Use of Digital Signatures to Sign Drawings (and Other Documents)
PLSO 2016 Conference
Eugene, OR
January 20, 2016

Speaker Background
  Author: CH-P04-0502-G-Digital Stamping Instructions
  Engineering and IT experience
  Rob Brawn, PE, OR
  Dir, Automation Systems
  CH2M HILL

Presentation Outline
  Why use digital signatures?
  What is a digital signature?
  Third party certification
    What is it?
    Why is it important?
  Validation of signed documents
  Clarification regarding original documents
  Enabling multiple signers
  Using multi-sheet document sets
  Securing certificates
  Outlook for digital signatures
  Turnkey signing solutions
  Concluding remarks
  Discussion and questions

Benefits of Digital Signatures
  Saves time and money
    Work is performed in many locations - no delay, no FedEx or paper charges
  Encrypts content to prevent modification
  Controls access to content
    Manage who can access what content when
  Secures intellectual property (IP)

Challenges to Deployment
  Awareness of capability and benefits
  Configuring the system
  Training

Is this a Digital Signature?

From Wikipedia - Digital Signature
  A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, that the sender cannot deny having sent the message (authentication and non-repudiation), and that the message was not altered in transit (integrity).

Digital Signatures are Enabled by Digital Certificates
  Public Key
    Issued by a certificate authority (CA)
    Publicly verifiable
  Private Key
    Under control of the signer
    Not shared
  Note: The digital signature is secured by the private key and the certificate authority

Knock, Knock
  Who's there?
  John Smith
  Can you show me your ID?
  Sure, let me show you
  Sure, let me show you
  [ID card: ACME, LLC - John Smith - #12345 - 541-222-9999]
  [To ACME, LLC Headquarters] Can you verify John Smith, employee #12345?
  Yes, John Smith is authorized to be at your residence
  Thank you!

3rd Party Certification
  [Diagram labels: 3rd Party Certificate Request, Document Signer, Document Recipient]

Typical Components of a Digital Certificate
  Serial Number: Used to uniquely identify the certificate
  Subject: The person, or entity identified
  Signature Algorithm: The algorithm used to create the signature
  Signature: The actual signature to verify that it came from the issuer
  Issuer: The entity that verified the information and issued the certificate
  Valid-From: The date the certificate is first valid from
  Valid-To: The expiration date
  Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing...)
  Public Key: The public key
  Thumbprint Algorithm: The algorithm used to hash the public key certificate
  Thumbprint (also known as fingerprint): The hash itself, used as an abbreviated form of the public key certificate

3rd Party Certification
  [Diagram labels: Document Recipient, Public Key, Private Key, Document Signer]

3rd Party Certification
  [Diagram labels: Public Key, Private Key, Encrypted Document, Document Signer, Document Recipient]
  Whatever is encrypted with a Private Key may only be decrypted by its corresponding Public Key and vice versa

Verification by Certificate Authority (3rd Party)
  Validity of individual
  Validity of certificate
    Expired
    Revoked

Self-Issued Certificate
  ID: first.last@company.com
  [Diagram labels: Document Recipient, Public Key, Private Key, Document Signer]
  Cannot verify certificate unless there is implicit trust between both parties

Potential Types of Security Threats
  Spoof
  Man in the Middle
  Brute Force Search
  Side Channel Attack

Security Risks Are Minimized by Use of 3rd Party Certificate Authority

Where is the Original Document?
  The digitally signed document is the original
    Electronic format
    Usually PDF but could be DWG, DGN, DOCX, XLSX, PPTX, Email, etc.
    There can be multiple copies of digitally signed documents and each is valid
  All paper forms of digital documents are copies
    Copies are uncontrolled
  Modified digitally signed documents are no longer signed
  Unsigned electronic documents are not originals

Create a Set of Signatures
  Certify (Visible)
    Single Signer
    Image of seal and/or signature
  Certify (Not Visible)
    Single Signer
    No image visible in document
  Sign with Certificate
    Multi-discipline drawings, specs, forms
    Image(s) of seal and/or signature
    Last signer locks the document
    Each signer is tracked

Workflow for Document Packages
  [Diagram labels: Doc A (Discipline X), Doc B (Discipline Y), Doc C (Multi-, Specifications), PDF Portfolio Work package]

Extracting a Document From a Package
  [Diagram labels: Doc A (Discipline X), Doc B (Discipline Y), Doc C (Multi-, Specifications), PDF Portfolio Work package, Extracted Document Remains]

PDF Portfolio vs. Composite PDF
  PDF Portfolio
    Multiple signers
    Audit for each document
    Dynamic reordering of documents
    Extracted documents remain signed
    Batch printing
  Composite PDF
    Single signer
    Extracted pages are not signed
    Batch printing

Smart Card vs. Computer Storage
  Smart Card
    Pro
      Portable to other devices
      Secured by PIN
    Con
      Requires installation process
      Cost of smart card
  Computer Storage
    Pro
      Simple
      No extra cost
    Con
      Fixed to a computer or certificate must be exported
      Only secured by computer's file system

CH2M Certificate Request Process
  [Diagram labels: Certificate Requestor, Certificate Request, Certificate Authority, Email Confirmation Containing Only Password, Email Containing Only Certificate, Certificate Installed with Password, PIN applied to USB Smart Card, PIN: ****]

Digital Signature Usage Will Increase
  Turn around time in approving and packaging documents
  Exchange of model information for construction/fabrication
  Mobile access to validated information
  Online plan review and permitting
  Need for security will increase

State Requirements are Met
  (5) A digital signature, as an option to a handwritten signature in permanent ink is acceptable for final documents.
    (a) The digital signature must be:
      (A) Unique to the registrant using it; and
      (B) Capable of verification; and
      (C) Under the sole control of the registrant using it; and
      (D) Linked to a document in such a manner that the digital signature is invalidated if any data in the document is changed.
    (b) Documents signed using a digital signature will bear the phrase "digital signature" in place of the handwritten signature.
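
Requirements (B) and (D) above, and the earlier point that a self-issued certificate cannot be verified without implicit trust, can be tried at a command line; the following is an added example, not part of the original presentation. It assumes the openssl command-line tool is installed and uses a constructed signer, a constructed drawing file and a detached signature (PDF signing tools embed the signature in the file instead).

```shell
#!/bin/sh
# Added example: signer name, file names and contents are constructed.
set -eu
WORK=$(mktemp -d)
KEY="$WORK/signer.key"; CRT="$WORK/signer.crt"; DOC="$WORK/drawing.txt"

# Create a private key and a self-issued certificate (no CA involved).
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=first.last@company.com" -keyout "$KEY" -out "$CRT" 2>/dev/null
}

# Signer side: hash the document and sign the hash with the private key.
sign_doc() {
  openssl dgst -sha256 -sign "$KEY" -out "$1.sig" "$1"
}

# Recipient side: needs only the public key carried in the certificate.
verify_doc() {
  openssl x509 -in "$CRT" -pubkey -noout > "$WORK/signer.pub"
  openssl dgst -sha256 -verify "$WORK/signer.pub" \
    -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Self-issued: issuer and subject are the same name.
is_self_issued() {
  [ "$(openssl x509 -in "$CRT" -noout -subject_hash)" = \
    "$(openssl x509 -in "$CRT" -noout -issuer_hash)" ]
}

# True only if the certificate chains to a CA in the local trust store.
chains_to_trusted_ca() {
  openssl verify "$CRT" >/dev/null 2>&1
}

make_signer
printf 'Sheet C-101, rev 0\n' > "$DOC"
sign_doc "$DOC"
verify_doc "$DOC" && echo "original: signature valid"
printf 'Sheet C-101, rev 1\n' > "$DOC"      # any change to the data
verify_doc "$DOC" || echo "modified: signature no longer valid"
is_self_issued && echo "certificate is self-issued"
chains_to_trusted_ca || echo "no trusted CA vouches for this certificate"
```

The signature itself still checks out mathematically for the unmodified file; what the self-issued certificate cannot provide is a third party confirming who holds the private key.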

Turnkey Digital Signature Solutions
  Simple to use and easy to get started
  Most cost effective at smaller scale
  Large organizations may need certificate management for other functions
    Servers/websites
    Code
  Many solutions for business documents - not as many for drawings

Example Turnkey Solutions
  Adobe
    EchoSign
    LiveCycle
  DocuSign
    DocuSign
  CoSign (ARX)

Other References
  USB Smart Cards
    Search "usb digital signature token"
  Certificate Authorities
    Search "certificate authorities"

Conclusion
  Digital signatures save time and money
  Need for security of information will continue to increase
  Barrier to entry is low
    Use turnkey solutions
    Leverage existing IT infrastructure
  Now is the time to become familiar with digital signatures