UELMA Exploring Authentication Options Nov 4, 2011

Size: px
Start display at page:

Download "UELMA Exploring Authentication Options Nov 4, 2011"

Transcription

1 UELMA Exploring Authentication Options Nov 4, 2011 A U T H E N T I C A T I O N M E T H O D S P R E L I M I N A R Y R E P O R T B R A D L E E C H A N G X C E N T I A L G R O U P B R A X C E N T I A L. C O M

2 Overview Many ways to authenticate primary legal documents Solutions have varying capabilities Costs range from nearly free to nearly $200,000. We explored: Basic Methods Commercial Product Offerings Six Typical Configurations Advantages & Disadvantages Costs 2

3 Agenda 3 I. Requirements II. Authentication Methods II. Components of Authentication Solutions III. Sample Scenarios, Costs and Benefits IV. Discussion

4 Requirements 4 Authenticity of Origin - verification that the document is actually from the source that it claims to come from (e.g. the State of California Office of Legislative Counsel). Document Integrity - verification that the document has not been altered since it left its source.

5 What We Are Authenticating 5 Chaptered Bills (Statutes) Chaptered Resolutions Constitutional Amendments State Constitution State Codes

6 For Whom 6 General Public Future Public Libraries Other Governmental Bodies Private Sector Organizations

7 Agenda 7 I. Requirements II. Authentication Methods II. Components of Authentication Solutions III. Sample Scenarios, Costs and Benefits IV. Discussion

8 Authentication Building Blocks 8 fb4e a67d CA CA CA

9 Hash Codes 9 fb4e a67d

10 Hash Codes (a.k.a. Digests) Fingerprint of a document If doc changes hash changes Impossible to recreate doc from hash Infeasible to forge a doc matching a hash 10 Hashing Algorithms SHA-1 Widely used, but no longer recommended 1 SHA-2 Currently recommended 1 SHA-3 Future development MD5 Widely used, but proven to be weak (1)

11 Creating a Hash Code 11 Generate Hash Code fb4e a67d Many hash generation utilities

12 Verifying a Hash Code 12 Generate Hash Code fb4e a67d Compare Secure Server/ Website Retrieve Hash Code Secure Communications fb4e a67d

13 Advantages Simple to implement Ensures Document Integrity Hash Codes Can be extended to ensure Authenticity of Origin Supports any file type Disadvantages Does not explicitly authenticate the origin Can be vulnerable to man-in-the-middle and phishing attacks Requires trusted retrieval of hash codes or a trusted verification service Must have a method to match a document with its stored hash Vulnerable to loss or corruption of true hash codes Examples: Utah, Minnesota 13

14 Digital Signatures 14 fb4e a67d Adds Encryption and Certificates to Hashing Enables Authentication without external service or data

15 Public Key Encryption Mathematically created key pair Private key Public key 15 Encrypt data using private key Only public key can decrypt Encrypt data using public key Only private key can decrypt

16 Encrypting the Hash 16 Generate Hash Code Encrypt with Private Key fb4e a67d 37ac d2f6 37ac d2f6

17 Verifying an Encrypted Hash 17 37ac d2f6 Decrypt with Public Key fb4e a67d Generate Hash Code fb4e a67d Compare

18 Digital Certificates 18 International Standard Format (x.509) Identity Contact Information Issuing Authority Public Key Self-Created Issued by a Certificate Authority

19 Creating a Signed Document 19 Generate Hash Code Encrypt with Private Key Certificate fb4e a67d 37ac d2f6 fb4e a67d Signed Document

20 Signed Document in Adobe Reader 20 Reader must be told to trust this Certificate

21 Advantages Digital Signatures Verifiable Document Integrity Verifiable Authenticity of Origin Robust Industry Support (esp. Certificates, PDF) Disadvantages The signer must be trusted Signer could be impersonated 21 Example: See Self-Signed PDF

22 Public Key Infrastructure (PKI) 22 fb4e a67d CA CA CA

23 Public Key Infrastructure Trusted Certification Authorities (CAs) Verifies identity and issue Certificates: Public Key Verified info (identity) Signed by CA, vouches for identity of public key owner Trust CA Trust Certificates issued by CA E.g. web browsers have list of trusted CAs for secure web connections (SSL) E.g. Adobe Reader has list of CAs for PDF sigs 23

24 PKI Signed Document 24 Same as Signed Document Only the Certificate is Different Adobe VeriSign CA Office of Leg. Counsel

25 PKI Signed Document in Adobe Reader 25

26 Advantages PKI Certificates Same as Signed Document, plus: Verifiable as long as any certificate in the chain is trusted Can be verified even if the source is no longer available. Automatic verification in Adobe Reader (CDS) Disadvantages More expensive to implement 26 Example: GPO

27 Hashing Methods Summary Core feature of all authentication Partial solution which can be made whole Vulnerable to some risks Digital Signature Complete solution Must trust the signer Vulnerable to impersonation Public Key Infrastructure Establishes a Chain of Trust High level of security 27

