1 / 24

Creating Signatures at User Agents

Creating Signatures at User Agents. Comparing Transport Bindings. Use Case. Assumptions A User-Agent is connected to used as a Signature Creation Device, possibly by means of an SSCD . , but cannot perform all verification functions nor all kinds of complex signature creation functions.

xanthus-clemons
Download Presentation

Creating Signatures at User Agents

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Creating Signaturesat User Agents Comparing Transport Bindings

  2. Use Case Assumptions • A User-Agent is connected to used as a Signature Creation Device, possibly by means of an SSCD. , but cannot perform all verification functions nor all kinds of complex signature creation functions. • This User-Agent may be equipped with a gradual set of signature-related functionality ranging from the simple forwarding of APDUs e.g. according to ISO/IEC 7816 to the (S)SCD to full blown signature functionality according to the different OASIS DSS(-X) profiles. • A User-Agent may have has limited software & performance capabilities and hence may be supported by a remote Digital Signature Service to handle the complexities of the signature creation if it cannot manipulate the document itself. • A User-Agent always initiates the transaction and serves as HTTP-client. • A document may remain on the client or server side s or move from one side to the other. at it’s current location at the Remote-End. • A remote Digital Signature Service may be is used to handle the complexities of the signature creation (see above). • As an example, a User-Agent can be a Mobile Device or an Applet in the browser. • The OASIS DSS Core is used.

  3. Use Case Actor • The End-User of the User-Agent. System • The User-Agent, communicating with a remote system for document handling and signature creation.

  4. Use Case • Basic Flow • Actor selects document. • User Agent remembers the selected document at the remote end. • Actor requests a signing operation for the document. • User Agent asks the user for a PIN or Password. • Actor enters the PIN or Password • User Agent calculates the signature using the (Secure) Signature Creation Device and presents the signed document, at the remote end, to the user. • Actor views the signed document.

  5. System Aspects • The User Agent is capable of creating a raw digital signature; it needs the hash of the document to create the raw signature. • The document is at the Remote End. • Scenario’s • 1: Remote End requests DSS to do the signature creation; DSS delegates the raw signature creation to the User Agent. • 2: Remote End calculates the hash, requests the User Agent to create a raw signature and requests DSS to ‘complete’ the signature creation (the request contains the raw signature). • Case 2 requires the User Agent to have a ‘thin’ implemention of the DSS interface. • Both cases require 2 interactions between the User Agent and the Remote End for the signature creation. 1 2

  6. Sequence Diagram 1 – Delegated DSS User Agent Remote System Digital Signature Service (S)SCD @ User Agent Select document 1 Sign document Prepare request for document DSS-Request(Complex) Calculate Hash 2 DSS-Request(PKCS#1) Sign Hash DSS-Response Verification, Timestamping, Revocation Info, etc. ... DSS-Response Document signed

  7. Sequence Diagram 2 – Composite DSS User Agent Remote System Digital Signature Service (S)SCD @ User Agent Select document 1 Sign document Prepare request for document Calculate Hash 2 DSS-Request(PKCS#1) Sign Hash DSS-Response DSS-Request(Complex) Verification, Timestamping, Revocation Info, etc. ... DSS-Response Document signed

  8. Sequence Diagram 3 – “Rich DSS Client” (S)SCD @ User Agent User Agent Remote System Select document Prepare request for document Calculate Hash (optional) 1 SignRequest 2 Sign-APDU Sign Hash PKCS#1-Signature SignResponse Verification, Timestamping, Revocation Info, etc. (optional) signed Document

  9. Sequence Diagram 4 – “SAL-Client (ISO/IEC 24727 / CEN 15480)” (S)SCD @ User Agent User Agent Remote System Select document Prepare request for document 0 or Hash(Message) Calculate Hash HashResponse(hash) Sign(DID,hash) 1 2 Sign-APDU Sign Hash PKCS#1-Signature SignResponse(Signature) Verification, Timestamping, Revocation Info, etc. (optional) signed Document

  10. Sequence Diagram 5 – “IFD-Client (ISO/IEC 24727 / CEN 15480)” (S)SCD @ User Agent User Agent Remote System Select document Prepare request for document Calculate Hash (optional) Transmit(Sign-APDU) 1 2 Sign-APDU Sign Hash PKCS#1-Signature TransmitResponse(Signature) Verification, Timestamping, Revocation Info, etc. (optional) signed Document

