Digital Signatures for CAD and More (class handout, augi.com)
Digital Signatures for CAD and More
Peter Sheerin
Dec 3, 2003, 11:00 AM to 12:30 PM
Course CM21-1
Digital Certificates & AutoCAD 2004
• Used for digital signatures only, not encryption—AutoCAD’s encryption does not use x.509, just a password.
• Anyone who knows the password can open an encrypted AutoCAD 2004 drawing.
• With PKI/x.509 encryption, only the intended recipient can decrypt the file.
• For complete details on AutoCAD’s PKI support, please reference Tom Stoeckel’s Tuesday afternoon class—Childproof Drawings: Security Features of AutoCAD 2004 (CM12-1).
How easy is it?
• Let’s go get a free, trial certificate
Types of Digital Signatures
E-mail only
• Good for verifying that e-mail came from the stated address, and for verifying that a document was signed by someone with access to that e-mail address
Personal
• More expensive, but verifies that you are who you claim to be. The checks are against a driver’s license or passport, plus your address, and checks of various databases. Sometimes these need to be done in person, but usually the confirmation information is sent back via postal mail.
Business
• Same checks as personal are done, and checks are made that you actually work for the company you claim to work for. Probably the best for business uses.
What is a digital certificate?
• A certificate contains identifying information such as your name, e-mail address, company name, mailing address, etc., depending on the type of certificate issued.
• A public certificate contains your public key—the one others use to check your digital signatures, and to encrypt messages to you. You can always feel safe about sharing a public certificate, on the web, by e-mail, or whatever (at least until spam bots start looking for e-mail addresses inside the certificates).
• -or- A private certificate contains your private key. This should never be shared, and should be highly protected by you!
• The third part is a signature from a Certificate Authority, certifying the accuracy of the public key and the identifying information.
Role of Certificate Authority
• Issues you a digital certificate.
• Acts as a reference, to vouch for the validity of the data it has certified.
• Maintains a database of the certificates, allowing others to search for your certificate, and for you to revoke the certificate if it becomes compromised.
What can you do with a digital certificate?
Digitally sign e-mail messages
• Proves that the message was not tampered with, and really came from the claimed e-mail address (the recipient only needs an S/MIME-supporting client).
Encrypt e-mail messages
• So that only the intended recipient can open the message. You must have that recipient’s public certificate to encrypt messages.
Sign and/or encrypt Instant Messages
• Makes your online chats trusted and secure
Sign documents
• AutoCAD, PDF, MS Office, others.
Getting a Digital Certificate
Sources include:
• Verisign
  • https://digitalid.verisign.com/
  • http://www.verisign.com/products/class1/index.html (e-mail address verification only)
  • http://www.verisign.com/products/class1/aim/index.html (for AOL Instant Messenger)
• Digital Signature Trust
  • http://www.digsigtrust.com/
  • http://www.digsigtrust.com/certificates/trust/exchange.html (server, business, and personal certificates)
• Thawte (free e-mail certificates, supposedly)
  • http://www.thawte.com/html/COMMUNITY/personal/index.html
Storing a Signature
Hard Drive
• Only as secure as the PIN or password (if any) you choose to assign
• Not easy to transfer from one computer to another
USB flash drive
• No standard interface for accessing digital certificates stored on removable media
Smart Card/USB Token
• Can be much more secure, because you need to have the card and the security PIN.
• The most secure version is the type that requires a fingerprint or other biometrics to use it
Finding Others’ Certificates
Verisign—Web search
• https://digitalid.verisign.com/services/client/index.html
• Search by name or e-mail address
Verisign—LDAP directory server
• directory.verisign.com (port 389)
• Search using the name lookup in your e-mail client
Digital Signature Trust—LDAP directory server
• ldap.digsigtrust.com (port 389)
• Search using the name lookup in your e-mail client
Messaging Clients
• Outlook
• Outlook Express
• Netscape Mail
• AIM
• AOL Communicator
• Strangely, no version of AOL mail supports digital certificates for AOL e-mail accounts, although AOL Communicator supports their use for standard POP3 and IMAP accounts.
Cool things to do with PKI
• Use e-mail filters/rules to give priority to digitally-signed e-mail
Cool things that should be possible
• Include certificate in an electronic business card (vCard), for easier distribution.
  • Haven’t found software that will generate such a vCard
• Commercial spam filters that act on signed messages
  • Verify validity of signature, to prevent spammers from spoofing the system
  • Make sure signed mail isn’t deleted
• Web sites use your certificate for log-on, instead of making you remember a different username/password for each site
Demonstrations
• Send, receive signed e-mail
• Sign documents
• Export public and private certificates
• Import certificates into different applications
• What to do when you lose a certificate—how to revoke
Certificate/Key formats
.pfx, .p12
• PKCS #12 personal information exchange, can contain private key
.p7b
• PKCS #12 certificates, cannot contain private key; IE export format.
.cer
• DER encoded binary x.509, cannot contain private key, Java 1.3 certs
• Base-64 encoded x.509, cannot contain private key, Java 1.3 certs
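The three-part certificate described under “What is a digital certificate?” and the export formats listed above, acted out with openssl as an added example that is not part of the handout: a constructed CA issues an e-mail certificate, the certificate S/MIME-signs a document, verification succeeds and then fails once the text is altered, and the certificate is exported as .p12, .p7b (a PKCS #7 certificate bundle) and .cer, with a check of which file actually yields a private key. Every name, the user@example.invalid address and the demo-only password are constructed; it assumes a POSIX shell with the openssl command available.

```shell
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Build a throwaway CA (standing in for Verisign or Thawte) and have it
# certify a user's public key plus identifying information. All constructed.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null
    # The user's key pair and a request carrying the name and e-mail address.
    openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
        -subj "/CN=Demo User/emailAddress=user@example.invalid" 2>/dev/null
    # The CA's signature over that request is the third part of the certificate.
    openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -out user.pem >/dev/null 2>&1
}

# S/MIME-sign a document and verify it against the CA; exit status 0 = valid.
sign_and_verify() {
    printf 'Drawing rev 7 approved for release.\n' > doc.txt
    openssl smime -sign -in doc.txt -signer user.pem -inkey user.key -out doc.p7m
    openssl smime -verify -in doc.p7m -CAfile ca.pem -out /dev/null 2>/dev/null
}

# Alter the signed text: verification must now fail (non-zero exit status).
tampered_verifies() {
    sed 's/rev 7/rev 8/' doc.p7m > doc_tampered.p7m
    openssl smime -verify -in doc_tampered.p7m -CAfile ca.pem -out /dev/null 2>/dev/null
}

# Export the certificate in the formats listed above.
export_formats() {
    # .p12/.pfx: PKCS #12 bundle; it carries the private key, so it gets a password.
    openssl pkcs12 -export -in user.pem -inkey user.key -certfile ca.pem \
        -passout pass:demo-only -out user.p12
    # .p7b: PKCS #7 certificate bundle, public certificates only.
    openssl crl2pkcs7 -nocrl -certfile user.pem -certfile ca.pem -out user.p7b
    # .cer: one certificate, here DER (binary); -outform PEM gives the Base-64 form.
    openssl x509 -in user.pem -outform DER -out user.cer
}

# Count the private keys recoverable from a file (0 = the format cannot carry one).
key_count() {
    case "$1" in
        user.p12) openssl pkcs12 -in "$1" -nocerts -nodes -passin pass:demo-only 2>/dev/null ;;
        user.p7b) openssl pkcs7 -in "$1" -print_certs ;;
        *)        openssl x509 -in "$1" -inform DER ;;
    esac | grep -c 'BEGIN.*PRIVATE KEY' || true
}
```

After sourcing the script, `make_pki; sign_and_verify; export_formats; key_count user.p12; key_count user.p7b` prints 1 for the .p12 and 0 for the .p7b, matching the slide’s “can contain” and “cannot contain private key” notes.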
Contacting Me
Day Job
Peter K. Sheerin
Product Review Editor, Game Developer magazine
Editor, [email protected]
This address accepts only S/MIME messages—those using x.509 certificates for encryption and/or signing.
Published by CMP Media, former owner of a certain CAD magazine
Personal Web Site
Peter K. Sheerin
PetesGuide.com
A blog and reference site about technology—mostly Web standards, but other stuff, too.
[email protected]
This address accepts only S/MIME messages—those using x.509 certificates for encryption and/or signing.
[email protected] if you can’t use secure e-mail
The CAD Society
Joe Greco, President
Peter K. Sheerin, Secretary/Webmaster
http://www.CADsociety.org/