28 Other Considerations 28 Archiving Formats (e.g. PDF/A) Long Term Authentication Controlling Document Usage Printing, form filling, etc. Key Management Certificate renewal, revocation

29 Long Term Validation Sig validity at signing time is what matters Certificates expire, can be revoked Need to prove when signature was made Crypto algorithms can weaken over time EU Directive 1999/93/EC requirements Technical solutions: ETSI standards CAdES, XAdES, PAdES Involve authenticated timestamping & embedding of certificate chain in signatures 29

30 Agenda 30 I. Requirements II. Authentication Methods II. Components of Authentication Solutions III. Sample Scenarios, Costs and Benefits IV. Discussion

31 Components of a Solution File Type Considerations 2. Certificates 3. Signing Software 4. Validation Software

32 1. File Type Considerations Some Files Support Embedded Signatures PDF, some word processing formats XMLDSig External Signatures & Envelopes Any file format can have detached signature Validation highly inconvenient Anything goes into a signed envelope Slightly less inconvenient (can't lose sig) PDF can be a signed envelope Automated Validation PDF Only 32

33 Self-signed 2. Certificates Who signed it? 33 Free! Nobody trusts it! Need trusted distribution (e.g. secure web site) Well-known CA (PKI) Not free Various purposes, levels of assurance, prices VeriSign, GeoTrust, Entrust, GlobalSign CDS Certificate Automatically trusted by Adobe Reader Requires hardware support

34 3. Signing Software 34 Desktop PDF Standard Programming Libraries itext Adobe LiveCycle

35 Desktop PDF Signing Apps Adobe Acrobat, Aloaha PDF Signator PDF only Low cost, unless many copies needed Any kind of certificate Including hardware tokens Fully manual signing Open PDF, sign and save Aloaha has batch mode, scripting capability 35

36 Standard Programming Libraries Java, MS-CAPI,.NET, etc. Crypto algorithms, certificate handling XML DSig implementations Not applications => custom software needed to use Free => cost is in developing app Can be used to sign XML, HTML, anything 36 But not embedded PDF signatures Can validate same

37 itext 37 Programming library for PDF documents Not an application => custom software needed to use Free (open source) and paid versions Any kind of certificate Including hardware tokens (to be confirmed) Suitable for automated mass signing

38 Adobe LiveCycle ES 2 Large server-side application Digital Signatures is one module PDF only Expensive CDS certificates Supports HSMs Fully automated mass signing 38

39 4. Validation Software 39 PDF Readers Hash Comparators Signature Validation Libraries Online Services (Austria, MN)

40 Adobe Reader PDF Readers Automatically validates signed PDFs Trusts certificates tracing back to: Adobe Root (Reader v6 & up) Any root cert in AATL (Reader v9 and up) (at user option) Any cert in Windows cert store Free, highly convenient, proprietary Foxit Reader User activates signature validation Seems to trust only certs in Windows store Free, slightly less convenient, bug encountered 40

41 Hash Comparators 41 Essentially the same as Hash Generators and Signing Libraries. Contained in many programming libraries For integration in validation apps Desktop apps (often free) Web apps

42 Signature Validation Libraries Ready-made libraries to validate digital signatures 42 Built on top of standard libraries Additional capabilities: server integration, file type detection, file type handling, certificate management, etc. E.g. Open Source library used officially in Austria Can be integrated in mass validation application Can be integrated in online validation service

43 Online Services Web site allowing file upload for signature/hash verification Hash verification requires access to trusted hash list Must rely on file name, or search list for matching hash Minnesota prototype Signature verification more generic Except for list of trusted root certificates State of Austria implementation: 43

44 44

45 Agenda 45 I. Requirements II. Authentication Methods II. Components of Authentication Solutions III. Sample Scenarios, Costs and Benefits IV. Discussion

46 Sample Configurations 46 Wide Range of Combinations possible Picked 6 Typical Configurations Manual to High Volume Automated

47 Six Samples Manual PDF 2. Mass Signing with itext 3. Highly Automated with Adobe LiveCycle 4. XML Signing with Java Libraries 5. PDF with Embedded XML and HTML 6. Signing and Secure Website

48 Six Samples Sample Security Volume Doc Types 48 Initial Cost Annual Cost Manual PDF High Low PDF $1,049 $618 PDF with itext High High PDF $22,100 $9,670 PDF with LiveCycle High High PDF $170,100 $39,270 XML with Java Medium High XML Dev. Only (Moderate) PDF (XML, HTML) High High XML, HTML, PDF Multi-Doc Type High High Any Dev. Only (Higher) TBD $22,100 $9,670 TBD (Higher)

49 1. Manual PDF signing 49 Entrust Group CDS certificate Unsigned PDF Signed PDF Adobe Acrobat X with operator

50 1. Manual PDF signing Initial Cost : $1,049 (Cert,Acrobat) + labor + PC On-going Cost : $618/year for certificate renewal Advantages 50 Low Initial Cost (for low volume) CDS Certificate Simple Process Disadvantages: Labor Intensive impractical for high volume Error Prone

