Blockchain private permissioned
1. BVBA
03-23-05 June 2011
page 1 • TSDT
TSDT-Trusted secure digital trans-actioning
(blockchain private)
Presented by Jan Biets
2. BLOCKCHAIN, Private & Permissioned June 2011
BVBA
page 2 • TSDT
“Forview”
introduction
– Introduction: why do we need a trustworthy system?
– Overview of TSDT, the elements;
– Compliant with international standards
– Typical situation
• Business cases to apply “secure trans-actioning”
3. Intro
• The author adheres to:
– in general “closed environment”, also known as “permissioned blockchain”, and “private blockchain”, trust authority, or company network, and other “membership”- or “society”-based environments, with very strong identification, access and authorisation management
– In general “non-repudiation” is definitely not easy to constitute in a contemporary world. Trustworthy partners (authorities) are required to establish a reliable (read: “trustworthy”) and generally accepted business trans-actioning system;
Admittance: face-2-face identification, class 3, 4 or even 5
5. NON-REPUDIATION
[Diagram of terms: TSDT, TSA, TTP, XAdES-XL, CA, LTANS, SSCD, PKI, RA, process, policy, CRL, OCSP, XAdES-A, OID, HSM, European law, ERS, VAS, XML, TAA, ETSI TS 102 023, ETSI TS 101 903, IAM]
How?
6. [Diagram of components: TSA, E-SIGN, CA - PKI, ERS, Management, Law, Policy, Security, Business Process, User interface components, IAM]
7. [Diagram: TSDT operations, other modules; documented, managed; law & standards constellation]
8. TSDT - other elements
• Business Case
– Why, what, how (justification)
• Risk assessment
– What are the risks “what if not”
• Business Process Flow
– Define the streams of the document flows
• DMS
– Choice: “commercial” product, or open source
– User interface (GUI)
Abbreviations:
DMS – Document Management System,
GUI – Graphical User Interface
9. TSDT - prerequisites
• CA – PKI and RA: strong identification and access management
• XAdES XL, electronic signature
– ETSI TS 101 903 XML advanced electronic signatures
– ETSI TS 101 703 Electronic Signature Formats (CMS)
– XAdES Long-Term Signature Format Profile v1.0
– Basic electronic signature (XAdES-BES)
– Explicit policy based electronic signature (XAdES-EPES)
– Electronic signature with Time (XAdES-T)
– Electronic signature with Complete Validation Data Reference (XAdES-C)
• TSA, timestamp authority
– ETSI TS 101 861 Time stamping profile
– ETSI TS 102 023 Policy requirements for time stamping authorities
10. Applicable standards
• IAM: identification and access management, by means of:
– RA – registration authority, both based on, and in full compliance with, ETSI TS 101 456 V1.4.1 (2006-01)
– Technical Specification Electronic Signatures and Infrastructures (ESI);
– Policy requirements for certification authorities issuing qualified certificates, and
– ETSI_TS_101 862_Qualified_certificate_profile
– Policy based on ETSI TS 101 456
11. Applicable standards
• Electronic signature:
– To enable the use of digital signatures, the programme decided to realise the XAdES XL signature (ETSI TS 101 903 V1.3.2 (2006-03))
– Technical Specification XML Advanced Electronic Signatures (XAdES)
– ETSI_es_201733v010103_Electronic Signature Formats
– ETSI_sr_002176v010101_Algorithms and Parameters for Secure Electronic Signatures
12. Applicable standards
• TSA (timestamp authority) based on ETSI TS 102 023 V1.2.1 (2003-01)
• Technical Specification Electronic Signatures and Infrastructures (ESI); Policy requirements for time-stamping authorities, and
• ETSI_ts_101861v010301_time_stamping_profile
14. TSA – timestamp, process flow
[Process-flow diagram, according to ETSI TS 102 023: Request time stamp; Verify validity certificate (logging); Verify validity > 1 < second (logging); Set time stamp; TimeStamp; System audit process]
15. TSDT - approach
• creating a system to enable the TSDT service:
– policy,
– processes,
– procedures,
• procedures (or protocols) contain the 'what', the 'how', the 'where', and the 'when'.
– security,
– infrastructure/architectural design and
– audit
• Verify: systems, documents, and operations
Abbreviations:
CA - Certification Authority,
PKI - Private Key Infrastructure,
RA - Registration Authority
TSA - Timestamp Authority
16. TSDT - IAM
• Minimal requirement!
• Class 3 Certificate: This certificate will be issued to individuals as well as organizations. As these are high assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities.
Abbreviations:
CA - Certification Authority,
RA - Registration Authority
17. Certificate classification (VeriSign)
• VeriSign uses the concept of classes of digital certificates
– Class 1 for individuals, intended for email.
– Class 2 for organizations, for which proof of identity is required.
– Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority.
– Class 4 for online business transactions between companies.
– Class 5 for private organizations or governmental security.
https://www.verisign.com/support/roots.html
18. TSDT - Policy
A policy is typically described as a principle or set of rules to guide decisions and achieve rational outcome(s).
Whereas a policy will contain the 'what' and the 'why',
Typical topics:
• Purpose
• Policy administration
• Obligations and liability
• Organisation’s digital archive preservation policy
• Records to be deposited
• Time of deposit (retention)
• Data integrity, and access continuity assurances
• Data integrity – system
• Accepted formats
• Infrastructure
19. TSDT – security shells (barriers, tiers)
[Diagram of security shells, with the labels: Trusted Archival Authority; Policy Security; Policy HR; Organisation & management Policy; Physical Security; Building Security; Server room; Network Security; System Security; Application security; Authorisation & authentication; User interface Security; procedures; people]
20. TSDT – basic functionalities and features
• Depose documents
• User management
• Access control
• Document life cycle management (retention policy)
• Audit trail (event logging)
• Proof of document integrity
• Web access (intranet, internet)
• Document management system (user interface)
21. TSDT – basic functionalities: audit trail (logging of events), 1/2
• System:
– Authorisation matrix
– Change file detection
– Log file is encrypted
– Secure logging
– Operator alerts
– System alarms
– System modifications have to be done by “system administrator” + logging (+ documented)
Based on results of risk assessment
Remark:
CWA 14167-1. Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures
22. TSDT – basic functionalities: audit trail (logging of events), 2/2
• Procedures
– 4-eyes in case of system operations / modifications
– Administrator access management by means of smart card and certificate
• Dashboard (events)
– Authorisation matrix
– Configuration, user management, access management modifications
– Who has deposed, modified, consulted, changed, deleted or shared which document, and when?
Based on results of risk assessment
23. TSDT – basic functionalities: user management
• Authority assigns access rights to users
• User management data (access rights) information exchange via Certificate smart card, and authentic source;
– Roles:
• Authority
• Employee
• System administrator (local office/authority)
– Responsibilities:
• Depose
• Copy
• Share
• Delete
• View
• Annotate
• (other actions)
24. TSDT – basic functionalities: proof of integrity
• System generates an “ERS” per document, to prove long-term evidence (non-repudiation / undeniable)
• Kind of “fingerprint”
– Timestamp
– Electronic signature
– Certificate (status)
– Root chain certificate
– Hashing (verification / proof of “un-changed” status of content)
• System periodically regenerates the ERS (based on certificate life cycle)
Abbreviations:
ERS – Evidence record syntax
25. TSDT – attributes of a trans-actioned document
[Diagram: Archived Object; Object meta-data; Digital Signature (optional); Complementary data; Archive meta-data; Evidence record; Object’s conservation attributes]
26. TSDT – Overview of trans-actioned features
[Diagram: Archived Object; Object meta-data; Digital Signature (optional); Complementary data; Archive meta-data; Evidence record; Object’s conservation attributes]
Transactioning object
• Could be any electronic file / data.
Object meta-data
Author, category, size, version, date, key-word
Digital Signature
Relevance depends on legal requirements.
It is mandatory to prove the legal “serieux” of the users
27. TSDT – ERS, evidence record syntax
[Diagram: Archived Object; Object meta-data; Digital Signature (optional); Complementary data; Archive meta-data; Evidence record; Object’s conservation attributes]
Overview of ERS
Complementary data
• Digital certificate
• Certificate chain
• Certificate revocation list
meta-data
• Document owner
• Trans-actioning time
• Origin of document
Evidence record
• Document fingerprint
• Timestamp
• Hash link
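The proof-of-integrity and ERS slides describe an evidence record as a document fingerprint, a timestamp and a hash link, regenerated periodically. The following is an added example, not code from the presentation, that models that chain in simplified form; it is not the RFC 4998 encoding, and `tsa_stamp` with its constructed HMAC key is an assumed stand-in for a real TSA's signed token.

```python
import hashlib, hmac, json

TSA_KEY = b"constructed-demo-key"  # stand-in for the TSA signing key (assumption)

def digest(data):
    return hashlib.sha256(data).hexdigest()

def seal(value, when):
    body = json.dumps({"digest": value, "time": when}, sort_keys=True).encode()
    return hmac.new(TSA_KEY, body, hashlib.sha256).hexdigest()

def tsa_stamp(value, when):
    """Toy TSA: binds a digest to a time. A real TSA returns a signed token."""
    return {"digest": value, "time": when, "seal": seal(value, when)}

def link(token):
    """Hash link: fingerprint of the previous time-stamp token."""
    return digest(json.dumps(token, sort_keys=True).encode())

def new_record(document, when):
    return [tsa_stamp(digest(document), when)]

def renew(record, when):
    """Periodic regeneration: time-stamp the hash of the latest token."""
    return record + [tsa_stamp(link(record[-1]), when)]

def first_broken_link(document, record):
    """Index of the first token that fails verification, or -1 if intact."""
    if not record:
        return 0  # an empty record proves nothing
    expected, previous_time = digest(document), ""
    for i, token in enumerate(record):
        sealed = hmac.compare_digest(seal(token["digest"], token["time"]), token["seal"])
        if token["digest"] != expected or not sealed or token["time"] <= previous_time:
            return i
        expected, previous_time = link(token), token["time"]
    return -1

# Constructed sample: a document deposited in 2011 and renewed twice.
DOC = b"constructed sample contract"
RECORD = renew(renew(new_record(DOC, "2011-06-01T00:00:00Z"),
                     "2014-06-01T00:00:00Z"), "2017-06-01T00:00:00Z")
print(first_broken_link(DOC, RECORD))
```

Changing the document breaks the first token, while removing or backdating a renewal breaks the chain at that position, because every later token covers the hash of the one before it.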
28. TSDT – basic architectural design
[Diagram: User client; Web Service; DMS – user interface; ERS engine; TSA; Hardware & Storage; Policy & Procedures; Security & Legal]
29. TSDT – functional architectural design
[Diagram: IAM; CA; TSA; DMS; ERS; i-Sign; HW; Event logging (audit trail); storage; SA*]
Abbreviations:
IAM – identity & access management
CA – Certification authority
(RA – registration authority)
SA – “source authentic”
ERS – Evidence record syntax
30. TSDT – process design
[Diagram: TAA & ERS; ERS]
31. TSDT – how it could work (a suggested scenario or use case)
32. TAA - prerequisites: TSA
Abbreviations:
TSA - Timestamp Authority, ETSI TS 102 023
33. TSDT – architectural design
[Diagram with the elements S1, S2, S3, S4]
Abbreviations:
LTAP – long term archival protocol
ERS – Evidence record syntax
34. Afterwords, attention items
• Business case, justification
• Risk analysis, threat, vulnerability, security
• Legal: sometimes constraints: only one copy as the original! or not allowed to store abroad (difficult to verify on internet!)
• Select technology;
• Business process flow;
• Usability, user friendly GUI;
• Success, succès.
35. Afterwords: points of attention during conceptual design
• Recoverability and Data Integrity
• Architecture / Design to achieve required availability
• Reliability
• Manageability
• Backup and Recovery
• Performance
• Scalability [Not every application supports more transactions or more users when adding CPU and Memory]
• Installation Requirements
• Configuration Requirements
• Maintainability Requirements
• Localisation / Internationalisation Requirements & constraints
• Operations-, Support- and Troubleshooting Requirements
• Documentation Requirements
• Monitoring: Application Level Monitoring must be explicitly requested, otherwise you just get system- and database monitoring.
• Archiving and Restoring
36. TSDT – some other fields of application
1. Liberal professions, which in some cases have long-term legal responsibilities, i.e.
– Lawyers
– architects: a 10 year professional responsibility for building plans
– accountants: also responsible for VAT declarations
– auditor/revisor (head of accountants): signing of fiscal year documents/statements
2. Log files
– log files (systems, applications,...) should not be changed, except by dedicated staff (i.e. chief security officer), in line with the applicable policy or local laws
3. Banks, insurance companies; stock exchange
– approval of credits and loans: who has done what in accordance with the mandate
– timeline and sequence (order) of the performed transactions (using time-stamping)
4. Medical statements and medicines prescription
– patients' medical records in electronic form
37. TSDT – basic functionalities: proof of integrity
5. Justice (ministry)
– defined and traceable work streams
– from police statement to lawyers and judges, and classification of files: every “role” has added, viewed, changed documents.
– Files cannot be changed by unauthorised people, nor be lost, with dramatic legal consequences
6. Patenting (every country has a patent office; patent is public information)
– to be able to prove who was first to come up with an idea or to patent a document, drawing, design, music score, research results,...
– Escrow
7. IPP (intellectual property protection)
– research companies have a legal trace of the progress of the search for a new product
– this can/could be private information (undisclosed to third parties)
38. TSDT – basic functionalities: proof of integrity
8. Registered mail
– electronic mail with proof of content, 'addressee', time, and acceptance
9. Closed environments
– tax governments, pension authority, banks, insurances, stock exchange (logging of transactions),....
10. Accounting services companies
– storage of accounting companies customers' documents in electronic format – outsourced electronic archiving (is implemented in some Eastern European countries)
11. Apostilles:
– It specifies the modalities through which a document issued in one of the signatory countries can be certified for legal purposes in all the other signatory states. Such a certification is called an apostille (French: certification). It is an international certification comparable to a notarisation in domestic law.
12. Invoices:
– Electronic invoices archival, helpdesks, customer’s service, legal purposes.
39. The EU Directive 1999/93/EC on a Community framework for electronic signatures: Profiles
XAdES defines six profiles (forms) differing in protection level offered. Each profile includes and extends the previous one:
• XAdES, basic form just satisfying Directive legal requirements for advanced signature;
• XAdES-T (timestamp), adding timestamp field to protect against repudiation;
• XAdES-C (complete), adding references to verification data (certificates and revocation lists) to the signed documents to allow off-line verification and verification in future (but does not store the actual data);
• XAdES-X (extended), adding timestamps on the references introduced by XAdES-C to protect against possible compromise of certificates in chain in future;
• XAdES-X-L (extended long-term), adding actual certificates and revocation lists to the signed document to allow verification in future even if their original source is not available;
• XAdES-A (archival), adding possibility for periodical timestamping (e.g. each year) of the archived document to prevent compromise caused by weakening signature during long-time storage period.
40. XAdES, electronic signature composition
The XAdES-T envelope: contains a trusted timestamp over the signature. The goal is to prove that the signer’s certificate was valid at the time of signature.
The XAdES-X envelope: “When an OCSP response is used, it is necessary to time-stamp in particular that response in the case the key from the responder would be compromised”
In other words, the goal is to prove that the OCSP responder’s signing certificate was valid at the time of OCSP response.
“The SignatureTimeStamp encapsulates the time-stamp over the SignatureValue element.”
XAdES: XML Advanced Electronic Signatures
Specification from the ETSI that is built upon the Xmldsig specification. It provides “signatures that remain valid over long periods”.
[Diagram of envelopes: XAdES-X-L, XAdES-X, XAdES-C, XAdES-T, XAdES-EPES; labels: OCSP, Timestamp, Certificates Chain, Timestamp, XAdES - a Timestamp]
42. “XAdES-A”, electronic signature composition
• Signed Signature Properties
• Signing Time (non-authoritative: may be from signer’s computer)
• Signature Certificate
• Signature Policy Identifier
• Signature Production Place (optional)
• Signer Role (optional)
• Signed Data Properties
• Data Object Format *
• Commitment Type Indication *
• All Data Objects Time Stamp *
• Individual Data Objects Time Stamp *
• Unsigned Signature Properties
• Counter Signature *
• Signature Timestamp +
• Complete Certificate Refs
• Complete Revocation Refs
• Refs Only Time Stamp – or – Sig and Refs Time Stamp
• Certificate Values
• Revocation Values
• Archive Time Stamp +
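The profile ladder and the property list above can be turned into an archive check: which form does a stored signature actually reach, and what is missing for the next one? The following is an added example, not code from the presentation; element names are those of ETSI TS 101 903, and `sample_signature`, `ARCHIVE` and the file names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Properties each form adds (ETSI TS 101 903 element names, matched by local
# name); a set with two names means either one satisfies the requirement.
LADDER = [
    ("XAdES-T", [{"SignatureTimeStamp"}]),
    ("XAdES-C", [{"CompleteCertificateRefs"}, {"CompleteRevocationRefs"}]),
    ("XAdES-X", [{"SigAndRefsTimeStamp", "RefsOnlyTimeStamp"}]),
    ("XAdES-X-L", [{"CertificateValues"}, {"RevocationValues"}]),
    ("XAdES-A", [{"ArchiveTimeStamp"}]),
]

def xades_form(xml_text):
    """Return (form, missing): the highest form whose properties are all present
    and what the next form still lacks. Presence check only; it does not
    validate the signature, the time-stamps or the certificates."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs and entities in signed XML
        raise ValueError("DOCTYPE not allowed")
    names = {el.tag.rsplit("}", 1)[-1] for el in ET.fromstring(xml_text).iter()}
    if not {"Signature", "SignedSignatureProperties"} <= names:
        return None, ["Signature", "SignedSignatureProperties"]
    form = "XAdES-EPES" if "SignaturePolicyIdentifier" in names else "XAdES-BES"
    for name, required in LADDER:
        missing = ["|".join(sorted(alts)) for alts in required if not alts & names]
        if missing:
            return form, missing
        form = name
    return form, []

def below_policy(archive, minimum="XAdES-X-L"):
    """Sorted names of archived signatures that do not reach the minimum form."""
    order = ["XAdES-BES", "XAdES-EPES"] + [name for name, _ in LADDER]
    accepted = order[order.index(minimum):]
    return sorted(doc for doc, xml in archive.items()
                  if xades_form(xml)[0] not in accepted)

def sample_signature(unsigned):
    """Constructed skeleton signature carrying the given unsigned properties."""
    ns = ('xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
          'xmlns:x="http://uri.etsi.org/01903/v1.3.2#"')
    props = "".join(f"<x:{name}/>" for name in unsigned)
    return (f"<ds:Signature {ns}><ds:SignatureValue/><ds:Object>"
            "<x:QualifyingProperties><x:SignedProperties>"
            "<x:SignedSignatureProperties><x:SigningTime/><x:SigningCertificate/>"
            "</x:SignedSignatureProperties></x:SignedProperties><x:UnsignedProperties>"
            f"<x:UnsignedSignatureProperties>{props}</x:UnsignedSignatureProperties>"
            "</x:UnsignedProperties></x:QualifyingProperties></ds:Object></ds:Signature>")

FULL = [name for _, req in LADDER for alts in req for name in sorted(alts)]
ARCHIVE = {  # constructed sample archive
    "invoice-001.xml": sample_signature(["SignatureTimeStamp"]),
    "deed-002.xml": sample_signature(FULL),
}
print(below_policy(ARCHIVE))
```

A signature that carries an Archive Time Stamp but lacks the earlier references or values is reported at the lower form, since each profile includes and extends the previous one.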