With so many APIs being published these days, application development is looking more and more like an exercise in weaving together a set of calls to remote services and servers. The problem is that those remote APIs are often hosted by groups, companies, and organizations well outside the control of your own IT group. That raises the question: do you really know who you are connecting to? Is some bad guy masquerading as the service you are actually trying to reach?
SSL connections can help some, if you use them correctly! And like so many exercises in programming, there are caveats, exceptions, and confusing protocols. In his latest article for developerWorks, Ori Pomerantz explores how an application can thoroughly verify the identity of a remote server using Node's built-in https support plus a few bits of extra code. "Ver
The National Institute of Standards and Technology has revised the digital signature standard (DSS), designed to secure the identity of an electronic document signer (the document is FIPS 186-4). According to NIST spokesperson Elaine Barker, this isn't a major revision to the technology; the update ensures that the standard remains consistent with other NIST cryptographic guidelines (for example, NIST Special Publication 131A, "Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths").
FIPS 186-4 specifies a suite of algorithms that can be used to generate a digital signature that is then used to detect unauthorized modifications to data and to authenticate the identity of a signatory. Also, a recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was generated by the claimed signatory (known as non-repudiation).
The standard defines three methods for digital signature generation:
The goal with this release, according to Barker, is to align the standard so that all NIST documents offer consistent guidance regarding the use of random number generators. The changes will also allow users to save the random initial values used when searching for prime numbers, for purposes such as regenerating those primes; the previous version of the standard only allowed saving these values for use as evidence.
You can get a broader perspective on digital signature security by exploring the IBM CBT Digital Signature solutions offered by the IBM Crypto Competence Center Copenhagen, one of the original groups to create online encryption technologies for banking purposes in the 1980s.