CoSign by ARX for PIV Cards

Transcription

1 The Digital Signature Company CoSign by ARX for PIV Cards Seamless and affordable digital signature processes across FIPS 201-compliant systems

2 Introduction to Personal Identity Verification (PIV) In response to the Homeland Security Presidential Directive 12 (HSPD 12), the National Institute of Standards and Technology (NIST) instituted a program for improving the identification and authentication of federal employees and contractors for access to federal facilities and information systems. Federal Information Processing Standard (FIPS) 201, entitled Personal Identity Verification (PIV) of Federal Employees and Contractors, specifies the interface and data elements of the PIV card, the technical acquisition and formatting requirements for identity data on the card, and acceptable cryptographic algorithms and key sizes. In addition, a number of guidelines have been developed with regard to implementing and using the PIV system: creating a PIV card that is personalized with data required by the PIV system in order to grant the card holder access to federal facilities and information systems; assuring appropriate levels of secure access for all relevant federal applications; and providing standardized interoperability among federal organizations. FIPS 201 and its supporting documents specify a suite of information and key material that may be stored on the PIV Card for personal identity verification. Widespread rollout, limited adoption With close to five million PIV cards issued to federal employees and contractors to date, the Government Accountability Office (GAO) confirms substantial advancement in issuing the cards and significant headway in using them for physical access to government facilities. However, the GAO reports a limited increase in card usage for access to government networks and minimal progress in cross-agency acceptance. A number of factors contribute to the lagging adoption of the PIV smart cards. Technical and budgetary limitations restrict agencies from making full use of the electronic capabilities contained in the chips of the cards, including biometric and other identifying data, as well as cryptographic signature keys. In addition, ancillary equipment, such as card readers, is not always readily available to these agencies. On the employee side, technological inhibitors include the fact that the PIV cards are not supported on mobile devices, such as phones and tablets. This aspect makes usage inconvenient for employees and contractors, especially those on the move. In addition, the PIV cards are often not integrated with existing applications and workflow technology, rendering card usage cumbersome and inefficient. In order to boost usage while continuing to streamline processes and reduce costs, government organizations require cost-effective solutions that can automate their processes and transform their workflows, especially for digital signature automation and management requirements.

3 The Case for Digital Signatures Digital signatures produce legally enforceable secure electronic records. These records eliminate paper-related workflow bottlenecks and create highly efficient digital environments for government employees and the communities they serve. Digital signatures, generically referred to as Public Key Infrastructure (PKI), are the most secure form of electronic signatures, and meet federal standards as defined in NIST FIPS PUB 186. They are the only signature standard published, maintained and accepted by independent bodies such as ISO, OASIS, IETF and W3C, as well as by governments around the world, including the U.S., Canada, the European Union and Latin America. When government organizations explore their options regarding electronic signatures, they typically choose digital signatures because of their non-proprietary nature, global acceptance, compliance with local regulations, security assurance, and ability to work with the most commonly used off-the-shelf business applications. Through the use of cryptographic operations, digital signatures create a fingerprint unique to both the signer and the document, thus ensuring both signer identity and content integrity, while preventing the risk of deniability (non-repudiation). Because they adhere to international standards, digital signatures can be easily validated by anyone in all locations when using widely available applications such as Microsoft Word, Excel and Adobe Reader, without the need for proprietary software. When it comes to laws and regulations, only digital signatures are compliant with the most stringent requirements set by government agencies, including major regulations such as ESIGN, UETA, EU directives and VAT law, FDA 21 CFR Part 11, HIPAA and SOX. For government agencies requiring a higher level of security, there is a requirement for a digital signature solution which offers FIPS Level 3 systems certified by NIST, and which is certified internationally for Common Criteria Evaluation Assurance Level (EAL) 4+. CoSign by ARX provides this solution. CoSign by ARX ARX offers a secure, robust and compliant signing solution which is ideal for PIV users. ARX s CoSign solution is the only standard cross-enterprise digital signature solution that ensures trust, integrity, control and security of signature-dependent processes throughout the business environment. Available as an on-premises or cloud solution, CoSign is the most widely-used standard digital signature solution for government and enterprise users around the world. CoSign works with Derived PIV Credentials, or cryptographic credentials that are derived from the PIV card and carried in a mobile device rather than in the card. Regulations regarding Derived PIV Credentials are specified in NIST s Special Publication (SP) , released in March 2014, defining the technical specifications for implementing and deploying Derived PIV Credentials to smartphones, tablets, ipads and other mobile devices. A key factor in promoting PIV card usage is the fact that CoSign adheres to the NIST specifications, effectively enabling signing and authentication without the actual PIV smart card.

