Presentation is loading. Please wait.

Presentation is loading. Please wait.

Creating Signatures at User Agents Comparing Transport Bindings.

Published bySuzanna Moore Modified over 8 years ago

Similar presentations

Presentation on theme: "Creating Signatures at User Agents Comparing Transport Bindings."— Presentation transcript:

1 Creating Signatures at User Agents Comparing Transport Bindings

2 Use Case Assumptions A User-Agent is connected to used as a Signature Creation Device, possibly by means of an SSCD., but cannot perform all verification functions nor all kinds of complex signature creation functions. This User-Agent may be equipped with a gradual set of signature-related functionality ranging from the simple forwarding of APDUs e.g. according to ISO/IEC 7816 to the (S)SCD to full blown signature functionality according to the different OASIS DSS(-X) profiles. A User-Agent may have has limited software & performance capabilities and hence may be supported by a remote Digital Signature Service to handle the complexities of the signature creation if it cannot manipulate the document itself. A User-Agent always initiates the transaction and serves as HTTP-client. A document may remain on the client or server side s or move from one side to the other. at it’s current location at the Remote-End. A remote Digital Signature Service may be is used to handle the complexities of the signature creation (see above). As an example, a User-Agent can be a Mobile Device or an Applet in the browser. The OASIS DSS Core is used.

3 Use Case Actor The End-User of the User-Agent. System The User-Agent, communicating with a remote system for document handling and signature creation.

4 Use Case Basic Flow –Actor selects document. –User Agent remembers the selected document at the remote end. –Actor requests a signing operation for the document. –User Agent asks the user for a PIN or Password. –Actor enters the PIN or Password –User Agent calculates the signature using the (Secure) Signature Creation Device and presents the signed document, at the remote end, to the user. –Actor views the signed document.

5 System Aspects The User Agent is capable of creating a raw digital signature; it needs the hash of the document to create the raw signature. The document is at the Remote End. Scenario’s –1: Remote End requests DSS to do the signature creation; DSS delegates the raw signature creation to the User Agent. –2: Remote End calculates the hash, requests the User Agent to create a raw signature and requests DSS to ‘complete’ the signature creation (the request contains the raw signature). –Case 2 requires the User Agent to have a ‘thin’ implemention of the DSS interface. –Both cases require 2 interactions between the User Agent and the Remote End for the signature creation. 12

6 User Agent Remote System Digital Signature Service (S)SCD @ User Agent Select document Sign document Calculate Hash DSS-Request(Complex) DSS-Request(PKCS#1) DSS-Response Prepare request for document Verification, Timestamping, Revocation Info, etc.... Sign Hash Sequence Diagram 1 – Delegated DSS Document signed 1 2

7 User Agent Remote System Digital Signature Service (S)SCD @ User Agent Select document Sign document Calculate Hash DSS-Request(Complex) DSS-Request(PKCS#1) DSS-Response Prepare request for document Verification, Timestamping, Revocation Info, etc.... Sign Hash Sequence Diagram 2 – Composite DSS Document signed 1 2

8 User Agent Remote System Select document SignRequest Calculate Hash (optional) SignResponse Prepare request for document Verification, Timestamping, Revocation Info, etc. (optional) Sequence Diagram 3 – “Rich DSS Client” signed Document 1 (S)SCD @ User Agent Sign Hash 2 Sign-APDU PKCS#1-Signature

9 User Agent Remote System Select document Sign(DID,hash) Calculate Hash SignResponse(Signature) Prepare request for document Verification, Timestamping, Revocation Info, etc. (optional) Sequence Diagram 4 – “SAL-Client (ISO/IEC 24727 / CEN 15480)” signed Document 1 (S)SCD @ User Agent Sign Hash 2 Sign-APDU PKCS#1-Signature HashResponse(hash) Hash(Message) or 0