51 2. Mass Signing with IText 51 HSM Entrust CDS certificate Unsigned PDF itext Libraries + Custom Software Signed PDF

52 Initial Cost: 2. Mass Signing with IText $2,000 itext (1 server, free dev servers) $7,000 Entrust Enterprise Lite Certificate $13,100 SafeNet Luna SA HSM $22,100 Total Plus customization, system integration, server hardware On-going Cost: $400 itext Maintenance $6,650 Entrust Enterprise Lite Certificate Renewal $2,620 SafeNet Luna SA HSM Maintenance $9,670/year Total 52

53 Advantages 2. Mass Signing with IText Automated High Volume PKI/CDS Certificate Moderate Cost Disadvantages Custom software needs to be developed 53

54 3. Highly Automated with Adobe LiveCycle 54 HSM Entrust CDS certificate Unsigned PDF Signed PDF

55 3. Highly Automated with Adobe LiveCycle Initial Cost $150,000 LiveCycle DS (2 CPU + 1 Dev Server) $7,000 Entrust Enterprise Lite Certificate $13,100 SafeNet Luna SA HSM $170,100 Total Plus customization, system integration, server hardware On-going Cost $30,000 LiveCycle DS Maintenance $6,650 Entrust Enterprise Lite Certificate Renewal $2,620 SafeNet Luna SA HSM Maintenance $39,270/year Total 55

56 3. Highly Automated with Adobe LiveCycle Advantages High Volume PKI/CDS Certificate 56 Integrated in a larger document management framework: Workflow, Forms, PDF generation from MS Office documents Disadvantages Expensive Cost increases for multi-cpu setups

57 4. XML Signing with Java Libraries 57 A certificate (self-signed) Unsigned XML Signed XML Java Libraries + Custom Software

58 4. XML Signing with Java Libraries 58 Initial Cost : Custom software Optional certificate from a CA On-going Cost Optional certificate Advantages Inexpensive Standardized Authentication (XMLDSig) Disadvantages Validation needs additional software

59 5. PDF with Embedded XML and HTML 59 Unsigned Documents HSM Entrust CDS certificate itext Libraries + Custom Software Signed PDF

60 5. PDF with Embedded XML and HTML 60

61 5. PDF with Embedded XML and HTML Initial Cost: $2,000 itext (1 server, free dev servers) $7,000 Entrust Enterprise Lite Certificate $13,100 SafeNet Luna SA HSM $22,100 Total Plus customization, system integration, server hardware On-going Cost: $400 itext Maintenance $6,650 Entrust Enterprise Lite Certificate Renewal $2,620 SafeNet Luna SA HSM Maintenance $9,670/year Total 61

62 5. PDF with Embedded XML and HTML Advantages Automated High Volume PKI/CDS Certificate Validation of PDF, XML and HTML in one step Moderate Cost Disadvantages Custom software needs to be developed Human requires Adobe Reader or Acrobat to extract data Automated processes need a PDF library to extract data 62

63 5. PDF with Embedded XML and HTML Advantages 63 Automatic validation of PDF, XML and HTML in one step Disadvantages Human requires Adobe Reader or Acrobat to extract data Automated processes need a PDF library to extract data

64 6. Multi-Doc Signing and Validation 64 A certificate (self-signed) Signing Process Java Libraries + Custom Software XML, HTML, PDF, etc. XmlDSig, Signed PDF, CMS/PKCS #7, etc.

65 6. Multi-Doc Signing and Validation 65 Validation Process Document Secure Server Integration Software Validates SSL Internet Open Source Code Supported documents: XMLDSig, Signed PDF, CMS/PKCS #7, etc. Authentic or Altered or Bad Sig

66 6. Multi-Doc Signing and Validation Initial Cost Development costs Web server On-going Cost Little Advantages Numerous types of document may be verified Disadvantages 66 Requires online access to verify document s authenticity Validation service must be maintained

67 Agenda 67 I. Requirements II. Authentication Methods II. Components of Authentication Solutions III. Sample Scenarios, Costs and Benefits IV. Discussion

68 Discussion 68 Questions? Suggestions? Additional Topics? Next Steps?

69 Discussion Ideas 69 Individual User Convenience Batch Validation Visual Fidelity Source Content Images Archive File Formats - PDF, XML HTML,?

Digital signatures: How it s done in PDF

Digital signatures: How it s done in PDF Digital signatures: How it s done in PDF Agenda Why do we need digital signatures? Basic concepts applied to PDF Digital signatures and document workflow Long term validation Why do we need digital signatures?

