20.2. Digital Signatures and Certificates

Up to this point we've been talking about how databases with digital signatures are exceptions to the macro security checks. That is, if a database is digitally signed, it can be opened regardless of the macro security level setting.

So what is a digital signature and how do you create one?

You have probably seen various forms of digital signatures or digitally signed programs while browsing the Internet or installing software. Typically you'll see a security warning dialog box. The dialog box contains information that describes the purpose of the digital certificate used to sign the program, the date and time the certificate was published, and who published it. Some certificates permit you to obtain more information about the program and/or the publisher. After reviewing the information about the certificate, you can accept the certificate or reject it. If desired, you can choose to have that certificate accepted automatically by selecting the Always trust content from this publisher check box.

So a digital certificate is an electronic attachment applied to a program, database, or other electronic document. The digital certificate identifies the person or entity that published it and the date and time that it was published. The certificate can also identify the purpose of the certificate and/or the purpose of the program, database, or electronic document to which it applies.

Therefore, a digital signature is a means to apply a digital certificate to programs, databases, or other electronic documents so that a user of that program, database, or document can confirm that the document came from the signer and that it has not been altered since it was signed. If the program, database, or document is altered after it has been digitally signed, the signature is invalidated (removed). This feature means that you can be assured that nobody can introduce viruses after the signature is applied.

What all of this means is that you will have to obtain a digital certificate in order to give your database a digital signature. In a moment, we'll explain more about how to obtain a digital certificate. And a bit later, we'll describe how to sign your database with the digital certificate. But first a bit more explanation about how digital certificates and digital signatures work with Access.

Microsoft Office 2003 uses Microsoft Authenticode technology to enable you to digitally sign your Access database by using a digital certificate. A person using your signed database can then confirm that you are the signer and that your database has not been altered since you signed it. If that person then trusts you, they can open your database without regard to their Access macro security level setting.

You 're probably thinking that your database will be altered. After all, that's what a user does when they insert or delete data. Since a database is likely to be altered in anticipated ways, a digital signature for an Access database applies to specific aspects of the database rather than to the entire database. Therefore, a database can be updated in the ways you would expect without the signature being invalidated.

More specifically, a digital signature on an Access database covers only objects that could be modified to do malicious things. These objects include modules, macros, and certain types of queries, for example, action queries, SQL pass-through queries, and data definition queries. The signature also applies to the ODBC connection string in queries and properties of ActiveX controls. If any of these types of objects are modified after you sign your database, the digital signature will be invalidated (removed).

20.2.1. Types of Digital Signatures

There are two types of digital certificates: commercial and internal. Commercial certificates are obtained through a commercial certification authority such as Verisign, Inc. Internal certificates are intended for use on a single computer or within a single organization and can be obtained from your organization's security administrator or created using the Selfcert.exe program, which we'll describe later.

20.2.1.1. Commercial Certificates

To obtain a commercial certificate, you must request (and usually purchase) one from an authorized commercial certificate authority vendor. When the vendor sends you one of these certificates, you will receive instructions about how to install the certificate on your computer and how to use it with your Access application.

The commercial certificate provides full protection of your database for authenticity. Since the digital certificate is removed if the file or VBA project is modified, you can be sure that your database will not be authenticated if anyone tampers with it.

Likewise, commercial certificates provide protection for users. In the event someone obtains a certificate and then uses that certificate for malicious purposes, the commercial authority will revoke the certificate. Then anyone who uses software that is signed with that certificate will be informed of its revocation.

20.2.1.2. Internal Certificates

An internal certificate is intended for use on a single computer or within a single organization. An internal certificate provides similar protections as the commercial certificate in that if the file or VBA project is changed, the certificate is removed, and the database will not automatically open under High or Medium security.

Internal certificates can be created and managed by a certificate authority within your organization using tools such as Microsoft Certificate Server. You can create a certificate for your own computer using the Selfcert.exe tool.

20.2.1.3. Obtaining a Digital Certificate

As mentioned earlier, you can obtain a certificate from a commercial authority such as Verisign, Inc. For internal certificates you can turn to your security administrator or Digital Certificate group, or you can create your own certificate using the Selfcert.exe tool.

You need to be aware that if you create your own certificate, Access will still generate the macro security warning when your signed database is opened on a computer other than the one where the certificate was created (High or Medium security). This happens because Microsoft considers this to be a self-signed database.

The trouble with self-certification is that the certificate isn't trusted because it is not in the Trusted Root Certification Authorities store. This means that if your certificate isn't registered so that Microsoft Authenticode technology can determine its authenticity, the certificate will get a crosswise look. And the reason for this is that a digital certificate you create can be imitated. Which means that someone can mimic your certificate and sign a database with it. Then if you have trusted a digital certificate that has been mimicked, a database signed with that certificate will open. So, if that database contains malicious code, it could execute that code. This brings up two important issues:

• If a certificate you create can be imitated, what kind of security do you really get?

• If your certificate won't be trusted on another computer, why bother creating your own certificate?

We 'll discuss how you can use self-certification in the next section. Let's take the imitation question now.

A certificate is nothing more than a digital document. As with any digital document it can be copied, replicated, or otherwise imitated. However, Microsoft's Authenticode technology is able to determine authenticity of the certificate if, and only if, it is in a Trusted Root Certification Authorities store.

