Workbook on Digital Private Papers > Administrative and preservation metadata > Metadata for authenticity: hash functions and digital signatures

Metadata for authenticity: hash functions and digital signatures

Storing fixity information as XML metadata

Tools for creating and verifying digital signatures, keys and certificates

Tools for creating and verifying digital signatures tend to be developed for use from the command-line without assistance of a graphical user interface (GUI); the GUI interfaces that are provided sometimes lack the features of their command-line equivalents. Many are deployed as a backend or engine for other applications and may be integrated with file manager/browsers (e.g. KDE, Gnome and MS Windows Explorer) or embedded in applications such as OpenOffice, MS Office or email clients. Some tools, for example Jacksum, are hash engines, others like GnuPG are examples of cryptographic engines supporting the Public Key Infrastructure (PKI) infrastructure.

Paradigm conducted a brief survey of tools, focused on cross-platform and open source tools, supporting the generation and validation of hash values and digital signatures. The project was interested both in:

The tools surveyed fell into the following categories: application libraries providing underlying support for the algorithms and data stores required by the command-line tools for use by developers and associated graphical user interface (GUI) front-ends. The following table provides a summary of how these relate:

Interface Application Library Algorithmns
GUI Command-line
portecle   Bouncycastle
JCE		 Public-Key
Cipher
Hash
  GPG (libgcrypt) Public-Key
Cipher
Hash
Compression
Kgpg  
GPGee  
GPA  
  jacksum Jacksum Hash
Hasher  
  keytool
jarsigner		 Sun (JCA/JCE) Public-Key
Cipher
Hash
W3C XML Signature & Encryption
    Apache XML Security W3C XML Signature & Encryption
  xmlsec XML Security Library W3C XML Signature & Encryption

The following table summarises the features of the tools surveyed:

  Tool Summaries
BouncyCastle A Java Cryptographic Library that provides a set of independent application programming interfaces (APIs) for use in:
  • Digital signatures
  • Message digests (hashes).
  • Encryption (symmetric/asymmetric keys block/stream ciphers).
  • Key generation and management.
  • Certificates and certificate validation.
Portecle A Java GUI based on the Bouncycastle cryptographic libraries for creating, managing and examining key stores, keys, certificates, certificate requests and certificate revocation lists. Portecle also enables the user to covert between various keystore formats which would be of assistance in managing collections which are protected or signed by different providers.
GnuPG (GNU Privacy Guard) GnuPG (GNU Privacy Guard) is a complete implementation of the OpenPGP standard defined by RFC2440. GnuPG, also known as GPG (the name of its command-line tool) supports:
  • Encryption.
  • Digital signatures.
  • Key management system.
  • Access modules for public key directories.
  • Features for easy integration with other applications.
  • It has a range frontend applications, including KGPG, GPA, GPGee (Windows).
  • Version 2 of GnuPG also provides support for S/MIME (Secure / Multipurpose Internet Mail Extensions is a standard for public key encryption and signing of e-mail encapsulated in MIME).
  • Libgcrypt – a general purpose cryptographic library based on the code from GnuPG project. It provides functions for all cryptographic building blocks:
    • Symmetric ciphers (AES, DES, Blowfish, CAST5, Twofish, Arcfour).
    • Hash algorithms (MD4, MD5, RIPE-MD160, SHA-1, TIGER-192).
    • Message Authentication Codes - MACs /HMACs.
    • Public key algorithms (RSA, ElGamal, DSA).
    • Large integer functions, random numbers, etc.
KGPG A KDE (KDE is a desktop environment for Linux and Unix) GUI for GnuPG that supports key signing, importing and exporting. It can be integrated with other KDE tools such as the Konqueror file browser/manager.
GPA GPA (GNU Privacy Assistant) is a Windows GUI for the GnuPG application library.
GPGee GPGee is a Windows GUI for GnuPG adding support via a context menu for: signing, signing and encrypting, encrypting, verifying and decrypting. It works on multiple files at once.
Jacksum Jacksum is an Open Source, platform independent, Java utility for calculating and verifying checksums, hash values and file timestamps.
Hasher HasherGUI is a GUI for Jacksum. It currently supports some of the hash functions, such as MD5, SHA-1, SHA-256, SHA-512, MD4, CRC, etc., provided by Jacksum.
Jarsigner A JAR Signing and Verification Tool which is a command-line java based application and part of the Sun Java Development Kit (JDK).
Java Security Libraries ( jca/ jce) Basic functionality for using cryptographic techniques is provided by the Java Cryptography Architecture (JCA) which focuses on authentication; the Java Cryptography Extension (JCE) provides a framework for implementations of encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms.
keytool Part of the Sun Java Development Kit (JDK), keytool is a command-line Java based application which allows users to manage their own public/private key pairs and associated certificates as well as storing the certificates (public keys) of other users and services.
Apache XML Security Version 1.4 provides a Java library implementing the standard Java Application Programming Interface (JSR105: XML Digital Signatures) for creating and validating XML Signatures as defined by the W3C XML Digital Signature Specification. There is also a cross-platform C++ library implementation (Version 1.3).
XML Security Library XML Security Library is a C library based on LibXML2. The library supports all the features and algorithms described in the W3C XML Digital Signature and Encryption Specification, it provides an API to sign prepared document templates, add signature(s) dynamically to a document or verify the signature(s) in the document.

Some of these command-line and GUI tools are explored further in how-tos.