More information

EDTA, itext and INBATEK Conference. Bangkok, July 27, 2017

EDTA, itext and INBATEK Conference. Bangkok, July 27, 2017 EDTA, itext and INBATEK Conference Bangkok, July 27, 2017 Digital Signatures in PDF Basic concepts applied to PDF Architectures: server-side vs. client-side Digital signatures and document workflow Long

More information

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1 Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions

More information

eidas-compliant signing of PDF

eidas-compliant signing of PDF PDF Days Europe 2018 eidas-compliant signing of PDF Technical implications of eidas conformance in PDF processing Bernd Wild intarsys AG, Member of the Board of A Presentation 2018 by!11 72% of EU individuals

More information

Digital Certificates. PKI and other TTPs. 3.3

Digital Certificates. PKI and other TTPs. 3.3 Digital Certificates. PKI and other TTPs. 3.3 1 Certification-service providers Spanish Law 59/03 Art. 2.2 or Directive 1999/93/EC Art. 2.11: Certification-service providers means an entity or a legal

More information

IBM i Version 7.2. Security Digital Certificate Manager IBM

IBM i Version 7.2. Security Digital Certificate Manager IBM IBM i Version 7.2 Security Digital Certificate Manager IBM IBM i Version 7.2 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information

More information

EXBO e-signing Automated for scanned invoices

EXBO e-signing Automated for scanned invoices EXBO e-signing Automated for scanned invoices Signature Policy Document OID: 0.3.2062.7.2.1.12.1.0 Approval Status: Approved Version: 1.0 Page #: 1 of 13 1. Introduction 1.1. Scope This document covers

More information

IFY e-signing Automated for scanned invoices

IFY e-signing Automated for scanned invoices IFY e-signing Automated for scanned invoices Signature Policy Document OID: 0.3.2062.7.2.1.13.1.0 Approval Status: Approved Version: 1.0 Page #: 1 of 13 1. Introduction 1.1. Scope This document covers

More information

Transforming the Document Signing Process

Transforming the Document Signing Process July 2015 Transforming the Document Signing Process Copyright Ascertia 2015 Sam Crook Key Account Manger Agenda About us Why are digital signatures inevitable? What are digital signatures? What can you

More information

Adding value to your MS customers

Adding value to your MS customers Securing Microsoft Adding value to your MS customers Authentication - Identity Protection Hardware Security Modules DataSecure - Encryption and Control Disc Encryption Offering the broadest range of authentication,

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 6 Release 1 System i Security Digital Certificate Manager Version 6 Release 1 Note Before using this information and the product it supports, be sure

More information

Security Fundamentals

Security Fundamentals COMP 150-IDS: Internet Scale Distributed Systems (Spring 2015) Security Fundamentals Noah Mendelsohn Tufts University Email: noah@cs.tufts.edu Web: http://www.cs.tufts.edu/~noah Copyright 2012 & 2015 Noah

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

IBM. Security Digital Certificate Manager. IBM i 7.1

IBM. Security Digital Certificate Manager. IBM i 7.1 IBM IBM i Security Digital Certificate Manager 7.1 IBM IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in

More information

Electronic Seal Administrator Guide Published:December 27, 2017

Electronic Seal Administrator Guide Published:December 27, 2017 Electronic Seal Administrator Guide Published:December 27, 2017 Copyright Version 4.25.2.3 Copyright 2003-2018 DocuSign, Inc. All rights reserved. For information about DocuSign trademarks, copyrights

More information

Certificate Enrollment- and Signing Services for the Cloud. A behind-the-scenes presentation of a successful cooperation between

Certificate Enrollment- and Signing Services for the Cloud. A behind-the-scenes presentation of a successful cooperation between Certificate Enrollment- and Signing Services for the Cloud A behind-the-scenes presentation of a successful cooperation between Introduction Based on our experience and the request from the market we would

More information

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper

More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment. CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How

More information

Digital Certificates Demystified

Digital Certificates Demystified Digital Certificates Demystified Ross Cooper, CISSP IBM Corporation RACF/PKI Development Poughkeepsie, NY Email: rdc@us.ibm.com August 9 th, 2012 Session 11622 Agenda Cryptography What are Digital Certificates

More information

Handwritten signatures are EOL Panos Vassiliadis

Handwritten signatures are EOL Panos Vassiliadis Handwritten signatures are EOL Panos Vassiliadis Managing Director The use of paper would be reduced and maybe eliminated in offices by 1995 and all documents would be on computer and electronic due to

More information

DECISION OF THE EUROPEAN CENTRAL BANK

DECISION OF THE EUROPEAN CENTRAL BANK L 74/30 Official Journal of the European Union 16.3.2013 DECISIONS DECISION OF THE EUROPEAN CENTRAL BANK of 11 January 2013 laying down the framework for a public key infrastructure for the European System

More information

Intertek esignature Customer Reference Document

Intertek esignature Customer Reference Document Version 3.8 Page 1 of 17 Document History Version Amendments Date Amended by 2.1 Corrected index numbering, revised Section 1.6 and references to 1.6; Corrected formatting 30-Jul-2014 Application Support

More information

SHA-1 to SHA-2. Migration Guide

SHA-1 to SHA-2. Migration Guide SHA-1 to SHA-2 Migration Guide Web-application attacks represented 40 percent of breaches in 2015. Cryptographic and server-side vulnerabilities provide opportunities for cyber criminals to carry out ransomware

