Digital Signature in Electronic Workflow Environments Eng. Andreas Schuster Business Development Manager Applied Security (apsec) M.E.

Contents Difference of Electronic Signature Visual Signature Digital Signature Signing of electronic documents (Live Demo) Verifying of digital signatures Usage of smartcard & fingerprint Solutions to be added Advantages, Integration Examples

Difference of

Electronic Signature

Visual Signature

Digital Signature

Signing of electronic documents (Live Demo)

Verifying of digital signatures

Usage of smartcard & fingerprint

Solutions to be added

Advantages, Integration Examples

“ Electronic Signature” – Is it new? Electronic signature definition: “A signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document or transaction.” Samples: PIN for ATM Digital pen or signature pad for Signing a credit or debit slip POS transaction handover certificate / certificate of receipt (delivery) Fax transmission with a stamp and/or signature Security: Electronic signature is not protected by cryptographic methods, but considered as enforceable contract in most countries. Forging and spoofing can not be prevented due the fact that the e-signature can be copied easily.

Electronic signature definition: “A signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document or transaction.”

Samples:

PIN for ATM

Digital pen or signature pad for

Signing a credit or debit slip

POS transaction

handover certificate / certificate of receipt (delivery)

Fax transmission with a stamp and/or signature

Security:

Electronic signature is not protected by cryptographic methods, but considered as enforceable contract in most countries.

Forging and spoofing can not be prevented due the fact that the e-signature can be copied easily.

Electronic “Visual” Signature Process of adding a handwritten signature to a electronic document. Either: Signature line can be scanned once and the image can be added to the document later Or: signature is captured every time by the use of a signature pad Security: Signature graphic can be protected, but still can be extracted from any signed document and re-used unauthorized. Automatic verification of the entered signature is not possible. Manual forensic signature analysis would be required. Signature Scan Interlink ePad II approx. US$ 160

Process of adding a handwritten signature to a electronic document.

Either: Signature line can be scanned once and the image can be added to the document later

Or: signature is captured every time by the use of a signature pad

Security:

Signature graphic can be protected, but still can be extracted from any signed document and re-used unauthorized.

Automatic verification of the entered signature is not possible. Manual forensic signature analysis would be required.

Electronic “Digital” Signature Digital signature uses a private (and secret) key to generate a digital signature for a specific document. Anyone can use this document including the attached digital signature plus a public key to verify the authenticity of the document. Security: Digital signature provides non-repudiation and allows originator authentication and identification. Private key (the secret used to generate the digital signature) should be protected with 2-factor authentication Digital signature cannot be copied, because it is valid for a single document only.

Digital signature uses a private (and secret) key to generate a digital signature for a specific document.

Anyone can use this document including the attached digital signature plus a public key to verify the authenticity of the document.

Security:

Digital signature provides non-repudiation and allows originator authentication and identification.

Private key (the secret used to generate the digital signature) should be protected with 2-factor authentication

Digital signature cannot be copied, because it is valid for a single document only.

Adding an Digital Signature Demonstration of an Office 2007 Signature Demonstration of a PDF Signature with apsec fide AS ® sign 2.0

Demonstration of an Office 2007 Signature

Demonstration of a PDF Signature with apsec fide AS ® sign 2.0

Principle of digitally signing Build a one-way hash of the document Encrypt the hash value with the private key of the signer Encrypted hash + certificate = signature Certain document- types allow to attach signature (e.g. PDF, PDF/A or XML) For other documents the signature could be saved as an extra file unsigned electronic document one-way hash Key-card encrypted one-way hash certificate signed electronic document

Build a one-way hash of the document

Encrypt the hash value with the private key of the signer

Encrypted hash + certificate = signature

Certain document- types allow to attach signature (e.g. PDF, PDF/A or XML)

For other documents the signature could be saved as an extra file

Verification of electronically signed documents Separate signature from document Check certificate (e.g. CRL, OCSP) Decrypt hash with certificate Compute hash of document Compare the two hash values unsigned electronic document one-way hash encrypted one-way hash certificate signed electronic document encrypted one-way hash certificate decrypted one-way hash check if valid compare

Separate signature from document

Check certificate (e.g. CRL, OCSP)

Decrypt hash with certificate

Compute hash of document

Compare the two hash values

Signature Verification of PDF-Documents PDF can be verified with Acrobat Reader A simple click on the sign symbol in the document is enough Certificates can be checked offline or online

PDF can be verified with Acrobat Reader

A simple click on the sign symbol in the document is enough

Certificates can be checked offline or online

Media to store the Private Key PKCS#12 – software certificate PKCS#11 – smartcard or USB-token USB-token Smartcard + smartcard reader Fingerprint Biometric e.g. Feitian BioPass 3000 Public Key and the Digital Certificate Is used to verify the signature and is stored together with the document Can define a time frame the keys/trusts are valid Usage of Smartcards and Fingerprint Cryptographic Smartcard, Cryptographic USB-Token, Cryptographic Fingerprint Reader: 32K-72K secure memory, RSA key generation on card, optional biometric match on card