10 User Agent Remote System Select document Transmit(Sign-APDU) Calculate Hash (optional) TransmitResponse(Signature) Prepare request for document Verification, Timestamping, Revocation Info, etc. (optional) Sequence Diagram 5 – “IFD-Client (ISO/IEC 24727 / CEN 15480)” signed Document 1 (S)SCD @ User Agent Sign Hash 2 Sign-APDU PKCS#1-Signature

11 eCard-API-Framework Rich DSS Client SAL Client IFD-Client

12 Major standards ISO/IEC 24727 (CEN 15480) OASIS DSS (-X)

13 Signature-related functions

14 ISO/IEC 24727 is based on DSS <schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="urn:iso:std:iso-iec:24727:tech:schema" xmlns:iso="urn:iso:std:iso-iec:24727:tech:schema" xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema" elementFormDefault="qualified" attributeFormDefault="unqualified"> <import namespace="urn:oasis:names:tc:dss:1.0:core:schema" schemaLocation="http://docs.oasis-open.org/dss/v1.0/oasis-dss-core-schema-v1.0-os.xsd">

15 Interaction User Agent Initiate Request –Hash is calculated at the ‘Remote End’ Create signature –Hash is signed at the User Agent In all cases the client (User Agent) initiates the requests to the Remote End. Possible Transport Bindings: PAOS, reverse SOAP. ebMS v3, using the ‘polling’ mode. Two separate SOAP calls.

16 PAOAS – Sequence 1 (1) Sign document (2) DSS-Request(PKCS#1) (2) DSS-Response (1) Document signed Calculate Hash Sign Hash DSS DSS-Response Digital Signature Service DSS-Request(Complex) Prepare DSS request Different session! Remote System

17 PAOAS – Sequence 2 (1) Sign document (2) DSS-Request(PKCS#1) (2) DSS-Response (1) Document signed Calculate Hash Sign Hash DSS DSS-Request(Complex) DSS-Response Digital Signature Service Remote System

18 PAOS – Sequence 3 (1) Sign document (2) SignRequest (2) SignResponse (1) Document signed Calculate Hash (optional) Sign Hash DSS (optional) Remote System

19 PAOS – Sequence 4 (1) Sign document (2) Sign (ISO/IEC 24727) (2) SignResponse (ISO/IEC 24727) (1) Document signed Calculate Hash (optional) Sign Hash DSS (optional) Remote System

20 PAOS – Sequence 5 (1) Sign document (2) Transmit(APDU) (2) TransmitResponse(Signature) (1) Document signed Calculate Hash (optional) Sign Hash DSS (optional) Remote System

21 PAOAS Usage Sequence 1 seems more complex than Sequence 2 –The request/response “(2) DSS- Request(PKCS#1)” is a new session, initiated by the DSS server... –... That request has to be correlated, by the Remote End, to the first PAOAS R/R, to put the “(2) DSS-Request(PKCS#1)” into the POAS response. Sequence 3-5 show integration of OASIS DSS(-X) and ISO/IEC 24727 / CEN 15480 It seems that the „additional complexity“ stems from the separation of the Remote System and the DSS

22 (1) Document signed (1) Sign document ebMSv3 – Sequence 1 User Agent Remote System Digital Signature Service (S)SCD @ User Agent PUSH(Request(Sign document)) MSH AMSH BMSH A PULL(Request) (2) DSS-Request(PKCS#1) PUSH(Response) (2) DSS-Response PULL(Response) Calculate Hash DSS-Request(Complex) DSS-Response Verification, Timestamping, Revocation Info, etc.... Sign Hash MSH C

23 (2) DSS-Response (2) DSS-Request(PKCS#1) (1) Document signed (1) Sign document ebMSv3 – Sequence 2 User Agent Remote System Digital Signature Service (S)SCD @ User Agent PUSH(Request(Sign document)) MSH AMSH BMSH A Calculate Hash PULL(Request) PUSH(Response) PULL(Response) DSS-Request(Complex) DSS-Response Verification, Timestamping, Revocation Info, etc. Sign Hash

24 ebMS Usage Sequence 1 –Requires DSS server to use ebMSv3 –Pull Request from User Agent has to be routed via the Remote System. Sequence 2 –Does not require DSS server to use ebMSv3 –No routing issue How does the ebMSv3 ‘client’ compare to the PAOAS ‘client’ at the User Agent regarding implementation complexity? A simple PAOS-applet may be as small as 100 kB.