More information

Public-Key Infrastructure NETS E2008

Public-Key Infrastructure NETS E2008 Public-Key Infrastructure NETS E2008 Many slides from Vitaly Shmatikov, UT Austin slide 1 Authenticity of Public Keys? private key Alice Bob public key Problem: How does Alice know that the public key

More information

QUANTUM SAFE PKI TRANSITIONS

QUANTUM SAFE PKI TRANSITIONS QUANTUM SAFE PKI TRANSITIONS Quantum Valley Investments Headquarters We offer quantum readiness assessments to help you identify your organization s quantum risks, develop an upgrade path, and deliver

More information

Profile for High-Performance Digital Signatures

Profile for High-Performance Digital Signatures CYBERNETICA Institute of Information Security Profile for High-Performance Digital Signatures Version 1.2 Margus Freudenthal T-4-23 / 2017 Copyright c 2017 Margus Freudenthal. Cybernetica AS, Department

More information

Chapter 9: Key Management

Chapter 9: Key Management Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange

More information

Security Vulnerabilities of the NDEF Signature Record Type

Security Vulnerabilities of the NDEF Signature Record Type Security Vulnerabilities of the NDEF Signature Record Type Michael Roland Upper Austria University it of Applied Sciences,, Austria 3 rd International Workshop on Near Field Communication 22 February 2011,,

More information

Certificates, Certification Authorities and Public-Key Infrastructures

Certificates, Certification Authorities and Public-Key Infrastructures (Digital) Certificates Certificates, Certification Authorities and Public-Key Infrastructures We need to be sure that the public key used to encrypt a message indeed belongs to the destination of the message

More information

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO e-government Survey 2014 United Nations Page 2 EGDI: E-Government Development Index National ID & Digital Signature Estonian Prime Minister Andrus Ansip

More information

Certificate implementation The good, the bad, and the ugly

Certificate implementation The good, the bad, and the ugly Certificate implementation The good, the bad, and the ugly DOE Security Training Workshop James A. Rome Oak Ridge National Laboratory April 29, 1998 A wealth of riches? I decided to use certificates for

More information

Government PKI Factors Influencing Architecture for the Equal Employment Opportunity Commission

Government PKI Factors Influencing Architecture for the Equal Employment Opportunity Commission Government PKI Factors Influencing Architecture for the Equal Employment Opportunity Commission December 14, 2000 Steve Bruck Khurram Chaudry Francis Yuan 1 EEOC Business Cases for PKI Citizens complaints

More information

Authentication Methods

Authentication Methods CERT-EU Security Whitepaper 16-003 Authentication Methods D.Antoniou, K.Socha ver. 1.0 20/12/2016 TLP: WHITE 1 Authentication Lately, protecting data has become increasingly difficult task. Cyber-attacks

More information

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

Introduction to SSL. Copyright 2005 by Sericon Technology Inc. Introduction to SSL The cornerstone of e-commerce is a Web site s ability to prevent eavesdropping on data transmitted to and from its site. Without this, consumers would justifiably be afraid to enter

More information

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator

More information

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu X.509 CPSC 457/557 10/17/13 Jeffrey Zhu 2 3 X.509 Outline X.509 Overview Certificate Lifecycle Alternative Certification Models 4 What is X.509? The most commonly used Public Key Infrastructure (PKI) on

More information

Implementing Secure Socket Layer

Implementing Secure Socket Layer This module describes how to implement SSL. The Secure Socket Layer (SSL) protocol and Transport Layer Security (TLS) are application-level protocols that provide for secure communication between a client

More information

SSL/TSL EV Certificates

SSL/TSL EV Certificates SSL/TSL EV Certificates CA/Browser Forum Exploratory seminar on e-signatures for e-business in the South Mediterranean region 11-12 November 2013, Amman, Jordan Moudrick DADASHOW CEO, Skaitmeninio Sertifikavimo

More information

UNIT - IV Cryptographic Hash Function 31.1

UNIT - IV Cryptographic Hash Function 31.1 UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service

More information

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution

Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution Introduction to Network Security Missouri S&T University CPE 5420 Key Management and Distribution Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University

More information

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006 PKI-An Operational Perspective NANOG 38 ARIN XVIII October 10, 2006 Briefing Contents PKI Usage Benefits Constituency Acceptance Specific Discussion of Requirements Certificate Policy Certificate Policy

More information

bbc Migrating and Sharing Secuity Settings: Using Security Settings Import/Export and FDF Files Acrobat and Adobe Reader PDF Creation Date:

bbc Migrating and Sharing Secuity Settings: Using Security Settings Import/Export and FDF Files Acrobat and Adobe Reader PDF Creation Date: bbc PDF Creation Date: September 5, 2008 Migrating and Sharing Secuity Settings: Using Security Settings Import/Export and FDF Files Acrobat and Adobe Reader Version 9.0 2008 Adobe Systems Incorporated.

More information

But where'd that extra "s" come from, and what does it mean?

