Ensuring Digital Signature Lawfulness for Nonprofits in Mexico

How to eSign a document: digital signature lawfulness for Nonprofit in Mexico

we all know certificates and we are using them on a daily basis even if we don't necessarily call them certificates let me give you two examples first one if I browse to my own website dot onemark50.com then I can see this little padlock icon here in the address bar if I click on it then my browser tells me that my connection is secure and that I have a valid certificate hmm yeah that's great but what does it actually mean what is secure and what am I protected from we'll come to that but first let me tell you a little story this is my nephew he's five years old and he has a Kick Scooter one day I visit my brother-in-law and we are all sitting on The Veranda my nephew Drives By and starts making car driving noises I was up to the game stood up and said hold it citizen may I see your driver's license place now my nephew is smart and seemed to be prepared so he shows me this I try to maintain a strict phase and say thank you sir your license does check out please continue and have a nice day I invented this story but it shows nicely what a certificate is a certificate is a document that is linked to an identity in this case Mark's nephew so Marek's nephew can use this to prove his identity but no one else can a certificate has a subject and or a purpose in this case it proves that the person using it is authorized to drive a Kick Scooter it could not be used to fly an airplane it also has an issuer in this case it's my nephew it's a so-called self-signed certificate because he issued it to himself anyone who trusts the issuer would in turn trust the certificate but what would this license be accepted in the real world if he drove a real car on the railroad presumably no if we compare this license to a real driver's license in the real world however then there's actually only one single difference here the issuer a driver's license in the real world would be issued by the government typically or by any Authority that is authorized by the government such as a state or a county or a city and so on Plus those certificates have a certain number of features which makes it difficult to falsify or copy them this example from the Swiss government shows some of these features on the Swiss driver's license back to the certificate on my website onemark50.com how can it be that everyone on this planet trusts this certificate let me examine it for this I would use a cool software called xca by Christian hunstadt it's awesome and it's free open source if we browse to .hunt.de then we can download it for various platforms such as Linux Mac OS or Windows there's even a portable version of this guys all links to the software are in the description of the video so let me go to my blog site then I click on the padlock and view the details of the certificate I will then export it into a file as a file format with Google Chrome I use pkcs7 certificate chain because that format includes the most information in Firefox you can save it as a full chain pem file by just clicking on that link that it shows on the certificate detail page next I will use xca to import it just before I can use xca I need to quickly generate a new database for certificates and keys that can be any file anywhere and of course it needs to be protected with a password now I click on import then pkcs 7 and select the file that I had just exported from my browser here we go on the certificates tab I can now see the details and equally important I can see the chain of trust the full certificate chain my certificate .onemak50.com had been issued by someone or something called RS3 and that certificate had been issued by a corpus called isrg root X1 let's go bottom up I'm interested in two Fields here the subject and the issuer the subject of my certificate is .walmartmark50.com the issuer is R3 who surprise belong to Let's encrypt let me go one level up by clicking on this green R3 in the signature field here the subject of the R3 certificate is identical to the issuer of the onmark50.com certificate and the issue of this one is of course the Internet Security research group or short isrg again one level up to the root certificate the so-called certificate Authority or CA and surprise this CA certificate which is at the root level of the chain appears to be self-signed the issuer and the subject are identical but wait that one is self-signed just like my nephew's kick Scooter's license yet right and everyone trusts that one how can that be that sounds wrong well the secret is lifted if we check on the root certificate authorities that my browser or my operating system trusts out of the box on my Linux machine I can find them here in slash user slash share CA certificate Mozilla and there we go there are a lot of certificates and of course there is the isrg root X1 so it's part of the well-known companies or organizations that are trusted by the common browser products they are commonly trusted and we just learned one more thing a CA or certification Authority is just a self-signed certificate really in your browser you can find them in the settings under the Security Options here in Chrome you go to settings then privacy and security click on security then scroll down to manage certificates and then select the authorities tab you can as well export them from there with the context menu Firefox you can find this under settings privacy and security then scroll all the way down to certificates and click on view certificates again select the authorities tab select the certificate and you can export