Leveraging Digital Signature with LincPass
Presentation Transcript

  1. Leveraging Digital Signature with LincPass
     USDA-wide Training Session for the Digital Signature Project
     An ICAM Program Objective
     Inter-Disciplinary ICAM Program, April 2011

  2. Leveraging Digital Signature with LincPass
     • Why is digital signature important to me?
     • Prerequisites for digital signature
     • Leveraging LincPass to sign documents and emails
     • Electronic signatures, digital signatures, non-repudiation
     • Differences between assurance levels, eAuthentication, and USDA LincPass
     • Digital signature policy
     • When should I use digital signature?
     • Digitally signing, validating, and removing a signature for a Microsoft Office 2007 document
     • Digitally signing an Adobe Acrobat 9.x document
     • Digitally signing a Microsoft Outlook 2007 email
     • Configuration changes for Adobe
     • Resources for digital signature
     • Questions

  3. Why is Digital Signature Important to Me?
     • FY11 and Beyond Business Drivers
       • Achieve LincPass-integrated and improved business processes and identity validation in those business processes
       • Capitalize on an efficient, time-saving, cost-reducing alternative to “wet ink” signature
       • ICAM Oct. 6 “Preparing to Implement Identity, Credential and Access Management” as directed by OMB
       • Use the LincPass for validation & verification of the signer's digital identity
     “The day of smart card issuance is behind us; the era of usage is here.”

  4. Prerequisites for Digital Signature
     • LincPass card
     • Two-factor: a card reader for your desktop or laptop
     • Digital Signature User Guides
     • AD account is LincPass-enabled, workstation has ActivClient installed

  5. Digital Signature Project: Leveraging LincPass to Sign Documents & Email
     Document Signing with the LincPass
     • The USDA Digital Signature Project - Phase I is focused on providing information on how to use the certificates on the LincPass to digitally sign documents and emails. The benefit of digitally signing documents and emails is assurance that the information hasn’t been altered since the document was signed, and verification of the signer’s digital identity.
     Scope:
     • Adobe Acrobat files & forms (Versions 8 & 9)
     • Microsoft Office Word, Excel, PowerPoint (Versions 2003 & 2007)
     • Microsoft Outlook (Versions 2003 & 2007)
     Benefits:
     • LincPass integrated
     • Assurance that the content has not been altered since the file was signed
     • Provides a digital signature certificate that can be used for a non-repudiable digital signature
     • Verification of the signer's digital identity
     • Efficient, time-saving, cost-reducing alternative to “wet ink” signature

  6. Digital Signature Project: What is an Electronic Signature?
     • “Electronic Signature”: A token (sound, symbol, process) logically associated with an electronic record with intent to sign the record
     • Example: A travel tracking system with user ID/password access requires a manager to click a button labeled “Digital Signature” to approve travel for her staff. Problems: single-factor; user ID not traceable to anything, e.g., an official HR record or PIV card
     • Authorized by law [e.g., 1998 Digital Signature and Electronic Authentication Law (SEAL), 1999 Uniform Electronic Transactions Act (UETA), 2003 GPEA, etc.]
     • Loose and variable standards make electronic signatures increasingly easy to forge or spoof
     • Generally requires compensating controls and out-of-band identity validation (e.g., wet-ink signature on a timesheet)

  7. Digital Signature Project: What is a Digital Signature?
     • “Digital Signature”: A sub-category of electronic signatures; includes a cryptographic assurance of the originator’s (author's) identity, and an integrity check on the content received
     • Uses PKI for cryptographic assurance
     • Extremely difficult to forge
     • Example: A travel tracking system with user ID/password access makes the manager digitally sign using her LincPass card when approving travel for her staff. Solves the security (repudiation) problems: two-factor authentication; user ID traceable (via the PKI infrastructure) to a known and verified identity in the HSPD-12 system
     Digital Signature:
     • Demonstrates the authenticity of a digital message or document
     • Not all electronic signatures use digital signatures
     • A true digital signature must be a digital cryptographic signature

  8. Digital Signature Project: Digital Signatures are Non-Repudiable
     • “Non-repudiation”: Countering a claim that the signature is unauthorized or has no binding force
     • Two common claims of repudiation:
       • “Not me”
       • “Not what I signed”
     • A non-repudiable signature offers reasonable assurance that it was the person signing, and that the file/record/transaction is unchanged from when it was signed
     • The foundational concepts in digital signing are document/message integrity, non-repudiation and confidentiality.

  9. Digital Signature Project: Assurance Levels, eAuthentication, USDA LincPass
     To clear up other common misconceptions about digital signature, let’s discuss three more terms:
     • Identity Assurance Levels (as defined by NIST 800-63): How sure you are of the identity of an individual, and that the person with whom you are interacting is that individual — digital signatures are not related
     • eAuthentication: A software solution for authentication (is the user known?) and authorization (is the user allowed access?) — digital signatures are not related, and eAuth provides no support for them
     • LincPass (PIV card): A hardware token solution that enables authentication (is the user known?), and has an electronic certificate on the card’s chip that can pass along a digital representation of that identity — the mechanism that allows a user with an application that supports it (e.g., Outlook, Acrobat) to create digitally-signed files

  10. Knowledge Check
     • Digital signature is non-repudiable
       • True
       • False
     • Digitally signing documents
       • Verifies the signer’s digital identity
       • Assures the document or email content has not been modified
       • Uses PKI for cryptographic assurance
       • All of the above
     • The receiver of a digitally signed document can claim it wasn’t altered in any way
       • True
       • False
     • eAuthentication provides support for Digital Signature
       • True
       • False

  11. Digital Signature Project: USDA Policy
     USDA Policy References:
     • USDA DM 3530-003
       http://www.ocio.usda.gov/directives/doc/DM3530-003.pdf
     • Summary: Section #2 Policy
       • “All agencies and mission areas whose major support systems have a security requirement for non-repudiation will use digital signature.”
       • “It is the policy of the United States Department of Agriculture to encourage the use of PKI in satisfying system security requirements for non-repudiation. Agencies must satisfy the following procedural requirements prior to deployment of a Public Key Infrastructure.”
     Federal Policy References:
     • FIPS 186-3 Digital Signatures Standard (June 2009)
       http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
     • NIST Special Publication 800-89, Recommendations for Obtaining Assurances for Digital Signature Applications
       http://csrc.nist.gov/publications/nistpubs/800-89/SP-800-89_November2006.pdf

  12. When Should I Use a Digital Signature?
     USDA is developing policy or directives that will officially address the technology of digital signature and its application in USDA. Check with your agency for interim guidance on when to use digital signatures for business purposes. Here are some general guidelines on when you might want to use them:
     • Placing a “seal” on the document
     • Multiple signatures within one document
     • Compliance
     • Leadership memorandums and policy issuance
     • Verification of the signer’s digital identity

  13. Fun with Digital Signatures
     Today we’ll walk through:
     • How to digitally sign a Microsoft Office 2007 document
     • How to remove a digital signature from a Microsoft Office 2007 document
     • How to validate a digital signature in a Microsoft Office 2007 document
     • How to digitally sign an Adobe Acrobat 9.x document
     • How to digitally sign a Microsoft Outlook 2007 email
     You can find user guides on the OCIO intranet page http://www.ocionet.usda.gov/wps/portal/ocio/ocioportal/home/ioa/ioa.digital_signature for:
     • How to digitally sign, validate, and remove a digital signature for a Microsoft Office 2003 document
     • How to digitally sign, validate, and remove a digital signature for an Adobe Acrobat 8.x document
     • How to digitally sign, validate, and remove a digital signature for a Microsoft Outlook 2003 document

  14. Digitally Sign a Microsoft Office 2007 Document
     • Step 1: Insert your LincPass into the computer’s card reader.
     • Step 2: Within the document you wish to sign, from the main menu icon, select Prepare, then Add a Digital Signature.

  15. Digitally Sign a Microsoft Office 2007 Document (cont.)
     • Step 3: If this is the first time you’ve selected a certificate for digital signing, Microsoft offers to help you set one up. Since your LincPass already has certificates, click the OK button. (To avoid seeing this message each time, check the “Don’t show this message again” option.)

  16. Digitally Sign a Microsoft Office 2007 Document (cont.)
     • Step 4: In the Sign window, complete the optional “Purpose for signing this document” field, then click the Change button to confirm you have the correct certificate selected.
     • Step 5: Select the certificate you want to use by highlighting it. (The next step will help you determine which is the correct certificate to select.)

  17. Digitally Sign a Microsoft Office 2007 Document (cont.)
     • Step 6: Click the View Certificate button. The General tab lists the information about the certificate. Click the Details tab. Scroll down in the list of fields and values to select the Key Usage field. In the field below, it should say “Digital Signature, Non-Repudiation (c0).” Click the OK button to close the window.
     NOTE: If the “Key Usage” field only says “Digital Signature” or something else, go back to Step 5 and select one of the other certificates, then use the View Certificate button to verify it’s the one you want.

  18. Digitally Sign a Microsoft Office 2007 Document (cont.)
     • Step 7: Back on the list of certificates, with the correct certificate highlighted, click the OK button.
     • Step 8: Back on the Sign window, click the Sign button.
     NOTE: After you select the certificate the first time, Office 2007 will remember this certificate choice. The next time you want to digitally sign a document, you won’t have to repeat the selection process – you’ll jump from Step 4 to Step 8 in this sequence.

  19. Digitally Sign a Microsoft Office 2007 Document (cont.)
     • Step 9: At the ActivClient prompt, enter your LincPass PIN, then press Enter or click the OK button.
     • Step 10: After the certificate is validated, you will receive a successful signature message. Click the OK button.

  20. Digitally Sign a Microsoft Office 2007 Document (cont.)
     • Step 11: Once the signature has been successfully applied, Office 2007 automatically opens a Signatures window on the right side of the screen showing the valid signature(s).
     • Step 12: The Word, Excel, or PowerPoint file is now digitally signed by you. Close the file without making any changes (or the digital signature will be lost).
     NOTE: More than one person can digitally sign a document, as long as the content of the document isn’t changed. After the first signature is applied and the file closed, the second person can follow Steps 1-12 to apply a second signature. This can be repeated for as many signatures as are needed.

  21. Remove a Digital Signature from a Microsoft Office 2007 Document
     If you want to remove all digital signatures from a document, the simplest way is to make a minor change to the document (e.g. add a space), then save the document. When Office 2007 warns you that all signatures will be lost, click the Yes button to continue the save operation.
     To remove one or more digital signatures from the document without changing the document contents, follow these steps:
     • From the Signatures window on the right side of the screen, select the signature you want to remove, then click the right-side drop arrow.
     • Select the “Remove Signature” option.
     • Click OK to confirm you want to remove the signature.

  22. How to Verify a Signature is Valid in a Microsoft Office 2007 Document
     • Open the file for which you want to verify signatures.
     • You can tell the document has a digital signature because the Signatures window automatically opens when you open the document. The window lists valid signatures and the date each signature was added. If you want to see signature details, highlight and right-click the digital signature, then select Signature Details to view the certificate behind it.
     NOTE: If the window doesn’t open automatically, click the small red certificate icon in the bottom status information bar.

  23. Adding a Digital Signature to an Adobe Acrobat 9.x Document
     • Step 1: Insert your LincPass into the computer’s card reader.
     • Step 2: Open Adobe Acrobat. Either create a new document or open an existing document you want to sign.
     • Step 3: From the top menu bar, select Sign, then select Place Signature.

  24. Adding a Digital Signature to an Adobe Acrobat 9.x Document (cont.)
     • Step 4: Adobe will tell you to draw an area on the screen where you want to place the signature. Click the OK button, then with your mouse, draw a box for the signature. You can set the size of the signature, but it’s easier to read if you make it as large as possible. You can place the signature anywhere in your document as well, but the recommended locations are at the beginning or end of the document.
     • Step 5: After you have created the signature area, Adobe shows a placeholder for the signature area and displays the Sign Document window.

  25. Adding a Digital Signature to an Adobe Acrobat 9.x Document (cont.)
     • Step 6: From the Sign As drop-list, select your digital signature key. You will need to view the certificate to confirm it is the correct certificate to use for signing. Select one of the two with your name and then select the Info button.
     NOTES: If other people with LincPass cards have used your computer, you will see their certificates offered in this list. Only select your personal certificates. If you don’t see your certificate keys listed at all, first check that your card is in the reader and wait a minute or two for Acrobat to find it. If your keys still aren’t listed, your agency may need to implement the Adobe Technical Modification for Digital Signature. Ask your system administration or help desk team for help implementing this modification. This technical modification will also save you from having to go through this selection process each time you want to digitally sign a document.

  26. Adding a Digital Signature to an Adobe Acrobat 9.x Document (cont.)
     • Step 7: In the Certificate Viewer window, select the Details tab, then in the Certificate data area, scroll down to and highlight the “Key Usage” item. The pane below should say “Sign transaction, Sign document.” Click the OK button to close the window.
     NOTE: If you don’t see the correct key usage value, go back to Step 6 and select the other certificate with your name, then repeat Steps 6 and 7.

  27. Adding a Digital Signature to an Adobe Acrobat 9.x Document (cont.)
     • Step 8: You will now be back at the Certify Document screen with your correct certificate selected.

  28. Adding a Digital Signature to an Adobe Acrobat 9.x Document (cont.)
     • Step 9 (Optional): You can adjust the appearance of your signature, though it is recommended that you keep the standard text option. If you want to explore the various options, select the Appearance drop-list and select Create New Appearance to open the Configure Signature Appearance window, where you can make changes. If you don’t want to make any changes, go to Step 10.

  29. Adding a Digital Signature to an Adobe Acrobat 9.x Document (cont.)
     • Step 10: In the Sign Document window, click the Sign button.

  30. Adding a Digital Signature to an Adobe Acrobat 9.x Document (cont.)
     • Step 11: When Acrobat prompts you, save the file. If you are working with an existing document, you may want to save it with a new name to distinguish it from the unsigned version of the document.
     • Step 12: At the ActivClient prompt, enter your LincPass PIN, then press ENTER or click the OK button.

  31. Adding a Digital Signature to an Adobe Acrobat 9.x Document (cont.)
     • Step 13: Your document is now digitally signed. Close it without making any changes.
     NOTE: Other people can digitally sign the same document by following Steps 1-13 in this section. You can have as many people digitally sign the document as needed.
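The certificate check in Step 6 of the Office sequence (“Digital Signature, Non-Repudiation (c0)”) and Step 7 of the Acrobat sequence (“Sign transaction, Sign document”) are two applications’ renderings of the same Key Usage bits on the PIV Digital Signature certificate. The PowerShell report below is an added example, not from the USDA deck or its user guides: it lists the certificates in the current user’s Windows Personal store, as Office (and Acrobat with Windows Integration) see them, flags the one carrying both bits, and also reports whether each certificate chains to a root trusted by the Windows store, which is the trust condition the Adobe configuration slides later in this deck depend on. It assumes ActivClient has propagated the LincPass certificates into Cert:\CurrentUser\My; the function name and the store-path parameter are this example’s own.

```powershell
# Added example: report which Personal-store certificate is the PIV Digital
# Signature certificate (Key Usage = Digital Signature + Non-Repudiation).
# Assumption: ActivClient has placed the LincPass certificates in Cert:\CurrentUser\My.
$KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
# These two bits together are what the Windows certificate viewer shows as "(c0)".
$SigningUsage = $KU::DigitalSignature -bor $KU::NonRepudiation

function Get-LincPassCertificateReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # hypothetical parameter name

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $kuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        # A certificate with no Key Usage extension cannot be the one the deck describes.
        if (-not $kuExt) { continue }
        $flags = $kuExt.KeyUsages

        # Build the chain against the Windows certificate store, the same store Office uses
        # and the one Acrobat must be pointed at. Revocation is not checked here so the
        # report works offline; the signing application still checks it at signing time.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            KeyUsage      = $flags
            # The hex value Windows appends to the Key Usage pane; c0 = both signing bits set.
            KeyUsageHex   = '{0:x2}' -f ([int]$flags -band 0xFF)
            # Only a certificate with BOTH bits is the one to pick in Office Step 5 / Acrobat Step 6.
            IsSigningCert = (($flags -band $SigningUsage) -eq $SigningUsage)
            HasPrivateKey = $cert.HasPrivateKey
            # False here means the issuing CA is not trusted in the Windows store, which
            # the agency must fix before LincPass signatures can validate.
            ChainTrusted  = $chainOk
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
}

Get-LincPassCertificateReport |
    Sort-Object IsSigningCert -Descending |
    Format-Table Subject, KeyUsageHex, IsSigningCert, HasPrivateKey, ChainTrusted, ChainStatus -AutoSize
```

A certificate showing KeyUsageHex 80 (Digital Signature only) is the PIV Authentication certificate, which is why the deck tells you to go back and pick the other one with your name.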

  32. Digitally Signing a Microsoft Outlook Email
     • Step 1: Open Outlook and, if it isn’t already there, insert your LincPass in the card reader.
     • Step 2: Start a new message in Outlook. Suggestion: Address this first email to yourself so you can see what it looks like when you receive a digitally signed email (described later in Step 5).
     • Step 3: In the message, with the Message tab selected, look for the digital signature icon (envelope with a red ribbon). Click the digital signature icon to turn it on. Select recipients and compose the message as usual, then click the Send button.

  33. Digitally Signing a Microsoft Outlook Email (cont.)
     • Step 4: At the ActivClient prompt, enter your LincPass PIN, then press ENTER or click the OK button. Outlook will automatically verify your certificates on your LincPass and send the message.
     • Step 5: The message will appear in the recipient’s Inbox with an envelope with a red ribbon on it, indicating the message is digitally signed.

  34. Digitally Signing a Microsoft Outlook Email (cont.)
     • Step 6: Open the message and look for the Signed By information below the subject, and the red ribbon icon on the right. This indicates the message has been digitally signed.
     • Step 7: Click the red ribbon icon, then the Details button to see details of the digital signature.
     If you want to send the message as clear text signed and/or request an S/MIME receipt for the email you’re sending, continue on to Step 8.

  35. Digitally Signing a Microsoft Outlook Email (cont.)
     • Step 8: Start a new message in Outlook. In the top menu bar, select the Options tab.
     • Step 9: In the More Options group, click the small arrow in the lower right corner of the group title.

  36. Digitally Signing a Microsoft Outlook Email (cont.)
     • Step 10: In the Message Options window, click the Security Settings button.

  37. Digitally Signing a Microsoft Outlook Email (cont.)
     • Step 11: In the Security Properties window, check the “Add digital signature to the message” option (if it isn’t already checked) and, optionally, the “Send the message as clear text signed” and/or the “Request S/MIME receipt for this message” options.
     • Select “Send this message as clear text signed” if you want to allow others who may be using a lesser technology with Outlook to read your message. Recipients who don’t have S/MIME security will be able to read the message.
     • Select “Request S/MIME receipt for all S/MIME signed messages” if you want to be able to verify that your digital signature is being validated by recipients and to request confirmation that the message was received unaltered, as well as notification telling you who opened the message and when it was opened.

  38. Digitally Signing a Microsoft Outlook Email (cont.)
     • Step 12: Click the OK button to close the Security Properties window, and the Close button to close the Message Options window. Add recipients and content as usual, then click the Send button. If you selected the Request S/MIME receipt option, Outlook will ask you to confirm that you want to send an S/MIME receipt. If you do, click the Yes button; if you don’t, click the No button. (If you want Outlook to always request the receipt when you’ve selected the option in Step 11, first click the “Don’t ask me about sending S/MIME receipts again” option, then click the Yes button.)

  39. Digitally Signing a Microsoft Outlook Email (cont.)
     • Step 13: At the ActivClient prompt, enter your LincPass PIN, then press ENTER or click the OK button.
     • Step 14: The message will appear in the recipient’s inbox with an envelope with a red ribbon on it, indicating the message is digitally signed. If you want to check the signature, follow Steps 6 and 7 above.

  40. Digitally Signing a Microsoft Outlook Email (cont.)
     • Step 15: If you selected the Request S/MIME receipt option, you’ll receive a new message that will require you to enter your LincPass PIN again before you can open it.

  41. Set Microsoft Outlook to Digitally Sign All Emails By Default
     • Step 1: Open Outlook and, if it isn’t already there, insert your LincPass in the card reader.
     • Step 2: From the top menu bar, select Tools, then Trust Center.

  42. Set Microsoft Outlook to Digitally Sign All Emails By Default (cont.)
     • Step 3: In the Trust Center window, select Email Security from the left menu.

  43. Set Microsoft Outlook to Digitally Sign All Emails By Default (cont.)
     Step 3 (cont.), on the Email Security page:
     • Select “Add digital signature to outgoing messages” to automatically send digitally signed emails unless you choose not to for an individual message.
     • Select “Send clear text signed message when sending signed messages” if you always want to allow others who may be using a lesser technology with Outlook to read your message. Recipients who don’t have S/MIME security will be able to read the message.
     • Select “Request S/MIME receipt for all S/MIME signed messages” if you want to be able to verify that your digital signature is being validated by recipients and to request confirmation that the message was received unaltered, as well as notification telling you who opened the message and when it was opened.
     NOTE: It’s recommended that you don’t select the “Request S/MIME receipt” option by default unless you have a strong business need, as it doubles the number of emails in your inbox and adds network traffic.

  44. Set Microsoft Outlook to Digitally Sign All Emails By Default (cont.)
     • Step 4: Click the OK button to close the Options window. When you start a new message, your toolbar will show the envelope with a small red ribbon already selected, indicating the message will be digitally signed. (You can choose not to sign an individual email by simply clicking the envelope icon to turn it off.)
     • Step 5: If you selected the Request S/MIME receipt option in Step 3, you will receive a separate message with the recipient information, as described in the previous section, Steps 12-15.

  45. Configuration Change Required for Adobe Acrobat
     • By default, Adobe Acrobat 9 and Acrobat Reader 9 are configured to use the Adobe Approved Trust List (AATL) for validating the certificate trust chain of certificates used to digitally sign PDF documents.
     • The AATL is an Adobe-hosted resource that contains a list of trusted Certificate Issuers.
     • The issuing Certificate Authority at USDA for our LincPass certificates is not listed in the AATL.
     • The result is that LincPass digital signatures will not be trusted in Adobe by default. Adobe Acrobat 9 and Acrobat Reader 9 MUST be modified to use the Windows Certificate Store for the purpose of identifying trusted Certificate Authorities.

  46. Configuration Change Required for Adobe Acrobat (cont.)
     • Each agency MUST implement a change to trust the issuing Certificate Authority of the LincPass certificates in the Windows Certificate Store.
     • When this configuration change is implemented, LincPass digital signatures will be recognized as trusted by Adobe Acrobat.
     • Enabling Windows Integration in Adobe Acrobat 9 and Acrobat Reader 9 will allow Adobe to inherently trust the HSPD-12 PIV certificate issuing authority listed in the Windows Certificate Store.
     • This can be completed in the registry configuration on each client workstation.
     • ICAM Project Managers should ask their Adobe system administrators to make the registry configuration change. Detailed information can be found in our “Digital Signatures Adobe Configuration Change to Registry Setting for Certificates” document located here: http://www.ocionet.usda.gov/wps/portal/ocio/ocioportal/home/ioa/ioa.digitial_signature

  47. Digital Signature Resources
     This training presentation will soon be posted:
     • On our ICAM Community on USDA Connect: https://connections.usda.gov/
     • Agency ICAM Team SharePoint Folders: https://sharepoint.egov.usda.gov/ocio/IAM/EEMS/B_I/AgencyImp/Agency%20Implementation%20Folders/Forms/AllItems.aspx
     • OCIO Intranet site: http://www.ocionet.usda.gov/wps/portal/ocio/ocioportal/home/ioa/ioa.digital_signature

  48. Digital Signature Resources
     The Digital Signature User Guides:
     • Digital Signatures Microsoft Office – 2003
     • Digital Signatures Microsoft Office – 2007
     • Digital Signatures Microsoft Outlook – 2003 & 2007
     • Digital Signatures Adobe Acrobat 8.x and 9.x
     Relevant Supporting Documents:
     • Digital Signatures Adobe Configuration Changes to Registry Settings
     • Digital Signature Industry Research
     Where to get these:
     • OCIO Intranet: http://www.ocionet.usda.gov/wps/portal/ocio/ocioportal/home/ioa/ioa.digital_signature
     • ICAM Community on USDA Connect: https://connections.usda.gov/ – search for “ICAM Community” in the public communities list

  49. Questions?