But where'd that extra s come from, and what does it mean? SSL/TLS While browsing Internet, some URLs start with "http://" while others start with "https://"? Perhaps the extra "s" when browsing websites that require giving over sensitive information, like paying

More information

Sectigo Security Solution

Sectigo  Security Solution Sectigo Email Security Solution 2018 Sectigo. All rights reserved. Email hacking is a commonly used malicious tactic in our increasingly connected world. Business email compromise (BEC), or email account

More information

Resolution of comments on Drafts ETSI EN to ETSI EN May 2014

Resolution of comments on Drafts ETSI EN to ETSI EN May 2014 Resolution of comments on Drafts ETSI EN 319 142-1 to ETSI EN 319 142-7 31 May 2014 PAdES Foreword: Please note that the following disposition of comments is provided to the light of the current context

More information

INSTRUCTION FOR OPERATION WITH DESKTOP SIGNER

INSTRUCTION FOR OPERATION WITH DESKTOP SIGNER INSTRUCTION FOR OPERATION WITH DESKTOP SIGNER Version 1.50, February 2017 B-Trust Instruction Page 1 TABLE OF CONTENTS I. About the Program... 3 II. System requirements... 3 III. Installation... 4 IV.

More information

Cian Kinsella CEO, Digiprove

Cian Kinsella CEO, Digiprove Cian Kinsella CEO, Digiprove cian.kinsella@digiprove.com Malaga 7 th June 2013 Been developing software since 1972 Commercial and Freelance Co-founder of 3 Software Product Companies Have had many different

More information

Redesigning PKI To Solve Revocation, Expiration, & Rotation Problems. Brian

Redesigning PKI To Solve Revocation, Expiration, & Rotation Problems. Brian Redesigning PKI To Solve Revocation, Expiration, & Rotation Problems Brian Knopf @DoYouQA WHO AM I Sr Director of Security Research & IoT Architect @Neustar @DoYouQA 20+ Home Previously years in IT, QA,

More information

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation Overview Key exchange Session vs. interchange keys Classical, public key methods Key generation Cryptographic key infrastructure Certificates Key storage Key escrow Key revocation Digital signatures May

More information

The Uniform Electronic Legal Material Act

The Uniform Electronic Legal Material Act The Uniform Electronic Legal Material Act Implementation in Minnesota Prepared By: Melissa Patsch, Software Developer Office of the Revisor of Statutes For: NALIT Professional Development Seminar Date:

More information

Certificate-based authentication for data security

Certificate-based authentication for data security Technical white paper Certificate-based authentication for data security Table of Contents Introduction... 2 Analogy: A simple checking account... 2 Verifying a digital certificate... 2 Summary... 8 Important

More information

Public-key Infrastructure Options and choices

Public-key Infrastructure Options and choices Public-key Infrastructure Options and choices Tim Moses Director, Advanced Security Technology April 98 1997 Entrust Technologies Overview General-purpose and Dedicated PKIs Trust models Two-key architecture

More information

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Data Security and Privacy. Topic 14: Authentication and Key Establishment Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt

More information

Crypto meets Web Security: Certificates and SSL/TLS

Crypto meets Web Security: Certificates and SSL/TLS CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

Most Common Security Threats (cont.)

Most Common Security Threats (cont.) Most Common Security Threats (cont.) Denial of service (DoS) attack Distributed denial of service (DDoS) attack Insider attacks. Any examples? Poorly designed software What is a zero-day vulnerability?

More information

Cryptographic Checksums

Cryptographic Checksums Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;

More information

Test Signature Policy Version 1.0

Test Signature Policy Version 1.0 Test Signature Policy Version 1.0 This document describes the policy requirements for the creation of test signatures. 04-10-2018 Name COMPL_POL_TestSignaturePolicy OID 1.3.6.1.4.1.49274.1.1.5.1.0 Applicable

More information

Introducing Hardware Security Modules to Embedded Systems

Introducing Hardware Security Modules to Embedded Systems Introducing Hardware Security Modules to Embedded Systems for Electric Vehicles charging according to ISO/IEC 15118 V1.0 2017-03-17 Agenda Hardware Trust Anchors - General Introduction Hardware Trust Anchors

More information

UELMA Preservation. Jason Judt & Daniel Kruse Office of the Revisor of Statutes, Minnesota

UELMA Preservation. Jason Judt & Daniel Kruse Office of the Revisor of Statutes, Minnesota UELMA Preservation Jason Judt & Daniel Kruse Office of the Revisor of Statutes, Minnesota UELMA System Overview Server-side authentication Complete versioning system Tracking and auditing tools developed

More information

Automated Court Reporter Application. Digital Signatures

Automated Court Reporter Application. Digital Signatures Automated Court Reporter Application Digital Signatures Doc Version 1.5 December 1, 2010 Administrative Office of the U.S. Courts Revision History Date Version Description of Revision 2/10/2009 1.0 Initial

More information

Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14 Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Key Management and Distribution No Singhalese, whether man or woman, would venture

