XML Digital Signatures - security question

    Question

  • Basically, I've started from here...
    http://social.msdn.microsoft.com/Forums/en-US/clr/thread/90c5af5e-63f2-4bce-aa93-df4dedd9b4d4

    Here's what I've done:

    I've generated private/public keys from SHA1CryptoServiceProvider.
    Then with my private key I generated an xml file with an enveloped signature.
    When I go to read back that file, I need my public key.

    Now, suppose that some malicious user looks at the structure of the file: he can make his own copy with his keys, replace my public key with his, and validate his file.

    Is there a way to prevent my XML file from being modified? Maybe encrypt that file?

    How can I secure my keys?

    Thanks

    Thursday, March 08, 2012 10:21 AM
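A worked illustration of the substitution the question describes, added here as an example and not code from the thread. It signs a constructed document with an enveloped signature and embeds the signer's public key in <KeyInfo>, then shows the two ways a reader can verify it: the parameterless SignedXml.CheckSignature() takes its key from <KeyInfo>, so a file re-created by an attacker with his own key pair passes, while CheckSignature(AsymmetricAlgorithm) against a public key deployed out of band (the ToXmlString(false) string shipped with the application) rejects it. Assumes .NET with the System.Security.Cryptography.Xml namespace (a NuGet package on .NET 6+, System.Security.dll on .NET Framework) and C# 8 or later; the payload and all names are made up for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not code from the thread. Demonstrates the key-substitution
// attack from the question and the pinned-key verification that defeats it.
static class EnvelopedSignatureDemo
{
    // Sign the whole document with an enveloped signature and embed the signer's
    // public key in <KeyInfo>, as the original poster did.
    static string Sign(string xml, RSA signingKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);

        var signedXml = new SignedXml(doc) { SigningKey = signingKey };

        // Uri = "" covers the whole document; the enveloped transform leaves the
        // <Signature> element itself out of the digest.
        var reference = new Reference { Uri = "" };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);

        // Convenient for whoever reads the file, but it carries no trust by itself:
        // whoever writes the file chooses what goes here.
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new RSAKeyValue(signingKey));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    // Parse a file received from an untrusted source. XmlResolver = null stops
    // DTD/external-entity fetches before any signature check happens.
    static XmlDocument Parse(string xml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(xml);
        return doc;
    }

    static SignedXml LoadSignature(XmlDocument doc)
    {
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1)
            throw new CryptographicException("expected exactly one Signature element");
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);
        return signedXml;
    }

    // Weak: the parameterless CheckSignature() takes the public key from
    // <KeyInfo>, i.e. from data the attacker controls.
    static bool VerifyWithEmbeddedKey(string xml) =>
        LoadSignature(Parse(xml)).CheckSignature();

    // Strong: verify against a public key the verifier obtained out of band
    // (shipped with the application), ignoring whatever <KeyInfo> says.
    static bool VerifyWithPinnedKey(string xml, RSA trustedPublicKey) =>
        LoadSignature(Parse(xml)).CheckSignature(trustedPublicKey);

    static void Main()
    {
        // Constructed sample payload for the example.
        const string payload = "<Config><Setting name=\"feature\">off</Setting></Config>";

        using var publisherKey = new RSACryptoServiceProvider(2048);
        using var attackerKey = new RSACryptoServiceProvider(2048);

        // Public half only (ToXmlString(false)); this string is what gets deployed
        // with the application, not read from the signed file.
        string publicKeyXml = publisherKey.ToXmlString(false);
        using var trustedPublicKey = new RSACryptoServiceProvider();
        trustedPublicKey.FromXmlString(publicKeyXml);

        string genuine = Sign(payload, publisherKey);

        // The attacker copies the file structure, changes the content, signs with
        // his own key pair and puts his own public key in <KeyInfo>.
        string forged = Sign(payload.Replace("off", "on"), attackerKey);

        Console.WriteLine("genuine / embedded key: " + VerifyWithEmbeddedKey(genuine));
        Console.WriteLine("forged  / embedded key: " + VerifyWithEmbeddedKey(forged));
        Console.WriteLine("genuine / pinned key  : " + VerifyWithPinnedKey(genuine, trustedPublicKey));
        Console.WriteLine("forged  / pinned key  : " + VerifyWithPinnedKey(forged, trustedPublicKey));
    }
}
```

The same rule holds if <KeyInfo> carries an X.509 certificate instead of a raw RSA key: the certificate only means something once the verifier chains it to a root it already trusts (CheckSignature(X509Certificate2, verifySignatureOnly: false)). Encrypting the file, as suggested later in the thread, does not change this: what stops the substitution is that the verifier never learns the key from the file, and that the private half stays with the signer.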

Answers

  • Thank you for the reply.

    I got a bit confused between Encryption/Decryption and Digital Signatures.

    I looked HERE, and now I have the ideas a little clearer.

    Basically, I cannot Encrypt with my private key and decrypt with my public key.

    I've already signed my document with an enveloped Digital Signature, and I think that using the RSACryptoServiceProvider class with the SignData/VerifyData methods is OK...

    Thank you for your help.




    • Edited by DevRex Monday, March 19, 2012 11:17 AM
    • Marked as answer by DevRex Monday, March 19, 2012 11:17 AM
    Tuesday, March 13, 2012 9:07 AM

All replies

  • Hi DevRex,

    Welcome to the MSDN forum.

    According to your description, I think one possible way is to encrypt your XML file to prevent it from being modified.

    And there are some ways to achieve this, such as Asymmetric Keys, Symmetric Keys, X.509 Certificates and so on. The following are some links related to encrypting an XML file for your reference; all of them have a decryption solution:

    http://msdn.microsoft.com/en-us/library/ms229749.aspx 

    http://msdn.microsoft.com/en-us/library/ms229746.aspx

    http://msdn.microsoft.com/en-us/library/sb7w85t6.aspx

    http://msdn.microsoft.com/en-us/library/ms229744.aspx

    Hope it helps.


    Best Regards,
    Rocky Yue[MSFT]
    MSDN Community Support | Feedback to us

    Monday, March 12, 2012 6:39 AM
    Moderator
  • Thank you for these useful links.

    In my scenario, I need to deploy my xml file.

    So when I create my keys locally, then I export the public key in an xml file with RSACryptoServiceProvider.ToXmlString() method and read back with RSACryptoServiceProvider.FromXmlString() method.

    Now here's a dumb question:

    Are there any benefits to using CspParameters.KeyContainerName? Or is it only for local usage?

    Thank you.


    Monday, March 12, 2012 8:45 AM
  • As the MSDN documentation says: Asymmetric private keys should never be stored verbatim or in plain text on the local computer. If you need to store a private key, you should use a key container. One of the benefits of using it, I think, should be safety.

    And as for local or network usage, I think it mainly depends on where the XML string comes from. You can try to load XML from a network site.

    The following is an example for your reference:

    http://msdn.microsoft.com/en-us/library/tswxhw92(v=vs.80).aspx 

    Hope it helps.


    Best Regards,
    Rocky Yue[MSFT]
    MSDN Community Support | Feedback to us

    • Proposed as answer by Lie You [Moderator] Thursday, March 15, 2012 3:34 AM
    • Unproposed as answer by DevRex Monday, March 19, 2012 11:16 AM
    Tuesday, March 13, 2012 3:30 AM
    Moderator
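The key-container advice above, worked through as an added example (not code from the thread or from MSDN): the signing key is created inside a named CSP container via CspParameters.KeyContainerName, only the Modulus/Exponent half is exported with ToXmlString(false) for deployment, signing and verification use the SignData/VerifyData methods the thread settles on, and the private half is created non-exportable so that code running on the box can use the key but not copy it. CspParameters is a CryptoAPI wrapper, so this runs on Windows only (other platforms throw PlatformNotSupportedException); the container name and sample data are made up for the example, and C# 8 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. Keeps the signing key in a named
// CSP key container instead of a file, hands out only the public half, and
// makes the private half non-exportable. Windows only (CryptoAPI).
static class KeyContainerDemo
{
    // Hypothetical container name chosen for the example.
    const string ContainerName = "ExampleXmlSigningKey";

    // Create the key in the container on first use, open it afterwards.
    static RSACryptoServiceProvider OpenSigningKey()
    {
        // Provider type 24 (PROV_RSA_AES) is required for SHA-256 signatures;
        // the CspParameters() default (PROV_RSA_FULL) only knows MD5/SHA-1.
        var csp = new CspParameters(24)
        {
            KeyContainerName = ContainerName,
            // Without UseNonExportableKey the key is created exportable and any
            // code running as this user can dump it with ExportParameters(true).
            // Add CspProviderFlags.UseMachineKeyStore for a service account, with
            // the container ACL'd to that account.
            Flags = CspProviderFlags.UseNonExportableKey
        };
        // PersistKeyInCsp defaults to true when CspParameters are supplied, so
        // the key survives process exit.
        return new RSACryptoServiceProvider(2048, csp);
    }

    // The only thing that leaves the signing machine: Modulus and Exponent.
    static string ExportPublicKeyXml()
    {
        using var rsa = OpenSigningKey();
        return rsa.ToXmlString(includePrivateParameters: false);
    }

    // Signing happens inside the CSP; the private key never enters managed memory.
    static byte[] SignBytes(byte[] data)
    {
        using var rsa = OpenSigningKey();
        return rsa.SignData(data, "SHA256");
    }

    // On the deployed side: rebuild the public key from the XML string.
    static bool VerifyBytes(byte[] data, byte[] signature, string publicKeyXml)
    {
        using var rsa = new RSACryptoServiceProvider();
        rsa.FromXmlString(publicKeyXml);
        return rsa.VerifyData(data, "SHA256", signature);
    }

    // Confirm the CSP refuses to release the private key
    // (CspKeyContainerInfo.Exportable reports the same fact).
    static bool PrivateKeyIsExportable()
    {
        using var rsa = OpenSigningKey();
        try
        {
            rsa.ExportParameters(includePrivateParameters: true);
            return true;
        }
        catch (CryptographicException)
        {
            return false; // NTE_BAD_KEY_STATE: key not valid for use in specified state
        }
    }

    // Remove the container (e.g. on key rotation): Clear() deletes it only
    // when PersistKeyInCsp has been set to false first.
    static void DeleteContainer()
    {
        using var rsa = OpenSigningKey();
        rsa.PersistKeyInCsp = false;
        rsa.Clear();
    }

    static void Main()
    {
        string publicKeyXml = ExportPublicKeyXml();
        byte[] data = Encoding.UTF8.GetBytes("<Config>constructed sample</Config>");

        byte[] sig = SignBytes(data);
        Console.WriteLine("signature verifies: " + VerifyBytes(data, sig, publicKeyXml));

        data[data.Length - 1] ^= 0x01; // tamper with one byte
        Console.WriteLine("tampered data verifies: " + VerifyBytes(data, sig, publicKeyXml));

        Console.WriteLine("private key exportable: " + PrivateKeyIsExportable());

        DeleteContainer();
    }
}
```

For the XML case the deployed side passes the RSACryptoServiceProvider rebuilt by FromXmlString to SignedXml.CheckSignature(rsa) rather than relying on the key embedded in the file. A user-store container is protected by DPAPI under the user's profile and a machine-store container by the ACL on it; either way an administrator on the signing box can still use the key (though not copy it, once it is non-exportable), so for a high-value signing key a smart card or HSM CSP is the next step up.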