Digital Certificates

wrathrow11wrathrow11 Member Posts: 5 ■□□□□□□□□□
Can Digital Certificates be copied, and used to become someone else?

e.g Eve copied Alice's Digital Certificate and use it to send email to Bob, so that Bob will think the email came from Alice.

Comments

  • haltokhaltok Member Posts: 13 ■□□□□□□□□□
    according to the sybex book:

    "The digital signature is derived from a hash process that is only known to the originator." So i suppose if you knew the hash process then yes??
  • s3nt3nc3s3nt3nc3 Member Posts: 3 ■□□□□□□□□□
    Alice can share her digital certificate safely to provide, for example, a secure channel with Tom, or Bob, or Sam...
    Eve can't sign any mail with the cert of Alice because she don't know the Private Key of Alice (....I hope ;).
    This is the process of signing a mail to Bob:

    Alice:
    -Compute the hashing value of message (md5 or sha-1)
    -Encrypt the hash with Private Key (...sorry Eve)
    -Associate the encrypted hash with message

    Bob:
    -Decrypt the hash with Public Key of Alice
    -Compute the hash value of message(with the same alg. used from Alice)
    -Compare the hashes to verify the sender is really Alice

    Ciao
  • SartanSartan Inactive Imported Users Posts: 152
    Before the days of certificate authorites, transmissions still began unencrypted. The first few packets of a transaction contained an unencrypted session key, which could then be copied and hashed. If you ran a packet sniffer continiously on a network you might be able to grab a key like that. However if you use IPSec polices you won't have to worry about it. Most important to the entire certificate process is an authority qualified to handle all transactions. Qualified No, they can't be copied.

    The key at the bottom of the email (not in text) is the public key, not the private key. The data should be nice and safe. Just make sure your certificates don't get stolen or your authority hacked.
    Network Tech student, actively learning Windows 2000, Linux, Cisco, Cabling & Internet Security.
  • tahjzhuantahjzhuan Member Posts: 288 ■■■■□□□□□□
    we used to keep our private keys on fortezza cards and if the card was lost or stolen, the certificate was put on a certificate revocation list (CRL). This made the card useless even if someone found the pin to the fortezza card.

    you can store the keys on a common access card (CAC), fortezza card, or a floppy. It all depends on the cost you're willing to pay and the amount of security you're looking to implement.

    to make a short story long, never say never

    the certificate should be accompanied by a stong password or pin just in case it does fall into the wrong hands

    *disclaimer*
    I'm not sure if this helps any I'm just trying to keep it fresh in my mind
Sign In or Register to comment.