Introduction. About Image-X Enterprises. Overview of PKI Technology

Transcription

1 Digital Signature x

2 Introduction In recent years, use of digital or electronic signatures has rapidly increased in an effort to streamline all types of business transactions. There are two types of electronic signatures: those based on a Public Key Infrastructure (PKI) and those that are not. Digital signatures that do not use PKI: Cannot offer a unique signature for each user. Cannot identify the signer (authentication) cannot detect changes in the documentation after signing (non-repudiation). Cannot offer a guarantee of sole control for the signer (non-repudiation). Digital signatures that do use PKI: ind signers with respective user identities by means of a certificate authority (CA). Allow individuals to encrypt messages to each other. Establish message integrity, confidentiality and user authentication, even if the parties have never had prior contact. In this paper, we will focus on electronic signatures that do use a PKI as these are widely considered to be more secure in the Information Technology community. PKI's can be developed within an organization as a turnkey solution, or through a trusted third party that acts as a Certificate Authority. About Image- Enterprises Image - Enterprises provides document management and electronic signature services to businesses and government organizations. Recently, Image- became a CA (Certificate Authority) in Washington. Image- has been providing electronic signature based solutions to County governments across USA. Overview of PKI Technology PKI technology is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA), allowing individuals to encrypt messages to each other, and enabling the various parties to a document to establish message integrity, confidentiality and user authentication, even if the parties have never had prior contact. For those who are unfamiliar with Public Key Infrastructure technology, it may be beneficial to describe the major elements of the system to get a better idea of how this technology operates: A Registration Authority (RA) - The RA is the authentication process in the network that verifies user requests for a digital certificate. The RA tells the certificate authority (CA) to issue the digital certificate. A Certificate Authority (CA) - The CA issues the digital certificate, which contains a public key and the identity of the owner. This certificate validates that this public key actually belongs to the certificate. A Database - The repository, or database, stores the digital certificates. The Certificate Authority is the most important element of a PKI structure and must be secure and cost-efficient. The digital certificate proves the ownership of a public key/private key pair by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the public key/private key pair. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate. 1

3 Assessing CA Requirements and Company Risks ecoming a certificate authority is an arduous process that involves passing background checks and audits to ensure the legitimacy of the certificate issuer. The requirements laid out in government statutes regarding security standards for PKI are both expensive and time consuming. The typical requirements for an organization are as follows:- Network administrators need to pass an examination that ensures that they are qualified to keep the digital certificates secure. Computer infrastructure must meet SAS 70 type II or web trust audits to assure that the servers are stored in a secure environment. All of the employees with access to servers need to have a security clearance. Expensive bonds must be issued with the state for liability purposes. These requirements are not without reason.; A compromised certificate or certificate server can result in forgery and theft by hackers that could cost a company millions of dollars. These threats are explained in more detail below and should be considered in your company s risk analysis. The typical risks are as follows: Compromised certificates Certificates that are lost or stolen represent a significant threat to your organization Typically, a Certificate Revocation List () identifies certificates that have been lost or stolen and blocks that certificate from being used. Certification Revocation List synchronization across all the certificate servers, distributed across the world, ( See Figure 1) can take some time. Most Certificate Policy Statement s (CPS) specify that the update time range is one to as many as seven days. This leaves open the possibility of a malicious denial-of-service attack on the certificate server. Registration costs for rowser For online transactions storing the digital certificates with the browser makes doing business with e-signatures easier, but also incredibly expensive. Registering the digital certificates with browsers such as Mozilla FireFox, Internet Explorer and Google Chrome can cost as much as $250,000/browser/organization. Cost of authentication Registering individual users with a certificate costs a significant amount of money. Most certificate authorities charge between $20.00/digital certificate to $60.00/digital certificate. Even for in-house solutions, costs per user can run far too high to make establishing these kinds of digital certificate structures cost-effective. Evaluating Digital Signature Options Companies that have decided to implement digital signatures have several different approaches to consider, each offering different value propositions. The following provides a brief overview of these options, which will be discussed in greater detail later in the paper Managed PKI Outsourcing the Solution - Outsourced PKI refers to a PKI solution that is owned and operated by a trusted third-party entity known as a Certificate Authority (CA). The CA assumes responsibility for setting policy, managing the technology and infrastructure, and owns the legal liability on behalf of the client. This approach does not require purchasing hardware or software. However, when factoring set-up fees per user license, annual renewal fees, and in-house IT support, the costs can be considerable. 2

4 Traditional PKI Developing an In-House Solution - In-house implementation involves the acquisition of PKI software and hardware in order to deploy digital certificates. Full-time, dedicated staff is required to create, manage, and support the systems and users. Utilizing this approach allows the organization to control and customize their digital signature solution according to their needs and infrastructure. Implementing an in-house option, even if using free software, can be the most costly approach to PKI technology. Server Side Signing An Off-the-Shelf Solution - A new concept in PKI technology, also known as Server Side Signing, leverages the existing infrastructure that is currently in place at a company. Cost / enefit Analysis of PKI Implementation Managed PKI Developing an Outsourced Solution Outsourcing is a popular solution for many modern tech companies. It is an easy way to allow your company to focus on its core business. Not needing to invest in new hardware, software, or personnel can lower total cost of ownership significantly. In a managed scenario, the Certificate Authority (CA), the outsourcing company, owns the digital signature solution and is responsible for the physical facility, the processing facility, operations and maintenance, as well as the legal framework. The CA is also responsible for all legal and security issues, as well as for changes in technology. In addition, the outsourcing entity assumes the responsibility for setting policy, and managing the information technology. Even though the client company can maintain control of certificate issuance, co-branding and management, the major responsibility for maintenance, scalability, and policy management is left to the outsourcing company. enefits Requires less initial investment in infrastructure/staffing. Faster deployment time. Good for companies that lack expert IT support because PKI requires extensive training. Costs Prohibitive costs such as renewal fees, service fees, and support fees (these can often add up to more than the cost of an in-house implementation). Have to coordinate with third party vendor with its own schedule of priorities. Some third parties, have lock-in agreements that become prohibitively expensive over time. Fees for customization and upgrades, if necessary. Company employees may be issued tokens to access the CA which may get lost or stolen and cause loss of production time within your company. In conclusion, while delegating all of the digital signature technology to an outsourcing company may seem enticing, as there is no significant upfront cost, the truth is that the total cost of ownership increases over time. Total costs can be around $300,000 for just 100 employees and close to half a million dollars for 1000 employees. 3

