Categories
Data Protection

Learn more about storing digital certificates

How to store digital certificates and ensure the company’s security? No doubt the way is always through the adoption of good practices.

That is, the storage of digital certificates and cryptographic keys provides a critical security layer that protects all of a company’s virtual assets. Breaches due to trust-based attacks are caused precisely by inadequate storage and mismanagement.

When successful, an attack carried out against a digital certificate can have disastrous effects for any organization. Besides security aspects, expired certificates cause great losses in lost business.

Therefore, it is not enough to implement a policy for the use of digital certificates and cryptographic keys: it is also necessary to assertively develop storage and management processes.

Read on to learn more about digital certificate storage.

Digital certificate storage and trust-based attacks

As you know, digital certificates and encryption keys are essential for business. After all, they protect data, keep communications private, and establish trust between communicating parties.

In practice, digital certificates are used for several purposes. These include identity verification, file encryption, web authentication, email security, and software signature verification.

Despite their importance, many companies are vulnerable to breaches because they allow certificate and key management to be seen as an operational problem, rather than as a security vulnerability that needs to be fixed immediately.

In fact, there is much more a flaw in the policies and processes for storing digital certificates than a vulnerability caused by the absence of security updates or bugs that can compromise any kind of technological structure of an organization.

After all, hackers focus on keys and certificates as attack vectors. With bad intentions, they steal them to obtain a trusted status, and then use this to avoid detection and bypass security controls.

The attack happens precisely when the breach of trust occurs

Cybercriminals use trust-based attacks to infiltrate companies, steal valuable information, and manipulate domains. In other words, if private keys used to sign a digital certificate fall into the wrong hands, the system can be breached and the site taken down.

When these keys are lost, significant time and energy is wasted in accessing systems or renewing certificates.

To give you an idea, if the code signing certificates used to sign an iPhone or Android application, for example, are compromised, an unauthorized developer could launch malware with the help of the breached corporate identity.

In order to reduce the risk of trust-based attacks, digital certificates and cryptographic keys need to be protected and stored securely. This prevents them from being lost or falling into the wrong hands.

Digital certificate storage options and best practices

Every time a digital certificate is issued, a key pair – private and public – is generated.

Without a doubt, the best practice is to keep the private key secure. After all, if someone can use it, they can create phishing sites with your organization’s certificate in the address bar, authenticate on corporate networks pretending to be you, sign applications or documents in your name, and read your encrypted e-mails.

In many companies, digital certificates and encryption keys are the identities of their employees and therefore an extension of their organization’s identification. Protecting them is equivalent to protecting your fingerprints when using biometric credentials.

You certainly would not allow a hacker to get your fingerprint. So why let him have access to your digital certificate?

Vantagens do uso dos Certificados e Assinaturas Digitais
 

The storage of digital certificates

The most used modalities for storing digital certificates in Brazil are two: A3, in token or card, and A1, in file on the computer or other device.

A3 stored in token

This is a type of certificate that is stored in a cryptographic token, a device similar to a USB stick, which must be connected directly to a USB port on the user’s computer or server where the system will run. Furthermore, it is not possible to copy, otherwise the media will be blocked.

A3 stored on card

This type of certificate is stored on a smart card with a chip, just like the new bank cards. In short, it must be connected to a reader that needs to be plugged into a USB port on the user’s computer or server where the system will run. Likewise, it is not possible to copy, otherwise the cryptographic media will be blocked.

A1 stored in file on computer or other device

It is an electronic file stored in the user’s computer or server where the system will run. It usually has the extensions .PFX or .P12 and does not need tokens or cards to be transported from one side to the other.

A1 cloud storage

With it you can access your certificate and digitally sign documents through any device: desktops, smartphones and tablets. Finally, you also gain in security and eliminate the worry about physical damage, theft, and loss.

Don’t lose your digital certificates

In summary, the storage of digital certificates needs to be efficient and treated as a priority in the organization. The choice of the best way to store will depend on the security policies and processes implemented in the company, and especially on who uses the certificates and what they are used for.

In this way, any regulations your company needs to comply with, costs and internal resources will be secured by storing the digital certificates.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Digital Signature

Learn how the Digital Signature works

Don’t confuse it with a digital certificate! This is the first step in learning how the digital signature works. It serves to validate the authenticity and integrity of a message, software, or electronic document.

