SignCloud. Remote Digital Signature System
- Ellen Warren
- 6 years ago
All the information in this document is CONFIDENTIAL and can't be used entirely or in part without a written permission from Bit4id SRL.
Contents

1. Executive Summary
2. SignCloud System Architecture
3. Remote Credentials Enrollment
4. Remote Digital Signature on Desktop
5. Remote Digital Signature on Mobile Devices
6. References
   6.1. Consejo de la Judicatura (ECUADOR)
   6.2. College of Notaries (Notartel, ITALY)
7. Technical specifications
1. Executive Summary

This document describes SignCloud, the Bit4id solution for the enrolment and usage of PKI-based Remote Digital Identities. SignCloud allows any document to be digitally signed from any platform (desktop and mobile) by exploiting a Secure Element on the Cloud, thus releasing the End User from the burden of dealing with a smart card or PKI token. SignCloud has been developed with a modular and scalable state-of-the-art architecture offering best-in-class security thanks to the FIPS-certified HSMs used for the protection of the digital identities. SignCloud can be easily integrated with any existing PKI infrastructure, both on the client side and on the server side, thanks to well-known standardized digital signature protocols and interfaces.

This white paper presents a high-level overview of the SignCloud architecture (par. 2) as well as some relevant use cases, showing how easy the process of Remote Digital Identity enrolment is (par. 3) and its usage for digital signature both on desktop (par. 4) and mobile platforms (par. 5). Finally, some important references are outlined (par. 6) and technical specifications are provided (par. 7).
2. SignCloud System Architecture

SignCloud is an enterprise-grade client-server solution for expanding your PKI infrastructure with remote digital signature functionality. The client side of SignCloud, named Universal Key Chain (UKC), is available both as a lightweight desktop agent and as a mobile app. The UKC client is able to interoperate seamlessly with any web browser and third-party desktop application through widespread and well-accepted digital signature standards. The SignCloud solution makes remote digital signature possible in the widest range of mobile and non-mobile scenarios.

The SignCloud server, sketched in figure 1, integrates the following functionalities:

- Authentication Server
- Digital Signature Engine
- Secure DB
- HSM
- Log and Audit System

Figure 1: Functional Architecture of SignCloud Server.

The SignCloud Client (UKC) offers several standard interfaces (PKCS#11, CSP, tokend) as well as advanced high-level APIs to ensure abstraction and remotization of the secure signature creation device, for the benefit of third-party applications requesting a digital signature service or the creation of a new digital identity (key pair and related X.509 digital certificate).

The Authentication Server module supports several Authenticator means, such as:

- Physical OTP device
- Mobile App OTPs
- SMS OTPs
- Biometric-based (on request)
SignCloud can be easily connected with already existing PKI infrastructures and Credential Management Systems, given its full interoperability with multiple PKCS#11-compliant devices. This integration is achieved thanks to a lightweight Registration Authority (RA) Client Connector (UKC for RA) that in fact extends the RA functionality to enroll new remote certificates and key pairs on the SignCloud platform. SignCloud is natively integrated with the Bit4id Universal Identity Manager Registration Authority (Bit4id UIM RA), the Credential Management System (CMS) and RA platform of Bit4id, and can work with any CMS that is PKCS#11 compliant.

SignCloud can be easily scaled up both vertically and horizontally, by integrating HSMs of growing cryptographic computing power or by clustering the SignCloud servers, to ensure not only increased performance but also fault tolerance and load balancing.

SignCloud features an advanced secure logging system to keep track of performed transactions. The audit trail is sequentially hashed and digitally signed in order to guarantee the integrity both of the single records and of their sequence.

In figure 2 we report a high-level overview of a typical architectural subset. As already mentioned above, the SignCloud Server, available both as a network-attached appliance and as a virtual machine, can host an embedded PCI HSM or can optionally be interfaced with more powerful network HSMs when an increased number of transactions per second is required. The performance scales linearly when adding more SignCloud Servers in a clustered configuration; this has the added benefit of fault tolerance and load balancing.

Figure 2: High-level architecture of the SignCloud System and interfacing with external entities.
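The sequentially hashed and signed audit trail described above, as an added example (not Bit4id's code): each record carries the SHA-256 of its predecessor and is signed over that link, so a verifier detects altered records, deleted records and, given a trusted copy of the latest hash, a truncated tail. The HSM signature is stood in for by HMAC-SHA256 under a key held only by the log server, and all records are constructed (assumptions for this offline example; a deployment would use an asymmetric signature produced inside the HSM).

```python
"""Hash-chained, signed audit trail (constructed example, not Bit4id code).

Every record stores the SHA-256 of the previous record and is signed over
seq + prev_hash + event, so neither a record nor its position in the
sequence can be changed without the signing key. The HSM signature is
modelled here with HMAC-SHA256 (assumption: a real deployment would use an
asymmetric signature produced inside the HSM and verified with its
certificate).
"""
import copy
import hashlib
import hmac
import json

GENESIS_HASH = "0" * 64  # constructed sentinel used as prev_hash of record 0


def _canonical(body):
    # Deterministic encoding so hash and signature do not depend on key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only log kept by the SignCloud server's Log and Audit System."""

    def __init__(self, signing_key):
        self._key = signing_key
        self.records = []

    def append(self, event):
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS_HASH
        body = {"seq": len(self.records), "prev_hash": prev_hash, "event": event}
        payload = _canonical(body)
        record = dict(body)
        record["hash"] = hashlib.sha256(payload).hexdigest()
        record["sig"] = _sign(self._key, payload)
        self.records.append(record)
        return record

    def head(self):
        # Hash of the latest record; publish it out of band to detect truncation.
        return self.records[-1]["hash"] if self.records else GENESIS_HASH


def verify_trail(records, signing_key, expected_head=None):
    """Return (ok, reason). Checks chain links, record hashes and signatures."""
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(records):
        body = {k: rec[k] for k in ("seq", "prev_hash", "event")}
        payload = _canonical(body)
        if rec["seq"] != i or rec["prev_hash"] != expected_prev:
            return False, "chain break at record %d" % i
        if hashlib.sha256(payload).hexdigest() != rec["hash"]:
            return False, "record %d content altered" % i
        if not hmac.compare_digest(_sign(signing_key, payload), rec["sig"]):
            return False, "record %d signature invalid" % i
        expected_prev = rec["hash"]
    if expected_head is not None and expected_prev != expected_head:
        return False, "trail truncated: head mismatch"
    return True, "ok"


def demo():
    """Build a three-record trail and show which manipulations are caught."""
    key = b"constructed-demo-key-not-an-hsm-key"
    trail = AuditTrail(key)
    trail.append({"user": "u1", "op": "login"})
    trail.append({"user": "u1", "op": "sign", "doc": "sha256:constructed"})
    trail.append({"user": "u1", "op": "logout"})

    tampered = copy.deepcopy(trail.records)
    tampered[1]["event"]["doc"] = "sha256:other"    # edit a record's content
    deleted = [trail.records[0], trail.records[2]]  # drop the middle record
    truncated = trail.records[:2]                   # drop the newest record

    return {
        "intact": verify_trail(trail.records, key),
        "tampered": verify_trail(tampered, key),
        "deleted": verify_trail(deleted, key),
        "truncated_no_anchor": verify_trail(truncated, key),
        "truncated_anchored": verify_trail(truncated, key, trail.head()),
    }
```

Note that cutting off the newest records passes every per-record check; only comparing against a head hash published elsewhere (or a signed "latest" marker) catches it, which is why the verifier takes an expected head.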
Figure 2 also sketches the interfacing with the Registration Authority for the enrolment of the End Users and the issuance of the remote digital identities. For this specific case we referred to the Bit4id RA and Credential Management System, Bit4id UIM RA; however, SignCloud can be immediately integrated with any CMS platform thanks to the SignCloud RA Client, which exposes a standard PKCS#11 interface toward the enrolment station while virtualizing the smart card on the SignCloud HSM.

3. Remote Credentials Enrolment

SignCloud is agnostic toward the Certification Authority software used; any CA can be used as long as it offers a suitable RA interface, whether a native one or an additional CMS layer. Although Bit4id UIM RA is an optional element of the Remote Digital Signature infrastructure, it nevertheless enriches the architecture thanks to its native integration with the SignCloud System, offering a simple way to decouple the process of End User registration and certificate issuance from the CA. In fact, Bit4id UIM RA features a CA gateway that enables the submission of Certificate Signing Requests to multiple CA back-ends.

As an example, we report in figure 3 a screenshot of Bit4id UIM RA where a new End User (a new Credentials Holder) has been created and his/her request is pending approval. The request was created by selecting the SignCloud HSM as key container, meaning that the End User will have remote credentials available for digital signature or other purposes, as described in the key usage of the certificate profile selected during registration.

Figure 3: Bit4id Credential Management System Web Interface: managing the approval workflow.

Once the request has been approved by the Registration Officer and the new digital identity has been enrolled on the SignCloud platform, the secret codes are communicated to the End User.
There are many different options to let the End User receive his/her secret codes; here we see that the enrolment workflow has been configured to use an e-mail method. Other possibilities include PIN mailer and scratch cards.

Figure 4: E-mail addressed to the End User and containing the secret codes for the use of the remote identity.

Figure 4 shows the e-mail generated by the CMS, which reports the following information needed by the End User to exploit his/her digital identity by means of the SignCloud Client:

- User ID
- Password
- PIN
- PUK
- ERC (Emergency Code)

The first two credentials are needed in order to identify the virtual smart card assigned to the End User on the SignCloud platform, while the PIN is used, as for a physical smart card, to authorize the use of the private key, e.g. for a digital signature or authentication operation; the PUK code is used to unlock the PIN code if the number of allowed attempts for entering a correct PIN is inadvertently reached. Finally, the ERC code is used if a life-cycle management operation, such as a certificate suspension request, is required by the End User from the RA Help Desk.

It is worth recalling here that the authentication of the End User towards the SignCloud platform can be performed by means of different Authenticators. Therefore, instead of a static PIN code, a dynamically generated OTP could be used.
4. Remote Digital Signature on Desktop

In figure 5[1] we show the connection of the SignCloud Client to the server; here the User ID and Password are required to access the virtual smart card containing the End User certificate.

Figure 5: [1] Connection of the UKC Client to the SignCloud Platform; [2] Display of the available digital identities in the UKC.

After successful login (figure 5[2]) the certificate information is displayed inside the SignCloud Client, which also acts as a typical smart card manager, allowing the user to perform typical operations like change PIN/unlock PIN.

Once the remote credentials have been enrolled and the SignCloud Client has been authenticated using the credentials of the End User, he/she can then perform any typical operation involving digital certificates as if in possession of a physical smart card, simply by exploiting the remotization offered by the SignCloud system. We show in figure 6 a digital signature operation on a Microsoft Word file. As can be clearly noticed, the remote certificate is made available to the application by means of the CSP library installed by the SignCloud client. By accepting to sign the document (Fig. 7), the SignCloud client requires the End User to authorize the transaction by means of the suitable Authenticator, which in this case is the PIN code. It is apparent that a similar workflow would be in place for any other application requiring the services of the smart card, including those applications that require a PKCS#11 library (e.g. Firefox, Bit4id Firma4NG, etc.).
Figure 6: Adding a digital signature to a Word document. The certificate is made available by the UKC through the CSP library.

Figure 7: The decision to sign the document produces the PIN request from the UKC client, exactly in the same fashion as it would happen if a physical smart card were used.
5. Remote Digital Signature on Mobile Devices (Soon Available)

In order to describe remote digital signature on mobile devices we consider the following use case. The End User is already authenticated to a specific Web Application (in the example shown below it is an Internet banking website, but it is apparent that this is valid for any type of Web Application). Figures 8 to 10 show screenshots of the relevant phases, where the following elements are part of the use case:

1. The Web Application produces a document to be digitally signed by the End User;
2. The Web Application requires the End User to sign the document;
3. The End User accepts to sign the document;
4. The Web Application, by means of a Service Platform, sends a push notification to the End User Device;
5. The End User clicks on the notification;
6. The Client App is started to manage the digital signature request;
7. The UKC Client App presents the document to be signed to the End User, who can review the document before deciding;
8. The End User selects the available Secure Element on the Cloud (remote smart card on HSM) in order to make certificates available for the application;
9. The End User selects the appropriate certificate for digital signature;
10. The End User enters the PIN number (or other Authenticator);
11. The signed document is returned to the Web Application, which verifies and stores the digitally signed document.

Another common use case is that the End User receives a document to be signed by e-mail. By opening the attached document with the SignCloud mobile client App, the End User can review the content of the document and digitally sign it according to the required format.
Figure 8: Web application requesting the user to sign a transaction.

Figure 9: Push notification alerting the user to the digital signature request. By clicking on the notification, the related Client App, responsible for handling the required action, is opened.

Figure 10: The transaction to be signed is presented to the End User, who can accept or decline the invitation. If the user decides to sign the transaction, he/she has to enter the PIN number (or other authenticators, e.g. fingerprint) to unlock and leverage the capabilities of one among the several secure elements supported by the Client App.
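The mobile use case above, together with the PIN/PUK rules from the secret-codes section, modelled as an added example (not Bit4id's code): the Web Application issues a request, the push notification carries only the request id, the Client App shows the fetched document and sends the PIN to the remote Secure Element, and the Web Application verifies the returned signature over a digest it computes itself. The HSM key and signature are stood in for by HMAC-SHA256, the PIN, PUK and document are constructed, and the limit of 3 PIN attempts is an assumed value (the page only states that a limit exists).

```python
"""Push-notification signing flow with PIN/PUK rules (constructed example,
not Bit4id code). The HSM-held private key and its signature are stood in
for by an HMAC key and HMAC-SHA256 (assumption); what the model shows is the
control flow: the PIN gates the remote key, wrong PINs count down to a block
that only the PUK clears, and the Web Application verifies the returned
signature against the digest of the document it issued, never one supplied
by the client.
"""
import hashlib
import hmac
import secrets

MAX_PIN_ATTEMPTS = 3  # constructed limit; the page only states that one exists

class WrongPin(Exception): pass
class PinBlocked(Exception): pass


class RemoteSecureElement:
    """Virtual smart card on the SignCloud HSM: one PIN-gated signing key."""

    def __init__(self, pin, puk):
        self._pin, self._puk = pin, puk
        self.attempts_left = MAX_PIN_ATTEMPTS
        self._key = secrets.token_bytes(32)  # stand-in for the HSM private key

    def sign(self, pin, digest):
        if self.attempts_left == 0:
            raise PinBlocked("PIN blocked; unlock with the PUK")
        if not hmac.compare_digest(pin, self._pin):
            self.attempts_left -= 1
            raise WrongPin("%d attempt(s) left" % self.attempts_left)
        self.attempts_left = MAX_PIN_ATTEMPTS  # a correct PIN resets the counter
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def unlock_pin(self, puk, new_pin):
        if not hmac.compare_digest(puk, self._puk):
            raise ValueError("wrong PUK")
        self._pin, self.attempts_left = new_pin, MAX_PIN_ATTEMPTS

    def verify(self, digest, signature):
        # Stand-in for public-key verification with the End User's certificate.
        expected = hmac.new(self._key, digest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class WebApplication:
    """Issues signature requests; archives a document only once its signature verifies."""

    def __init__(self, verifier):
        self._verifier, self._pending, self.archive = verifier, {}, {}

    def request_signature(self, document):
        request_id = secrets.token_hex(8)
        self._pending[request_id] = document
        return {"type": "push", "request_id": request_id}  # constructed push payload

    def fetch_document(self, request_id):
        return self._pending[request_id]

    def receive_signed(self, request_id, signature):
        document = self._pending.pop(request_id)  # unknown or replayed id raises KeyError
        digest = hashlib.sha256(document).digest()  # recomputed here, not taken from the client
        if not self._verifier.verify(digest, signature):
            return False
        self.archive[request_id] = (document, signature)
        return True


def client_app_handle_push(se, web_app, notification, pin, user_accepts):
    """UKC mobile app: fetch the document, let the End User review it, then sign."""
    document = web_app.fetch_document(notification["request_id"])
    if not user_accepts(document):  # the End User may decline
        return None
    return se.sign(pin, hashlib.sha256(document).digest())


def demo():
    se = RemoteSecureElement(pin="1234", puk="87654321")  # constructed secret codes
    web_app = WebApplication(se)
    document = b"Pay EUR 100 to IBAN IT00 CONSTRUCTED"

    def attempt(note, pin):  # returns the signature, or the name of the error raised
        try:
            return client_app_handle_push(se, web_app, note, pin, lambda doc: True)
        except (WrongPin, PinBlocked) as exc:
            return type(exc).__name__

    note = web_app.request_signature(document)
    errors = [attempt(note, "0000"), attempt(note, "1111")]  # two wrong PINs
    sig = attempt(note, "1234")
    accepted = web_app.receive_signed(note["request_id"], sig)
    other = web_app.request_signature(document + b" (altered)")
    accepted_other = web_app.receive_signed(other["request_id"], sig)  # same sig, other doc
    note3 = web_app.request_signature(document)
    for pin in ("0000", "1111", "2222"):  # exhaust the attempts
        attempt(note3, pin)
    blocked = attempt(note3, "1234")  # correct PIN, but the card is blocked now
    se.unlock_pin("87654321", new_pin="5678")
    after_unlock = web_app.receive_signed(note3["request_id"], attempt(note3, "5678"))
    return {"errors": errors, "accepted": accepted, "accepted_other": accepted_other,
            "blocked": blocked, "after_unlock": after_unlock,
            "attempts_left": se.attempts_left}
```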
6. References

SignCloud has been successfully deployed in many scenarios and for many different customers. Here we provide only a handful of references; for more details please contact your Bit4id sales manager.

6.1. Consejo de la Judicatura (ECUADOR)

The Judicial Council of Ecuador requested a complete PKI solution for the country's lawyers and judges, who need to identify themselves, sign and possibly encrypt sensitive documents. Bit4id developed and deployed the entire PKI infrastructure, including two Certification Authority sites. In particular, the infrastructure comprised a SignCloud platform to enable remote digital signature. Some notable features of the delivered solution:

- Root CA and Sub-CAs installation and configuration
- High security network segmentation
- Key Ceremony preparation and celebration
- EJBCA certification authority software with many customizations and improvements
- Two sites established: main and disaster recovery
- High Availability infrastructure ensured for both sites
- More than users and counting
- RA implemented with proprietary software (Bit4id UIM RA)
- RA Workflows customization
- TSA system implemented with proprietary software (Bit4id smarttsa)
- Validation authority with CRL and OCSP (EJBCA configured as VA)
- Digital signature based on physical SSCD and Remote Digital Signature with Key Custody on HSM
- Alfresco Enterprise Content Management System integration
- Auditing log with Bit4id smartlog advanced logging system

6.2. College of Notaries (Notartel, ITALY)

The Italian council of notaries needed a complete PKI solution to allow its associates to get digital certificates relevant to their needs. Bit4id's solution allows notaries to self-manage their enrolment: they can compose their requests for different kinds of digital certificates and different key usages by accessing a dedicated and protected web site.
Users manage the initialization and setup of their smart cards (key pair generation) from their web browsers, thanks to our UKC Client technology. Certificates can also be stored within the HSM and then accessed with an OTP (software or hardware). Bit4id developed the entire PKI infrastructure, integrating its services with the Notartel systems. Notable features:

- A complete PKI system with Certification Authority based on open source EJBCA CA
- Safenet HSM in High Availability configuration
- Key Ceremony designed and supervised by Bit4id
- Many different authentication backends: smart card, username and password, Single Sign On with SAML, grid card with secret codes
- Integration with Bit4id Universal Key Chain as remote identity client
- API integration with Notartel business systems
- High availability front-end system

7. Technical specifications

Supported desktop platforms: Windows, Linux, MacOS 10.5 or later
Supported mobile platforms: Android, iOS, Windows Mobile
Supported Browsers: Internet Explorer, Edge, Chrome, Firefox, Safari
Certificate profiles: X.509, ETSI TS V1.3.2
HSM Certification: FIPS Level 3
Signature Formats: XAdES (ETSI TS V1.3.2), CAdES (ETSI TS V1.7.4), PAdES (ETSI TS V1.1.1, TS V1.2.1, TS V1.1.1, TS V1.1.1, TS V1.1.1)
Hashing Algorithms: SHA-256, SHA-1, MD2, MD5
Key length: 2048/1024
Verification: CRL, OCSP, LDAP
Encryption Algorithms: AES-256, 3-DES
Encoding: ASN.1-DER (ISO 8824, 8825), BASE64 (RFC 1421)
Time stamped data: RFC
Bit4id in the world

ITALY
Naples: Via Diocleziano, Naples, Italy. Tel / Fax
Rome: Via Tirone, Rome. Tel / Fax
Milan: Tel / Fax

SPAIN
Barcelona: Barcelona Advanced Industry Park, C/ Marie Curie, Barcelona, Spain. Tel:

UNITED KINGDOM
2 London Wall Buildings, London Wall, London EC2M 5UU, UK. Tel / Fax

PERU
Mártir Olaya, nº 169, Oficina 406 (Miraflores), Lima (Perú). Tel: +(51) info.pe@bit4id.com
Centrally Managed VPN Fully Automatic Operation of a Remote Access VPN via a Single Console Administration and license management system for NCP Exclusive Remote Access Clients Enables easy rollout and
More informationCirius Secure Messaging Single Sign-On
Cirius Secure Messaging seamlessly integrates into your enterprise SSO to give your users total email security and an extra set of robust communications tools. Single sign-on (SSO) systems create a single
More informationSafeNet Authentication Service
SafeNet Authentication Service Push OTP Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have
More informationTFS WorkstationControl White Paper
White Paper Intelligent Public Key Credential Distribution and Workstation Access Control TFS Technology www.tfstech.com Table of Contents Overview 3 Introduction 3 Important Concepts 4 Logon Modes 4 Password
More informationHARDWARE SECURITY MODULES (HSMs)
HARDWARE SECURITY MODULES (HSMs) Cryptography: The basics Protection of data by using keys based on complex, randomly-generated, unique numbers Data is processed by using standard algorithms (mathematical
More informationThe Match On Card Technology
Precise Biometrics White Paper The Match On Card Technology Magnus Pettersson Precise Biometrics AB, Dag Hammarskjölds väg 2, SE 224 67 Lund, Sweden 22nd August 2001 Abstract To make biometric verification
More informationCREDENTSYS CARD FAMILY
CREDENTSYS CARD FAMILY Credentsys is a secure smart card family that is designed for national ID systems, passports, and multi-use enterprise security environments. The family is certified to FIPS 140-2
More informationTHE INTEROPERATION BETWEEN CASIDP AND INCOMMON ETC. JIWU JING
THE INTEROPERATION BETWEEN IDP AND INCOMMON ETC. JIWU JING OUTLINE Introduction of IDP( s IDP) Concerns on the IDP s Interoperability An Approach of Interoperation Project IDP SYSTEM Identity Management
More informationSafeNet Authentication Client
SafeNet Authentication Client Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto and/or its subsidiaries who shall have and keep the
More informationTwo-Factor Authentication over Mobile: Simplifying Security and Authentication
SAP Thought Leadership Paper SAP Digital Interconnect Two-Factor Authentication over Mobile: Simplifying Security and Authentication Controlling Fraud and Validating End Users Easily and Cost-Effectively
More informationSecurity Specifications
Security Specifications Overview Password Manager Pro deals with administrative passwords that offer secure access to enterprise credentials and devices. Any compromise on the security of these passwords
More informationYubiKey Smart Card Deployment Guide
YubiKey Smart Card Deployment Guide Best Practices and Basic Setup YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n Copyright 2017 Yubico Inc. All rights reserved. Trademarks
More informationCertAgent. Certificate Authority Guide
CertAgent Certificate Authority Guide Version 6.0.0 December 12, 2013 Information in this document is subject to change without notice and does not represent a commitment on the part of Information Security
More informationSSL/TSL EV Certificates
SSL/TSL EV Certificates CA/Browser Forum Exploratory seminar on e-signatures for e-business in the South Mediterranean region 11-12 November 2013, Amman, Jordan Moudrick DADASHOW CEO, Skaitmeninio Sertifikavimo
More informationhidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION
HID ActivOne USER FRIENDLY STRONG AUTHENTICATION We understand IT security is one of the TOUGHEST business challenges today. HID Global is your trusted partner in the fight against data breach due to misused
More informationVMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1
VMware Workspace ONE Quick Configuration Guide VMware AirWatch 9.1 A P R I L 2 0 1 7 V 2 Revision Table The following table lists revisions to this guide since the April 2017 release Date April 2017 June
More information5 OAuth Essentials for API Access Control
5 OAuth Essentials for API Access Control Introduction: How a Web Standard Enters the Enterprise OAuth s Roots in the Social Web OAuth puts the user in control of delegating access to an API. This allows
More informationSystem Overview. Security
ImageSilo is an ultra-secure, on-demand Enterprise Content Management (ECM) system. As the largest on-demand installation of PaperVision Enterprise, it offers all the same features and functionality. ImageSilo
More informationEntrust Technical Integration Guide for Entrust Security Manager 7.1 SP3 and SafeNet Luna CA4
Entrust Technical Integration Guide for Entrust Security Manager 7.1 SP3 and SafeNet Luna CA4 July 2008 Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries.
More informationEXBO e-signing Automated for scanned invoices
EXBO e-signing Automated for scanned invoices Signature Policy Document OID: 0.3.2062.7.2.1.12.1.0 Approval Status: Approved Version: 1.0 Page #: 1 of 13 1. Introduction 1.1. Scope This document covers
More informationSafeNet Authentication Client
SafeNet Authentication Client Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV and/or its subsidiaries who shall have and keep
More informationBlackBerry Dynamics Security White Paper. Version 1.6
BlackBerry Dynamics Security White Paper Version 1.6 Page 2 of 36 Overview...4 Components... 4 What's New... 5 Security Features... 6 How Data Is Protected... 6 On-Device Data... 6 In-Transit Data... 7
More informationDIGITALSIGN - CERTIFICADORA DIGITAL, SA.
DIGITALSIGN - CERTIFICADORA DIGITAL, SA. TIMESTAMP POLICY VERSION 1.1 21/12/2017 Page 1 / 18 VERSION HISTORY Date Edition n.º Content 10/04/2013 1.0 Initial drafting 21/12/2017 1.1 Revision AUTHORIZATIONS
More informationSurePassID ServicePass User Guide. SurePassID Authentication Server 2017
SurePassID ServicePass User Guide SurePassID Authentication Server 2017 Introduction This technical guide shows how users can manage their SurePassID security tokens that are compatible with SurePassID
More informationDesign and Implementation of a RFC3161-Enhanced Time-Stamping Service
Design and Implementation of a RFC3161-Enhanced Time-Stamping Service Chung-Huang Yang, 1 Chih-Ching Yeh, 2 and Fang-Dar Chu 3 1 Institute of Information and Computer Education, National Kaohsiung Normal
More informationSingle Sign-On. Introduction. Feature Sheet
Feature Sheet Single Sign-On Introduction CipherPost Pro seamlessly integrates into your enterprise single sign-on (SSO) to give your users total email security and an extra set of robust communications
More informationUnbound and Oasis KMIP Interoperability
Unbound and Oasis KMIP Interoperability Thad Roemer, Solutions Architect April 2018 What does KMIP do? Security Applications or Appliances Key Material & Metadata Transport KMIP Key Management Server Create,
More informationSafeNet Authentication Service
SafeNet Authentication Service Integration Guide Using SafeNet Authentication Service as an Identity Provider for Tableau Server All information herein is either public information or is the property of
More informationRSA Authentication Manager 8.2
RSA Authentication Manager 8.2 Over 25,000 customers 50 60 million active tokens in circulation 10 million units shipped per year More than 50% market share RSA Ready Partner Program: 400 Partners with
More informationCipherMail encryption. CipherMail white paper
CipherMail email encryption CipherMail white paper Copyright 2009-2017, ciphermail.com. Introduction Most email is sent as plain text. This means that anyone who can intercept email messages, either in
More informationTestpassport http://www.testpassport.net Exam : SY0-301 Title : Security+ Certification Exam 2011 version Version : Demo 1 / 5 1.Which of the following is the BEST approach to perform risk mitigation of
More informationSecurity Specification
Security Specification Security Specification Table of contents 1. Overview 2. Zero-knowledge cryptosystem a. The master password b. Secure user authentication c. Host-proof hosting d. Two-factor authentication
More informationDBsign for HTML Applications Version 4.0 Release Notes
DBsign for HTML Applications Version 4.0 Release Notes Copyright 2010 Version 4.0 Copyright Notice: The Release Notes has a copyright of 2000-2010 by Gradkell Computers, Inc. This work contains proprietary
More informationGiovanni Carnovale Technical Account Manager Southeast Europe VASCO Data Security
Giovanni Carnovale Technical Account Manager Southeast Europe The concept of strong authentication Something you have Something you know We authenticate the world 2 Authenticate where? We authenticate
More informationJUNIPER NETWORKS PRODUCT BULLETIN
PRODUCT BULLETIN JUNIPER NETWORKS PRODUCT BULLETIN Junos Pulse Mobile Security Suite 4.2 What s New for Enterprises and Service Providers Bulletin Date January 24, 2013 Bulletin Number 8000022 Applicable
More informationCertDigital Certification Services Policy
CertDigital Certification Services Policy Page: 2 ISSUED BY : DEPARTAMENT NAME DATE ELECTRONIC SERVICES COMPARTMENT COMPARTMENT CHIEF 19.03.2011 APPROVED BY : DEPARTMENT NAME DATE MANAGEMENT OF POLICIES
More information