e-szigno Digital Signature Application

Transcription

1 MICROSEC Software Development Ltd. e-szigno Digital Signature Application Microsec Software Development Ltd Budapest, Záhony utca 7. (+36-1) Cg (+36-1)

2 1. Microsec Software Development Ltd. - Introduction 1. Introduction Microsec Ltd. has been involved in the electronic signature market since its Hungarian apparition in The company was established in 1984 as a software development company and has been active since then. It was formed by Hungarian individuals, all of them engineers. The company has experienced a rapid growth in the past few years, due the explosive development of the electronic signature market. Our revenue in the fiscal year of 2008 reached HUF 1,5 bn, that is approximately MEUR 6. The current employee number is 44, half of which are IT and telecommunications engineers. The company is a fully licensed and authorized qualified certification electronic signature service provider and certificate authority supervised by the Hungarian Telecommunications Authority according the Hungarian Act on Electronic Signatures. We provide qualified digital signature certificates, authentication certificates, encryption certificates, SSL and code signing certificates. Microsec is fully licensed Qualified Archiving Service Provider enacted by the Hungarian Telecommunications Authority according to the Hungarian Act on Electronic Signatures. The General Terms of Contract and Terms of Services accepted by the authority may be found on the following link: Microsec Ltd. holds a 250 MHUF (~one million euro) insurance liability policy. 2. Timestamp and OCSP service Our timestamp service is a qualified service supervised by the Hungarian Telecommunications Authority. The service falls under the Act on electronic signatures (2001/XXXV.) Our timestamp service enables our customers to use Microsec s OCSP service to verify signature certificates online at no extra charge. Our infrastructure has been formed to meet the demands of the mass timestamp market. The server farm is designed as a scalable service, meaning, that its capacity can be expanded as demand grows. It is possible to use dedicated timestamp servers gates upon the demand of the customer. It is free of charge, development costs are assumed by Microsec. The only prerequisite is sufficient amount of timestamp traffic, that is, above at least above one million timestamps a month. As we are the PKI service providers for a number of high profile government and private institutions, we are constantly investing in the operation and maintenance of the infrastructure to be able to meet growing demand. Microsec timestamp customers are using over several millions of timestamps a month. Currently, our infrastructure is capable of providing between timestamps a second, an average of two million a day. Our OCSP service provides approximately three times of that amount. Many of our customers are relying on our timestamp service to provide other type of services, such as e-billing, to their own customers. While providing the timestamp service, Microsec does not receive the actual customer documents to be timestamped. It means, that there is no security concern regarding the contents of the documents. The qualified timestamp service requires internet connection. Leased line is also possible, however, we usually do not suggest it, as our experience shows that a permanent HTTPS internet connection is more than sufficient. 2

3 2. e-szignó Automata certified electronic signature application 2.1 Introduction Microsec has started the e-szignó Automata software development in The e-szignó Automata application is based on the XAdES standard maintained by the European Telecommunications Standards Institute. This standard has been adopted by the Hungarian legal environment as well as the everyday practical usage. We provide full PKI infrastructure for major government institutions and private sector as well. A few examples: Company Court System Commercial Banks Ministry of Justice (IRM) Hungarian Tax Authority (APEH) Hungarian Treasury (MÁK) Hungarian Chamber of Notaries (MOKK) Hungarian Chamber of Lawyers (MÜK) Hungarian Chamber of Judicial Executors (MBVK) Hungarian Land Registry (Földhivatal) Hungarian Financial Supervising Authority (PSZÁF) Hungarian Customs and Finance Guard ~ 7000 lawyers Other government and private institutions (see section on references) The application offered capable of handling electronic signature related functions, including signature verification, mass signature and timestamp, CRL and OCSP responses, full e-dossier (or directory) signatures, e-receipts, certificate based authentication and encryption, the full XAdES chain up to archiving, etc. The software is a fully licensed SDK (Software Development Kit) module supporting major platforms (Windows, Linux, Solaris, AIX) and major interfaces (C++, Java,.Net, COM). The software package includes documentation, examples, test signatures and timestamp. Our offer includes development assistance for the integrator, as well as necessary training in PKI related issues. The application has been integrated in about 50 different IT systems, including SAP, other ERP, Billing, Document Management, Work Flow, Portal systems, etc. We provide permanent software maintenance to handle the changes in standards, legal requirements or signature technology. Since we are signature and timestamps providers, our e-szignó Automata is guaranteed to be fully compatible with licensed signature providers working according to the XAdES standard. The e-szignó Automata complies with the XAdES standard and the Hungarian legal requirements. It supports other standards as well, such as PDF and CAdES signatures. The software product is a certified product proving the compliances. Copies of certificates are attached to the submitted offer. The application has a proven track record operating in large IT infrastructures in the financial sector. Integration can be done by any of the selected IT supplier of the client. We provide the development licenses and technical consultation by phone for free. 3

