Introduction

Digital Certificates are used for secure communication between two parties. In digital certification we ensure that the peoples who are using our apps or services are securely communicating with each other and those peoples can be individual consumers or businesses.

In Digital Certification we use both Hashing and Asymmetric encryption for creating digital signatures.

After encrypting the hash of data we obtain a digital signature later which is used for verification of data.

Background

As there are a lot more peoples and private businesses have their presence on internet for public and as well se private communication according to their business needs.

The number of peoples and businesses online is continuing increasing. As the communication is becoming cheaper and easily available so people start spending more time online and most of the time they do personal communications as well.

As Internet is open for all, everybody can get connected and start communication. Internet was originally designed for communication in mind but not security So some internet criminals started taking advantages from internet vulnerabilities for illegal gains.

Now the business need security to succeed on internet and that’s where digital certification comes into play.

Digital Certificates provide us secure and confidential way to communicate.    

 

Public Key Infrastructure (PKI)

Digital certificates are part of PKI (Public Key Infrastructure) which is a cryptographic system for creating digital certificates.

PKI uses two keys one is public key and the other one is private key. PKI actually based on Asymmetric Encryption. The public key is known by all and private key is only known by key owner and should be kept in secure place.

The unique thing about the keys is that both are mathematically related to each other in such a way so that the message can be encrypted by private key and only the corresponding public key can decrypt the message. If you know the public key, then it is impossible to infer the private key. 

  

Simple Scenario

Suppose we have to persons Ahmed and Fatima. They both want to communicate securely. So what process they should have to follow for secure and confidential communication.

1. First Ahmed hashes his message to generate hash.

2. Then he encrypts the hash with his private key to create digital signature.

3. When Fatima receives Ahmed’s message on other hand then she also receives digital signature.

4. Fatima decrypts the signature with her public key to get hash from signature.

5. Now Fatima has both signature hash and message, Fatima will hash her message to compare whether her hash and hash from Ahmed match are not.

If the both hashes matched, then we can say Fatima received the actual message from Ahmed otherwise the message was changed.

Certificate Authority (CA)

In digital certification CA (Certification Authority) is third part individual that issues certificates that are trustworthy to all other parties involved in communication.

Certification authority issues the certificates that contain public key, certificate subject, and details about authority itself.

For now, about CA you just keep in mind there are some authorities who issue certificates and you need to trust them so that secure communication can happen

Creating Certificate with Makecert.exe

At development level we can use a tool Makecert.exe to create X.509 certificates for testing purposes.

X.509 Certificate: X.509 certificate is standard that is widely used for defining digital certificate. X.509 uses PKI (Public Key Infrastructure) to verify the identity of user with public key.

To create certificate using makecert open visual studio developer command prompt as administrator and run the following command.

makecert -n "cn=sampleCertSubject" -sr currentuser -ss sampleCertStore

The command will create a new certificate and install that into a certificate store name sampleCertStore at current user location.

 Managing Certificate

At this point we successfully created a certificate in store named sampleCertStore. Now we can use our certificate from sampleCertStore to successfully sign and verify data.

Signing Data

Now if Ahmed has to send data to Fatima then he needs to sign data with private key. To sign data, he has to follow some simple steps that are explained in following code snippet. Once he signed the data then he should send both signature and data.

x
54
1
class X509CertTest
2
    {
3
        static void Main(string[] args)
4
        {
5
            string messageToFatima = "My personal data";
6
7
            //retrieve certificate from store//
8
            X509Certificate2 certificate = GetCertFromStore();
9
10
            //**signing data**//
11
            
12
            //to sign we need the hash of data//
13
            byte[] hashBytes = GetDataHash(messageToFatima);
14
15
16
           byte[] signature= GetDigitalSignature(hashBytes);
17
        }
18
19
20
        private static byte[] GetDigitalSignature(byte[] hashBytes)
21
        {
22
            X509Certificate2 certificate = GetCertFromStore();
23
            /*use any asymmetric crypto service provider for encryption of hash
24
              with private key of cert.
25
             */
26
            RSACryptoServiceProvider rsaCryptoService = (RSACryptoServiceProvider) certificate.PrivateKey;
27
28
            /*now lets sign the hash
29
              1.spevify hash bytes
30
              2. and hash algorithm name to obtain the bytes
31
             */
32
            return rsaCryptoService.SignHash(hashBytes,CryptoConfig.MapNameToOID("SHA1") );
33
        }
34
35
        private static byte[] GetDataHash(string sampleData)
36
        {
37
           //choose any hash algorithm
38
           SHA1Managed managedHash=new SHA1Managed();
39
            