Download ppt "Creating Signatures at User Agents Comparing Transport Bindings."

Similar presentations

ProAssist ® complex assistance services management system Global Assistance & INGENIUM Praha.

ProAssist ® complex assistance services management system Global Assistance & INGENIUM Praha.
Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.
Copyright Hub Software Engineering Ltd 2010All rights reserved Hub Document Exchange Product Overview Secure Transmission for Transaction-based Documents.

Copyright Hub Software Engineering Ltd 2010All rights reserved Hub Document Exchange Product Overview Secure Transmission for Transaction-based Documents.
EbMS3 Routing scenarios Part 2. MSH A MSH intermediary MSH B 1-way from A to B 1-way/push: A-Int 1-way/push: Int-B Int only forwards the message M1 HTTP.

EbMS3 Routing scenarios Part 2. MSH A MSH intermediary MSH B 1-way from A to B 1-way/push: A-Int 1-way/push: Int-B Int only forwards the message M1 HTTP.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
Virtual Ticketing Agents using Web Services and J2EE Advisor: Dr. Chung-E-Wang Date: 05/06/03 Naveen Repala.

Virtual Ticketing Agents using Web Services and J2EE Advisor: Dr. Chung-E-Wang Date: 05/06/03 Naveen Repala.
G O B E Y O N D C O N V E N T I O N WORF: Developing DB2 UDB based Web Services on a Websphere Application Server Kris Van Thillo, ABIS Training & Consulting.

G O B E Y O N D C O N V E N T I O N WORF: Developing DB2 UDB based Web Services on a Websphere Application Server Kris Van Thillo, ABIS Training & Consulting.
Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.
Modelling Feature Interaction Patterns in Nokia Mobile Phones using Coloured Petri Nets and Design/CPN Louise Lorentsen University of Aarhus Antti-Pekka.

Modelling Feature Interaction Patterns in Nokia Mobile Phones using Coloured Petri Nets and Design/CPN Louise Lorentsen University of Aarhus Antti-Pekka.
Can PKI be made simple enough to be used by non-experts? Signature formats and context Antonio Lioy ( polito.it ) Politecnico di Torino Dip. Automatica.

Can PKI be made simple enough to be used by non-experts? Signature formats and context Antonio Lioy ( polito.it ) Politecnico di Torino Dip. Automatica.
Design of Web-based Systems IS Development: lecture 10.

Design of Web-based Systems IS Development: lecture 10.
What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.

What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.
Copyright W. Howden1 Lecture 19: Intro to O/O Components.

Copyright W. Howden1 Lecture 19: Intro to O/O Components.
1 Prototype Design of an Evolutionary Trustworthy Web Server  Hons Project Fall 2003.

1 Prototype Design of an Evolutionary Trustworthy Web Server  Hons Project Fall 2003.
INTRODUCTION Toomeeting Conference (TMC) is the easiest and more accessible multimedia videoconferencing solution on market. TMC offers a large portfolio.

INTRODUCTION Toomeeting Conference (TMC) is the easiest and more accessible multimedia videoconferencing solution on market. TMC offers a large portfolio.
DSS and the use of separate (secure) signature creation devices.

DSS and the use of separate (secure) signature creation devices.
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
Prashanth Kumar Muthoju

Prashanth Kumar Muthoju
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Overview SAP Basis Functions. SAP Technical Overview Learning Objectives What the Basis system is How does SAP handle a transaction request Differentiating.

Overview SAP Basis Functions. SAP Technical Overview Learning Objectives What the Basis system is How does SAP handle a transaction request Differentiating.

Similar presentations

Ads by Google