4 2.2 Server Side Application e-szignó Automata The e-szignó Automata complies with the legal requirements, standards and recommendations listed. The application is a certified application. The copies of certification documents are attached. Platforms: Windows, Linux (e.g. SUSE, RedHat, Fedora), Solaris, Win CE, AIX 5.3 Server application features: Multiple development interfaces: o Command line interface o standard C interface o JAVA programming interface o COM interface Can be called from shell scripts or CGI programs Runs in Daemon mode Communication on standard input, output and error streams with environment variables and file basis. Integrated C/COM/JAVA interface handles function return values. Handles both software and chipcard certificates Supports HSM modul (ncipher) Error and analytical reports in simple or XML messages One process calls multiple commands, therefore complex e-dossier structures can be signed rapidly Supports UNICODE Supports Qualified Archiving Service Electronic signatures features: Supports full XAdES standard signatures (XAdES-BES,-C,-T,-X-L,-A) XML signature format Supports CAdES standard signatures Supports MELASZ-Ready format Supports Hungarian Public Administration requirements Certificate chain build to trusted Certificate Authority (http, https or ldap protocol) Supports revocation verification based on CRL or OCSP (http, https or ldap protocol) Supports SHA 1 and SHA 256 algorithyms Timestamp creation and verification Supports signature policy Encryption to one or multiple addressee Supports both basic (login-password) and certificate based authentication towards timestamp server Supports electronic receipt and countersigning Supports PDF format signatures, verification and timestamps Supports user defined e-dossier schemes Signature of large files (over gigabyte size) Supports meta data on signed dossiers and documents 2.3 Quality and Information Security Assurance Microsec products and services are provided according to the ISO 9001:2008 standard and the British Lloyd's ISO/IEC 27001:2005 Information Security standard. 4

5 3. Certificates of e-szignó Automata e-szignó Automata Server 5

6 e-szignó MELASZ certificate 6

7 Regulations XXXV. Act on Electronic Signatures 3/2005. (III. 18.) IHM Regulation on the detailed requirements on services related to electronic signatures and service providers 114/2007. (XII. 29.) GKM Regulation on digital archiving 13/2005. (X. 27.) IHM Regulation on the requirements of conversion from paper based to electronic documents CXL. Act on the requirements of public administration and authority procedures (KET) CXXVII. Act on the Value Added Tax. 24/1995. and 47/2007 PM Regulation on electronic invoices EU Directive 1999/93/EC of the European Parliament and the council of 13 December 1999 on a Community framework for electronic signatures Norms, Recommendations and Standards 2/2002. (IV. 26.) MeHVM guideline on the security requirements concerning qualified electronic signatures and service providers CEN CWA Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures. ETSI TS v1.2.2 XML Advanced Electronic Signatures (XAdES). RFC 3161 Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP). CEN CWA General guidelines for electronic signature verification. RFC 3275 XML-Signature Syntax and Processing. ETSI TS Qualified Certificate Profile ETSI TS Certificates Issued to Natural Persons, v ( ) ETSI TS XML Advanced Electronic Signature (XAdES), v ( ) ETSI TR XML format for signature policies, v ( ) ETSI TS CMS Advanced Electronic Signatures (CAdES), v ( ) ETSI TS CMS Profile based on ISO , v ( ) ETSI TR Requirements for role and attribute certificates, v1.1.1 ( ) RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP), June 1999 RFC 3161: X.509 Internet Public Key Infrastructure Time-Stamp Protocol (TSP), August 2001 RFC 3275 XML-Signature Syntax and Processing. RFC 3281: An Internet Attribute Certificate Profile for Authorization (April 2002) RFC 3647 Certificate Policy and Certification Practices Framework (Nov 2003) RFC 3739: Internet X.509 Public Key Infrastructure: Qualified Certificates Profile (March 2004) RFC 3852: Cryptographic Message Syntax, July 2004 RFC 4158: Internet X.509 Public Key Infrastructure: Certification Path Building (September 2005) RFC 4476: Attribute Certificate (AC) Policies Extension (May 2006) RFC 5280: X.509 Internet Public Key Infrastructure Certificate and Certificate revocation List (CRL) Profile, May 2008 PKCS #11 v2.11: Cryptographic Token Interface Standard International Organization for Standards/Internet Electrotechnical Committee (ISO/IEC) : Information Technology- Open Systems Interconnection-The Directory: Public Key and Attribute Certificate Frameworks (X.509 Standard) 7

8 4. References Below we list the most important references of Microsec that are based on e- Client Hungarian Company Court System Budapest Bank CIB Lízing Group Deliverables Supplier of full PKI infrastructure based on e-szignó technology for the entire company court system including 20 Company Courts, Ministry of Justice, Hungarian State Treasury, Hungarian Statistical Office, Commercial banks, Hungarian Customs and Finance Guard, Hungarian lawyers. e-szignó technology for e-billing and other business units for receiving and sending electronically signed documents. CIB Bank OTP Bank Raiffeisen Bank Hungarian Development Bank (MFB) Central Clearing House (KELER) GIRO Zrt. Ministry of Interior PKI infrastructure for the electronic passport. Hungarian Land Registry (Földhivatal) National Health Insurance Fund Administration of Hungary (OEP) e-szignó technology for receiving large amounts of electronically signed documents 8

9 Hungarian Chamber of Notaries (MOKK) Hungarian Chamber of Judicial Executors (Magyar Bírósági Végrehajtói Kamara) Hungarian Chamber of Lawyers (Magyar Ügyvédi Kamara) Hungarian Financial Supervisory Authority (PSZÁF) Hungarian Patent Office full PKI infrastructure including Qualified Archiving Service (signature, timestamp) based on e-szignó technology. full PKI infrastructure including Qualified Archiving Service (signature, timestamp) based on e-szignó technology. Nav N Go Ltd. e-post Ltd. Vatera.hu Ltd. Díjbeszedı Co. (Díjnet) MALÉV Digit Doc Ltd. DigiCom Média Ltd. Pfizer Ltd. full PKI infrastructure including Qualified Archiving Service (signature, timestamp) based on e-szignó technology for e-billing. Unitis Zrt. e-szignó technology implementation int he SAP system. Budapest Zugló self government Insurance Brokers PKI for the PSZÁF reporting system. Ministry of Justice 9

10 Hungarian Customs and Finance Guard Centrum Parking Ltd. PKI infrastructure based on e- DAC Digital Kft. Qualified timestamp service. Investech Kft. e-group Ltd. Qualified timestamp service. Ministry for Environment and Water PKI infrastructure including electronic signatures and timestamp. 10