More information

Overview & Specification

Overview & Specification Electronic Signature Overview & Specification Version: 1.0 Author: Qatar Public Key Infrastructure Section Document Classification: PUBLIC Published Date: May 2018 Version: 1.0 Page 1 of 31 Document Information

More information

Rethinking IoT Authentication & Authorization Models

Rethinking IoT Authentication & Authorization Models Rethinking IoT Authentication & Authorization Models 2017 ISSA SoCal Security Symposium September 14, 2017 Hilton Orange County, Costa Mesa Brian Knopf @DoYouQA WHO AM I Sr Director of Security Research

More information

Public Key Algorithms

Public Key Algorithms CSE597B: Special Topics in Network and Systems Security Public Key Cryptography Instructor: Sencun Zhu The Pennsylvania State University Public Key Algorithms Public key algorithms RSA: encryption and

More information

Certificateless Public Key Cryptography

Certificateless Public Key Cryptography Certificateless Public Key Cryptography Mohsen Toorani Department of Informatics University of Bergen Norsk Kryptoseminar November 9, 2011 1 Public Key Cryptography (PKC) Also known as asymmetric cryptography.

More information

Introduction to Cryptography Lecture 10

Introduction to Cryptography Lecture 10 Introduction to Cryptography Lecture 10 Digital signatures, Public Key Infrastructure (PKI) Benny Pinkas January 1, 2012 page 1 Non Repudiation Prevent signer from denying that it signed the message I.e.,

More information

VSP18 Venafi Security Professional

VSP18 Venafi Security Professional VSP18 Venafi Security Professional 13 April 2018 2018 Venafi. All Rights Reserved. 1 VSP18 Prerequisites Course intended for: IT Professionals who interact with Digital Certificates Also appropriate for:

More information

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier Presented by Joshua Schiffman & Archana Viswanath Ten Risks of PKI : What You re not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier Trust Models Rooted Trust Model! In a

More information

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing Chapter 6: Digital Certificates Introduction Methods PKI Digital Certificate Passing Prof Bill Buchanan OBE http://asecuritysite.com/crypto06 http://asecuritysite.com/encryption Identity on the Internet

More information

PKI Credentialing Handbook

PKI Credentialing Handbook PKI Credentialing Handbook Contents Introduction...3 Dissecting PKI...4 Components of PKI...6 Digital certificates... 6 Public and private keys... 7 Smart cards... 8 Certificate Authority (CA)... 10 Key

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

Who s Protecting Your Keys? August 2018

Who s Protecting Your Keys? August 2018 Who s Protecting Your Keys? August 2018 Protecting the most vital data from the core to the cloud to the field Trusted, U.S. based source for cyber security solutions We develop, manufacture, sell and

More information

Digital Certificate Operation in a Complex Environment PKI ARCHITECTURE QUESTIONNAIRE

Digital Certificate Operation in a Complex Environment PKI ARCHITECTURE QUESTIONNAIRE Digital Certificate Operation in a Complex Environment A project within the Joint Information Systems Committee s Authentication, Authorisation and Accounting middleware programme PKI ARCHITECTURE QUESTIONNAIRE

More information

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman Public Key Infrastructure PKI National Digital Certification Center Information Technology Authority Sultanate of Oman Agenda Objectives PKI Features etrust Components Government eservices Oman National

More information

Securing Internet Communication: TLS

Securing Internet Communication: TLS Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases

More information

Document Signing Certificate Getting Started Guide

Document Signing Certificate Getting Started Guide Certificate Services Document Signing Certificate Getting Started Guide Using the SafeNet Authentication Client: 8.3 Document issue: 1.0 Date of issue: March 2017 For software release 12.1 Document Signing

More information

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE Cryptographic Appliances with Integrated Level 3+ Hardware Security Module The BlackVault hardware security platform keeps cryptographic material

More information

Man in the Middle Attacks and Secured Communications

Man in the Middle Attacks and Secured Communications FEBRUARY 2018 Abstract This document will discuss the interplay between Man in The Middle (MiTM/ MITM) attacks and the security technologies that are deployed to prevent them. The discussion will follow

More information

Add or remove a digital signature in Office files

Add or remove a digital signature in Office files Add or remove a digital signature in Office files This article explains digital signatures (also known as digital ID), what they can be used for, and how you can use digital signatures in the following

More information

PRICE LIST TRUST SERVICE PRODUCTS. Price List Version 5.9 Berlin, April Copyright 2018, Bundesdruckerei GmbH. Seite 1/9

PRICE LIST TRUST SERVICE PRODUCTS. Price List Version 5.9 Berlin, April Copyright 2018, Bundesdruckerei GmbH. Seite 1/9 PRICE LIST TRUST SERVICE PRODUCTS Price List Version 5.9 Berlin, April 2018 Copyright 2018, Bundesdruckerei GmbH Seite 1/9 Qualified Single Signature Cards D-TRUST Card 3.0 EU Signature card according

