RULE certificateListExactMatch ID id-at-authorityRevocationList } CertificateList ::= SIGNED { SEQUENCE { version Version OPTIONAL, signature AlgorithmIdentifier, <----+ issuer Name, | thisUpdate UTCTime, | nextUpdate UTCTime OPTIONAL, version 2 revokedCertificates SEQUENCE OF SEQUENCE { only userCertificate CertificateSerialNumber, (extension) revocationDate UTCTime, | crlEntryExtensions Extensions OPTIONAL } OPTIONAL, | crlExtensions [0] Extensions OPTIONAL }} <----+ Implementation of X.509-3 ~~~~~~~~~~~~~~~~~~~~~~~~~ The ITU-T X.509 Directory Specification makes use of a set of cryptographic systems known as asymmetric Public-Key Crypto-Systems (PKCS). This system involves the use of two keys (one secret and one public as used in common public key packages like PGP). Both keys can be used for encoding: the private key to decipher if the public key was used, and vice versa (Xp*Xs = Xs*Xp, where Xp/Xs are the key-encoding/decoding functions). When applied to Digital Signatures, the public key encryption is used to encipher the data to be signed after it's passed through a hash function. Information is signed by appending to it an enciphered summary of the info. The summary is produced by means of a one-way hash function, while the enciphering is carried out using the private key of the signer. For further information about X.509 and certificate types please read the ITU-T Recommendation X.509 ("The Directory: Authentication Framework"). Windows Trust API ~~~~~~~~~~~~~~~~~ To ascertain an objects reliability under Win32, the WinVerifyTrust() API function is used, according to its prototype as follows: HRESULT --------------- Description --------------- WINAPI WinVerifyTrust ( HWND hwnd, <>0 to allow user to assist in trust decision DWORD dwTrustProvider, 0 = provider unknown, 1 = software publisher DWORD dwActionID, specifies what to verify LPVOID ActionData information required by the trust provider ) The HRESULT return code will be TRUST_E_SUBJECT_NOT_TRUSTED if the object is not trusted (according to the specified action in dwActionID). An error code more detailed than this could be provided by the trust provider. Creation of a Digitally Signed message ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PKCS #7 specifies several "types", such as ContentInfo, SignedData and SignerInfo. Version 1.5 of PKCS #7 describes the ContentInfo type as: ContentInfo ::= SEQUENCE { contentType ContentType, content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL } ContentType ::= OBJECT IDENTIFIER the content is (or better: MAY be) an octet-stream ASCII string to be passed to the selected digest algorithm (an example is MD2, see RFC-1321). The first step is to encode the ContentInfo field according to PKCS #7. This is the resulting encoded data: == DATA BLOCK #1 == {30 28} 06 09 0x0609: contentType = data 2A 86 48 86 F7 0D 01 07 01 PKCS #7 data-object ID A0 1B [0] EXPLICIT 04 [msg_len] content = OCTET STRING [octet stream representing the ASCII string, msg_len bytes long] <-- value (*) This (*) data is the input stream to the encoding algorithm (MD2 or other): (the identifier of the PKCS #7 data object is {1 2 840 113549 1 7 1}) == DATA BLOCK #2 == {30 20} 30 0C 0x300C: digestAlgorithm 06 08 2A 86 48 86 F7 0D 02 02 algorithm ID = MD2 05 00 parameters = NULL (0x00) 04 [block_len] digest [encoded data (MD2 output)] (the object identifier of the MD2 algorithm is {1 2 840 113549 2 2}) This data is the encoded DigestInfo. It will be encrypted under RSA using the user's private key. According to PKCS #1, RSA encryption has two main steps: an encryption data block is constructed from a padding string and the prefixed message digest; then the encryption block is exponentiated with the user's private key. The encryption block EB is the following 64-octet string: 00 01 block type FF FF FF FF FF FF FF FF FF FF FF FF FF FF padding string FF FF FF FF FF FF FF FF FF FF FF FF FF 00 separator (0x00) [here goes the whole DATA BLOCK #2] data bytes (prf. message digest) Now we need to encode various information: a SignedData value from the inner ContentInfo value, then the encrypted message digest, the issuer and serial number of the user's