4 High level architecture of the CoSign solution CoSign is installed within the enterprise and configured to work in sync with the existing user management system (e.g., Active Directory). CoSign is also configured to require PIV smartcard authentication as a means of authenticating the signers. The signature operations are completed by CoSign s FIPS-secure appliance. Depending on the business processes, risks and sensitivity of the operation, CoSign can facilitate multiple levels of authentication, with smartcard-based authentication as one method. In addition, signer identity, type of document or business flow, will determine whether lower-level authentication can be accepted (e.g., username/password, OTP). CoSign s integration modules, CoSign Connectors, enable quick and easy integration of CoSign digital signatures within existing business applications such as SharePoint, OpenText, Oracle, K2, Nintex, and others. DR Site Directory Users Authentication PIV (or CAC) Card OTP Active Directory (or LDAP) Remote PC Application Server(s) Authentication U/P OTP WiFi/Cellular in HA/LB CAC = Common Access Card OTP = One-Time Password U/P = User-Name and Password DR = Disaster Recovery HA/LB = High Availability / Load Balancing

5 Key Benefits and Features of CoSign for Federal Government Agencies CoSign digital signatures can be used for signing in Web applications Smartcards do not integrate naturally in such environments and require cumbersome interfaces for connecting them to Web applications, such as ActiveX, browser plugins, etc. As a server-based architecture, CoSign integrates well with other server-based configurations. CoSign digital signatures can be deployed from mobile devices (smartphones and tablets) The process can be facilitated via web applications using CoSign Web App or by utilizing the native CoSign Mobile App for Android and ios platforms. This process is applicable for a wide range of thinclient configurations. CoSign digital signatures can be employed in batch signing operations The solution offers high-performance and simple integration of digital signatures in batch signature processes for signing e-invoices, e-archiving, automated document delivery, etc. Sole control without transferring too much responsibility to the end-users When using smartcards for signing, much responsibility is given to the card holder (the end-user), including lifetime signing rights until specifically revoked. As CoSign synchronizes with the organization s provisioning system (e.g., Active Directory), immediate revocation and deletion of the signing occurs as soon as the user leaves the organization. Signature credentials in CoSign are never lost or stolen Unlike smartcards that can be lost or stolen, signature credentials stored on CoSign s central server are securely stored and protected and cannot be lost or stolen. A cross-benefit of this feature is the simplification of certificate revocation operations, as mentioned above. As the signing credentials are protected by CoSign and CoSign allows efficient key revocation, a separate mechanism for certificate revocation is no longer needed. Improved security and audit logging When a smartcard is connected to a PC, malicious applications can capture the smartcard s PIN code and use the signature credentials without the card owner s approval. In many cases, these malicious operations will go undetected. As a centralized solution, all signature operations in CoSign require the client s authentication of the signer across secure communication channels. The credentials are validated by the CoSign application and the signature operation is approved only upon successful authentication. The CoSign server maintains a central audit log of all signature operations, which can then be used for a security audit. Summary CoSign by ARX makes it easier for U.S. Federal Government employees, government contractors and other approved stakeholders to comply with security regulations and use their PIV smart cards for authentication and digital signatures. The result is complete interoperability, compliance, and uniform security. The CoSign solution is fully tested, validated and government approved. It preserves investments, reduces costs, and removes complexities, making it seamless and affordable to facilitate digital signature processes across FIPS 201-compliant systems. The Digital Signature Company ARX 855 Folsom St. Suite 939, San Francisco, CA Tel. (415) [email protected]