  11. eCard-API-Framework Rich DSS Client SAL Client IFD-Client

  12. OASIS DSS (-X) Major standards ISO/IEC 24727(CEN 15480)

  13. Signature-related functions

  14. ISO/IEC 24727 is based on DSS <?xmlversion="1.0" encoding="UTF-8"?> <schemaxmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="urn:iso:std:iso-iec:24727:tech:schema" xmlns:iso="urn:iso:std:iso-iec:24727:tech:schema" xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema" elementFormDefault="qualified" attributeFormDefault="unqualified"> <importnamespace="urn:oasis:names:tc:dss:1.0:core:schema" schemaLocation="http://docs.oasis-open.org/dss/v1.0/oasis-dss-core-schema-v1.0-os.xsd"> </import> <!– […] --> <!-- Define Response Type --> <complexTypename="RequestType"> <complexContent> <restrictionbase="dss:RequestBaseType"></restriction> </complexContent> </complexType> <complexTypename="ResponseType"> <complexContent> <restrictionbase="dss:ResponseBaseType"> <sequence> <elementref="dss:Result" /> </sequence> </restriction> </complexContent> </complexType> </schema>

  15. Interaction User Agent • Initiate Request • Hash is calculated at the ‘Remote End’ • Create signature • Hash is signed at the User Agent In all cases the client (User Agent) initiates the requests to the Remote End. Possible Transport Bindings: • PAOS, reverse SOAP. • ebMS v3, using the ‘polling’ mode. • Two separate SOAP calls.

  16. PAOAS – Sequence 1 Remote System Digital Signature Service (1) Sign document Prepare DSS request DSS-Request(Complex) Calculate Hash (2) DSS-Request(PKCS#1) Sign Hash Different session! (2) DSS-Response DSS (1) Document signed DSS-Response

  17. PAOAS – Sequence 2 Remote System Digital Signature Service (1) Sign document Calculate Hash (2) DSS-Request(PKCS#1) Sign Hash (2) DSS-Response DSS-Request(Complex) DSS (1) Document signed DSS-Response

  18. PAOS – Sequence 3 Remote System (1) Sign document Calculate Hash (optional) (2) SignRequest Sign Hash (2) SignResponse DSS (optional) (1) Document signed

  19. PAOS – Sequence 4 Remote System (1) Sign document Calculate Hash (optional) (2) Sign (ISO/IEC 24727) Sign Hash (2) SignResponse (ISO/IEC 24727) DSS (optional) (1) Document signed

  20. PAOS – Sequence 5 Remote System (1) Sign document Calculate Hash (optional) (2) Transmit(APDU) Sign Hash (2) TransmitResponse(Signature) DSS (optional) (1) Document signed

  21. Itseemsthatthe „additional complexity“ stemsfromtheseparationofthe Remote System andthe DSS PAOAS Usage • Sequence 1 seems more complex than Sequence 2 • The request/response “(2) DSS-Request(PKCS#1)” is a new session, initiated by the DSS server ... • ... That request has to be correlated, by the Remote End, to the first PAOAS R/R, to put the “(2) DSS-Request(PKCS#1)” into the POAS response. • Sequence 3-5 show integration of OASIS DSS(-X) and ISO/IEC 24727 / CEN 15480

  22. ebMSv3 – Sequence 1 User Agent Remote System Digital Signature Service (S)SCD @ User Agent MSH A MSH B MSH C MSH A PUSH(Request(Sign document)) (1) Sign document Calculate Hash DSS-Request(Complex) PULL(Request) (2) DSS-Request(PKCS#1) Sign Hash PUSH(Response) (2) DSS-Response Verification, Timestamping, Revocation Info, etc. ... DSS-Response PULL(Response) (1) Document signed

  23. ebMSv3 – Sequence 2 User Agent Remote System Digital Signature Service (S)SCD @ User Agent MSH A MSH B MSH A PUSH(Request(Sign document)) (1) Sign document Calculate Hash PULL(Request) (2) DSS-Request(PKCS#1) Sign Hash PUSH(Response) (2) DSS-Response DSS-Request(Complex) Verification, Timestamping, Revocation Info, etc. DSS-Response PULL(Response) (1) Document signed

  24. ebMS Usage • Sequence 1 • Requires DSS server to use ebMSv3 • Pull Request from User Agent has to be routed via the Remote System. • Sequence 2 • Does not require DSS server to use ebMSv3 • No routing issue • How does the ebMSv3 ‘client’ compare to the PAOAS ‘client’ at the User Agent regarding implementation complexity? • A simple PAOS-applet may be as small as 100 kB.

More Related