Creating Signatures at User Agents - PowerPoint PPT Presentation

creating signatures at user agents n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Creating Signatures at User Agents PowerPoint Presentation
Download Presentation
Creating Signatures at User Agents

play fullscreen
1 / 24
Creating Signatures at User Agents
88 Views
Download Presentation
xanthus-clemons
Download Presentation

Creating Signatures at User Agents

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Creating Signaturesat User Agents Comparing Transport Bindings

  2. Use Case Assumptions • A User-Agent is connected to used as a Signature Creation Device, possibly by means of an SSCD. , but cannot perform all verification functions nor all kinds of complex signature creation functions. • This User-Agent may be equipped with a gradual set of signature-related functionality ranging from the simple forwarding of APDUs e.g. according to ISO/IEC 7816 to the (S)SCD to full blown signature functionality according to the different OASIS DSS(-X) profiles. • A User-Agent may have has limited software & performance capabilities and hence may be supported by a remote Digital Signature Service to handle the complexities of the signature creation if it cannot manipulate the document itself. • A User-Agent always initiates the transaction and serves as HTTP-client. • A document may remain on the client or server side s or move from one side to the other. at it’s current location at the Remote-End. • A remote Digital Signature Service may be is used to handle the complexities of the signature creation (see above). • As an example, a User-Agent can be a Mobile Device or an Applet in the browser. • The OASIS DSS Core is used.

  3. Use Case Actor • The End-User of the User-Agent. System • The User-Agent, communicating with a remote system for document handling and signature creation.

  4. Use Case • Basic Flow • Actor selects document. • User Agent remembers the selected document at the remote end. • Actor requests a signing operation for the document. • User Agent asks the user for a PIN or Password. • Actor enters the PIN or Password • User Agent calculates the signature using the (Secure) Signature Creation Device and presents the signed document, at the remote end, to the user. • Actor views the signed document.

  5. System Aspects • The User Agent is capable of creating a raw digital signature; it needs the hash of the document to create the raw signature. • The document is at the Remote End. • Scenario’s • 1: Remote End requests DSS to do the signature creation; DSS delegates the raw signature creation to the User Agent. • 2: Remote End calculates the hash, requests the User Agent to create a raw signature and requests DSS to ‘complete’ the signature creation (the request contains the raw signature). • Case 2 requires the User Agent to have a ‘thin’ implemention of the DSS interface. • Both cases require 2 interactions between the User Agent and the Remote End for the signature creation. 1 2

  6. Sequence Diagram 1 – Delegated DSS User Agent Remote System Digital Signature Service (S)SCD @ User Agent Select document 1 Sign document Prepare request for document DSS-Request(Complex) Calculate Hash 2 DSS-Request(PKCS#1) Sign Hash DSS-Response Verification, Timestamping, Revocation Info, etc. ... DSS-Response Document signed

  7. Sequence Diagram 2 – Composite DSS User Agent Remote System Digital Signature Service (S)SCD @ User Agent Select document 1 Sign document Prepare request for document Calculate Hash 2 DSS-Request(PKCS#1) Sign Hash DSS-Response DSS-Request(Complex) Verification, Timestamping, Revocation Info, etc. ... DSS-Response Document signed

  8. Sequence Diagram 3 – “Rich DSS Client” (S)SCD @ User Agent User Agent Remote System Select document Prepare request for document Calculate Hash (optional) 1 SignRequest 2 Sign-APDU Sign Hash PKCS#1-Signature SignResponse Verification, Timestamping, Revocation Info, etc. (optional) signed Document

  9. Sequence Diagram 4 – “SAL-Client (ISO/IEC 24727 / CEN 15480)” (S)SCD @ User Agent User Agent Remote System Select document Prepare request for document 0 or Hash(Message) Calculate Hash HashResponse(hash) Sign(DID,hash) 1 2 Sign-APDU Sign Hash PKCS#1-Signature SignResponse(Signature) Verification, Timestamping, Revocation Info, etc. (optional) signed Document

  10. Sequence Diagram 5 – “IFD-Client (ISO/IEC 24727 / CEN 15480)” (S)SCD @ User Agent User Agent Remote System Select document Prepare request for document Calculate Hash (optional) Transmit(Sign-APDU) 1 2 Sign-APDU Sign Hash PKCS#1-Signature TransmitResponse(Signature) Verification, Timestamping, Revocation Info, etc. (optional) signed Document

