Creating Signatures at User Agents Comparing Transport Bindings.


Use Case Assumptions
–A User-Agent is connected to, or used as, a Signature Creation Device, possibly by means of an SSCD, but cannot perform all verification functions nor all kinds of complex signature creation functions.
–This User-Agent may be equipped with a graduated set of signature-related functionality, ranging from the simple forwarding of APDUs (e.g. according to ISO/IEC 7816) to the (S)SCD, up to full-blown signature functionality according to the different OASIS DSS(-X) profiles.
–A User-Agent may have limited software and performance capabilities and hence may be supported by a remote Digital Signature Service to handle the complexities of the signature creation if it cannot manipulate the document itself.
–A User-Agent always initiates the transaction and serves as HTTP client.
–A document may remain at its current location, on the client or server side (e.g. at the Remote-End), or move from one side to the other.
–A remote Digital Signature Service may be used to handle the complexities of the signature creation (see above).
–As an example, a User-Agent can be a mobile device or an applet in the browser.
–The OASIS DSS Core is used.

Use Case
–Actor: The End-User of the User-Agent.
–System: The User-Agent, communicating with a remote system for document handling and signature creation.

Use Case Basic Flow
–Actor selects document.
–User Agent remembers the selected document at the remote end.
–Actor requests a signing operation for the document.
–User Agent asks the user for a PIN or Password.
–Actor enters the PIN or Password.
–User Agent calculates the signature using the (Secure) Signature Creation Device and presents the signed document, at the remote end, to the user.
–Actor views the signed document.

System Aspects
The User Agent is capable of creating a raw digital signature; it needs the hash of the document to create the raw signature.
The document is at the Remote End.
Scenarios
–1: Remote End requests DSS to do the signature creation; DSS delegates the raw signature creation to the User Agent.
–2: Remote End calculates the hash, requests the User Agent to create a raw signature and requests DSS to ‘complete’ the signature creation (the request contains the raw signature).
–Case 2 requires the User Agent to have a ‘thin’ implementation of the DSS interface.
–Both cases require 2 interactions between the User Agent and the Remote End for the signature creation.
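Added example, not part of the original slides: a Python sketch of the two interactions in scenario 2, where the Remote End hashes the document, the User Agent produces the raw PKCS#1 v1.5 signature over that hash, and the Remote End checks the signature against the hash it issued before anything is passed on for completion. The class and method names, the session id used for correlation, SHA-256 and the small constructed RSA key are assumptions made for the illustration.

```python
import hashlib, secrets

E = 65537
# DER DigestInfo prefix for SHA-256 from PKCS#1 v1.5 (RFC 8017, section 9.2)
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def next_prime(n):
    """Next probable prime >= n with E not dividing n-1 (Fermat test, demo only)."""
    n |= 1
    while n % E == 1 or any(pow(a, n - 1, n) != 1 for a in (2, 3, 5, 7, 11)):
        n += 2
    return n

def encode(digest, n):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo, as an integer below n."""
    k = (n.bit_length() + 7) // 8
    t = PREFIX + digest
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

class UserAgent:
    """Stand-in for the (S)SCD: sees only a hash, never the document."""
    def __init__(self):
        p, q = next_prime(1 << 256), next_prime(1 << 257)  # constructed demo key
        self.n, self._d = p * q, pow(E, -1, (p - 1) * (q - 1))
    def sign_hash(self, digest):
        return pow(encode(digest, self.n), self._d, self.n)  # raw PKCS#1 signature

class RemoteEnd:
    """Holds the document and computes the hash (hypothetical names)."""
    def __init__(self, n):
        self.n, self.pending = n, {}
    def sign_document(self, document):        # interaction 1: hash goes to the UA
        sid = secrets.token_hex(8)
        self.pending[sid] = hashlib.sha256(document).digest()
        return sid, self.pending[sid]
    def accept_signature(self, sid, sig):     # interaction 2: raw signature returns
        digest = self.pending.pop(sid, None)  # correlate to interaction 1, single use
        if digest is None:
            return False
        return pow(sig, E, self.n) == encode(digest, self.n)

def run_flow(document=b"constructed sample document"):
    ua = UserAgent()
    remote = RemoteEnd(ua.n)
    sid, digest = remote.sign_document(document)
    sig = ua.sign_hash(digest)
    other_sid, _ = remote.sign_document(b"another constructed document")
    return {"wrong_session": remote.accept_signature(other_sid, sig),
            "accepted": remote.accept_signature(sid, sig),
            "replayed": remote.accept_signature(sid, sig)}
```

The User Agent signs whatever hash it receives, so the binding between document and signature rests on the Remote End's hash calculation and on its check in the second interaction.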

Sequence Diagram 1 – Delegated DSS
[Diagram. Participants: User Agent, Remote System, Digital Signature Service. Labels: Select document; Sign document; Calculate Hash; DSS-Request(Complex); DSS-Request(PKCS#1); DSS-Response; Prepare request for document; Verification, Timestamping, Revocation Info, etc.; Sign Hash; Document signed.]

Sequence Diagram 2 – Composite DSS
[Diagram. Participants: User Agent, Remote System, Digital Signature Service. Labels: Select document; Sign document; Calculate Hash; DSS-Request(Complex); DSS-Request(PKCS#1); DSS-Response; Prepare request for document; Verification, Timestamping, Revocation Info, etc.; Sign Hash; Document signed.]

Sequence Diagram 3 – “Rich DSS Client”
[Diagram. Participants: User Agent, Remote System. Labels: Select document; SignRequest; Calculate Hash (optional); SignResponse; Prepare request for document; Verification, Timestamping, Revocation Info, etc. (optional); Sign Hash; Sign-APDU; PKCS#1-Signature; signed Document.]

Sequence Diagram 4 – “SAL-Client (ISO/IEC 24727 / CEN 15480)”
[Diagram. Participants: User Agent, Remote System. Labels: Select document; Sign(DID,hash); Calculate Hash; SignResponse(Signature); Hash(Message); HashResponse(hash); Prepare request for document; Verification, Timestamping, Revocation Info, etc. (optional); Sign Hash; Sign-APDU; PKCS#1-Signature; signed Document.]

Sequence Diagram 5 – “IFD-Client (ISO/IEC 24727 / CEN 15480)”
[Diagram. Participants: User Agent, Remote System. Labels: Select document; Transmit(Sign-APDU); Calculate Hash (optional); TransmitResponse(Signature); Prepare request for document; Verification, Timestamping, Revocation Info, etc. (optional); Sign Hash; Sign-APDU; PKCS#1-Signature; signed Document.]

eCard-API-Framework
[Figure. Labels: Rich DSS Client; SAL Client; IFD-Client.]

Major standards
–ISO/IEC 24727 (CEN 15480)
–OASIS DSS(-X)

Signature-related functions

ISO/IEC 24727 is based on DSS

    <schema xmlns="http://www.w3.org/2001/XMLSchema"
            targetNamespace="urn:iso:std:iso-iec:24727:tech:schema"
            xmlns:iso="urn:iso:std:iso-iec:24727:tech:schema"
            xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
            elementFormDefault="qualified"
            attributeFormDefault="unqualified">
      <!-- the ISO/IEC 24727 schema imports the OASIS DSS core schema -->
      <import namespace="urn:oasis:names:tc:dss:1.0:core:schema"
              schemaLocation="…"/>
      …
    </schema>

Interaction
User Agent
Initiate Request
–Hash is calculated at the ‘Remote End’
Create signature
–Hash is signed at the User Agent
In all cases the client (User Agent) initiates the requests to the Remote End.
Possible Transport Bindings:
–PAOS, reverse SOAP.
–ebMS v3, using the ‘polling’ mode.
–Two separate SOAP calls.

PAOS – Sequence 1
[Diagram. Participants: User Agent, Remote System, Digital Signature Service. Labels: (1) Sign document; Calculate Hash; Prepare DSS request; DSS-Request(Complex); (2) DSS-Request(PKCS#1); Sign Hash; (2) DSS-Response; DSS-Response; (1) Document signed; Different session!]

PAOS – Sequence 2
[Diagram. Participants: User Agent, Remote System, Digital Signature Service. Labels: (1) Sign document; Calculate Hash; (2) DSS-Request(PKCS#1); Sign Hash; (2) DSS-Response; DSS-Request(Complex); DSS-Response; (1) Document signed.]

PAOS – Sequence 3
[Diagram. Participants: User Agent, Remote System, DSS (optional). Labels: (1) Sign document; Calculate Hash (optional); (2) SignRequest; Sign Hash; (2) SignResponse; (1) Document signed.]

PAOS – Sequence 4
[Diagram. Participants: User Agent, Remote System, DSS (optional). Labels: (1) Sign document; Calculate Hash (optional); (2) Sign (ISO/IEC 24727); Sign Hash; (2) SignResponse (ISO/IEC 24727); (1) Document signed.]

PAOS – Sequence 5
[Diagram. Participants: User Agent, Remote System, DSS (optional). Labels: (1) Sign document; Calculate Hash (optional); (2) Transmit(APDU); Sign Hash; (2) TransmitResponse(Signature); (1) Document signed.]

PAOS Usage
Sequence 1 seems more complex than Sequence 2
–The request/response “(2) DSS-Request(PKCS#1)” is a new session, initiated by the DSS server ...
–... That request has to be correlated, by the Remote End, to the first PAOS R/R, to put the “(2) DSS-Request(PKCS#1)” into the PAOS response.
Sequences 3-5 show integration of OASIS DSS(-X) and ISO/IEC 24727 / CEN 15480
It seems that the “additional complexity” stems from the separation of the Remote System and the DSS

ebMSv3 – Sequence 1
[Diagram. Participants: User Agent (MSH A), Remote System (MSH B), Digital Signature Service (MSH C). Labels: (1) Sign document; PUSH(Request(Sign document)); Calculate Hash; DSS-Request(Complex); PULL(Request); (2) DSS-Request(PKCS#1); Sign Hash; PUSH(Response); (2) DSS-Response; Verification, Timestamping, Revocation Info, etc.; DSS-Response; PULL(Response); (1) Document signed.]

ebMSv3 – Sequence 2
[Diagram. Participants: User Agent (MSH A), Remote System (MSH B), Digital Signature Service. Labels: (1) Sign document; PUSH(Request(Sign document)); Calculate Hash; PULL(Request); (2) DSS-Request(PKCS#1); Sign Hash; PUSH(Response); (2) DSS-Response; DSS-Request(Complex); Verification, Timestamping, Revocation Info, etc.; DSS-Response; PULL(Response); (1) Document signed.]

ebMS Usage
Sequence 1
–Requires DSS server to use ebMSv3
–Pull Request from User Agent has to be routed via the Remote System.
Sequence 2
–Does not require DSS server to use ebMSv3
–No routing issue
How does the ebMSv3 ‘client’ compare to the PAOS ‘client’ at the User Agent regarding implementation complexity?
A simple PAOS-applet may be as small as 100 kB.