Monday, 19 November 2012

How to tell if a digital signature is trustworthy


        Digital signatures play a central role in software security. This article explains what a digital signature is, and how you can check to make sure that a digital signature is trustworthy.
What is a digital signature?
A digital signature is used to authenticate digital information, such as documents, e-mail messages, and macros, by using computer cryptography. (To authenticate is to verify that people and products are who and what they claim to be; for example, confirming the source and integrity of a software publisher's code by verifying the digital signature used to sign the code.) Digital signatures help to establish the following assurances:
*  Authenticity The digital signature helps to assure that the signer is who they claim to be.
*  Integrity The digital signature helps to assure that the content has not been changed or tampered with since it was digitally signed.
*  Non-repudiation The digital signature helps to prove to all parties the origin of the signed content. "Repudiation" refers to the act of a signer's denying any association with the signed content.
To make these assurances, the content must be digitally signed by the content creator, using a signature that satisfies the following criteria: the signature itself must be valid (the content has not been altered since it was signed), the certificate used for the signature must be current rather than expired and must chain to a certificate authority the computer trusts, and the publisher must be trusted.
The 2007 Microsoft Office system programs check these criteria for you, and alert you if there is a problem with the digital signature. For details, see the last section in this article, How to tell if a digital signature is trustworthy.
View a digital signature in a signed document
This section applies to the following 2007 Microsoft Office system programs: Excel, Word, and PowerPoint.
When you review any signed content, you should look at the attached signature details and the certificate used to create that signature to find out whether there are any potential problems.
1.     With the document open, click the Microsoft Office Button, and then click Prepare.
2.     Click View Signatures.
Tip You can also click the Signatures button at the bottom of your screen.
3.     In the Signatures pane, click the signature that you want to view, click the arrow next to the signature name, and then click Signature Details.
4.     In the Signature Details dialog box, click View.
Evaluating the digital signature is covered in the last section in this article, How to tell if a digital signature is trustworthy.
View a digital signature in a signed e-mail message
1.     Open the digitally signed message.
2.     Look at the Signed By status line and note the e-mail address of the person who signed the message.
Important It is not enough to check the e-mail address in the From line, because you need to verify who actually signed the message, not just who claims to have sent it. The From line is set by the sender and is trivially forged; the Signed By identity comes from the certificate that produced the signature. If the e-mail address in the From line does not match the e-mail address in the Signed By status line, the Signed By line is the one to use in identifying who actually signed the message, and the mismatch itself is a reason for suspicion.
3.     Check to see whether the signature is valid or invalid.
*  If the button on the Signed By status line appears as the normal signature icon, the signature is valid. For more information about the status of the signature, click the button.
*  If a red underline appears under the Signed By status line and the button appears as an exclamation mark, the signature is invalid. For more information about the status of the signature, click the button.
4.     To see more information about why there is a problem with the digital signature, such as the certificate being invalid, click Details.
5.     In the next security dialog box that appears, click View Details to see information about the certificate used in the digital signature.
View a digital signature for a signed macro
When you open a document that contains a signed macro project and there is a problem with the signature, the macro is disabled by default and the Message Bar appears to notify you of a potentially unsafe macro. However, this does not occur if you are opening the document from a trusted location: documents in a trusted location are not checked at all, so their macros run whether or not the signature is good.
If the macros have been signed, you can view the certificates for the files by doing the following:
1.     On the Message Bar, click Options.
2.     If the macros are signed, the security dialog box shows a Signature area.
3.     Click Show Signature Details.
How to tell if a digital signature is trustworthy
This section describes what you should look for when you evaluate the trustworthiness of a digital signature.
The digital signature is OK
A valid digital signature is identified by a message at the top of the Digital Signature Details dialog box, confirming that the digital signature is OK. You should also note the timestamp details under Countersignatures. A timestamp countersignature comes from a timestamp authority (in this example, VeriSign) and attests that the signature already existed at the stated time; it does not mean that the authority reviewed or approved the signed content. Its practical value is that a timestamped signature stays verifiable after the signing certificate expires, provided the certificate was valid when the signature was made.
The date for the time stamp (in this case, August 7, 2003) should fall within the certificate's validity period, between its Valid from and Valid to dates. To see the date range in the digital signature, click View Certificate.
The publisher (in this case, Microsoft Corporation) is trusted by default on computers running the Microsoft Windows operating system, because the Microsoft root certificates that its code-signing certificates chain to are located in the Trusted Root Certification Authorities store. If a publisher is not trusted by default, you must explicitly trust the publisher, which places its certificate in the Trusted Publishers store. Otherwise, the content signed by that publisher does not pass the security software checks.
Checking for the red X
A digital signature that presents problems is shown in the Digital Signature Details dialog box with a red X.
The red X can appear for the following reasons:
*  The digital signature is invalid for some reason. (For example, the content has been altered since it was signed.)
*  The certificate that produced the digital signature has expired, and no timestamp shows that the signature was made while it was still valid.
*  The publisher is not trusted.
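The three checks behind "the digital signature is OK" and "the red X" above (signature valid, certificate current, publisher trusted) can be run outside the Office dialogs. The following is an added example, not code from the original article: it uses PowerShell's Get-AuthenticodeSignature and the .NET X509Chain class against a signed file on disk. The file path is a placeholder; point it at a signed script or executable you actually have.

```powershell
# Added example, not from the original article. Runs the same three checks
# the article describes (signature valid, certificate current, publisher
# trusted) against a signed file with Get-AuthenticodeSignature.
# Assumption: the path passed in is a placeholder; use a real signed file.
function Test-SignatureTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path             = $Path
        Status           = $sig.Status      # Valid, HashMismatch, NotTrusted, NotSigned, ...
        StatusMessage    = $sig.StatusMessage
        Signer           = $null
        ValidFrom        = $null
        ValidTo          = $null
        Timestamped      = $false
        ChainTrusted     = $false
        ChainErrors      = @()
        TrustedPublisher = $false
    }

    # HashMismatch is the article's "content altered since it was signed" case;
    # NotSigned means there is no certificate to evaluate at all.
    if (-not $sig.SignerCertificate) { return [pscustomobject]$result }

    $cert = $sig.SignerCertificate
    $result.Signer    = $cert.Subject
    $result.ValidFrom = $cert.NotBefore
    $result.ValidTo   = $cert.NotAfter

    # A timestamp countersignature is what lets a signature stay verifiable
    # after the signing certificate expires; without one, a past ValidTo is fatal.
    $result.Timestamped = [bool]$sig.TimeStamperCertificate

    # Rebuild the chain to a root in Trusted Root Certification Authorities,
    # requiring the Code Signing EKU and checking revocation online.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $codeSigning = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigning) | Out-Null
    $result.ChainTrusted = $chain.Build($cert)
    $result.ChainErrors  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # "Trust all documents from this publisher" puts the certificate in the
    # Trusted Publishers store (not the root store); check user and machine.
    $trusted = Get-ChildItem Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher -ErrorAction SilentlyContinue
    $result.TrustedPublisher = [bool]($trusted | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

    [pscustomobject]$result
}

# Usage with a placeholder path. Look at Status, Timestamped, ChainErrors and
# TrustedPublisher together before deciding to run anything the file carries.
Test-SignatureTrust -Path 'C:\Scripts\deploy.ps1' | Format-List
```

A Status of Valid with ValidTo in the past and Timestamped set to True is the legitimate "expired but timestamped" case described above; Valid with an empty ChainErrors list but TrustedPublisher False is a signature from a publisher you have not yet chosen to trust, which is exactly where Office stops and asks.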
What you should do if there is a problem with a signature
When there is a problem with a digital signature, depending on your situation, you can do any of the following:
*  Contact the source of the signed content, and let them know that there is a problem with the signature.
*  Contact the IT administrator in charge of your organization's security infrastructure.
*  If you are confident that the macro or other active content associated with the document is trustworthy, you can save the document to a trusted location. Documents in trusted locations are allowed to run without being checked by the Trust Center security system, so a trusted location should be a folder that only you or your administrator can write to; a folder such as Downloads, Temp, or a shared network drop defeats the purpose. Using trusted locations is a better option than lowering your security level settings for all macros.
*  You can explicitly trust the publisher.
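Because a trusted location bypasses every check described in this article, it is worth knowing which folders are already configured that way. The following is an added example, not code from the original article: it lists the trusted locations for the current user's Word, Excel and PowerPoint and flags the ones that are broad enough to be dangerous. It assumes the Office 2007 registry layout, where each location is a subkey under HKCU:\Software\Microsoft\Office\12.0\<App>\Security\Trusted Locations with Path, Description and AllowSubfolders values.

```powershell
# Added example, not from the original article: audit the trusted locations
# that let documents run without Trust Center checks.
# Assumption (Office 2007 registry layout): each location is a subkey under
# HKCU:\Software\Microsoft\Office\12.0\<App>\Security\Trusted Locations
# with Path, Description and AllowSubfolders values.
function Get-OfficeTrustedLocation {
    param(
        [string[]]$App = @('Word', 'Excel', 'PowerPoint'),
        [string]$Version = '12.0'
    )

    foreach ($a in $App) {
        $base = "HKCU:\Software\Microsoft\Office\$Version\$a\Security\Trusted Locations"
        if (-not (Test-Path $base)) { continue }

        foreach ($key in Get-ChildItem $base) {
            $p = Get-ItemProperty $key.PSPath
            if (-not $p.Path) { continue }
            $path = [Environment]::ExpandEnvironmentVariables($p.Path).TrimEnd('\')

            # Anything a browser, mail client or other users can write to
            # (downloads, temp, a UNC share, the whole profile) turns a
            # trusted location into "run any macro dropped here".
            $risky = ($path -ieq $env:USERPROFILE) -or
                     ($path -ieq $env:TEMP) -or
                     ($path -match '(?i)\\Downloads$') -or
                     ($path -like '\\*')

            [pscustomobject]@{
                Application     = $a
                Key             = $key.PSChildName
                Path            = $path
                Description     = $p.Description
                AllowSubfolders = [bool]$p.AllowSubfolders
                Risky           = $risky
            }
        }
    }
}

# Usage: risky entries first, so they can be removed through Trust Center >
# Trusted Locations or with Remove-Item on the listed key.
Get-OfficeTrustedLocation | Sort-Object Risky -Descending | Format-Table -AutoSize
```

AllowSubfolders widens each entry to everything beneath it, so a risky path with AllowSubfolders set deserves attention first.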

2 comments:

  1. Amazing! I always wonder if there is a way to check if a digital signature is legit or not. I am fortunate that I found this article in which you have posted so many good ways to check a signature.