  11. eCard-API-Framework Rich DSS Client SAL Client IFD-Client

  12. OASIS DSS (-X) Major standards ISO/IEC 24727(CEN 15480)

  13. Signature-related functions

  14. ISO/IEC 24727 is based on DSS <?xmlversion="1.0" encoding="UTF-8"?> <schemaxmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="urn:iso:std:iso-iec:24727:tech:schema" xmlns:iso="urn:iso:std:iso-iec:24727:tech:schema" xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema" elementFormDefault="qualified" attributeFormDefault="unqualified"> <importnamespace="urn:oasis:names:tc:dss:1.0:core:schema" schemaLocation="http://docs.oasis-open.org/dss/v1.0/oasis-dss-core-schema-v1.0-os.xsd"> </import> <!– […] --> <!-- Define Response Type --> <complexTypename="RequestType"> <complexContent> <restrictionbase="dss:RequestBaseType"></restriction> </complexContent> </complexType> <complexTypename="ResponseType"> <complexContent> <restrictionbase="dss:ResponseBaseType"> <sequence> <elementref="dss:Result" /> </sequence> </restriction> </complexContent> </complexType> </schema>

  15. Interaction User Agent • Initiate Request • Hash is calculated at the ‘Remote End’ • Create signature • Hash is signed at the User Agent In all cases the client (User Agent) initiates the requests to the Remote End. Possible Transport Bindings: • PAOS, reverse SOAP. • ebMS v3, using the ‘polling’ mode. • Two separate SOAP calls.

  16. PAOAS – Sequence 1 Remote System Digital Signature Service (1) Sign document Prepare DSS request DSS-Request(Complex) Calculate Hash (2) DSS-Request(PKCS#1) Sign Hash Different session! (2) DSS-Response DSS (1) Document signed DSS-Response

  17. PAOAS – Sequence 2 Remote System Digital Signature Service (1) Sign document Calculate Hash (2) DSS-Request(PKCS#1) Sign Hash (2) DSS-Response DSS-Request(Complex) DSS (1) Document signed DSS-Response

  18. PAOS – Sequence 3 Remote System (1) Sign document Calculate Hash (optional) (2) SignRequest Sign Hash (2) SignResponse DSS (optional) (1) Document signed

  19. PAOS – Sequence 4 Remote System (1) Sign document Calculate Hash (optional) (2) Sign (ISO/IEC 24727) Sign Hash (2) SignResponse (ISO/IEC 24727) DSS (optional) (1) Document signed

  20. PAOS – Sequence 5 Remote System (1) Sign document Calculate Hash (optional) (2) Transmit(APDU) Sign Hash (2) TransmitResponse(Signature) DSS (optional) (1) Document signed

  21. Itseemsthatthe „additional complexity“ stemsfromtheseparationofthe Remote System andthe DSS PAOAS Usage • Sequence 1 seems more complex than Sequence 2 • The request/response “(2) DSS-Request(PKCS#1)” is a new session, initiated by the DSS server ... • ... That request has to be correlated, by the Remote End, to the first PAOAS R/R, to put the “(2) DSS-Request(PKCS#1)” into the POAS response. • Sequence 3-5 show integration of OASIS DSS(-X) and ISO/IEC 24727 / CEN 15480

  22. ebMSv3 – Sequence 1 User Agent Remote System Digital Signature Service (S)SCD @ User Agent MSH A MSH B MSH C MSH A PUSH(Request(Sign document)) (1) Sign document Calculate Hash DSS-Request(Complex) PULL(Request) (2) DSS-Request(PKCS#1) Sign Hash PUSH(Response) (2) DSS-Response Verification, Timestamping, Revocation Info, etc. ... DSS-Response PULL(Response) (1) Document signed

  23. ebMSv3 – Sequence 2 User Agent Remote System Digital Signature Service (S)SCD @ User Agent MSH A MSH B MSH A PUSH(Request(Sign document)) (1) Sign document Calculate Hash PULL(Request) (2) DSS-Request(PKCS#1) Sign Hash PUSH(Response) (2) DSS-Response DSS-Request(Complex) Verification, Timestamping, Revocation Info, etc. DSS-Response PULL(Response) (1) Document signed

  24. ebMS Usage • Sequence 1 • Requires DSS server to use ebMSv3 • Pull Request from User Agent has to be routed via the Remote System. • Sequence 2 • Does not require DSS server to use ebMSv3 • No routing issue • How does the ebMSv3 ‘client’ compare to the PAOAS ‘client’ at the User Agent regarding implementation complexity? • A simple PAOS-applet may be as small as 100 kB.