it using the export button at the bottom in other words the trust for those self-signed root CA certificate is built into the products that use them typically that's your browser a server certificate that is signed or issued by such a trusted CA can prove to everyone that the server that I'm connecting to actually is who it pretends to be but could I go around this could I use these certificates let's say in an isolated environment I mean I have a valid certificate here for ibm.com I have just saved it from chrome like I did with my own certificate obviously I can't IBM's identity in the web because I don't control the DNS service and I have no interest doing this but could I now let's say Define ibm.com to be my internet or my internal domain name rather Here in My Lan with my local DNS server then I would set up a web server still in my local land and set up a host called then browse to that internal web server would I get one of these nasty security warnings or would I get a certificate for free you may have guessed this is not possible but why and how well this is how certificates are supposed to work only the owner can use them but anyone and everyone can verify them just like photo ID in the real world let's go back to xca the onemark50.com certificate has been signed by the R3 certificate that's why the R3 appears green here in the signature field and there is a public key stored inside the one Mark 50 certificate that allows me to verify that signature coming from the private key of the R3 certificate watch what happens when I delete the R3 certificate I can still see that public key but I can't verify the signature because the signing certificate is not there anymore let me quickly explain how private and public Keys work in a nutshell with algorithms like RSA we can do four or rather five things with private or public Keys we can encrypt decrypt sign and verify and as a consequence we can authenticate the trick is now that you can only verify the signature that has been made with one key by using the other key the same is true for encryption and decryption you can only decrypt data with one key that had been encrypted with the other key in real life we use the private key to sign something that means that only the public key can verify the signature one person can sign and everyone can verify the other way around everyone can encrypt with a public key and only the owner of the private key can decrypt how is that possible let's do a little bit of math don't worry it will not get too complicated in fact we would need an operation that can easily be done in One Direction but is impossible or let's say hard to do in the other direction let me give you one example if I was to calculate let's say 3 times 7 times 17 times 23. that's quite easy to do the result is 8211. the numbers that I have used for this multiplication are prime numbers now if I would ask you to do this the other way around so if I would ask you to tell me which prime numbers I have multiplied in order to get to 8211 then this is much much harder to do if the calculation in One Direction would need let's say four CPU Cycles then the reverse calculation could use hundreds or maybe even thousands of Cycles it would take much much more time now of course this is feasible with 8211 but what if I had not used 7 or 17 as prime numbers but really huge prime numbers such as 2 to the power of 255 minus 19. that's a number with 77 digits virtually impossible it would take the fastest computer on this planet thousands of years to calculate it maybe a it could go faster if it had a huge hash table with all known prime numbers and a really big number of pre-calculated hashes the algorithms that are used for public and private keys are of course much more complex than this but I think you get the idea in a nutshell it is not impossible to let's say calculate or find a private key if you only have the public key it would just take incredibly long we therefore say that the cipher is computationally secure back to the certificates in order to use a certificate for all operations I would need the public key which I have because it's stored inside the certificate and the private key which I don't have in my ibm.com example only IBM have it that's the reason why I can't their identity I can't build a chain of trust without having both keys so when and how would the public CA issue a certificate to me to mark from Germany they would need to be sure that I am who I pretend to be or rather that my server is who it pretends to be how are isrg and let's encrypt doing it I mean all the browser vendors are trusting the let's encrypt certificates and they have issued a certificate to me how would they make sure that they can stand up to Firefox Chrome Edge or whoever and say trust us we have verified Mark's identity I mean I have never spoken to them well let's encrypt our using DNS for this they don't actually have to verify my personal identity just the one of my server the thought process is as follows if a host let's say .onemak50.com requests a certificate from isrg then all they'd have to do is do a DNS lookup of that address and if that DNS lookup points to the host that made the request then it's authentic because the person initiating the request needs to have control over the domain's DNS entries that process can easily be automated and they do provide me with a signed certificate and a private key for that single specific identity if I am able to put some arbitrary text entry on demand into my DNS then they are even willing to issue a so-called wildcard certificate to me that means that I could request a certificate