Introduction. About Image-X Enterprises. Overview of PKI Technology



Similar documents
Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

Ericsson Group Certificate Value Statement

Certification Practice Statement

Subject: Public Key Infrastructure: Examples of Risks and Internal Control Objectives Associated with Certification Authorities

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

How much do you pay for your PKI solution?

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

ITL BULLETIN FOR JULY Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

Why You Should Consider Cloud- Based Archiving. A whitepaper by The Radicati Group, Inc.

HKUST CA. Certification Practice Statement

apple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Neutralus Certification Practices Statement

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION

Ford Motor Company CA Certification Practice Statement

Why outsourcing your PKI provides the best value A Total Cost of Ownership analysis

The name of the Contract Signer (as hereinafter defined) duly authorized by the Applicant to bind the Applicant to this Agreement is.

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

Danske Bank Group Certificate Policy

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

ONLINE BANKING AGREEMENT AND DISCLOSURE

WHY YOU SHOULD CONSIDER CLOUD BASED ARCHIVING.

NIST ITL July 2012 CA Compromise

Symantec Managed PKI Service for Windows Service Description

CMS Illinois Department of Central Management Services

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

Certificate Policies and Certification Practice Statements

White Paper. Authentication and Access Control - The Cornerstone of Information Security. Vinay Purohit September Trianz 2008 White Paper Page 1

Service Description. 3SKey. Connectivity

Business Issues in the implementation of Digital signatures

Public Key Infrastructure

What Are They, and What Are They Doing in My Browser?

Understanding Digital Signature And Public Key Infrastructure

TELSTRA RSS CA Subscriber Agreement (SA)

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

Concept of Electronic Approvals

Introduction to SAML

Securing Your Software for the Mobile Application Market

"Certification Authority" means an entity which issues Certificates and performs all of the functions associated with issuing such Certificates.

ENTRUST CERTIFICATE SERVICES

CSE543 - Introduction to Computer and Network Security. Module: Public Key Infrastructure

ENTRUST CLOUD. SSL Digital Certificates, Discovery & Management entrust@entrust.com entrust.com

INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS Aristotle University of Thessaloniki PKI ( WHOM IT MAY CONCERN

Lecture VII : Public Key Infrastructure (PKI)

Class 3 Registration Authority Charter

ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0

Why Digital Certificates Are Essential for Managing Mobile Devices

STRONGER AUTHENTICATION for CA SiteMinder

How to check if I care for the safety of my Clients?

Digital Signatures: The Digital Signature Company. Best Practices for State and Local Government

GEOSURE PROTECTION PLAN

Government CA Government AA. Certification Practice Statement

An Oracle White Paper Dec Oracle Access Management Security Token Service

Equens Certificate Policy

Capitalized terms not defined below shall have the meaning given to them in the applicable CP/CPS, unless the context requires otherwise.

White paper. Implications of digital certificates on trusted e-business.

Online Banking Agreement

SECURITY ORGANISATION Security Awareness and the Five Aspects of Security

Certum QCA PKI Disclosure Statement

Chapter 3 Copyright Statement

Simplify SSL Certificate Management Across the Enterprise

Transnet Registration Authority Charter

Independent Accountants Report

Managing SSL Security

Publicly trusted certification authorities (CAs) confirm signers identities and bind their public key to a code signing certificate.

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

thawte Certification Practice Statement

SIX STEPS TO SSL CERTIFICATE LIFECYCLE MANAGEMENT

Land Registry. Version /09/2009. Certificate Policy

BUSINESS GUIDE SECURING YOUR SOFTWARE FOR THE MOBILE APPLICATION MARKET THE LATEST CODE SIGNING TECHNOLOGY

Symantec Managed PKI Service Deployment Options

The Costs of Managed PKI:

