10 Sep 2010 
 Email Store Digital Signatures
Solution
Introduction

The Email Store Digital Signature is intended to provide proof that a message has not been modified in the Email Store since it was stored. The Digital Signature is binary data that is calculated from the email data and stored along with the email. The calculation is based on private/public key cryptography, so nobody can forge a signature provided the private key remains undisclosed, while anyone can verify that the data has not been changed provided the public key is available.

Requirements: MPP 4.7.0 or higher, a MySQL server, and the OpenSSL tools for public/private key generation.

To create all tables, including the new "message_signature" table, use:
ftp://ftp.messagepartners.com/pub/mpp4/sql/mpp-mysql.sql

To create only the new "message_signature" table, use:
ftp://ftp.messagepartners.com/pub/mpp4/sql/migrate_4_7_0.sql

To enable this feature, make sure the "message_signature" table exists alongside the required archival tables, generate a new public/private DSA key pair using the OpenSSL tools, and add the "archival_signer" option to the group that has archival enabled.

Generate DSA Private/Public Key Pair

Although generating a DSA private/public key pair is not part of MPP's functionality, here is an example of how to generate one. The private key is needed by the DSA Engine defined in MPP. The public key is needed by the application (Qreview) that verifies a signature.

1. Generate the DSA parameters file param_4096.pem for a 4096-bit key:
openssl dsaparam -out param_4096.pem 4096

2. Generate the private key file prv_archive_4096.pem from the DSA parameters:
openssl gendsa -out prv_archive_4096.pem param_4096.pem

3. Generate the public key file pub_archive_4096.pem from the private key file:
openssl dsa -in prv_archive_4096.pem -pubout -out pub_archive_4096.pem

The files prv_archive_4096.pem and pub_archive_4096.pem can be copied to /usr/local/MPP.
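The following added example (not part of this article or of MPP) shows what the signature described in the Introduction buys you: it generates a DSA key pair with the same three OpenSSL steps as above, signs a constructed sample message with the private key, verifies it with the public key only, and then shows that a one-byte change to the message makes verification fail. It assumes a 1024-bit key (for speed; the article uses 4096-bit) and plain detached "openssl dgst" signatures; the exact signature format MPP stores in the message_signature table is not described in the article and is not assumed here.

```shell
#!/bin/sh
# Added example, not MPP code. Demonstrates sign/verify/tamper detection with a
# DSA key pair produced the way the article describes (smaller key for speed).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Steps 1-3 of the article, with a 1024-bit key instead of 4096-bit.
openssl dsaparam -out "$WORK/param.pem" 1024 2>/dev/null
openssl gendsa -out "$WORK/prv.pem" "$WORK/param.pem" 2>/dev/null
openssl dsa -in "$WORK/prv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null

# sign_message FILE SIGFILE : the signer side, which holds the private key.
# (Assumption: a detached DSA-over-SHA-256 signature; MPP's own format may differ.)
sign_message() {
    openssl dgst -sha256 -sign "$WORK/prv.pem" -out "$2" "$1"
}

# verify_message FILE SIGFILE : the verifier side, which has only the public key.
# Exit status 0 means the signature matches FILE, non-zero means it does not.
verify_message() {
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$2" "$1" >/dev/null 2>&1
}

# Constructed sample message standing in for an archived email.
printf 'From: a@example.com\nSubject: test\n\nhello\n' > "$WORK/msg.eml"
sign_message "$WORK/msg.eml" "$WORK/msg.sig"

# Simulate modification after storage: change one byte of the body.
sed 's/hello/hellp/' "$WORK/msg.eml" > "$WORK/msg_tampered.eml"

# Both checks return 0 when the signature behaves as the article promises.
check_intact()   { verify_message "$WORK/msg.eml" "$WORK/msg.sig"; }
check_tampered() { ! verify_message "$WORK/msg_tampered.eml" "$WORK/msg.sig"; }

if check_intact && check_tampered; then
    echo "signature verifies on the stored message and fails on the modified copy"
fi
```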

Define DSA Engine

The administrator defines an instance of the DSA Engine in the mppd.conf.xml file under the <mppd><engines> node, using a node named <dsa>. The ID of the engine instance is given by the id attribute of that node.

Example:

<mppd>
  ....
  <engines>
    <dsa id="my_dsa_engine_id">
      <key_id>0</key_id>
      <private_key_file>
        <path>/usr/local/MPP/prv_archive_4096.pem</path>
        <format>pem</format>
      </private_key_file>
    </dsa>
  </engines>
  ...
  <groups>
    <group id="archival_group">
      ....
      <archive>mysql://USER:PASS@HOST:DB</archive>
      <archive_signer>my_dsa_engine_id</archive_signer>
    </group>
  </groups>
</mppd>

Message Verification

To verify a message signature, use Qreview (http://host:20000):
ftp://ftp.messagepartners.com/pub/mppmanager/beta/mppmanager.tar.gz

Log in as admin and go to Setup->Module Config, where the following variables should be set:
signature_verification_enabled          1
signature_public_key_path                 /usr/local/MPP/pub_archive_4096.pem

When you now open the Archive link, you should see a "green tick" next to the Subject of each message. Click on the tick to verify that message.

Note: Qreview requires the Crypt::OpenSSL::DSA Perl module to be installed for message verification to work correctly. Please check the following articles:
 MPP GUI install on RH / CentOS / Fedora Core Linux
 MPP GUI install on Debian/Ubuntu





Article Details
Article ID: 36
Created On: 04 Feb 2009 01:45 AM
