Is it necessary to have SSL on your C# website to implement a usb token or Digital signature ?

1 solution

The short answer is: no. But further discussion makes no sense unless this delicate problem is formally and accurately formulated. One of the most important things is: do you need a server-side signature, or a client-side signature (so the client could confirm that this is "the same very client")?

The role of SSL is very different from just the digital signature mechanism. You can read about it. Again, it makes little sense to discuss it all without knowing your exact goal.

—SA
 
 
Comments
Surendra Singh Dangi 15-Jul-14 4:42am
Sergey, thanks for your reply.
I am talking about client-side signature verification.

I am working on a C# application having two levels of authentication: the first is the login credential and the other is through a USB token.

So please guide me on how I can implement the same.

Note: currently the site does not have an SSL certificate.
Sergey Alexandrovich Kryukov 15-Jul-14 11:25am
I understand the problem with the SSL certificate. In addition to private, secret communication, an SSL certificate creates trust with the customers, who can check up the server-side certificate and address the certificate authority for confirmation. With a client-side one, you can check up the client certificate; and in this case the authority is you: you are the organization which issued the certificate, so you just compare the certificate sent by a customer with the one you keep at the site, in some customer account record (that is, some data you can always trust).

So, technically, this all will work. You can use any public-key encryption and even any custom form of signed data.

Now, what is the problem with such an approach? Only one: your channel is not encrypted. Imagine what happens if all the client's packets are monitored by some spy. Of course, this person cannot retrieve the customer's private key and fake any arbitrary block of signed data. But if the user simply sends the certificate with a digital signature, this spy can simply do exactly the same and misrepresent the customer.

This problem can still be solved. You can make the customer side request some arbitrarily generated block of data, have it digitally signed with the customer's private key and sent back to the service. Then your service can use the public key stored for this customer (if the public key is disclosed, it won't break this system, so you can store it without worries) to check whether the random block of data and its decrypted copy sent from the customer are identical. So, the approach would work without a certificate.

Still, there will be one unsolved problem. Your security hole would be the initial distribution of a private key (or anything else) to the customer. If this is not done in an encrypted way, and some spy captures all the data from this moment, you cannot get protected. You need to develop some encryption schema covering it. Ultimately, there is always a moment when you have to trust a customer. And later you only get a confirmation that "this is the same very person", no more.

Do you know how public-key encryption works in principle? You just need to learn it. .NET provides some algorithms in its BCL.

—SA
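The challenge-response flow described in the comment above (server issues a random block, the client signs it with the token's private key, the server verifies with the stored public key), as an added example that is not from this thread or the poster's project. It is written in Go with only the standard library so it runs stand-alone; the same three steps map onto .NET's RSA class. An in-memory RSA key stands in for the key held on the USB token, and the replay at the end shows why the server must issue a fresh nonce per login.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewChallenge (server): a fresh random nonce, issued once per login attempt.
func NewChallenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable entropy: stop rather than risk reusing a nonce
	}
	return nonce
}

// SignChallenge (client): the token's private key signs the nonce; only the signature is sent.
func SignChallenge(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyChallenge (server): the stored public key must validate the signature over the nonce the server issued.
func VerifyChallenge(pub *rsa.PublicKey, nonce, sig []byte) bool {
	digest := sha256.Sum256(nonce)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Demo: one genuine login, then the captured signature replayed against the next challenge.
func Demo() (genuineAccepted, replayAccepted bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed key, stands in for the USB token's key
	if err != nil {
		return false, false, err
	}
	nonce1 := NewChallenge()
	sig1, err := SignChallenge(priv, nonce1)
	if err != nil {
		return false, false, err
	}
	genuineAccepted = VerifyChallenge(&priv.PublicKey, nonce1, sig1)
	replayAccepted = VerifyChallenge(&priv.PublicKey, NewChallenge(), sig1) // old signature, new nonce
	return genuineAccepted, replayAccepted, nil
}

func main() {
	fmt.Println(Demo()) // true false <nil>
}
```

Note that this only proves "the same key as last time": the server still has to record the customer's public key over a trusted path first, which is the remaining problem the comment points out.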

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)