1 / 18

AOL AIM and Document Signing

AOL AIM and Document Signing. Dartmouth College PKI Lab. AOL AIM for Windows implements PKI for secure messaging: Each message signed and encrypted using personal PKI credentials Assures identity of sender Guarantees privacy of contents of messages Not necessarily overkill:

aimon
Download Presentation

AOL AIM and Document Signing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AOL AIM and Document Signing Dartmouth College PKI Lab

  2. AOL AIM for Windows implements PKI for secure messaging: Each message signed and encrypted using personal PKI credentials Assures identity of sender Guarantees privacy of contents of messages Not necessarily overkill: ISTS system administrators discuss sensitive network and server configuration information No noticeable delay due to overhead for signature and encryption Instant Messaging

  3. Kudos to AOL for a clean and innovative product. But… Encryption and signing not (yet) interoperable with other IM implementations Should be easier to import trusted root certificates Instant Messaging

  4. Digital signature embedded in a document authenticates its source and enables detection of tampering: Text documents (Word, Acrobat) Spreadsheets (Excel) Presentations (PowerPoint) XML forms (Infomosaic) Document Signing

  5. Streamline business processes: Move paper-based processes online without sacrificing security (e.g. hiring authorization, requisitions, expense reports, grant applications) Electronic forms transmission, tracking, and processing while still allowing the crucial human authorization steps Secure transmission of business information without requiring it be sent on signed paper Intra-institutional transactions (within or between departments) Inter-institutional transactions (among Higher Education institutions or with government) – use HEBCA or USHER for inter-institutional trust Document Signing Uses

  6. Signed Word Document

  7. Signed PowerPoint Document

  8. Signed Excel Spreadsheet

  9. Signing Office Documents • To sign, select “Tools -> Options -> Digital Signatures…” • Must save before signing • Saving changes after signing removes signatures (to protect against tampering after signing) • Can have multiple signatures • User interface could use some improvement • Beware of macros – can change apparent content without requiring a save (sort of like changing ink on a signed paper document)

  10. Signed Acrobat (PDF) Document • Requires proper version of Acrobat. • No macro vulnerability. • Can use write-only form (write protected by institution) with user digital signature to implement electronic signed “fill in the blanks” style forms.

  11. Signed XML Forms • End user signing requires an application like Infomosaic’s SecureSign/SecureXML. • Uses XML digital signatures standards. • Standard XML forms can be generated and processed by any application that adheres to the proper standards. • Enables truly platform and application independent digital signing of electronic transactions (critical component of Web Services).

  12. NIH EDUCAUSE HEBCA Demo • XML form signing with two signatures: • Signer • Institutional co-signer (pre-registered with Federal receipt server) • Document is signed by signer and co-signer at one institution and then submitted to another institution. • Current proof of concept has Federal government as recipient, but can work for any two organizations.

  13. NIH EDUCAUSE HEBCA Demo • Uses HEBCA & FBCA bridges so the receipt server can trust signatures made with Higher Education PKI credentials • Read-only form provided by recipient (Federal agency in the proof of concept) and processed automatically upon receipt • Fine work by Peter Alterman and many others (including a number of our colleagues) • Award winning proof of concept

  14. NIH EDUCAUSE HEBCA Demo • Federal receipt and authorization server: • Checks validity of signer and co-signer certificates and if they are issued by a trusted institution’s PKI • Verifies that the co-signer is properly registered as an authorized co-signer for the signer’s institution • Verifies that the co-signer and signer are different individuals • Acknowledges secure and proper receipt of submission via web page and email • Use secure SSL for all transactions

  15. U N V E R S T Y HEBCA Internet CA @ College/University Federal Agency Portal Digitally Signed XML form. Digitally Signed XML form. Digitally Signed XML form. Digitally Signed XML form FBCA Applicant & cosigner Internal workflow I B M Agency Server Audit U N I V E R S I T Y Log College/University Validate certs Agency Back End Processing (Phase 4) Receipt message Receipt and Authorization Server XML form Transaction record XML form certs XML form

  16. NIH EDUCAUSE HEBCA Demo • Caveats: • I’m new to this application • Just got everything running properly today ;-) • I had to use a test certificate for the signer since I only have one Dartmouth identity • This is a proof of concept

More Related