Digital Signature / Electronic Signature / Digital Certificate

• explain the simple certificate enrollment protocol.

  The Simple Certificate Enrollment Protocol (SCEP) is a protocol used for issuing and managing digital certificates in a public key infrastructure (PKI) environment. SCEP is a lightweight protocol that allows for automated certificate enrollment and renewal, and it is widely used in enterprise environments.

  Here is a high-level overview of the SCEP process:

  1. Certificate Enrollment Request: The certificate enrollment process begins when a device or user sends a certificate enrollment request to the Certificate Authority (CA) using the SCEP protocol. The request typically includes information such as the subject name and public key of the certificate requester.

  2. CA Authorization: The CA will then validate the identity of the requester and determine whether they are authorized to receive a certificate. This may involve checking the requester's credentials or other identifying information.

  3. Certificate Issuance: If the requester is authorized to receive a certificate, the CA will issue a certificate to the requester. The certificate is typically encrypted with the requester's public key to ensure confidentiality.

  4. Certificate Delivery: The CA then delivers the certificate to the requester, typically over a secure channel such as HTTPS.

  5. Certificate Installation: The requester then installs the certificate on their device, completing the enrollment process.

  SCEP is designed to be a simple and lightweight protocol that can be easily implemented in a variety of environments. It is commonly used for certificate enrollment in enterprise environments, such as for mobile device management and VPN authentication.

• explain automated certificate enrollment and renewal

Automated certificate enrollment and renewal is a process that allows digital certificates to be automatically issued and renewed by a Certificate Authority (CA) without the need for manual intervention from the certificate holder. This process is commonly used in public key infrastructure (PKI) environments to ensure that certificates are always up to date and to reduce the administrative burden of managing certificates.

The process typically works as follows:

1. Certificate Enrollment: When a device or user needs a digital certificate, it sends a certificate enrollment request to the CA using a protocol such as SCEP or ACME. The request includes information such as the subject name and public key of the certificate requester.

2. Certificate Issuance: If the requester is authorized to receive a certificate, the CA will issue a certificate and send it to the requester. The certificate is typically encrypted with the requester's public key to ensure confidentiality.

3. Certificate Renewal: Before the certificate expires, the requester's device or application will automatically request a new certificate from the CA using the same protocol as the initial enrollment. The CA will validate the requester's identity and issue a new certificate to replace the expiring certificate.

Automated certificate enrollment and renewal allows for certificates to be issued and renewed quickly and efficiently, without the need for manual intervention. This reduces the risk of certificates expiring and causing disruptions to applications or services that rely on them. It also reduces the administrative burden of managing certificates, freeing up IT staff to focus on other tasks.

• explain x.509 v3 certificate.

  An X.509 v3 certificate is a digital certificate that is used to authenticate the identity of a person, organization, or device on a computer network. The certificate contains information such as the name of the certificate holder, the certificate's public key, the certificate's digital signature, and the certificate's validity period.

  Here are some key components of an X.509 v3 certificate:

  1. Subject: The name of the certificate holder, which can be an individual or an organization.

  2. Public Key: The certificate holder's public key, which is used to encrypt and verify data.

  3. Certificate Authority (CA): The organization that issues the certificate and verifies the identity of the certificate holder.

  4. Digital Signature: A signature that is generated using the CA's private key to verify the authenticity of the certificate.

  5. Validity period: The period of time during which the certificate is valid.

  In addition to the above components, X.509 v3 certificates can also contain additional information such as extensions, which can provide further details about the certificate holder or the intended usage of the certificate.

  X.509 v3 certificates are commonly used for secure communication over the internet, including SSL/TLS encryption and digital signatures. They are also used for authentication in VPNs and other network services.

• Digital Signatures

digital signing is a special process that is applied to an electronic document
this process is a code which is specific to the document thus the signature can not be copied to other documents
digital signatures require public and private key
we always keep our private key safe so that nobody can use it but we publish our public key to everyone we need to communicate
we sign document with our private key and the recipient uses our public key to verify that document is same as we send it.
if someone changes document then document will not validate.So your signature can't be copied while physical signature can be copied.
if someone else signs the document with another private key pretending to be you this can't work as your public key can't verify this document.

