Acrobat Distiller, Job 283 - augi.com · 3 Types of Digital Signatures E-mail only • Good for...


Page 1:

Digital Signatures for CAD and More

Peter Sheerin

Dec 3, 2003, 11:00 AM to 12:30 PM

Course CM21-1

Page 2:

Digital Certificates & AutoCAD 2004

• Used for digital signatures only, not encryption—AutoCAD’s encryption does not use X.509, just a password.
• Anyone who knows the password can open an encrypted AutoCAD 2004 drawing.
• With PKI/X.509 encryption, only the intended recipient can decrypt the file.
• For complete details on AutoCAD’s PKI support, please reference Tom Stoeckel’s Tuesday afternoon class—Childproof Drawings: Security Features of AutoCAD 2004 (CM12-1).

How easy is it?

Let’s go get a free, trial certificate.

Page 3:

Types of Digital Signatures

E-mail only
• Good for verifying that e-mail came from the stated address, and for verifying that a document was signed by someone with access to that e-mail address.

Personal
• More expensive, but verifies that you are who you claim to be. The checks are against a driver’s license or passport, plus your address, and checks of various databases. Sometimes these need to be done in person, but usually the confirmation information is sent back via postal mail.

Business
• The same checks as for personal certificates are done, plus checks that you actually work for the company you claim to work for. Probably the best for business uses.

What is a digital certificate?

• A certificate contains identifying information such as your name, e-mail address, company name, mailing address, etc., depending on the type of certificate issued.
• A public certificate contains your public key—the one others use to check your digital signatures, and to encrypt messages to you. You can always feel safe about sharing a public certificate, on the web, by e-mail, or whatever (at least until spam bots start looking for e-mail addresses inside the certificates).
• Or: a private certificate contains your private key. This should never be shared, and should be highly protected by you!
• The third part is a signature from a Certificate Authority, certifying the accuracy of the public key and the identifying information.

Page 4:

Role of Certificate Authority

• Issues you a digital certificate.
• Acts as a reference, to vouch for the validity of the data it has certified.
• Maintains a database of the certificates, allowing others to search for your certificate, and for you to revoke the certificate if it becomes compromised.

What can you do with a digital certificate?

Digitally sign e-mail messages
• Proves that the message was not tampered with, and really came from the claimed e-mail address (the recipient only needs an S/MIME-supporting client).

Encrypt e-mail messages
• So that only the intended recipient can open the message. You must have that recipient’s public certificate to encrypt messages to them.

Sign and/or encrypt Instant Messages
• Makes your online chats trusted and secure.

Sign documents
• AutoCAD, PDF, MS Office, others.

Page 5:

Getting a Digital Certificate

Sources include:
• Verisign
  • https://digitalid.verisign.com/
  • http://www.verisign.com/products/class1/index.html (e-mail address verification only)
  • http://www.verisign.com/products/class1/aim/index.html (for AOL Instant Messenger)
• Digital Signature Trust
  • http://www.digsigtrust.com/
  • http://www.digsigtrust.com/certificates/trust/exchange.html (server, business, and personal certificates)
• Thawte (free e-mail certificates, supposedly)
  • http://www.thawte.com/html/COMMUNITY/personal/index.html

Storing a Signature

Hard Drive
• Only as secure as the PIN or password (if any) you choose to assign
• Not easy to transfer from one computer to another

USB flash drive
• No standard interface for accessing a digital certificate stored on removable media

Smart Card/USB Token
• Can be much more secure, because you need to have both the card and the security PIN.
• The most secure version is the type that requires a fingerprint or other biometrics to use it

Page 6:

Finding Others’ Certificates

Verisign—Web search
• https://digitalid.verisign.com/services/client/index.html
• Search by name or e-mail address

Verisign—LDAP directory server
• directory.verisign.com (port 389)
• Search using the name lookup in your e-mail client

Digital Signature Trust—LDAP directory server
• ldap.digsigtrust.com (port 389)
• Search using the name lookup in your e-mail client

Messaging Clients

• Outlook
• Outlook Express
• Netscape Mail
• AIM
• AOL Communicator
• Strangely, no version of AOL mail supports digital certificates for AOL e-mail accounts, although AOL Communicator supports their use for standard POP3 and IMAP accounts.

Page 7:

Cool things to do with PKI

• Use e-mail filters/rules to give priority to digitally signed e-mail

Cool things that should be possible

• Include the certificate in an electronic business card (vCard), for easier distribution.
  • Haven’t found software that will generate such a vCard
• Commercial spam filters that act on signed messages
  • Verify the validity of the signature, to prevent spammers from spoofing the system
  • Make sure signed mail isn’t deleted
• Web sites use your certificate for log-on, instead of making you remember a different username/password for each site

Page 8:

Demonstrations

• Send, receive signed e-mail
• Sign documents
• Export public and private certificates
• Import certificates into different applications
• What to do when you lose a certificate—how to revoke

Certificate/Key formats

.pfx, .p12
• PKCS #12 personal information exchange, can contain the private key

.p7b
• PKCS #12 certificates, cannot contain the private key; IE export format.

.cer
• DER encoded binary X.509, cannot contain the private key, Java 1.3 certs
• Base-64 encoded X.509, cannot contain the private key, Java 1.3 certs
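The following script is an added example, not code from Peter Sheerin’s slides or from any of the vendors named on them. It uses the openssl command line to act out what pages 2, 3, 4 and 8 describe: a Certificate Authority signs a user’s identifying information and public key into a certificate (the “third part” from page 3), the user clear-signs a message with S/MIME, a recipient verifies it and sees a copy edited after signing fail, the message is encrypted so that only the holder of the private key can read it (the X.509 contrast with password-only encryption on page 2), and the certificate is written out in the formats on page 8. The CA name “Demo CA”, the user “Alice”, alice@example.test, the message text and the password demo-pass are all constructed for this example; the only assumption is an openssl binary (1.1.1 or later) on the PATH. For the .p7b file, openssl’s crl2pkcs7 writes the PKCS #7 certificate container that Internet Explorer exports under that extension.

```shell
#!/bin/sh
# Added example, not from the presentation: a miniature PKI with openssl.
# "Demo CA", "Alice", alice@example.test, the message and the password
# demo-pass are constructed for this example.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

make_ca() {
  # Self-signed CA key and certificate; the CA's signature is the "third part"
  # of every certificate it issues.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
}

make_user_cert() {
  # The private key stays with the user. The CSR carries the identifying
  # information (name, e-mail) plus the public key; the CA signs it.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Alice/emailAddress=alice@example.test" \
    -keyout alice.key -out alice.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' > leaf.ext
  openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out alice.crt 2>/dev/null
}

sign_message() {
  # Clear-signed S/MIME: the text stays readable; the PKCS #7 signature and
  # Alice's certificate travel with it. $1 = plaintext file, $2 = output.
  openssl smime -sign -in "$1" -signer alice.crt -inkey alice.key -out "$2"
}

verify_message() {
  # Exit status 0 only when the signature chains to a CA we trust (ca.crt)
  # and the content is exactly what was signed.
  openssl smime -verify -in "$1" -CAfile ca.crt -out /dev/null 2>/dev/null
}

encrypt_message() {
  # Encrypting needs only the recipient's PUBLIC certificate (page 4).
  openssl smime -encrypt -binary -aes256 -in "$1" -out "$2" alice.crt
}

decrypt_message() {
  # Decrypting needs the matching PRIVATE key; $3 lets the demo try a wrong one.
  openssl smime -decrypt -in "$1" -out "$2" -inkey "$3" 2>/dev/null
}

export_formats() {
  # .pfx/.p12: PKCS #12 bundle that DOES hold the private key; password
  # protected, never published.
  openssl pkcs12 -export -inkey alice.key -in alice.crt -certfile ca.crt \
    -passout pass:demo-pass -out alice.p12
  # .cer, DER: binary X.509, public parts only.
  openssl x509 -in alice.crt -outform DER -out alice-der.cer
  # .cer, Base-64: the same certificate as PEM text.
  openssl x509 -in alice.crt -outform PEM -out alice-b64.cer
  # .p7b: PKCS #7 container holding the certificate chain, no private key.
  openssl crl2pkcs7 -nocrl -certfile alice.crt -certfile ca.crt -out alice.p7b
}

contains_private_key() {
  # $1 = file, $2 = p12 or x509. True when a private key is inside.
  case "$2" in
    p12) openssl pkcs12 -in "$1" -passin pass:demo-pass -nocerts -nodes 2>/dev/null \
           | grep -q "PRIVATE KEY" ;;
    *)   grep -q "PRIVATE KEY" "$1" ;;
  esac
}

fingerprint() {
  # SHA-256 fingerprint of the certificate in $1, encoded as $2 (DER or PEM).
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

cert_count_p7b() {
  openssl pkcs7 -in "$1" -print_certs | grep -c "BEGIN CERTIFICATE"
}

run_demo() {
  make_ca
  make_user_cert
  printf 'Drawing revision 7: wall length 100 feet.\n' > message.txt
  sign_message message.txt message.p7m
  sed 's/100 feet/900 feet/' message.p7m > tampered.p7m   # edited after signing
  encrypt_message message.txt secret.p7m
  export_formats
  verify_message message.p7m && echo "original:  signature valid"
  verify_message tampered.p7m || echo "tampered:  signature INVALID"
  decrypt_message secret.p7m plain.txt alice.key && echo "decrypted: $(cat plain.txt)"
  decrypt_message secret.p7m /dev/null ca.key || echo "wrong key: cannot decrypt"
  echo "DER fingerprint: $(fingerprint alice-der.cer DER)"
  echo "PEM fingerprint: $(fingerprint alice-b64.cer PEM)"
  echo "certificates in .p7b: $(cert_count_p7b alice.p7b)"
}

run_demo
```

Run it with sh; everything is written to a temporary directory. The .p12 file is the only artifact that holds the private key, which is why the slides tell you to protect it and to share only the public certificate; the DER and Base-64 .cer files are the same certificate in two encodings, as their identical fingerprints show; and the tampered copy fails verification because the signature covers the exact bytes that were signed.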

Page 9:

Contacting Me

Day Job

Peter K. Sheerin
Product Review Editor, Game Developer magazine
Editor, [email protected]
• Address accepts only S/MIME messages—those using X.509 certificates for encryption and/or signing.

Published by CMP Media, former owner of a certain CAD magazine

Page 10:

Personal Web Site

Peter K. Sheerin
PetesGuide.com
• A blog and reference site about technology—mostly Web standards, but other stuff, too.
[email protected]
• Address accepts only S/MIME messages—those using X.509 certificates for encryption and/or signing.
[email protected] if you can’t use secure e-mail

The CAD Society

Joe Greco, President
Peter K. Sheerin, Secretary/Webmaster
http://www.CADsociety.org/