1. ADSS Server / Trusted Archive Server Saving Time & Money, Avoiding Risk & Fraud
4. Ascertia ADSS Server Integration Options
Note: you only need to license and use what is needed today.
ADSS Server Web Services
 - via XML/SOAP messaging
 - via a provided high-level .NET API
 - via a provided high-level Java API
Using ADSS GoSign
 - within a web browser (GoSign Applet)
 - within a desktop .NET app (GoSign .NET)
 - within a desktop Java app (GoSign Java)
Using ADSS Server Auto File Processor
 - for one or more watched folders
Using ADSS Gateway for confidentiality
 - to extract signatures from documents
Using the Secure eMail Server
 - to handle emails and/or attachments
ADSS Server HTTP fast interface
 - for Signing and Verification services
(The slide also carries a Sign / Verify support matrix; two of the options are marked as roadmap items for Q3 2008.)
5. Ascertia ADSS Server Trust Services
Note: you only need to license and use what is needed today.
PDF Documents
 - Basic signature (visible / invisible)
 - Certify
 - Sign & timestamp
 - Long-term signatures
XML Documents
 - XML DSig (XAdES ES)
 - Timestamps (XAdES ES-T)
 - Long-term signatures (XAdES X-Long)
PKCS#7 / CMS / S/MIME
 - Basic signature (CAdES ES)
 - Timestamps (CAdES ES-T)
 - Long-term signatures (CAdES X-Long)
Historic Verification
OCSP Validation (immediate verify & long-term sign)
Time Stamp Authority (TSA) Server
(The slide also carries a Sign / Verify support matrix.)
6. ADSS Server Product Architecture
Client interfaces into ADSS Server:
 - Application Web Services (XML/SOAP over HTTP/S)
 - Application Java API
 - Email Gateway
 - Watched Folder
 - OCSP clients, SCVP clients and XKMS clients (using HTTP)
Requests may be synchronous or asynchronous.
(Items marked in the diagram were planned for Q1 2008.)
10. Interaction with ADSS Server
 - ADSS Enterprise Server offers a variety of digital signature creation, verification, timestamp client and validation services (Signature Generation Service, Signature Verification Service, Timestamp client, OCSP client, CRL Manager).
 - ADSS Infrastructure Server offers CA, TSA and OCSP VA services.
 - The Trusted Archive Server adds LTANS archiving: draft IETF LTANS processing of archive requests and multi-policy archive management.
 - External trust services in the diagram: CAs, TSA, VA.
14. Hash & Timestamp
Submission by people or applications: a Data Object plus Meta Data.
Trusted Archive Server steps:
 - Verify the request and the client's authorisation.
 - Gather Archive Process Meta Data.
 - Request a timestamp for the full archive object from a Time Stamp Authority (e.g. the Ascertia ADSS TSA Service).
 - Store the Data Object, Meta Data, Archive Process Meta Data and ERS in the DB.
Notes:
 - Meta data sent by the client may include: filename, author details, digital signature, etc.
 - Archive Process Meta Data may include archiving time, retention period, cryptographic info, etc.
 - ERS stands for Evidence Record Syntax (IETF LTANS, RFC 4998); it includes the timestamp information obtained from an RFC 3161 compliant TSA (see next slide).
15. Evidence Record Syntax (ERS)
<EvidenceRecord>
  <Version />
  <ArchiveTimeStampSequence>
    <CanonicalizationMethod />
    <ArchiveTimeStampChain Order>        +
      <DigestMethod />
      <ArchiveTimeStamp Order>           +
        <HashTree />                     *
        <TimeStamp />                    +
        <CryptographicInformation />     *
      </ArchiveTimeStamp>
    </ArchiveTimeStampChain>
  </ArchiveTimeStampSequence>
</EvidenceRecord>
(+ = one or more, * = zero or more)
 - An Evidence Record must contain at least one timestamp in the ArchiveTimeStampChain.
 - Additional timestamps may be added as the old timestamp nears its expiry. These are all contained within a single ArchiveTimeStampChain.
 - A new ArchiveTimeStampChain is created when the underlying hash algorithm needs to be renewed (because of a weakness in the original algorithm).
Note: the Ascertia ADSS TAS Service will use a timestamp for each data object rather than a hash tree. This keeps each object's evidence independent of other submissions and gives an immediate response, instead of waiting for a batch of objects to be built into a hash tree. Support for Merkle hash trees will be added later.
16. ERS - Timestamp Renewal Structure
EvidenceRecord
  ArchiveTimeStampSequence
    ArchiveTimeStampChain Order=1
      DigestMethod
      ArchiveTimeStamp Order=1
        TimeStamp
        Cryptographic Information
      ArchiveTimeStamp Order=2
        TimeStamp
        Cryptographic Information
    ArchiveTimeStampChain Order=2
      ...
 - The first timestamp is over the archive object, including its meta data.
 - Cryptographic Information stores the CRLs, certificates and trust anchors required to verify the timestamp, so that verification does not depend on a CA or VA still being available years later.
 - A new timestamp is requested before expiry of the previous timestamp (or after a configurable period, e.g. annually). This renewal timestamp is only over the last timestamp.
 - A new chain is created when the digest algorithm is changed. The first timestamp of the new chain is over the original data object and all previous chains.
Note the practical difference between the two renewals: timestamp renewal needs only the previous timestamp token, but hash-algorithm renewal must re-hash the original archive object (and every earlier chain) with the new algorithm, so the archive must still be able to retrieve the object, and the renewal must happen before the old algorithm is actually broken.
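The two slides above (hash & timestamp submission, and the ERS renewal structure) can be exercised end to end with the following model. This is an added example, not Ascertia code and not a full RFC 4998 implementation: it keeps the per-object timestamp layout the ADSS TAS note describes (no hash trees), uses JSON dicts in place of ASN.1/XML, and replaces the RFC 3161 TSA with a constructed `SimulatedTSA` whose HMAC stands in for the TSA's signature. All names (`archive_object`, `create_evidence_record`, `renew_timestamp`, `renew_hash_algorithm`, `verify_evidence_record`) and the sample data are assumptions made for the example.

```python
import hashlib
import hmac
import json

class SimulatedTSA:
    """Constructed stand-in for an RFC 3161 TSA: the token is an HMAC (under a
    key only the TSA holds) over (digest alg, message imprint, time). A real TSA
    signs a TSTInfo; the ERS logic below does not depend on which is used."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def _body(self, alg, imprint_hex, at):
        return json.dumps({"tsa": self.name, "alg": alg, "imprint": imprint_hex,
                           "time": at}, sort_keys=True).encode()

    def timestamp(self, alg, imprint, at):
        mac = hmac.new(self.key, self._body(alg, imprint.hex(), at), "sha256").hexdigest()
        return {"tsa": self.name, "alg": alg, "imprint": imprint.hex(), "time": at, "mac": mac}

    def verify(self, tok):
        expected = hmac.new(self.key, self._body(tok["alg"], tok["imprint"], tok["time"]),
                            "sha256").hexdigest()
        return hmac.compare_digest(expected, tok["mac"])

def canon(obj):
    """Deterministic encoding; plays the role of the ERS CanonicalizationMethod."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(alg, data):
    return hashlib.new(alg, data).digest()

def archive_object(data_object, meta_data, process_meta):
    """Archive object = data object + client meta data + archive process meta
    data, each length-prefixed so field boundaries cannot be shifted."""
    parts = [data_object, canon(meta_data), canon(process_meta)]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def create_evidence_record(archive_obj, alg, tsa, at):
    """Chain 1, timestamp 1: covers the whole archive object (slide 14/16)."""
    tok = tsa.timestamp(alg, digest(alg, archive_obj), at)
    return {"version": 1, "chains": [{"order": 1, "digest_method": alg,
            "timestamps": [{"order": 1, "timestamp": tok, "crypto_info": [tsa.name]}]}]}

def renew_timestamp(er, tsa, at):
    """Timestamp renewal: a new ArchiveTimeStamp over the previous timestamp
    only, appended to the current chain under the same digest algorithm."""
    chain = er["chains"][-1]
    prev = chain["timestamps"][-1]
    imprint = digest(chain["digest_method"], canon(prev["timestamp"]))
    tok = tsa.timestamp(chain["digest_method"], imprint, at)
    chain["timestamps"].append({"order": prev["order"] + 1, "timestamp": tok,
                                "crypto_info": [tsa.name]})
    return er

def _chain_renewal_imprint(alg, archive_obj, previous_chains):
    # The original object AND every earlier chain are re-hashed with the new
    # algorithm, so the weakening algorithm is no longer load-bearing.
    return digest(alg, digest(alg, archive_obj) + digest(alg, canon(previous_chains)))

def renew_hash_algorithm(er, archive_obj, new_alg, tsa, at):
    """Hash-algorithm renewal: start a new ArchiveTimeStampChain."""
    imprint = _chain_renewal_imprint(new_alg, archive_obj, er["chains"])
    tok = tsa.timestamp(new_alg, imprint, at)
    er["chains"].append({"order": len(er["chains"]) + 1, "digest_method": new_alg,
                         "timestamps": [{"order": 1, "timestamp": tok, "crypto_info": [tsa.name]}]})
    return er

def verify_evidence_record(er, archive_obj, tsa):
    """Re-derive every imprint and check every token; times must increase.
    A modified object, a modified earlier chain or a forged token fails."""
    last_time = -1
    for i, chain in enumerate(er["chains"]):
        alg = chain["digest_method"]
        for j, ats in enumerate(chain["timestamps"]):
            tok = ats["timestamp"]
            if j == 0:
                expected = (digest(alg, archive_obj) if i == 0
                            else _chain_renewal_imprint(alg, archive_obj, er["chains"][:i]))
            else:
                expected = digest(alg, canon(chain["timestamps"][j - 1]["timestamp"]))
            if tok["alg"] != alg or bytes.fromhex(tok["imprint"]) != expected:
                return False
            if not tsa.verify(tok) or tok["time"] <= last_time:
                return False
            last_time = tok["time"]
    return True

def demo():
    """Constructed walk-through: archive, renew the timestamp, renew the
    algorithm, then verify the good record and two tampered variants."""
    tsa = SimulatedTSA("example-tsa", b"constructed-demo-key")
    obj = archive_object(b"%PDF-1.4 constructed contract bytes",
                         {"filename": "contract.pdf", "author": "A. Example"},
                         {"archived_at": 1000, "retention_years": 10})
    er = create_evidence_record(obj, "sha256", tsa, 1000)
    renew_timestamp(er, tsa, 2000)             # old token nearing expiry
    renew_hash_algorithm(er, obj, "sha512", tsa, 3000)  # sha256 deemed weak
    ok = verify_evidence_record(er, obj, tsa)
    tampered_object = verify_evidence_record(er, obj + b"x", tsa)
    er["chains"][0]["timestamps"][0]["crypto_info"] = ["swapped"]  # edit chain 1
    tampered_chain = verify_evidence_record(er, obj, tsa)
    return ok, tampered_object, tampered_chain, len(er["chains"]), \
        len(er["chains"][0]["timestamps"]), er["chains"][1]["digest_method"]

if __name__ == "__main__":
    print(demo())
```

Note the order of checks in `verify_evidence_record`: imprints are re-derived from the data you hold, then the token is checked, then monotonic time. Changing anything in chain 1 after chain 2 was created breaks chain 2's first imprint, which is exactly the property that lets a verifier trust a SHA-256 chain long after SHA-256 is no longer acceptable on its own.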
19. Notary Signing and Archiving
Submission: a Signed Data Object plus Meta Data (e.g. a detached signature).
Trusted Archive Server steps:
 - Verify the request and the client's authorization.
 - Gather Archive Process Meta Data.
 - Compute a notary signature over the Archive Object, with the notary key held in an HSM (e.g. SafeNet Luna SA).
 - Request a timestamp for the full archive object from a Time Stamp Authority (e.g. the Ascertia ADSS TSA Service).
 - Store the result in the DB.
Notes:
 - Archive meta data will include a notary signature over the Archive Data Object. This can be a PKCS#7/CMS signature or an XML DSig.
 - ERS will cover the notary signature, so the whole package, including the notary signature, is protected for the long term.
24. Data Storage within an ECM System
Request system: could be any system, but expected to be the ECM (or EPM, ERP or CRM) system.
ADSS TAS Service steps:
 - Verify the request and the ECM system's authorisation.
 - Process the Archive Service request (Archive, Verify, Export or Search request).
 - Create the response and send it to the ECM using the identifiers provided in the request; log to the DB.
Data flows: the archive request carries the Data Object and Meta Data (e.g. a detached signature); the archive response / data management flow returns Archive Process Meta Data and ERS data, with the option to return all data to the ECM environment.
Notes:
 - ERS data is not stored in the ADSS TAS database area but passed back to the defined ECM system for secure storage and retrieval under the given identifiers.
 - The ECM system is responsible for storing the Data Object, Meta Data, Archive Process Meta Data and ERS data.
 - Transaction data: the request/response details are held by ADSS Server within the TAS transaction log, where the actions and results can be viewed; the log records the ECM storage identifiers.
27. ADSS Server Scalability / Resilience
 - A hardware load balancer (e.g. Big-IP, Cisco) distributes archive requests and responses across two or more ADSS Server instances.
 - Database replication between the ADSS Server instances; SQL Server, Oracle or PostgreSQL supported.
 - Optional HSMs (HSM 1, HSM 2), one per ADSS Server.
 - One or more CAs supported (CA 1, CA 2 ... CA n), each providing CRLs and OCSP.
28. Use Case Example - Workflow
Workflow stages: Request, Sign, Protect, Review, Approve, Countersign, Later audit / review.
Business systems (ERP, CRM, ECM) call ADSS Server + TAS at these stages for Sign & Timestamp, Verify and Evidence Archive services.
The diagram distinguishes approval-required business flows from approval-granted business flows.