×
Community Blog Best Practice for Using KMS to Sign and Verify the Signature

Best Practice for Using KMS to Sign and Verify the Signature

This article explains how to use Alibaba Cloud Key Management Service (KMS) to sign text files and verify the signatures to ensure the security of data transmission.

By Yong Yang

Alibaba Cloud Key Management Service (KMS) can be used to sign files or certificate files and verify their signatures. This helps effectively prevent attackers from tampering with sensitive files and important files during transmission. Additionally, it can be used to verify the validity of certificates during certificate-based mutual authentication, ensuring the security of the transmission.

1. Basic Concepts

Encryption: The sender uses the receiver's public key to encrypt the plaintext to be sent.

Decryption: The receiver uses its private key to decrypt the ciphertext.

Signing: The sender writes its own signature for the file to be sent. The private key of the sender must be used.

Signature verification: To verify the signature, the receiver needs to confirm whether the received ciphertext file is actually sent by the sender and whether it is tampered with along the way. The signature is finally verified based on the comparison of message digests.

Signature generation and verification process:

  1. A signer sends a public key to a receiver.
  2. The signer uses the private key to sign data.
  3. The signer sends the data and signature to the receiver.
  4. After the receiver receives the data and signature, the receiver uses the public key to verify the signature.

Digital signatures are widely used to defend against data tampering and authenticate identities.

• You can use digital signatures to protect the integrity of your binary code and verify that the code has not been tampered with. This helps provide a trusted execution environment.

• Digital signatures can also be used in digital certificate systems. In such a system, a certificate authority (CA) provides a signature for a digital certificate to certify the entity information, public and private key information, key purpose, expiration date, and issuer. The private key holder of a certificate uses the private key to sign a message. The message receiver uses the public key contained in the certificate to verify the message signature and uses the public key of the certificate issuer to verify the certificate.

2. Use Alibaba Cloud KMS to Verify the Signature of the Text

2.1. Prepare the Test Environment

Background: To avoid the disclosure of an SSL private key, you must use KMS to sign the SSL private key and verify the signature.

Test environment:

  • Nginx server (mutual authentication)
  • PCA certificate
  • KMS encryption instance

2.2. Build the Test Environment

• You need to build an environment that implements PCA-based mutual authentication. To do so, you need to configure PCA-based mutual authentication on the Nginx server.

2.2.1. Export the Root Certificate

Click the three dots on the right of the root CA and click Details.

1

Scroll to the bottom to view the content of the root certificate and save it as a file named ca.crt, which will be used by the client and server later.

2

2.2.1.1. Export the Server Certificate

The new version of PCA allows you to directly export the server certificate in the PEM format without decryption. The server certificate file server.pem can be used in combination with the intermediate CA, while the private key file server.key can be directly used.

Go to the certificate list page of the intermediate CA.

3

You'll see the created server certificate. Click Details.

4

Select View Private Key Content, enter the password, and then click Export to view the certificate content.

5

The certificate content and complete certificate chain are saved as server.pem.

The private key content is saved as enc_server.key.

Decrypt the file with the openssl command in the server:

openssl rsa -in enc_server.pem -out server.key

Enter the password used for export to obtain the decrypted private key file server.key.

6

2.2.1.2. Export the Client Certificate

You can export the client certificate in the PEM format in the same way as the server certificate. The client certificate file client.pem can be used in combination with the intermediate CA, while the private key file client.key can be directly used. If you want to import the client.pem and client.key files into a Windows environment, convert them to the PFX format. For testing purposes on Windows 10, you do not need to set a password during the conversion.

You can convert the client.pem and client.key files into a .pfx file by using the format conversion tool in the SSL console. Leave the original password empty and enter the new password for testing on Windows.

7

Finally, you'll get the client certificate file client.pfx.

8

2.2.2. Configure Certificates

2.2.2.1. Configure the Server

Add configurations related to mutual authentication (line 8 to line 11 in the following code) to Nginx. Save the configurations and restart Nginx.

server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;
        server_name  XX.rootyzc.top; # Domain name
        root         /usr/share/nginx/html;
        ssl_certificate "/etc/nginx/ssl/pca/server.pem"; # The public key certificate of the server
        ssl_certificate_key "/etc/nginx/ssl/pca/server.key"; # The private key of the server
        ssl_client_certificate "/etc/nginx/ssl/pca/ca.crt"; # The CA root certificate
        ssl_verify_client on;   # Enable mutual authentication
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
        ssl_prefer_server_ciphers on;
    }

When the client accesses the server, the prompt in the figure below is displayed.

9

2.2.2.2. Configure the Client

The root certificate and client certificate are ready on the client.

10

Open a browser, such as Chrome, and click the three dots in the upper right corner. Choose Settings > Privacy and security > Security > Manage certificates.

11

Click Trusted Root Certification Authorities and then Import. Select the root certificate file ca.crt to import it.

12

Click Personal and then Import. Select the client certificate file client.pfx and enter the new password to import it.

13

2.2.3. Test the Effect

Access the domain name in the browser, select the certificate, and click OK.

