Risk Reduction for Electronic Signing of Large Value Business Obligations. Michał Tabor

Size: px

Start display at page:

Download "Risk Reduction for Electronic Signing of Large Value Business Obligations. Michał Tabor"

Berniece Fletcher
8 years ago
Views:

1 Risk Reduction for Electronic Signing of Large Value Business Obligations Michał Tabor Trusted Information Consulting Warsaw, 10 October 2013

2 Project BIO-PKI Biometric techniques and PKI in identity documents and the protection of information systems Project co-finansed by NCBiR Naukowa i Akademicka Siec Komputerowa Politechnika Wrocławska Politechnika Warszawska Asseco Trusted Information Consulting

3 Agenda Electronic signature is an evidence Business concept Technical solution Solution applications

4 ELECTRONIC SIGNATURE IS AN EVIDENCE

5 Doing business Employer Employer wants to have the job done and have evidence for accounting purposes Meets needs and mitigates risk Need of contract Process of establishing contract Employee wants to provide work and receive salary Trustworthy contract Meets needs and mitigates risk Employee - consultant

6 Doing business Employer Need of contract Process of establishing Business process contract Trustworthy contract Employee - consultant

7 Document signature Employer Need of contract Business process Trustworthy contract Employee - consultant

8 Document signature Employer Need of contract Business process Trustworthy contract Employee - consultant

9 BUSSINES CONCEPT

10 PKI Keys Threats Private Key Public Key Unauthorized use Key duplicate

11 Problem of card esignature No signature evidence Signatory Trust to card issuer

12 Forgery evident concept Check Sign Evidence

13 Solution Evidence Signatory Sign Sign Sign Sign

14 Solution Evidence Signatory Sign Sign Error Error

15 Solution Evidence Signatory Dupl sign. Sign Sign Error Error

16 Solution Evidence Signatory Dupl sign. Sign Error Key duplication Sign Duplication proof Error

17 Solution Sign Evidence Signatory Signature status Trustee

18 TECHNICAL SOLUTION

19 Mediated signature mrsa Two keys control bank deposit box First key is held by the signatory Second key is held or counted on the fly by the Both must act to sign

20 Mediated signature mrsa The cryptographic algorithm is based on RSA Signatory has sole control over his private key Finalization authority is needed to create the signature Verification is based on a public key Signatory Finalization authority 20

21 mrsa Standard Signatory draft-kutylowski-mrsa-algorithm Finalization authority 21

22 Technical Solution Evidence Signatory Presign Finalize Alter private key Presign Finalize Alter private key

23 Forgery-Evident and crypto algorithms Forgery-Evident doesn t depend on crypto algorithms Forgery-Evident can be used with all mediated algorithms

24 Forgery-Evident - background process FE key generation and evolution as a background process in crypto operations sd Key generation Card owner Cryptocard Generate mrsa key pair Return mrsa and FE keys Finalizer Generate evolution key Generate mrsa key pair

25 Forgery-Evident - background process sd Crypto operations Card owner Cryptocard Finalizer Presign Evaluate FE key Sign and send FE key alt [recievedvalue!= generatedvalue] Sign Evaluate FE key Compare FE keys Revert evolution steps Return error message Revert evolution steps [recievedvalue == generatedvalue] Return signed message Commit evolution steps Commit evolution steps Sign message

26 Project deliverables PKCS#11 FE Library Works with PKCS#11 signature creation software Works with SSL clients CARD FE Applet Finalization FE Server

27 SOLUTION APPLICATIONS

28 Corporate model Sign Signature evidence Proxy Corporate Archive Every signed document is registered Proxy as signatory is protected

29 Website authentication Signature evidence Sign ID holder SSL Auth Website PKI authentication Authentication registry Recognised as SSL authentication

30 Mobile signatures Keys in application Additional authentication Sign Signature evidence HSM based cryptography Signature historical registry Whitelist controll Less security on client site Secured on server site Overall solution security - high

31 CASES

32 Usage Signing with an archive upload check

33 Usage Signing with an archive upload check

34 Usage Signing with an archive upload check

35 Usage Signing with an archive upload check

36 Usage Uploading signature to an archive with authentication check

37 Usage Uploading signature to an archive with authentication check

38 Usage Uploading signature to an archive with authentication check

39 Usage Uploading signature to an archive with authentication check

40 Usage Verifying the signature

41 Usage Verifying the signature

42 Usage Verifying the signature

43 Usage Verifying the signature

44 Usage Verifying the signature

45 Questions Thank you for your attention Michał Tabor twitter.com/michal_tabor

Applying Cryptography as a Service to Mobile Applications

Applying Cryptography as a Service to Mobile Applications SESSION ID: CSV-F02 Peter Robinson Senior Engineering Manager RSA, The Security Division of EMC Introduction This presentation proposes a Cryptography