that would be valid for any host in the onemark50.com domain for free this type of authentication is called domain validation I authenticate by proof of control over a domain in my case onemark50.com so far so good we now know that there are different types of certificates some of these are called a certificate Authority or short CA a CA can sign other certificates or even other Cas just like isrg signed the r3ca which in turn signed my1mark50.com server certificate so how would I proceed if I wanted to use certificates for my service at home how could I generate my own certificates well basically I have three Alternatives here either I use a paid or free service that issues server or wildcard certificates to me such as let's encrypt or I ask one of the routes EAS to sign my own CA which in turn I could then use to sign as many certificates as I please a so-called vanityca or that's alternative 3 I use my own self-signed certificate each of these mechanisms has advantages and challenges let's encrypt and the like require me to use an agent and to be in control of DNS not a big thing there's many videos on that by the way and in the next episode I'll show you a couple of Tricks around that such as automating wildcard certificate requests with ansible or using let's encrypt certificates for your internal Network the limitation of these Services is usually that you only get server certificates the second method the vanityca has one big challenge the price I checked on multiple provider Pages for pricing and all of them just stated ask for quote or on demand that doesn't sound cheap also you would presumably have to provide a lot of security procedures in order to prove to them that you don't issue certificates for just anybody remember if your ca is signed by a trusted CA then you become part of the globally recognized chain of trust and as such a high value Target I wouldn't actually want that so what's left actually we can easily create our own certificate Authority or CA as self-science CA just no one else would trust it so probably not a good solution for a public web server but there are valid use cases for this a CA is really just a normal certificate which has a couple of specific attributes here in xca we can add them down here with a default CA template that does a couple of things here in the extensions Tab and the key usage tab as a minimum I need to give the ca a name and a common name I strongly advise to also assign it an organizational name and a country code and I need to generate a private key cool so now I have a CA that is of course trusted by no one on this planet however we can now generate more certificates here we see the first difference now I cannot only create self-signed certificates but I can actually sign this certificate with my CA let me first apply the TLs server template here again I need to give it a name and a common name preferably an organization in the country code and I need to generate a key for it I'll use a server or router name in my sandbox as the common name here because I want to use it for that server let me export that server certificate in pen format that means just the plane certificate without the key there are other formats available some of these do contain the key and others don't the web server that I want to use the certificate with needs both in separate files so next I'll export the corresponding key again in pem text format that's it I can now use that certificate for that server but in order to have my browser trust it I needed to recognize my CA certificate but no problem I own it so I can just import it into my web browser in xca I export the ca certificate we don't need the key for this just like we don't have the key for the public ones then next in my browser I go back to the certificate settings or info page and there I can import the new ca my browser will now trust any certificate that has been issued by that CA so when can and when would we use self-signed certificates in general we can use this mechanism when we have control over both parties that means the client and the server just like I showed here I control the server and the client which is my web browser or maybe I don't trust the public Cas for some reason however there are challenges when you have many clients as your ca is not built into the browsers you would need to import or roll out the ca certificate to all of them but let's have a look at options for that scenario in the next episode when we will see how we can use free let's encrypt certificates for service for our local network and also more options for self-site cas just the last remark with regards to security vulnerabilities and so on you may have heard that the security gets better with longer Keys that's true also there are different Cipher and hashing algorithms that you can use some of them are compromised in other words proven to be insecure md5 is an example for this however please keep in mind that most successful attacks against crypto do not break the underlying crypto Primitives but rather get around them in other words why would I want to brute force your private key if I can easily steal it from your Workstation so TLS certificates encryption authentication all these things do not only rely on a good algorithm and a Long Key it's equally important to have a look at the whole process of generating and distributing keys and certificates and also how you manage your keys in other words the real challenge is not encryption or decryption but rather key management but more on this in later episodes until then like always thank you so much for watching stay safe stay healthy bye for now