120 likes | 242 Views
The proof of your digital documents. What is a digital signature ?. Bob. Bob. How it works. Alice. Dear Alice, Let’s meet in Venice next weekend. Bob. Dear Alice, Let’s meet in Venice next weekend. Bob. Bob. 4. Imprint. x6fR7890cv. y9jl09cw56. 1. Imprint. x6fR7890cv. 3. Decypher.
E N D
The proof of your digital documents UN/CEFACT August 29, 2008
What is a digital signature ? Bob Bob How it works Alice Dear Alice, Let’s meet in Venice next weekend. Bob Dear Alice, Let’s meet in Venice next weekend. Bob Bob 4. Imprint x6fR7890cv y9jl09cw56 1. Imprint x6fR7890cv 3. Decypher Bob 2. Cypher • If equality then : • Message comes from Bob • Message has not been modified Bob y9jl09cw56 x6fR7890cv Signature UN/CEFACT August 29, 2008
Digital signature formats : PKCS#7, CMS, XAdES History of digital signature formats • Influenced by structured data models • ASN.1 (Abstract Syntax Notation 1) • Message and communication oriented • Compact • Binary data support • Performance • Abstruse • XML (eXtensible Markup Language) • Applications oriented • Verbose • Binary data not supported -> required Base64 encoding (x 4/3) • High CPU and memory requirements • Open – self described UN/CEFACT August 29, 2008
Digital signature formats : PKCS#7, CMS, XAdES History of digital signature formats (continued) ASN.1 1990 PKCS#7 1993 XML 1998 Public Key Cryptographic Standard XML Digital Signature XMLDSIG 2000 Cryptographic Message Syntax CMS 2004 XML Advanced Electronic Signature XAdES 2003 CMS Advanced Electronic Signature CAdES 2005 t UN/CEFACT August 29, 2008
Different types of signature 3 types of signatures = 3 types of proof • Enveloping attached : signature contains signed content (through internal URI) • Enveloping detached : signature references signed content (external URI reference) • Enveloped: signature is included in the document it signs (internal URI which excluedes itself) UN/CEFACT August 29, 2008
Different types of signature Pros and cons of different types of signatures • Enveloping attached • Contains signature(s), content, timestamps, etc. • Ease of verification and use • Can sometimes be complex to manipulate if huge • Enveloping detached • Only contains signature • Difficult to verify because access to signed content is required : file system, database, network resources, etc. • Allows the signature to be communicated independantly of signed content • Enveloped • Signature is inside content • Only works with XML content or proprietary (PDF, Microsoft) • Implementation is tied to data structure • Adapted to internal applications, low interoperability UN/CEFACT August 29, 2008
Digital signature properties Properties are important to signature contextualization • Signed properties • Date & time • Signature production place • Signature policy • Etc… • Signed properties participate in digital signature computation • Unsigned properties • Timestamp • LCR, OCSP • Note : these properties are not signed by the signatory but are nevertheless signed ! • Unsigned properties do not participate in digital signature computation and hence do not participate in the document’s integrity. UN/CEFACT August 29, 2008
Different types of signature French banking commission • XAdES format as defined in RGI (French e-Administration interoperability framework) • BES (SigningCertificate or KeyInfo mandatory) • EPES (signature policy mandatory) • Enveloping attached signature required • Signature policy : • Identifyer : 1.2.250.1.115.200.300.1 (OID) • http://www.banque-france.fr/igc/signature/ps/ps_1_2_250_1_115_200_300_1.pdf • 1 file = 1 signature • Canonicalisation algorithm de http://www.w3.org/2001/10/xml-exc-c14n# (because XBRL) • Supported certificates, digital evidence agreement, etc. UN/CEFACT August 29, 2008
Zoom on XAdES signature policy http://www.w3.org/TR/XAdES/#Syntax_for_XAdES_The_SignaturePolicyIdentifier_element <xad:SignaturePolicyIdentifier> <xad:SignaturePolicyId> <xad:SigPolicyId> <xad:Identifier Qualifier="OIDAsURN">urn:oid:1.2.250.1.115.200.300.1</xad:Identifier> </xad:SigPolicyId> <xad:SigPolicyHash> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod> <ds:DigestValue>q+ahW33Qg36KEeKdQLs94R4zb1c=</ds:DigestValue> </xad:SigPolicyHash> <xad:SigPolicyQualifiers> <xad:SigPolicyQualifier> <xad:SPURI>http://www.banque-france.fr/igc/signature/ps/ps_1_2_250_1_115_200_300_1.pdf</xad:SPURI> </xad:SigPolicyQualifier> </xad:SigPolicyQualifiers> </xad:SignaturePolicyId> </xad:SignaturePolicyIdentifier> UN/CEFACT August 29, 2008
Contact Francois Devoret Lex Persona +33 6 72 74 35 53 fdevoret@lex-persona.com www.lex-persona.com UN/CEFACT August 29, 2008