7 Key Management and PKIs

Public Key Infrastructure for a Higher Education Environment

Trust Service Principles and Criteria for Certification Authorities

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

Digital certificates and SSL

Enterprise SSL FEATURES & BENEFITS

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

PKI Deployment Business Issues

Certification Practice Statement

Gandi CA Certification Practice Statement

White Paper. Simplify SSL Certificate Management Across the Enterprise

The Cloud: Why it makes sense for your business

Using Entrust certificates with VPN

NASH PKI Certificate for Healthcare Provider Organisations renewal confirmation

Managing SSL Security in Multi-Server Environments

Cloud security architecture

PASSWORD MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

WASHINGTON STATE EMPLOYEES CREDIT UNION ONLINE BANKING AGREEMENT

Casey State Bank Online Banking Agreement and Disclosure

thawte Certification Practice Statement Version 2.3

Why Use Electronic Transactions Instead of Paper? Electronic Signatures, Identity Credentialing, Digital Timestamps and Content Authentication

APPLICATION FOR DIGITAL CERTIFICATE

Managing Cloud Computing Risk

Administration Guide Certificate Server May 2013

Glossary of Key Terms

Transcription:

Digital Signature x

Introduction In recent years, use of digital or electronic signatures has rapidly increased in an effort to streamline all types of business transactions. There are two types of electronic signatures: those based on a Public Key Infrastructure (PKI) and those that are not. Digital signatures that do not use PKI: Cannot offer a unique signature for each user. Cannot identify the signer (authentication) cannot detect changes in the documentation after signing (non-repudiation). Cannot offer a guarantee of sole control for the signer (non-repudiation). Digital signatures that do use PKI: ind signers with respective user identities by means of a certificate authority (CA). Allow individuals to encrypt messages to each other. Establish message integrity, confidentiality and user authentication, even if the parties have never had prior contact. In this paper, we will focus on electronic signatures that do use a PKI as these are widely considered to be more secure in the Information Technology community. PKI's can be developed within an organization as a turnkey solution, or through a trusted third party that acts as a Certificate Authority. About Image- Enterprises Image - Enterprises provides document management and electronic signature services to businesses and government organizations. Recently, Image- became a CA (Certificate Authority) in Washington. Image- has been providing electronic signature based solutions to County governments across USA. Overview of PKI Technology PKI technology is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA), allowing individuals to encrypt messages to each other, and enabling the various parties to a document to establish message integrity, confidentiality and user authentication, even if the parties have never had prior contact. For those who are unfamiliar with Public Key Infrastructure technology, it may be beneficial to describe the major elements of the system to get a better idea of how this technology operates: A Registration Authority (RA) - The RA is the authentication process in the network that verifies user requests for a digital certificate. The RA tells the certificate authority (CA) to issue the digital certificate. A Certificate Authority (CA) - The CA issues the digital certificate, which contains a public key and the identity of the owner. This certificate validates that this public key actually belongs to the certificate. A Database - The repository, or database, stores the digital certificates. The Certificate Authority is the most important element of a PKI structure and must be secure and cost-efficient. The digital certificate proves the ownership of a public key/private key pair by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the public key/private key pair. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate. 1

