签名、证书和戳

 

什么是数字证书?

In order to bind public keys with their associated user (owner of the private key), public key infrastructures (PKIs) use digital certificates. Digital certificates are the credentials that facilitate the verification of identities between users in a transaction. Much as a passport certifies one’s identity as a citizen of a country, the purpose of a digital certificate is to establish the identity of users within the ecosystem. Because digital certificates are used to identify the users to whom encrypted data is sent, or to verify the identity of the signer of information, protecting the authenticity and integrity of the certificate is imperative in order to maintain the trustworthiness of the system.

 

什么是 Certificate Authority?

A Certificate Authority (CA) is the core component of a public key infrastructure (PKI) responsible for establishing a hierarchical chain of trust. CAs issue the digital credentials used to certify the identity of users. CAs underpin the security of a PKI and the services they support, and therefore can be the focus of sophisticated targeted attacks. In order to mitigate the risk of attacks against Certificate Authorities, physical and logical controls as well as hardening mechanisms, such as hardware security modules (HSMs) have become necessary to ensure the integrity of a PKI.

 

什么是代码签名?

In public key cryptography, code signing is a specific use of certificate-based digital signatures that enables an organization to verify the identity of the software publisher and certify the software has not been changed since it was published.
Digital signatures provide a proven cryptographic process for software publishers and in-house development teams to protect their end users from cybersecurity dangers, including advanced persistent threats (APTs), such as Duqu 2.0. Digital signatures ensure software integrity and authenticity. Digital signatures enable end users to verify publisher identities while simultaneously validating that the installation package has not been changed since it was signed. All modern operating systems look for and validate digital signatures during installation, and warnings about unsigned code can cause end users to abandon installation.

 

什么是数字签名?

Digital signatures provide a proven cryptographic process for software publishers and in-house development teams to protect their end users from cybersecurity dangers, including advanced malware attacks. Digital signatures ensure the integrity and authenticity of software and documents by enabling end users to verify publisher identities while validating that the code or document has not been changed since it was signed.
Digital signatures go beyond electronic versions of traditional signatures by invoking cryptographic techniques to dramatically increase security and transparency, both of which are critical to establishing trust and legal validity. As an application of public key cryptography, digital signatures can be applied in many different settings, from a citizen filing an online tax return, to a procurement officer executing a contract with a vendor, to an electronic invoice, to a software developer publishing updated code.
Digital signing is also useful for organizations seeking to preserve business integrity by protecting copyright and facilitating licensing. For example, a company such as Microsoft can utilize signing to ensure its software cannot be issued by another company unaffiliated with Microsoft. Additionally, it is important for ensuring supply chain integrity and provenance of components. When coupled with public key infrastructure (PKI) it becomes a powerful tool for ensuring that software components are not tampered or tainted before being deployed in products or systems.

 

什么是时间戳?

Time stamping is an increasingly valuable complement to digital signing practices, enabling organizations to record when a digital item—such as a message, document, transaction or piece of software—was signed. For some applications, the timing of a digital signature is critical, as in the case of stock trades, lottery ticket issuance and some legal proceedings. Even when time is not intrinsic to the application, time stamping is helpful for record keeping and audit processes, because it provides a mechanism to prove whether the digital certificate was valid at the time it was used. The growing importance of digital signing solutions has created a corresponding demand for time stamping, so many software programs, such as Microsoft Office, support time stamping capabilities.

 

安全的重要性

If time stamping is to add real value, the time stamp must be secure.

 

与不安全的时间戳相关的风险

  • 无法信任电子流程会导致需要用昂贵的书面记录来备份电子记录。
  • 通过操纵计算机时钟,攻击者可以很轻易地破坏基于软件的时间戳流程,从而使整个签名流程无效。
  • 不安全的时间戳或数字签名流程会使组织面临合规性问题和法律挑战。
  • 即使在吊销了私有签名密钥和证书后,用户仍然可以访问它们。 如果没有时间戳,组织就无法证明签名是在吊销证书之前还是之后创建的。
即刻联系我们