• Digital Signatures

we digitally signs documents,messages,images etc
when we sign digitally we actually encrypts something with our privaye key
before encryption process what we want to digitally sign is applied to hashing procedure
when we sign a document hash is encrypted rather than document.
encrypted hash is called digital signature

• Security+ Digital Signatures

primary purpose is authentication which means I want to know who sends document,to prevent someone to pretend to be someone else
message is hashed (provides integrity)
hash of message is encrypted with private key
encrypted hash can only be decrypted with public key

• digital signature

A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document
A valid digital signature gives a recipient reason to believe that the message was created by a known sender and that it was not altered in transit

http://en.wikipedia.org/wiki/Digital_Signature


A digital signature is used to verify a message. It is basically an encrypted hash of the message. The recipient can check if the message was tampered with by hashing the received message and comparing this value with the decrypted signature.

• Digital Certificates - CompTIA Security+ SY0-301: 6.3

digital certificates are pulic key certificates that we use in browsers
Certificate Authority(CA) publishes digital certificate
PGP,open PGP

• The basic difference is that it is impractical to separate a digital signature from the contents it signs whereas an electronic signature can be separated.

An electronic signature is any author identification and verification mechanism used in an electronic system. This could be a scan of your real hand-written signature or any kind of electronic authenticity stamp. It's a generic term that covers a lot of authenticity measures.

PDF creation software (e.g. Adobe Acrobat) has the ability to create both scanned hand-written signatures and cryptographic digital signatures. The OpenXML document (docx, xlsx, etc.) format also supports such signatures, so you should be able to produce similar results in Microsoft Office / OpenOffice

A digital signature is a type of electronic signature. It is a signature generated by a computer for a specific document, for the purposes of strong authenticity verification. For example, in asymmetric cryptography, a private key might be used to sign a hash of a document, which anyone in possession of the corresponding public key can verify but not forge. It also prevents modification of the document after the signature is generated. This allows one user to place a digital signature on a document, and many other users to verify that the signature is correct

http://security.stackexchange.com/questions/17554/what-is-the-difference-between-an-electronic-signature-and-a-digital-signature

• "Electronic Signature" is a generic, technology-neutral term that refers to the universe of all of the various methods by which one can "sign" an electronic record. Although all electronic signatures are represented digitally (i.e., as a series of ones and zeroes), they can take many forms and can be created by many different technologies. Examples of electronic signatures include: a name typed at the end of an e-mail message by the sender; a digitized image of a handwritten signature that is attached to an electronic document (sometimes created via a biometrics-based technology called signature dynamics); a secret code or PIN to identify the sender to the recipient; a code or "handle" that the sender of a message uses to identify himself; a unique biometrics-based identifier, and a digital signature (created through the use of public key cryptography).

"Digital Signature" is simply a term for one technology-specific type of electronic signature. It involves the use of public key cryptography to "sign" a message and is perhaps the one type of electronic signature that has generated the most business and technical efforts in addition to legislative responses.

http://www.xyzmo.com/en/resource-center/Pages/DigitalSignatureFAQ.aspx

• Electronic Signature

An electronic signature can be any piece of electronic data, such as a JPEG image of a signature or name, a sound recording, a symbol, or a voiceprint. An electronic signature can even be something as simple as a typed name.
they are problematic when it comes to security and integrity
electronic signatures are not considered a secure way of signing and are useful only in environments where signers are familiar with and in very close proximity to one another.


Digital Signature
A digital signature is a secure form of an electronic signature. In this way, digital signatures are a sub-group of electronic signatures, and they provide a signature and content integrity as well as non-repudiation of signed documents.

As opposed to an electronic signature, a digital signature cannot be copied, forged, or tampered with. This is because digital signatures are based on Public Key Infrastructure (PKI) technology, which, using a cryptographic operation, creates a ‘fingerprint’ unique to both the signer and the content. For this reason, a digital signature ensures signer authenticity and data integrity

http://www.arx.com/information/digital-electronic-signature/differences-electronic-and-digital-signatures.htm

• U.S. legislation (ESIGN/UETA) defines an electronic signature as “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record”.

One of the most commonly used Electronic Signatures today is the Text Typed signature; text typed meaning that one has used a keyboard to type their name, with the intent to sign “something”.
 Although this is the most common, electronic signatures are not limited to this method.
 SmartSign allows businesses to have documents e-signed using other accepted methods such as voice, mouse, signature pads, iPad/iPhone (with your finger or stylus), smart-phones and the list goes on.
 What is important to note; an electronic signature can be applied almost by any means, but it is just the first step in a fully secure and compliant electronic signature process.

