The proof of your digital documents

UN/CEFACT August 29, 2008
What is a digital signature? How it works

[Diagram: Bob sends Alice the message "Dear Alice, Let’s meet in Venice next weekend. Bob". Steps shown: 1. Imprint, 2. Cypher, 3. Decypher, 4. Imprint. Values shown: y9jl09cw56, x6fR7890cv; label: Signature.]

If equality then:
  Message comes from Bob
  Message has not been modified
Digital signature formats: PKCS#7, CMS, XAdES

History of digital signature formats
Influenced by structured data models

ASN.1 (Abstract Syntax Notation 1)
  Message and communication oriented
  Compact
  Binary data support
  Performance
  Abstruse

XML (eXtensible Markup Language)
  Applications oriented
  Verbose
  Binary data not supported -> requires Base64 encoding (x 4/3)
  High CPU and memory requirements
  Open – self described
Digital signature formats: PKCS#7, CMS, XAdES

History of digital signature formats (continued)

Timeline:
  ASN.1: 1990
  Public Key Cryptographic Standard (PKCS#7): 1993
  XML: 1998
  XML Digital Signature (XMLDSIG): 2000
  Cryptographic Message Syntax (CMS): 2004
  XML Advanced Electronic Signature (XAdES): 2003
  CMS Advanced Electronic Signature (CAdES): 2005
Different types of signature

3 types of signatures = 3 types of proof
  Enveloping attached: signature contains signed content (through internal URI)
  Enveloping detached: signature references signed content (external URI reference)
  Enveloped: signature is included in the document it signs (internal URI which excludes itself)
Different types of signature

Pros and cons of different types of signatures

Enveloping attached
  Contains signature(s), content, timestamps, etc.
  Ease of verification and use
  Can sometimes be complex to manipulate if huge

Enveloping detached
  Only contains signature
  Difficult to verify because access to signed content is required: file system, database, network resources, etc.
  Allows the signature to be communicated independently of signed content

Enveloped
  Signature is inside content
  Only works with XML content or proprietary (PDF, Microsoft)
  Implementation is tied to data structure
  Adapted to internal applications, low interoperability
Digital signature properties

Properties are important to signature contextualization

Signed properties
  Date & time
  Signature production place
  Signature policy
  Etc…
Signed properties participate in digital signature computation

Unsigned properties
  Timestamp
  CRL, OCSP
  Note: these properties are not signed by the signatory but are nevertheless signed!
Unsigned properties do not participate in digital signature computation and hence do not participate in the document’s integrity.
Different types of signature

French banking commission
  XAdES format as defined in RGI (French e-Administration interoperability framework)
    BES (SigningCertificate or KeyInfo mandatory)
    EPES (signature policy mandatory)
  Enveloping attached signature required
  Signature policy:
    Identifier: 1.2.250.1.115.200.300.1 (OID)
    http://www.banque-france.fr/igc/signature/ps/ps_1_2_250_1_115_200_300_1.pdf
    1 file = 1 signature
    Canonicalisation algorithm: http://www.w3.org/2001/10/xml-exc-c14n# (because XBRL)
    Supported certificates, digital evidence agreement, etc.
Zoom on XAdES signature policy

http://www.w3.org/TR/XAdES/#Syntax_for_XAdES_The_SignaturePolicyIdentifier_element

  <xad:SignaturePolicyIdentifier>
    <xad:SignaturePolicyId>
      <xad:SigPolicyId>
        <xad:Identifier Qualifier="OIDAsURN">urn:oid:1.2.250.1.115.200.300.1</xad:Identifier>
      </xad:SigPolicyId>
      <xad:SigPolicyHash>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>q+ahW33Qg36KEeKdQLs94R4zb1c=</ds:DigestValue>
      </xad:SigPolicyHash>
      <xad:SigPolicyQualifiers>
        <xad:SigPolicyQualifier>
          <xad:SPURI>http://www.banque-france.fr/igc/signature/ps/ps_1_2_250_1_115_200_300_1.pdf</xad:SPURI>
        </xad:SigPolicyQualifier>
      </xad:SigPolicyQualifiers>
    </xad:SignaturePolicyId>
  </xad:SignaturePolicyIdentifier>
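
Added example (not part of the original slides or of any Lex Persona or Banque de France code): how a verifier can check the SignaturePolicyIdentifier element shown above against a policy document it already holds. Assumptions: the policy hash is taken over the raw document bytes with no Transforms, the XAdES namespace version used to declare the xad prefix is a guess, and the names TEMPLATE, check_policy and _find are hypothetical.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

# Digest algorithm URIs mapped to hashlib names; SHA-1 is flagged as weak.
DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
           "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
           "http://www.w3.org/2001/04/xmlenc#sha512": "sha512"}
WEAK = {"sha1"}

# The slide's element with the prefixes declared so it parses. The XAdES
# namespace version is an assumption; lookups below ignore the namespace.
TEMPLATE = (
    '<xad:SignaturePolicyIdentifier xmlns:xad="http://uri.etsi.org/01903/v1.3.2#"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xad:SignaturePolicyId>'
    '<xad:SigPolicyId><xad:Identifier Qualifier="OIDAsURN">urn:oid:{oid}'
    '</xad:Identifier></xad:SigPolicyId><xad:SigPolicyHash><ds:DigestMethod'
    ' Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>{digest}'
    '</ds:DigestValue></xad:SigPolicyHash><xad:SigPolicyQualifiers>'
    '<xad:SigPolicyQualifier><xad:SPURI>{spuri}</xad:SPURI></xad:SigPolicyQualifier>'
    '</xad:SigPolicyQualifiers></xad:SignaturePolicyId></xad:SignaturePolicyIdentifier>')

def _find(root, local):
    """First element whose local name matches, whatever its namespace."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local:
            return el
    raise ValueError("missing element: " + local)

def check_policy(identifier_xml, policy_bytes, expected_oid):
    """Check a SignaturePolicyIdentifier against a locally held policy file."""
    root = ET.fromstring(identifier_xml)
    uri = _find(root, "DigestMethod").get("Algorithm")
    if uri not in DIGESTS:
        raise ValueError("unsupported digest algorithm: %s" % uri)
    claimed = base64.b64decode(_find(root, "DigestValue").text.strip(), validate=True)
    actual = hashlib.new(DIGESTS[uri], policy_bytes).digest()  # assumes no Transforms
    return {"oid_ok": _find(root, "Identifier").text.strip() == "urn:oid:" + expected_oid,
            "hash_ok": hmac.compare_digest(claimed, actual),
            "weak_digest": DIGESTS[uri] in WEAK,
            "spuri": _find(root, "SPURI").text.strip()}

if __name__ == "__main__":
    oid = "1.2.250.1.115.200.300.1"            # OID from the slide
    policy = b"constructed policy document"    # constructed stand-in for the PDF
    spuri = "http://www.banque-france.fr/igc/signature/ps/ps_1_2_250_1_115_200_300_1.pdf"
    good = base64.b64encode(hashlib.sha1(policy).digest()).decode()
    print(check_policy(TEMPLATE.format(oid=oid, digest=good, spuri=spuri), policy, oid))
    # The slide's DigestValue cannot match the stand-in bytes: hash_ok is False.
    slide = TEMPLATE.format(oid=oid, digest="q+ahW33Qg36KEeKdQLs94R4zb1c=", spuri=spuri)
    print(check_policy(slide, policy, oid))
```

Run this check only after the XML signature itself validates, because the policy identifier is trusted only as a signed property. For signatures from untrusted sources, parse with a hardened XML parser such as defusedxml.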
Contact

Francois Devoret
Lex Persona
+33 6 72 74 35 53
fdevoret@lex-persona.com
www.lex-persona.com