More information

FIS and DCS User Guide - Supplement

FIS and DCS User Guide - Supplement FIS and DCS User Guide - Supplement Adobe Acrobat and Adobe Reader Configuration How to Digitally Sign PDF Documents with Adobe Acrobat and Adobe Reader Version 1.0 Exostar LLC September 2016 1 Table of

More information

Interagency Advisory Board Meeting Agenda, February 2, 2009

Interagency Advisory Board Meeting Agenda, February 2, 2009 Interagency Advisory Board Meeting Agenda, February 2, 2009 1. Opening Remarks (Tim Baldridge, NASA) 2. Mini Tutorial on NIST SP 800-116 AND PIV use in Physical Access Control Systems (Bill MacGregor,

More information

KEY DISTRIBUTION AND USER AUTHENTICATION

KEY DISTRIBUTION AND USER AUTHENTICATION KEY DISTRIBUTION AND USER AUTHENTICATION Key Management and Distribution No Singhalese, whether man or woman, would venture out of the house without a bunch of keys in his hand, for without such a talisman

More information

CertDigital Certification Services Policy

CertDigital Certification Services Policy CertDigital Certification Services Policy Page: 2 ISSUED BY : DEPARTAMENT NAME DATE ELECTRONIC SERVICES COMPARTMENT COMPARTMENT CHIEF 19.03.2011 APPROVED BY : DEPARTMENT NAME DATE MANAGEMENT OF POLICIES

More information

PKI is Alive and Well: The Symantec Managed PKI Service

PKI is Alive and Well: The Symantec Managed PKI Service PKI is Alive and Well: The Symantec Managed PKI Service Marty Jost Product Marketing, User Authentication Lance Handorf Technical Enablement, PKI Solutions 1 Agenda 1 2 3 PKI Background: Problems and Solutions

More information

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Today We will see how signatures are used to create public-key infrastructures

More information

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm

More information

Fall 2010/Lecture 32 1

Fall 2010/Lecture 32 1 CS 426 (Fall 2010) Key Distribution & Agreement Fall 2010/Lecture 32 1 Outline Key agreement without t using public keys Distribution of public keys, with public key certificates Diffie-Hellman Protocol

More information

An Overview of Secure and Authenticated Remote Access to Central Sites

An Overview of Secure and Authenticated Remote Access to Central Sites Workshop on Data Access to Micro-Data (WDA) Nuernberg, August 20-21 An Overview of Secure and Authenticated Remote Access to Central Sites Dr Milan Marković Banca Intesa ad Beograd, Serbia milan.markovic@bancaintesabeograd.com

More information

How Next Generation Trusted Identities Can Help Transform Your Business

How Next Generation Trusted Identities Can Help Transform Your Business SESSION ID: SPO-W09B How Next Generation Trusted Identities Can Help Transform Your Business Chris Taylor Senior Product Manager Entrust Datacard @Ctaylor_Entrust Identity underpins our PERSONAL life 2

More information

ETSI TR V1.1.1 ( )

ETSI TR V1.1.1 ( ) TR 119 400 V1.1.1 (2016-03) TECHNICAL REPORT Electronic Signatures and Infrastructures (ESI); Guidance on the use of standards for trust service providers supporting digital signatures and related services

More information

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Trent Jaeger 1 Kerberos History: from UNIX to Networks (late 80s) Solves: password eavesdropping Also mutual authentication

More information

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 Kerberos History: from UNIX to Networks (late

More information

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any

More information

Information Security CS 526

Information Security CS 526 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric

More information

Electronic Signature Format. ECOM Interoperability Plug Test 2005

Electronic Signature Format. ECOM Interoperability Plug Test 2005 Electronic Signature Format ECOM Interoperability Plug Test 2005 Final Report Executive Summary January 2006 Next Generation Electronic Commerce Promotion Council of Japan (ECOM) Security Working Group

More information

Enterprise / Insurance Companies. Safe Online Operations

Enterprise / Insurance Companies. Safe Online Operations Enterprise / Insurance Companies Safe Online Operations Introduction: Meet the presenter VP Strategic Sales - EMEA Senior Executive GlobalSign - Belgium RONALD DE TEMMERMAN T +32 (0) 16 891908 M +32 (0)

More information

Key Management and Distribution

Key Management and Distribution Key Management and Distribution Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

Internet Engineering Task Force (IETF) Request for Comments: 6283 Category: Standards Track. July 2011

Internet Engineering Task Force (IETF) Request for Comments: 6283 Category: Standards Track. July 2011 Internet Engineering Task Force (IETF) Request for Comments: 6283 Category: Standards Track ISSN: 2070-1721 A. Jerman Blazic S. Saljic SETCCE T. Gondrom July 2011 Abstract Extensible Markup Language Evidence

More information

ADOBE 9A Adobe LiveCycle ES Application Developer.

ADOBE 9A Adobe LiveCycle ES Application Developer. ADOBE 9A0-081 Adobe LiveCycle ES Application Developer http://killexams.com/exam-detail/9a0-081 QUESTION: 57 Which three technologies are used to create digital signatures? (Choose three.) A. hashing B.

More information