Digital signatures require the use of a digital certificate, essentially a type of key or code that utilizes cryptographic algorithms to assure the integrity and authenticity of electronic media, and the information within.
Put simply, the application uses an algorithm to generate a unique code by processing the source file. That unique code, think of it as a document’s fingerprint, is then encrypted using the private key stored in the digital certificate.
The result of all this processing is a secure document that is tampering evident.
If any value in the source document is corrupted or maliciously altered, it can be easily detected by verifying the original signature.

http://www.eoriginal.com/blog/index.php/2011/03/24/what-is-the-difference-between-an-electronic-and-digital-signature/

• electronic signature

An electronic signature, or e-signature, is any electronic means that indicates either that a person adopts the contents of an electronic message, or more broadly that the person who claims to have written a message is the one who wrote it (and that the message received is the one that was sent).

http://en.wikipedia.org/wiki/Electronic_signature

• A digital signature is used to verify a message.

It is basically an encrypted hash of the message.

The recipient can check if the message was tampered with by hashing the received message and comparing this value with the decrypted signature.

To decrypt the signature, the corresponding public key is required.

A digital certificate is used to bind public keys to persons or other entities

If there were no digital certificates, the digital signature could be easily be forged, as the recipient could not check if the public key belongs to the sender.

The digital certificate itself is signed by a trusted third party, a Certificate Authority(CA) like VeriSign

In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document which uses a digital signature to bind together a public key with identity information

such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual

http://stackoverflow.com/questions/2882506/what-is-the-difference-between-digital-signature-and-digital-certificate

Digital signature: Suppose Alice wants to send a signed document or message to Bob. The first step is generally to apply a hash function to the message, creating what is called a message digest. The message digest is usually considerably shorter than the original message. In fact, the job of the hash function is to take a message of arbitrary length and shrink it down to a fixed length. To create a digital signature, one usually signs (encrypts) the message digest as opposed to the message itself.

Alice sends Bob the encrypted message digest and the message, which she may or may not encrypt. In order for Bob to authenticate the signature, he must apply the same hash function as Alice to the message she sent him, decrypt the encrypted message digest using Alice's public key and compare the two. If the two are the same he has successfully authenticated the signature. If the two do not match there are a few possible explanations. Either someone is trying to impersonate Alice, the message itself has been altered since Alice signed it or an error occurred during transmission.

Digital certificate: In addition, someone could pretend to be Alice and sign documents with a key pair he claims is Alice's. To avoid scenarios such as this, there are digital documents called certificates that associate a person with a specific public key.

http://www.rsa.com/rsalabs/node.asp?id=2182

• The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate

It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI).

Comparison to CRLs

Since an OCSP response contains less information than a typical certificate revocation list (CRL), it puts less burden on network and client resources

Since an OCSP response has less data to parse, the client-side libraries that handle it can be less complex than those that handle CRLs

OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information

https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

• OCSP overcomes the chief limitation of CRL: the fact that updates must be frequently downloaded to keep the list current at the client end. When a user attempts to access a server, OCSP sends a request for certificate status information. The server sends back a response of "current", "expired," or "unknown." The protocol specifies the syntax for communication between the server (which contains the certificate status) and the client application (which is informed of that status). OCSP allows users with expired certificates a grace period, so they can access servers for a limited time before renewing.

http://searchsecurity.techtarget.com/definition/OCSP

• The Online Certificate Status Protocol (OCSP) is the protocol used by browsers to obtain the revocation status of a digital certificate attached to a website. Naturally OCSP speed is considered one of the main criteria for quality, as browsers reach out to webservers and confirm that the SSL certificate is valid.

http://www.symantec.com/connect/blogs/what-ocsp

• What is a Code Signing Certificate?

A Code Signing Certificate is a digital certificate that contains information that fully identifies an entity and is issued by a Certificate Authority such as GlobalSign. The Digital Certificate binds the identity of an organization to a public key that is mathematically related to a private key pair. The use of private and public key systems is called Public Key Infrastructure (PKI).

Signing Code with a Code Signing Certificate
When a digital signature is applied, a timestamp is also recorded. This time‐stamping feature acts to ensure the signed code remains valid even after the digital certificate expires. Unless you’re adding additional code or making changes to the code, a new signature does not need to be applied (even if the digital certificate used to initially sign the code expires).