Assessing CA Requirements and Company Risks ecoming a certificate authority is an arduous process that involves passing background checks and audits to ensure the legitimacy of the certificate issuer. The requirements laid out in government statutes regarding security standards for PKI are both expensive and time consuming. The typical requirements for an organization are as follows:- Network administrators need to pass an examination that ensures that they are qualified to keep the digital certificates secure. Computer infrastructure must meet SAS 70 type II or web trust audits to assure that the servers are stored in a secure environment. All of the employees with access to servers need to have a security clearance. Expensive bonds must be issued with the state for liability purposes. These requirements are not without reason.; A compromised certificate or certificate server can result in forgery and theft by hackers that could cost a company millions of dollars. These threats are explained in more detail below and should be considered in your company s risk analysis. The typical risks are as follows: Compromised certificates Certificates that are lost or stolen represent a significant threat to your organization Typically, a Certificate Revocation List () identifies certificates that have been lost or stolen and blocks that certificate from being used. Certification Revocation List synchronization across all the certificate servers, distributed across the world, ( See Figure 1) can take some time. Most Certificate Policy Statement s (CPS) specify that the update time range is one to as many as seven days. This leaves open the possibility of a malicious denial-of-service attack on the certificate server. Registration costs for rowser For online transactions storing the digital certificates with the browser makes doing business with e-signatures easier, but also incredibly expensive. Registering the digital certificates with browsers such as Mozilla FireFox, Internet Explorer and Google Chrome can cost as much as $250,000/browser/organization. Cost of authentication Registering individual users with a certificate costs a significant amount of money. Most certificate authorities charge between $20.00/digital certificate to $60.00/digital certificate. Even for in-house solutions, costs per user can run far too high to make establishing these kinds of digital certificate structures cost-effective. Evaluating Digital Signature Options Companies that have decided to implement digital signatures have several different approaches to consider, each offering different value propositions. The following provides a brief overview of these options, which will be discussed in greater detail later in the paper Managed PKI Outsourcing the Solution - Outsourced PKI refers to a PKI solution that is owned and operated by a trusted third-party entity known as a Certificate Authority (CA). The CA assumes responsibility for setting policy, managing the technology and infrastructure, and owns the legal liability on behalf of the client. This approach does not require purchasing hardware or software. However, when factoring set-up fees per user license, annual renewal fees, and in-house IT support, the costs can be considerable. 2

Traditional PKI Developing an In-House Solution - In-house implementation involves the acquisition of PKI software and hardware in order to deploy digital certificates. Full-time, dedicated staff is required to create, manage, and support the systems and users. Utilizing this approach allows the organization to control and customize their digital signature solution according to their needs and infrastructure. Implementing an in-house option, even if using free software, can be the most costly approach to PKI technology. Server Side Signing An Off-the-Shelf Solution - A new concept in PKI technology, also known as Server Side Signing, leverages the existing infrastructure that is currently in place at a company. Cost / enefit Analysis of PKI Implementation Managed PKI Developing an Outsourced Solution Outsourcing is a popular solution for many modern tech companies. It is an easy way to allow your company to focus on its core business. Not needing to invest in new hardware, software, or personnel can lower total cost of ownership significantly. In a managed scenario, the Certificate Authority (CA), the outsourcing company, owns the digital signature solution and is responsible for the physical facility, the processing facility, operations and maintenance, as well as the legal framework. The CA is also responsible for all legal and security issues, as well as for changes in technology. In addition, the outsourcing entity assumes the responsibility for setting policy, and managing the information technology. Even though the client company can maintain control of certificate issuance, co-branding and management, the major responsibility for maintenance, scalability, and policy management is left to the outsourcing company. enefits Requires less initial investment in infrastructure/staffing. Faster deployment time. Good for companies that lack expert IT support because PKI requires extensive training. Costs Prohibitive costs such as renewal fees, service fees, and support fees (these can often add up to more than the cost of an in-house implementation). Have to coordinate with third party vendor with its own schedule of priorities. Some third parties, have lock-in agreements that become prohibitively expensive over time. Fees for customization and upgrades, if necessary. Company employees may be issued tokens to access the CA which may get lost or stolen and cause loss of production time within your company. In conclusion, while delegating all of the digital signature technology to an outsourcing company may seem enticing, as there is no significant upfront cost, the truth is that the total cost of ownership increases over time. Total costs can be around $300,000 for just 100 employees and close to half a million dollars for 1000 employees. 3