5 Traditional PKI Developing an In-House Solution Companies that choose to develop a traditional or in-house PKI implementation, base their decision on the perceived merits of greater control and flexibility and lower costs over the long term. With traditional PKI, the expectation is that the solution can be implemented using the existing IT personnel without any additional expenses. However choosing a traditional PKI implementation is a major investment with significant up-front costs. The first step is to choose the desired software. According to Microsoft's own assessments for managing a Windows Server 2003 Public Key Infrastructure, the initial set up effort alone demands 13 days (105.5 hours) of work. Once the software and the hardware (dedicated servers) are purchased, it is essential to have experts in PKI technology, who are able to define the company s certificate creation and distribution policies. The software and hardware also require a dedicated IT staff. Once the solution is implemented, there are additional expenses to ensure that the physical servers are secure. Encryption keys safety and back up and disaster plans represent significant incidental costs that are necessary for a secure environment. If these steps are not taken, the possibility of unauthorized use of signing keys increases. Nevertheless, a traditional PKI implementation does offer some benefits:- enefits Gives flexibility to the company to issue and revoke certificates quickly. Cost per user lower than outsourced PKI, because cost of issuing certificates is lower. Procedural policies can be changed to coordinate with changes in company policy. Can add support for proprietary applications and services that a third party may not be willing to provide. Costs Company must manage root keys (administrator privileges), digital certificates and private keys, as well as maintaining audit logs to comply with government regulations. Have to coordinate with third party vendor with own schedule of priorities. Some third parties have lock-in agreements that become prohibitively expensive over time. Fees for creating a Certificate Revocation List () if employees lose their key. Company employees may be issued tokens to access the CA which may get lost or stolen and cause loss of production time within your company. Payments for hardware such as dedicated servers and software for the servers and consequent upgrades can add up. In conclusion, creating an in-house system is neither easy nor inexpensive. According to cost comparisons, minimum costs for 100 employees can be $1,500 per person. For a larger company with 1000 employees, these costs could run close to $500,000. Final Option Evaluation Research indicates that for most companies a major obstacle to deploying a digital signature solution is the prohibitive cost of implementing this type of complex solution. Whether a company chooses to outsource a solution to a trusted third party or to develop a traditional solution in-house, the decision can cost close to half-a-million dollars over a three-year period for only 1,000 users. This is a major investment per user for a company of any size. 4

6 Image-'s Digital Signature Solution Image- Enterprises Inc. has found a way of bypassing the high costs associated with both in-house and outsourced methods of PKI. While Image- is approved to act as a certificate authority in a way similar to the outsourced scenario described above, Image s approach is unique and cost-effective by: 1) Authenticating the user before issuing digital certificate by County Clerk or other approved local authority. 2) Restricting the use of digital certificates only for document signing. 3) Providing a two loop process to eliminate the problems associated with (Certificate Revocation List) in case of loss of a certificate by a user. 4) Reducing the cost of issuing and maintaining the integrity and acceptance of digital certificate across the world by creating an innovative approach to public key distribution and use of secured repository that can store all the signed documents associated with the certificate server. Practical Application Image- has already passed the rigorous standards to become a CA (Certificate Authority) for Washington State. Registering with the state of Washington requires that the company pass the Statement on Auditing Standards, specifically SAS 70 Type II audit. This confirms for clients in the state that they are allowed to issue certificates for digital signatures. Image- s servers currently run web services that allow attorneys and judges to request legal documents from court clerks online. In this example, Image- already acts as a trusted third party between the requestor and the distributor of legal documents. There are numerous possibilities to integrate Image- s web technology with the ability to issue certificates to users anywhere in the world where they need to sign a document or confirm another individual s signature (See below illustration). Other Electronic Signature Companies versus Image-'s Two Tier Solution Certificate Servers Around the World A A C D D C R L C R L Certificate User A C D Different Company s CA servers The CA servers around the world are regionally oriented. If you store your certificate with one company in the U.S.and you want to sign a document in Germany, you go through a different company s server which verifies the validity of your certificate through a Certificate Revocation List (). 5

7 Centrally Located Certificate Servers Secure Website S ec ure We bsite Certificate User Image- Certificate servers Secured Repository With Image-, you can access the certificate by signing onto our web based application and using it anywhere in the world, bypassing the need for a while maintaining the same level of security. Conclusion In summary it can be stated that Image- has developed a process that can make the digital signature based solutions cost effective while still meeting all the legal requirements and eliminating associated technical problem such as and unlimited liability for the user in case of loss of the digital certificate. Incorporation of digital signature by government organizations and businesses will create greener environment and efficient document delivery system that can replace paperbased processes. To learn more about Image- Enterprises contact Dr. Mohammed Shaikh - mohammed@imagexx.com Or go to IMAGE- Enterprises, Inc. 6