certificate, the certificate data, the message digest algorithm ID (MD2) and the encryption algorithm ID (PKCS #1 RSA). The encoded SignedData is: == DATA BLOCK #3 == 30 82 02 3D 02 01 01 version = 1 31 [size of inner data block] digestAlgorithms 30 [size] 06 08 2A 86 48 86 F7 0D 02 02 algorithm ID = MD2 05 00 parameters = NULL (0x00) [ContentInfo data] content = inner ContentInfo A0 82 01 [size] certificates [certificate data] user's certificate 31 81 [size] signerInfos 30 81 [size] 02 01 01 version = 1 30 [size] issuerAndSerialNumber [issuer data] issuer 02 04 {12 34 56 78} size (4), serialNumber (12345678) 30 [alg_size] digestAlgorithm 06 08 2A 86 48 86 F7 0D 02 02 algorithm ID = MD2 05 00 parameters = NULL (0x00) 30 [dig_size] digestEncryptionAlgorithm 06 [sz] rsaEncryption (d.E.A.) 2A 86 48 86 F7 0D 01 01 01 05 00 parameters = NULL (0x00) 04 [data_size] encryptedDigest [encrypted digestInfo encoded data block] Finally, a ContentInfo value from this SignedData data block is encoded (once again, using PKCS #7): 30 82 02 [size] 06 09 2A 86 48 86 F7 0D 01 07 02 contentType = signedData A0 82 02 [size] [0] EXPLICIT [here goes the whole DATA BLOCK #3] content = SignedData value (the object identifier of PKCS #7 signedData is {1 2 840 113549 1 7 2}) PKCS Key Example ~~~~~~~~~~~~~~~~ The following is the full hex dump of the above PKCS #7 encoded key. HEX Dump -------------------------------------: ASCII Dump ----: 30 82 02 50 06 09 2A 86 48 86 F7 0D 01 07 02 A0 0..P..*.H....... 82 02 41 30 82 02 3D 02 01 01 31 0E 30 0C 06 08 ..A0..=...1.0... 2A 86 48 86 F7 0D 02 02 05 00 30 28 06 09 2A 86 *.H.......0(..*. 48 86 F7 0D 01 07 01 A0 1B 04 19 41 20 64 65 6D H..........A dem 6F 20 43 6F 6E 74 65 6E 74 49 6E 66 6F 20 73 74 o ContentInfo st 72 69 6E 67 A0 82 01 5E 30 82 01 5A 30 82 01 04 ring...^0..Z0... 02 04 14 00 00 29 30 0D 06 09 2A 86 48 86 F7 0D .....)0...*.H... 01 01 02 05 00 30 2C 31 0B 30 09 06 03 55 04 06 .....0,1.0...U.. 13 02 55 53 31 1D 30 1B 06 03 55 04 0A 13 14 45 ..US1.0...U....E 78 61 6D 70 6C 65 20 4F 72 67 61 6E 69 7A 61 74 xample Organizat 69 6F 6E 30 1E 17 0D 39 32 30 39 30 39 32 32 31 ion0...920909221 38 30 36 5A 17 0D 39 34 30 39 30 39 32 32 31 38 806Z..9409092218 30 35 5A 30 42 31 0B 30 09 06 03 55 04 06 13 02 05Z0B1.0...U.... 55 53 31 1D 30 1B 06 03 55 04 0A 13 14 45 78 61 US1.0...U....Exa 6D 70 6C 65 20 4F 72 67 61 6E 69 7A 61 74 69 6F mple Organizatio 6E 31 14 30 12 06 03 55 04 03 13 0B 41 20 64 65 n1.0...U....A de 6D 6F 20 55 73 65 72 30 5B 30 0D 06 09 2A 86 48 mo User0[0...*.H 86 F7 0D 01 01 01 05 00 03 4A 00 30 47 02 40 0A .........J.0G.@. 66 79 1D C6 98 81 68 DE 7A B7 74 19 BB 7F B0 C0 fy....h.z.t..... 01 C6 27 10 27 00 75 14 29 42 E1 9A 8D 8C 51 D0 ..'.'.u.)B....Q. 53 B3 E3 78 2A 1D E5 DC 5A F4 EB E9 94 68 17 01 S..x*...Z....h.. 14 A1 DF E6 7C DC 9A 9A F5 5D 65 56 20 BB AB 02 ....|....]eV ... 03 01 00 01 30 0D 06 09 2A 86 48 86 F7 0D 01 01 ....0...*.H..... 02 05 00 03 41 00 45 1A A1 E1 AA 77 20 4A 5F CD ....A.E....w J_. F5 76 06 9D 02 F7 32 C2 6F 36 7B 0D 57 8A 6E 64 .v....2.o6{.W.nd F3 9A 91 1F 47 95 DF 09 94 34 05 11 A0 D1 DF 4A ....G....4.....J 20 B2 6A 77 4C CA EF 75 FC 69 2E 54 C2 A1 93 7C .jwL..u.i.T...| 07 11 26 9D 9B 16 31 81 9B 30 81 98 02 01 01 30 ..&...1..0.....0 34 30 2C 31 0B 30 09 06 03 55 04 06 13 02 55 53 40,1.0...U....US 31 1D 30 1B 06 03 55 04 0A 13 14 45 78 61 6D 70 1.0...U....Examp 6C 65 20 4F 72 67 61 6E 69 7A 61 74 69 6F 6E 02 le Organization. 04 14 00 00 29 30 0C 06 08 2A 86 48 86 F7 0D 02 ....)0...*.H.... 02 05 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 ...0...*.H...... 05 00 04 40 05 FA 6A 81 2F C7 DF 8B F4 F2 54 25 [email protected]./.....T% 09 E0 3E 84 6E 11 B9 C6 20 BE 20 09 EF B4 40 EF ..>.n... . ...@. BC C6 69 21 69 94 AC 04 F3 41 B5 7D 05 20 2D 42 ..i!i....A.}. -B 8F B2 A2 7B 5C 77 DF D9 B1 5B FC 3D 55 93 53 50 ...{\w...[.=U.SP 34 10 C1 E1 E1 4.... Many other demo (not only ;) keys, tons of related C++ source/libraries for Linux and Win32 and documentation can be found on my web site at this address (case sensitive): http://members.tripod.com/~xception_0x0A28/penumbra.html "That which does not kill us makes us stronger" -- Friedrich Nietzsche ----[ EOF