Traditional PKI Developing an In-House Solution Companies that choose to develop a traditional or in-house PKI implementation, base their decision on the perceived merits of greater control and flexibility and lower costs over the long term. With traditional PKI, the expectation is that the solution can be implemented using the existing IT personnel without any additional expenses. However choosing a traditional PKI implementation is a major investment with significant up-front costs. The first step is to choose the desired software. According to Microsoft's own assessments for managing a Windows Server 2003 Public Key Infrastructure, the initial set up effort alone demands 13 days (105.5 hours) of work. Once the software and the hardware (dedicated servers) are purchased, it is essential to have experts in PKI technology, who are able to define the company s certificate creation and distribution policies. The software and hardware also require a dedicated IT staff. Once the solution is implemented, there are additional expenses to ensure that the physical servers are secure. Encryption keys safety and back up and disaster plans represent significant incidental costs that are necessary for a secure environment. If these steps are not taken, the possibility of unauthorized use of signing keys increases. Nevertheless, a traditional PKI implementation does offer some benefits:- enefits Gives flexibility to the company to issue and revoke certificates quickly. Cost per user lower than outsourced PKI, because cost of issuing certificates is lower. Procedural policies can be changed to coordinate with changes in company policy. Can add support for proprietary applications and services that a third party may not be willing to provide. Costs Company must manage root keys (administrator privileges), digital certificates and private keys, as well as maintaining audit logs to comply with government regulations. Have to coordinate with third party vendor with own schedule of priorities. Some third parties have lock-in agreements that become prohibitively expensive over time. Fees for creating a Certificate Revocation List () if employees lose their key. Company employees may be issued tokens to access the CA which may get lost or stolen and cause loss of production time within your company. Payments for hardware such as dedicated servers and software for the servers and consequent upgrades can add up. In conclusion, creating an in-house system is neither easy nor inexpensive. According to cost comparisons, minimum costs for 100 employees can be $1,500 per person. For a larger company with 1000 employees, these costs could run close to $500,000. Final Option Evaluation Research indicates that for most companies a major obstacle to deploying a digital signature solution is the prohibitive cost of implementing this type of complex solution. Whether a company chooses to outsource a solution to a trusted third party or to develop a traditional solution in-house, the decision can cost close to half-a-million dollars over a three-year period for only 1,000 users. This is a major investment per user for a company of any size. 4

Image-'s Digital Signature Solution Image- Enterprises Inc. has found a way of bypassing the high costs associated with both in-house and outsourced methods of PKI. While Image- is approved to act as a certificate authority in a way similar to the outsourced scenario described above, Image s approach is unique and cost-effective by: 1) Authenticating the user before issuing digital certificate by County Clerk or other approved local authority. 2) Restricting the use of digital certificates only for document signing. 3) Providing a two loop process to eliminate the problems associated with (Certificate Revocation List) in case of loss of a certificate by a user. 4) Reducing the cost of issuing and maintaining the integrity and acceptance of digital certificate across the world by creating an innovative approach to public key distribution and use of secured repository that can store all the signed documents associated with the certificate server. Practical Application Image- has already passed the rigorous standards to become a CA (Certificate Authority) for Washington State. Registering with the state of Washington requires that the company pass the Statement on Auditing Standards, specifically SAS 70 Type II audit. This confirms for clients in the state that they are allowed to issue certificates for digital signatures. Image- s servers currently run web services that allow attorneys and judges to request legal documents from court clerks online. In this example, Image- already acts as a trusted third party between the requestor and the distributor of legal documents. There are numerous possibilities to integrate Image- s web technology with the ability to issue certificates to users anywhere in the world where they need to sign a document or confirm another individual s signature (See below illustration). Other Electronic Signature Companies versus Image-'s Two Tier Solution Certificate Servers Around the World A A C D D C R L C R L Certificate User A C D Different Company s CA servers The CA servers around the world are regionally oriented. If you store your certificate with one company in the U.S.and you want to sign a document in Germany, you go through a different company s server which verifies the validity of your certificate through a Certificate Revocation List (). 5

Centrally Located Certificate Servers Secure Website S ec ure We bsite Certificate User Image- Certificate servers Secured Repository With Image-, you can access the certificate by signing onto our web based application and using it anywhere in the world, bypassing the need for a while maintaining the same level of security. Conclusion In summary it can be stated that Image- has developed a process that can make the digital signature based solutions cost effective while still meeting all the legal requirements and eliminating associated technical problem such as and unlimited liability for the user in case of loss of the digital certificate. Incorporation of digital signature by government organizations and businesses will create greener environment and efficient document delivery system that can replace paperbased processes. To learn more about Image- Enterprises contact Dr. Mohammed Shaikh - mohammed@imagexx.com Or go to http://www.imagexx.com IMAGE- Enterprises, Inc. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information