Therefore, using self-certification is a solution that should only be considered if your databases will only be used behind the security of a firewall, with virus software, for protection. If your database, and therefore your certificate, will be made publicly available, such as through the Internet, you will be putting your certificate out where someone could copy it. They could then attach the copy to a database with malicious code and send that database back to you, or worse yet on to other users who could think the database is from you. If the certificate has been on the computer that is opening the database, that database will be trusted. The database will open and the malicious code will be executed.

If you are interested in acquiring a commercial certificate, the Microsoft Developer's Network has list of root certificate program vendors at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp. When you are looking for a vendor to supply a certificate, you need one that provides a certificate for code signing or that works with Microsoft Authenticode technology.

20.2.2. Using Self-Certification

Having sufficiently warned you in the previous section of the pitfalls of self-certifying, this section will explain how you can self-certify in situations that you believe are secure from hacker attacks.

The question asked in the previous section was: If your certificate isn't going to be trusted on another computer, why bother creating one? The precise statement is that the certificate isn't trusted unless it is installed on the computer that is opening the signed database. Therefore, the solution is to install your certificate on that computer so that it will be trusted.

Next we'll take you through all the steps necessary to self-certify and use the certificate for your database as well as how to use that database on any computer. There are a few steps, but they're not difficult. Some of the steps will only have to be done once. Some will have to be repeated for each computer that will use your certificate to open your database. First you need to run Selfcert.exe to create a certificate on your computer.

With the certificate created, there are two requirements to use your database on another computer:

Signing your database is done through the Visual Basic Editor. Creating a file from your certificate can be accomplished many ways. Mainly this task is accomplished while viewing the certificate details. Installing the certificate on the target computer can be accomplished from Windows Explorer.

Keep in mind these steps only apply to self-certification. For example, if you use a commercial certificate you won't have to install your certificate on each computer.

20.2.2.1. Creating a Self-Certification Certificate

To create a certificate for yourself, simply run the SelfCert.exe program. For example, mine is located in C:Program FilesMicrosoft OfficeOFFICE11SELFCERT.EXE.

When Selfcert.exe starts you will see the screen as shown in Figure 20-5.

To complete the process, enter a name for your certificate and click OK. This will create a certificate and add it to the list of certificates for this computer only.

20.2.2.2. Adding a Certificate to Your Database

To digitally sign your database you add a certificate to it using the Visual Basic Editor. In the Visual Basic Editor select Tools | Digital Signature, as shown in Figure 20-6.

This menu option will open the Digital Signature dialog seen in Figure 20-7.

Note: This database has been previously signed with the certificate named Randall Weers. If the database is not previously signed, the Sign As Certificate Name will be [No certificate].

To pick a digital signature to sign your database, click Choose. . . will display the dialog box show in Figure 20-8, which shows all the digital certificates on this computer.

Click on the certificate you want to use to sign this database and click OK. The name of the selected certificate will display on the Digital Signature dialog box and a Detail . . . button will show, as it does in Figure 20-9.

You will use the Detail. . . button to get access to an option to create a file from your certificate so you can copy that certificate to another computer. To sign your database now, click OK.

If you sign your database and then make code changes on the computer that has the certificate, the digital certificate is removed and the database is automatically resigned. If you make code changes on a computer that does not have the certificate, the signature is removed without resigning the database.

Note: If you are using Access Developer Extensions, the Custom Startup Wizard has an option to add the certificate to your database just before creating the MDE.

20.2.2.3. Using a Self-Certification Certificate on Another Computer

Since self-certified databases won't be trusted on another computer, you need to add your self-certification certificate to other computers that will be accessing your databases. To do this you need to create a file from your certificate, copy the file to the other computer, and add the certificate to that computer.

One way to create the Certificate (CER) file is to view the details of the certificate from the Visual Basic Editor. To get to the details of the certificate, select Tools | Digital Signature. This displays the Digital Signature dialog box like the one shown in Figure 20-9. On that dialog, click the Detail. . . button. This will display the Certificate Information, as shown in Figure 20-10.

Notice that the bottom of the form shows You have a private key that corresponds to this certificate. This message will be missing from other computers that have trusted the signature when they opened your database and will prevent your certificate from being trusted. After you copy the certificate and install it on those other computers, they will show the message.

To get to the option that will permit you to save the certificate to a file, click the Details tab. This will show the certificate details as seen in Figure 20-11.

Note: the Value column has been hidden in Figure 20-11 so as not to show the details of my certificate.

Notice the button Copy to File. . . on the form. Click this button to start the Certificate Export Wizard as shown in Figure 20-12. The Wizard will lead you through a process to create a file that you can copy to another computer.

After you create the file, you may take the file to another computer and open it. A file of type CER is known to Windows and will show the certificate details as shown in Figure 20-13.

To install the Certificate, click Install Certificate. . . That will start the Certificate Import Wizard.

After the certificate is installed on the computer, the first time you open a database signed with that certificate, you will be prompted to approve the certificate as seen in Figure 20-4. If you select the option to always trust the publisher, databases that are signed with that certificate will be opened without a prompt.

Keep in mind that signing the database will only handle issues related to macro security. You may need to update the Jet Engine to Service Pack 8 to avoid other issues around the new security protections in Access 2003. The next section describes the changes in Jet Expression Services, Sandbox mode and Jet Engine SP 8.