Equivalent to a handwritten signature or stamped seal, the digital signature offers security and authenticity in electronic form. It is aimed at solving problems such as tampering and representation in digital communications.

If you still have doubts about the efficiency of the digital signature in your business, check out this post and clear up any doubts about how it works and the advantages of adopting this feature in your company.

The strategic value of digital signature for companies

For enterprises these solutions provide guarantees of evidence of origin, identity, and status of electronic documents, transactions, or messages. In addition, it also guarantees recognition and authenticity of what has been digitally signed.

To get an idea of the efficiency of digital signatures in companies, we can look at the United States. After all, there digital signatures have the same legal significance as more traditional forms of signed documents.

The U.S. Government Printing Office regularly publishes electronic versions of the budget, public and private laws, and congressional bills with digital signatures.

What’s behind the digital signature

Basically, digital signatures use public key or asymmetric cryptography to be created. A public key cryptography involves a pair of keys: one public and one private.

The two keys are mathematically related. The public key, as the name implies, is open and available to anyone who wants to access it. It can, for example, be stored on a public key server.

On the other hand, the private key is kept in a secure company environment, it will never be transmitted publicly. The sender of an electronic document uses his private key to encrypt that document, this is the digital signature.

Finally, the receiver then decrypts the signature with the public key to verify that it matches the attachment. In addition, the private keys are unique to each user, providing verified authenticity to the sender’s message.

Only the sender’s private key can be used to create the digital signature. The corresponding public key is used to confirm this signature, for which the digital certificate is used.

The use of digital signature optimizes investments and increases productivity

A digital signature can be used with any type of message, whether it is encrypted or not. It is used so that the recipient can be sure of the sender’s identity and that the message has arrived intact.

In this way digital signatures make it difficult for the “signer” to deny having signed something (non-repudiation). After all, the digital signature is unique for both the document and the signer.

The digital certificate contains the digital signature of the certificate issuing authority and binds a public key to an identity, and can be used to verify that a public key belongs to a specific person or entity.

Most e-mail programs, Internet browsers, and text readers, such as Adobe Reader, support the use of digital signature and digital certificate. This makes it easy to sign any outgoing email and validate incoming messages, or other types of digitally signed files.

Digital signatures are also widely used to provide proof of authenticity, data integrity, and non-repudiation of communications and transactions over the Internet.

 6 benefícios mais importantes da assinatura digital
 

You can reduce costs with digital signature

By migrating their business processes to digital media, companies reduce paper consumption and the costs associated with printing and transporting documents. This strategy allows, for example, to direct what has been saved to strategic sectors of the organization.

And even increase productivity

Besides optimizing investments in the core business, reducing printing costs and using digital media for process automation also increases productivity.

Organizations and their employees no longer perform manual processes and can focus on core activities without having to stop their tasks to print documents or take them to different departments, i.e., it is possible with digital signature to achieve strategic gains throughout the company.

Can any company use a digital signature?

Finally you may be wondering if any firm or organization can get a digital signature. How is it obtained? Is it worth investing in?

To answer this question, it is enough to review the concepts that we saw at the very beginning of the article. In other words, when a user creates a document, he signs it with a unique digital signature and sends it to the recipient.

If the sender’s signature uses a recognized certification authority, in Brazil’s case those that are homologated by the ITI, within ICP-Brazil, the recipient will trust the certification authority to confirm the identity of the publisher. In this way it authenticates the message and provides non-repudiation.

So yes, any person, company, agency, etc. can and should get a digital signature. Moreover, it is a matter of strategic company security. In addition, there are several companies, known as certification authorities (CA), which manage the issue of digital certificates and are approved by the ITI.

As you may have seen, companies can only gain by adopting digital signatures in their business processes.

In the midst of the Digital Transformation era, adopting this technology means that the company as a whole, suppliers, and customers can benefit from strategic efficiency in relation to the sale of products and services.

If you still have any questions about the subject, contact EVAL right now. Our experts are ready to help you overcome your difficulties and start your digital signature adoption project.

About Eval

A EVAL está a mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria, Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presente nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias.

Com valor reconhecido pelo mercado, as soluções e serviços da EVAL atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, PCI DSS, e a LGPD. Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos.

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível.

Eval, segurança é valor.