Code Signing Helps Prove
Content Source:
Code Signing identifies that the software or application is coming from a specific source (a developer or signer).
Content Integrity:
Code Signing ensures that a piece of code has not been altered and determines whether code is trustworthy for a specific purpose. If the application/ software code is tampered with or altered after digitally signing, the signature will appear invalid and untrusted.
https://www.globalsign.com/en/code-signing-certificate/what-is-code-signing-certificate/

Jack wants to send a document by email to Gill 

neither of them care if somebody reads it, there is nothing secret about it 

Gill wants to make sure document definitely came from Jack  and nobody else made changes to it on the way

"Software" prepares digital signature on Jack's computer

SHA-256 algorithm is used for hashing.

copy of document is processed with SHA-256 algorithm 

result is hash value(digest of the document)

hashing is one way process

hashing makes sure document's integrity

"Software" encrypts hash value using Jack's private key 

encrypted hash is embedded in the original document, now "signed document"

document now has a digital signature ,now "signed document"

Jacks sends Gill a copy of "signed document" and copy of public key 

Alternatively Jack can put public key on his website

Gill's computer decrpyts Jacks digital signature with public key 

If Gill can decrypt it then she knows it came from Jack

Gill's computer uses SHA-256 algorithm to calculate hash value again, using the text of document 

IF Gill computer's calculated hash value is the same as the hash value Jack sent, then Gill can be sure the document has not been tampered with since it was created.

• In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates.[1] X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS,[2] the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key.

The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer).

If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject 

In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization

However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices.

TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

In a typical public-key infrastructure (PKI) scheme, the certificate issuer is a certificate authority (CA),[2] usually a company that charges customers to issue certificates for them

By contrast, in a web of trust scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate.

The most common format for public key certificates is defined by X.509

Email certificate

In accordance with the S/MIME protocol, email certificates can both establish the message integrity and encrypt messages. To establish encrypted email communication, the communicating parties must have their digital certificates in advance. Each must send the other one digitally signed email and opt to import the sender's certificat

Some publicly trusted certificate authorities provide email certificates, but more commonly S/MIME is used when communicating within a given organization, and that organization runs its own CA, which is trusted by participants in that email system.

Self-signed and root certificates

A self-signed certificate is a certificate with a subject that matches its issuer, and a signature that can be verified by its own public key

For most purposes, such a self-signed certificate is worthless. However, the digital certificate chain of trust starts with a self-signed certificate, called a "root certificate," "trust anchor," or "trust root." A certificate authority self-signs a root certificate to be able to sign other certificates.

An intermediate certificate

An intermediate certificate has a similar purpose to the root certificate; its only use is to sign other certificate. However, an intermediate certificate is not self-signed. A root certificate or another intermediate certificate need to sign it.

end-entity or leaf certificate 

An end-entity or leaf certificate is any certificate that cannot sign other certificates. For instance, TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all end-entity certificates.

Code-signing certificate: Certificates can validate apps (or their binaries) to ensure they were not tampered with during delivery.

Subject: The entity a certificate belongs to: a machine, an individual, or an organization.

Issuer: The entity that verified the information and signed the certificate.

https://en.wikipedia.org/wiki/Public_key_certificate

• Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge

https://en.wikipedia.org/wiki/Let%27s_Encrypt

• In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates.[1] X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS,[2] the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.

An X.509 certificate binds an identity to a public key using a digital signature. A certificate contains an identity (a hostname, or an organization, or an individual) and a public key (RSA, DSA, ECDSA, ed25519, etc.), and is either signed by a certificate authority or is self-signed.

When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can use the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key.

End-entity certificate

This is an example of a decoded X.509 certificate that was used by wikipedia.org and several other Wikipedia websites. It was issued by GlobalSign, as stated in the Issuer field. Its Subject field describes Wikipedia as an organization, and its Subject Alternative Name (SAN) field for DNS describes the hostnames for which it could be used. The Subject Public Key Info field contains an ECDSA public key, while the signature at the bottom was generated by GlobalSign's RSA private key.

Intermediate certificate

This is an example of an intermediate certificate belonging to a certificate authority. This certificate signed the end-entity certificate above, and was signed by the root certificate below. Note that the subject field of this intermediate certificate matches the issuer field of the end-entity certificate that it signed. Also, the "subject key identifier" field in the intermediate matches the "authority key identifier" field in the end-entity certificate.

