Standardized approach to digital signatures of files via .NET


I am creating a system for the distribution of packages (.zip archives) created by different organizations. I would like one way of verifying that the publishers of a package actually are who they claim to be, and that the file has not been tampered with.

To confirm the publisher, a system like the one used by web browsers is necessary - e.g. my application communicates with the root certificate authority that has verified the identity. In other words, the 'green bar' :) I think package creation will work like this:

  1. The author creates the ZIP package
  2. Hashes it
  3. Signs the hash and attaches the public certificate
  4. Wraps this in a body together with the contents of the zip file

Opening the package will work like this:

  1. Take the body of the data
  2. Hash it using the same algorithm
  3. Recover the signed hash using the public key from the certificate
  4. Compare the two hashes - now we have integrity
  5. Contact the root CA to verify the identity

In this way I have confirmed the identity and confirmed the content (the content itself does not need to be encrypted - the goal is verification, not privacy).

So my questions are:

  1. Is this the right way to go about it?
  2. Which hashing algorithm do people generally use? I think this should be one-way. Can you choose just one (MD5, SHA1, SHA2?), or is it more common to support several and have package authors tell you which one they use (for example, in a header of the document giving the name of the hashing function)?
  3. How do you work with the root CA? Is this an X509Store job, or does it involve additional steps?
  4. What types of certificates are involved here? Is it the same certificate used to sign .NET assemblies (a code-signing certificate)?

Finally, if an organization does not have a paid certificate and decides instead to use a self-issued certificate, I believe I can still verify the hash (for the sake of data integrity) without installing certificates on the computer or any magic like that (in these cases I would just show: "Published by XYZ Company (unverified)"). Is that correct?

I have found a lot of links on using X509 and RSACryptoServiceProvider, so I can probably figure out the code; I think I am more interested in whether I am using the right techniques.
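The sign/verify flow sketched in the question, written out as an added example (not code from the question or the answer): the publisher signs the SHA-256 hash of the archive with the RSA key behind their certificate, and the consumer checks integrity with the public key and identity with an X509Chain built against the machine's trusted roots. A self-signed certificate still passes the integrity check but is labelled "(unverified)", as the question proposes; the certificate, the CN "XYZ Company" and the temporary file are constructed for the demo.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PackageSigner
{
    // Publisher side: hash the zip with SHA-256 and sign the hash with the certificate's RSA key.
    // SignData hashes internally; naming the algorithm here is the "one agreed hash" choice.
    public static byte[] Sign(string zipPath, X509Certificate2 signerWithPrivateKey)
    {
        byte[] data = File.ReadAllBytes(zipPath);
        using RSA rsa = signerWithPrivateKey.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("certificate has no RSA private key");
        return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Consumer side: integrity (signature over the bytes) then identity (chain to a trusted root).
    // An integrity failure is fatal; a chain failure only downgrades the displayed label.
    public static string Verify(string zipPath, byte[] signature, X509Certificate2 publisherCert)
    {
        byte[] data = File.ReadAllBytes(zipPath);
        using RSA rsa = publisherCert.GetRSAPublicKey()
            ?? throw new InvalidOperationException("certificate has no RSA public key");
        if (!rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new CryptographicException("package contents do not match the signature");

        // Build() consults the local trusted root store; a self-signed cert fails with UntrustedRoot.
        using var chain = new X509Chain();
        bool trusted = chain.Build(publisherCert);
        string publisher = publisherCert.GetNameInfo(X509NameType.SimpleName, false);
        return trusted ? $"Published by {publisher}" : $"Published by {publisher} (unverified)";
    }

    static void Main()
    {
        // Constructed demo: a self-signed publisher certificate and a stand-in package file.
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest("CN=XYZ Company", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
        string zip = Path.GetTempFileName();
        File.WriteAllBytes(zip, new byte[] { 0x50, 0x4B, 0x03, 0x04 }); // constructed placeholder bytes

        byte[] signature = Sign(zip, cert);
        Console.WriteLine(Verify(zip, signature, cert));
        File.Delete(zip);
    }
}
```

Flipping a byte of the file before calling Verify makes it throw, while replacing the self-signed certificate with one chaining to an installed root changes only the label.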

There is a standard API.

The System.IO.Packaging namespace contains the classes needed to create OPC (Open Packaging Conventions) packages.