Media to store the Private Key

PKCS#12 – software certificate

PKCS#11 – smartcard or USB-token

USB-token

Smartcard + smartcard reader

Fingerprint Biometric

e.g. Feitian BioPass 3000

Public Key and the Digital Certificate

Is used to verify the signature and is stored together with the document

Can define a time frame the keys/trusts are valid

Solutions to be added: fide AS ® sign Server or client based digital signing solution Modular concept allows combining: Integration interfaces: GUI Batch-mode Email / SMTP connector SOAP Signature and document types: PDF (embedded) XML (embedded) CMS-signature (for any document) Signature quality: from software keys for internal use to different hardware solutions (like smart cards, tokens, biometric /w crypto chip)

Server or client based digital signing solution

Modular concept allows combining:

Integration interfaces:

GUI

Batch-mode

Email / SMTP connector

SOAP

Signature and document types:

PDF (embedded)

XML (embedded)

CMS-signature (for any document)

Signature quality:

from software keys for internal use

to different hardware solutions (like smart cards, tokens, biometric /w crypto chip)

Using electronic documents saves time and money: No paper / printing / mailing cost Accelerated workflow Easy, multi-user document archives Sign electronic documents to: Protect documents from manipulation Secure an approval process Identify the signer Make an electronic document legally binding Digital Signature is legalized in most countries including the U.A.E., see TRA law from 2006: http://www.tra.ae/TRA-eCommerce-resolutions.php Usability & Security Advantages

Using electronic documents saves time and money:

No paper / printing / mailing cost

Accelerated workflow

Easy, multi-user document archives

Sign electronic documents to:

Protect documents from manipulation

Secure an approval process

Identify the signer

Make an electronic document legally binding

Digital Signature is legalized in most countries including the U.A.E., see TRA law from 2006: http://www.tra.ae/TRA-eCommerce-resolutions.php

Technical Advantages Easy-to-use apsec CA is available to issue digital IDs One PIN entry for thousands of signatures – even when using smart cards Adjustable to your requirements Works with most common key media types like Smart cards USB-token HSM Module Biometric devices with crypto chip Key files Cryptographic Smartcard, USB-token, HSM, or Biometric: 32K-128K secure memory, RSA key generation on card, opt. biometric match on card

Easy-to-use

apsec CA is available to issue digital IDs

One PIN entry for thousands of signatures – even when using smart cards

Adjustable to your requirements

Works with most common key media types like

Smart cards

USB-token

HSM Module

Biometric devices with crypto chip

Key files

Internal workflows Simplify and accelerate work processes Archive signed electronic documents to: Make sure that hat the document is genuine Enable multi-user reading Reduced paper and printing cost Electronic contracts Multi-signing secures electronic contracts e-billing Save mailing, paper and printing costs Ensure legal and secure e-billing Application Advantages

Internal workflows

Simplify and accelerate work processes

Archive signed electronic documents to:

Make sure that hat the document is genuine

Enable multi-user reading

Reduced paper and printing cost

Electronic contracts

Multi-signing secures electronic contracts

e-billing

Save mailing, paper and printing costs

Ensure legal and secure e-billing

Integration Examples Workflow Supported Integration Interfaces for Workflow Applications Java Wrapper (portlet) IBM FileNet P8 Connector: Universal File Importer Dokumentum Check-in Filter Electronic Workflow Check-In / Check-Out J2EE (pure Java portlet) SOAP 1.1/1.2 XML Envelope Native XML Batch signing (in-folder, out-folder) Command line tool for simplest integration Email / SMTP interface

Supported Integration Interfaces for Workflow Applications

Java Wrapper (portlet)

IBM FileNet P8 Connector: Universal File Importer

Dokumentum Check-in Filter

Electronic Workflow Check-In / Check-Out

J2EE (pure Java portlet)

SOAP 1.1/1.2 XML Envelope

Native XML

Batch signing (in-folder, out-folder)

Command line tool for simplest integration

Email / SMTP interface

Reference Story: City of Oberursel Use PKI solution to digital sign workflow documents The documents are processed, signed and forwarded to the next person in charge. Implemented: 2004, enhanced 2006 Authentication: fingerprint + smartcard apsec products integrated: fide AS ® sign fide AS ® miniCA public sector

Use PKI solution to digital sign workflow documents

The documents are processed, signed and forwarded to the next person in charge.

Implemented: 2004, enhanced 2006

Authentication: fingerprint + smartcard

apsec products integrated:

fide AS ® sign

fide AS ® miniCA

See you soon on our next Webcast! Enhanced Encryption Technologies for Enterprises (planned 3 rd Week of June) Network / Server Encryption Database Encryption Email Encryption All participants will receive a free copy of our PC / notebook encryption solution fide AS ® file private

Enhanced Encryption Technologies for Enterprises (planned 3 rd Week of June)

Network / Server Encryption

Database Encryption

Email Encryption

All participants will receive a free copy of our PC / notebook encryption solution fide AS ® file private

Thanks for your attention! Speak with us.. apsec offers full service for all aspects of data security. Applied Security GmbH Industriestraße 16 D-63811 Stockstadt Fon: +49(0)6027/4067-0 Fax: +49(0)6027/4067-99 Internet: http://www.apsec.de email: info@apsec.de Your contact: Andreas Schuster Applied Security UAE, Dubai [email_address]