14

This step indicates that mutual authentication is successful.

15

You can also use the curl command in the server to verify that mutual authentication is successful.

curl --cacert ca.crt --cert ./client.pem --key ./client.key https://pca.roo
tyzc.top -k -v

16

3. Signing Steps

3.1. Create a KMS Encryption Instance

• In the left-side navigation pane, click Instances. On the page that appears, click the Software Key Management tab, and then click Create Instance.

17

• Purchase an instance as needed and enable it. After the instance is enabled, it will appear in the instance list, as shown in the figure below.

18

3.2. Create a KMS Key

• In the left-side navigation pane, click Keys. On the page that appears, select the ID of the KMS encryption instance that you created and click Create Key.

19

• Select the key type Asymmetric Key and the key usage SIGN/VERIFY, set other parameters as needed, and then click OK.

20

• After the key is created, it appears in the key list, as shown in the figure below.

21

4. Signature Verification Steps

4.1. Complete Steps in the Application Access Guide of KMS

• Click Create Application Access Point in the first step Application Access Authorization.

22

• Select the KMS encryption instance you created, enter the name of the access point, and then click OK.

23
24

• After the access point is created, the client key files will be downloaded automatically. If they are not, click the button in the box to manually download the files, which are packaged in a ZIP file and will be used later.

25

• Click Download in the second step Instance CA Certificate to download the CA certificate of the KMS encryption instance.

4.2. Create a Script for Signature Verification

• You can find the reference document KMS Instance SDK at https://www.alibabacloud.com/help/en/kms/developer-reference/kms-instance-sdk/

• Here, we use the KMS instance SDK for Python to demonstrate the test process. For the access point name, see the reference document or test cases.

26

  • clientKey_KAAP.json: The client key file, which was downloaded after the application access point was created.
  • PrivateKmsCA.pem: The CA certificate of the KMS encryption instance, which was also downloaded before.
  • __init__.py: The Python main program used to test the SDK's interaction with the KMS instance.
# -*- coding: utf-8 -*-
from openapi.models import Config
from sdk.client import Client
from openapi_util.models import RuntimeOptions
from sdk.models import SignRequest
from sdk.models import VerifyRequest
import os
import base64


# --------->Initialize the SDK.<---------
config = Config()
# Set the connection protocol to "https". KMS supports connections only over HTTPS. 
config.protocol = "https"
# Set the endpoint of your KMS instance in the following format: <ID of your KMS instance>.cryptoservice.kms.aliyuncs.com. 
config. endpoint="kst-hkk657fb8XXXXtx8vjp3f.cryptoservice.kms.aliyuncs.com"# Enter the KMS endpoint.
# The client key file. 
config.client_key_file = "./clientKey_KAAP.json"
# The password of the client key file. 
config. password="5bdbdf01cff8b144b2c8e4acdeXXXXd"# The certificate password, which is masked here.
client = Client(config)


# --------->Set the CA certificate of the KMS instance by configuring runtime options (RuntimeOptions).<---------
runtime_options = RuntimeOptions()
# The CA certificate path.
runtime_options.verify = "./PrivateKmsCA.pem"


# --------->Call the Sign API to use an asymmetric key to generate a digital signature.<---------
request = SignRequest()
# The ID or alias of the key. 
request. key_id="key-hkk658125e7clXXXj3lds"# Enter the key ID or alias.
# The data that you want to sign. 
# Read the file to be signed.
with open('/etc/nginx/ssl/server.key',encoding='utf-8')  as file_obj:
contents = file_obj.read()
file_obj.close()
request.message = bytes(contents,encoding='utf-8')
# The signature algorithm. 
request.algorithm = "RSA_PSS_SHA_256"
sign_response = client.sign_with_options(request, runtime_options)
# The signature value. 
signature = sign_response.signature
# The request ID. 
request_id = sign_response.request_id


# --------->Call the Verify API to use the asymmetric key to verify the digital signature.<---------
request = VerifyRequest()
# The ID or alias of the key. 
request. key_id="key-hkk658125e7cXXXvj3lds"# Enter the key ID or alias.
# The data for which you want to verify the signature. 
# Read the file whose signature is to be verified.
with open("/etc/nginx/ssl/server.key",encoding='utf-8')  as file_obj:
contents = file_obj.read()
file_obj.close()
request.message = bytes(contents,encoding='utf-8')
# The signature algorithm. 
request.algorithm = "RSA_PSS_SHA_256"
# The signature value. 
request.signature = signature
verify_response = client.verify_with_options(request, runtime_options)
print ("<--Verified signature value-->\n",verify_response)
# The verification result. 
value = verify_response.value
print ("<--Verification result-->\n", value)
# The request ID. 
request_id = verify_response.request_id

4.3. Run the Script for Signature Verification

Parameters are printed, and the verification result is 'Value': True ;.


Disclaimer: The views expressed herein are for reference only and don't necessarily represent the official views of Alibaba Cloud.

0 1 0
Share on

Alibaba Cloud Community

1,076 posts | 263 followers

You may also like

Comments