Root certificate

This is an example of a self-signed root certificate representing a certificate authority. Its issuer and subject fields are the same, and its signature can be validated with its own public key. Validation of the trust chain has to end here. If the validating program has this root certificate in its trust store, the end-entity certificate can be considered trusted for use in a TLS connection. Otherwise, the end-entity certificate is considered untrusted.

https://en.wikipedia.org/wiki/X.509

• Applied to cryptography, the public and private key pair is used to encrypt and decrypt a message, ensuring both the identity of the sender and the security of the message itself. The most common use case of X.509-based PKI is Transport Layer Security (TLS)/Secure Socket Layer (SSL), which is the basis of the HTTPS protocol, which enables secure web browsing. But the X.509 protocol is also applied to code signing for application security, digital signatures, and other critical internet protocols.

The Benefits of X.509 Certificates

Trust - Digital certificates allow individuals, organizations, and even devices to establish trust in the digital world. As the foundation for all digital identities, X.509 certificates are everywhere and are essential to every connected process from websites to applications to endpoint devices and online documents

When a certificate is signed by a trusted CA, the certificate user can be confident that the certificate owner or hostname/domain has been validated, while self-signed certificates can be trusted to a lesser extent as the owner doesn't go through any additional validation before issuance.

Scalability - An additional benefit of this certificate-based approach to identity is scalability. The PKI architecture is so scalable that it can secure billions of messages exchanged daily by organizations over their own networks and across the internet. What enables this is that public keys can be distributed widely and openly without malicious actors being able to discover the private key required to decrypt the message

The Basis of Public Key Infrastructure

The public key is comprised of a string of random numbers and can be used to encrypt a message. Only the intended recipient can decipher and read this encrypted message and it can only be deciphered and read by using the associated private key, which is also made of a long string of random numbers. This private key is secret and is known only to the recipient. As the public key is published for all the world to see, public keys are created using a complex cryptographic algorithm to pair them with an associated private key by generating random numeric combinations of varying lengths so that they cannot be exploited through a brute force attack. The most common algorithms used to generate public keys are:

Rivest–Shamir–Adleman (RSA)

Elliptic curve cryptography (ECC)

Digital signature algorithm (DSA)

PKI Certificate Encoding

One notable element not defined in the X.509 standard is how the certificate contents should be encoded to be stored in files.

However, there are two encoding schemas commonly used to store digital certificates in files:

Distinguished Encoding Rules (DER) - most common, as the schema addresses most data objects. Certificates encoded by DER are binary files and cannot be read by text editors but can be processed by web browsers and many client applications.

Privacy Enhanced Mail (PEM) is an encrypted email encoding schema that can be used to convert DER-encoded certificates into text files.

Common Applications of X.509 Public Key Infrastructure

Web Server Security with TLS/SSL Certificates

Digital Signatures and Document Signing

Digital signatures are a specific type of electronic signature that leverages PKI to authenticate the identity of the signer and the integrity of the signature and the document. Digital signatures cannot be altered or duplicated in any way, as the signature is created by generating a hash, which is encrypted using a sender's private key. This cryptographic verification mathematically binds the signature to the original message to ensure that the sender is authenticated and the message itself has not been altered.

Code Signing

Code Signing enables application developers to add a layer of assurance by digitally signing applications, drivers, and software programs so that end users can verify that a third party has not altered or compromised the code they receive. To verify the code is safe and trusted, these digital certificates include the software developer's signature, the company name, and timestamping.

Email Certificates

S/MIME certificates validate email senders and encrypt email contents to protect against increasingly sophisticated social engineering and spear phishing attacks. By encrypting/decrypting email messages and attachments and by validating identity, S/MIME email certificates assure users that emails are authentic and unmodified.

SSH Keys

SSH keys are a form of X.509 certificate that provides a secure access credential used in the Secure Shell (SSH) protocol.

SSH keys not only improve security, but also enable the automation of connected processes, single sign-on (SSO), and identity and access management at the scale that today's businesses require.

Digital Identities

X.509 digital certificates also provide effective digital identity authentication. As data and applications expand beyond traditional networks to mobile devices, public clouds, private clouds, and Internet of Things devices, securing identities becomes more important than ever. And digital identities don't have to be restricted to devices; they can also be used to authenticate people, data, or applications. Digital identity certificates based on this standard enable organizations to improve security by replacing passwords, which attackers have become increasingly adept at stealing.

https://sectigo.com/resource-library/what-is-x509-certificate