40
            return managedHash.ComputeHash(Encoding.Unicode.GetBytes(sampleData));
41
        }
42
43
        private static X509Certificate2 GetCertFromStore()
44
        {
45
            //to access to store we need to specify store name and location
46
            X509Store x509Store = new X509Store("sampleCertStore",StoreLocation.CurrentUser);
47
48
            //obtain read only access to get cert
49
            x509Store.Open(OpenFlags.ReadOnly);
50
51
            return x509Store.Certificates[0]; 
52
        }
53
    }

Verifying Data

On other hand when Fatima receives Ahmed’s message and signature then she uses her public key to verify the message.

1
11
1
private static bool VerifyData(byte[] signature, string messageFromAhemd)
2
        {
3
            var messageHash = GetDataHash(messageFromAhemd);
4
5
            X509Certificate2 certificate = GetCertFromStore();
6
7
            RSACryptoServiceProvider cryptoServiceProvider=(RSACryptoServiceProvider)certificate.PublicKey.Key;
8
9
            return cryptoServiceProvider.VerifyHash(messageHash, CryptoConfig.MapNameToOID("SHA1"), signature);
10
        }

Following here is the complete source code.

1
77
1
using System;
2
using System.Security.Cryptography;
3
using System.Security.Cryptography.X509Certificates;
4
using System.Text;
5
6
namespace CertTest
7
{
8
    class X509CertTest
9
    {
10
        static void Main(string[] args)
11
        {
12
            string messageToFatima = "My personal data";
13
14
            //retrieve certificate from store//
15
            X509Certificate2 certificate = GetCertFromStore();
16
17
            //**signing data**//
18
            
19
            //to sign we need the hash of data//
20
            byte[] hashBytes = GetDataHash(messageToFatima);
21
22
23
           byte[] signature= GetDigitalSignature(hashBytes);
24
           bool isVerified = VerifyData(signature, messageToFatima);
25
26
            Console.WriteLine($"IsVerified: {isVerified}");
27
28
            Console.ReadLine();
29
        }
30
31
        private static bool VerifyData(byte[] signature, string messageFromAhemd)
32
        {
33
            var messageHash = GetDataHash(messageFromAhemd);
34
35
            X509Certificate2 certificate = GetCertFromStore();
36
37
            RSACryptoServiceProvider cryptoServiceProvider=(RSACryptoServiceProvider)certificate.PublicKey.Key;
38
39
            return cryptoServiceProvider.VerifyHash(messageHash, CryptoConfig.MapNameToOID("SHA1"), signature);
40
        }
41
42
        private static byte[] GetDigitalSignature(byte[] hashBytes)
43
        {
44
            X509Certificate2 certificate = GetCertFromStore();
45
            /*use any asymmetric crypto service provider for encryption of hash
46
              with private key of cert.
47
             */
48
            RSACryptoServiceProvider rsaCryptoService = (RSACryptoServiceProvider) certificate.PrivateKey;
49
50
            /*now lets sign the hash
51
              1.spevify hash bytes
52
              2. and hash algorithm name to obtain the bytes
53
             */
54
            return rsaCryptoService.SignHash(hashBytes,CryptoConfig.MapNameToOID("SHA1") );
55
        }
56
57
        private static byte[] GetDataHash(string sampleData)
58
        {
59
           //choose any hash algorithm
60
           SHA1Managed managedHash=new SHA1Managed();
61
            
62
            return managedHash.ComputeHash(Encoding.Unicode.GetBytes(sampleData));
63
        }
64
65
        private static X509Certificate2 GetCertFromStore()
66
        {
67
            //to access to store we need to specify store name and location
68
            X509Store x509Store = new X509Store("sampleCertStore",StoreLocation.CurrentUser);
69
70
            //obtain read only access to get cert
71
            x509Store.Open(OpenFlags.ReadOnly);
72
73
            return x509Store.Certificates[0]; 
74
        }
75
    }
76
}