24th, September, 2009

Technical Presentation Mr José Luis Ruiz López, IT-CGAE Manager


Content

• Why is PenalNet a secure service?
  – Digital Certificate
  – Digital Signature & Encryption
  – Notifications & Acknowledges
  – Secure Functionality
• Functional & Technical Description
  – Public Information
  – Messaging platform
• A walk through PenalNet


Why is PenalNet a Secure Service?

• In order to access it one must have a qualified digital certificate (X509v3):
  – The most secure way to validate professional identity on the Internet
  – Lawyer identity guaranteed by the national bar association, which verifies their identity and lawyer condition before issuing the certificate
• The qualified digital signature makes the authorship of the messages sent and received unquestionable, which guarantees that the issuing party cannot refute them
• The messages sent and received through PenalNet are encrypted and cannot be manipulated or modified in any way
• The platform provides confirmation of reception and a return receipt, and users can be notified of any message sent to them through the means they prefer (e-mail or SMS)
• PenalNet features present advantages over conventional e-mail

Confidentiality, Authentication, Integrity, Non repudiation


Secure Service – Digital Certificate

• PenalNet Certificates and signature cover two different aspects of security:
  – electronic security: standard algorithms, policies and best practices implementing PenalNet portal (X509v3, RSA algorithms)
  – legal security:
    • European Directive on Electronic Signature (1999/93/EC). It legally determines that a digital signature is equivalent to a hand-written signature
    • “CCBE Policies for qualified lawyers” specify the minimum requirements that should be observed by national Bar Certification Authorities which identify those lawyers registered with them on the Internet through qualified Certificates


PenalNet Certificates

• Identify the person and their lawyer condition
• Allow secure communications and transactions and guarantee Confidentiality, Authentication, Integrity and Non repudiation
• Are issued on a SSCD (secure signature creation device)

Certificates are delivered with

• Smart Card Reader
• CD including the following components:
  – Smart Card Drivers
  – Smart Card Reader Drivers
  – CA Certificates
  – Wizard for an easy Kit installation
  – User manuals


• PenalNet certificates
  – comply with standards:
    • X.509 V3
    • RFC3280 “Internet X.509 Public Key Infrastructure Certificate and CRL Profile”
    • ETSI TS 101 862 “European profile for Qualified Certificates”
    • RFC 3739 “Qualified Certificates Profile”
• PenalNet certification policies
  – Comply with:
    • CCBE Recommendations about Policies for qualified lawyers
    • Directive 1999/93/EC
• PenalNet certification Authority (ACA)
  – CA infrastructure is allocated
    • in a maximum security Data Center with a high level of Environmental and Physical protection
  – Certification authority follows the best security practices:
    • holds WebTrust Seal of Assurance for Certification Authorities and is preloaded into Microsoft's browser as a trusted CA
  – The CA’s private signing key is stored on hardware certified to FIPS 140-1 level 3 with two-person control enforced
  – ACA is participating in STORK project
  – ACA is being audited under ISO-27001 security standards


• RSA algorithms
  – The RSA algorithm is based on the fact that it’s easy to multiply two large prime numbers together and get a product. But you can’t take that product and reasonably guess the two original numbers, or guess one of the original primes if only the other is known
  – The public and private keys are carefully generated using the RSA algorithm (Public Key Infrastructure, PKI)
  – They are used to sign and generate keys in PenalNet
• PenalNet Certificates:
  – are Qualified Certificates according to Directive 1999/93/EC
  – are generated in a Secure Signature Creation Device (SSCD), which means having a Common Criteria Certification and a security level EAL 4+, that involves meeting the CWA 14169 requirements
  – users’ key pairs are 1024 bit using the RSA algorithm
  – are protected with PIN and PUK numbers that only the user knows
  – are also signed by the Certification Authority with RSA SHA-1


Secure Service – Digital Signature & Encryption

• PenalNet generates XML from the message data, XML signature:
  – W3C recommendation that defines an XML syntax for digital signature
  – Information about sender and receiver is included in the PenalNet XML
  – Attached documents, size and format are also embedded in the PenalNet XML
  – XML signature process:
    • An applet creates an XML with the message data
    • Signs the XML, including a new node, using the PenalNet lawyer’s certificate
  – Guarantees interoperability (other formats don’t do it: SMIME, PDF)


• PenalNet Message Encryption:
  1. Encryption component server generates a symmetric key
  2. XML message is encrypted with the symmetric key generated previously
  3. Signature component encrypts the symmetric key generated previously with the public key from the certificate which is used by PenalNet server
  4. Distribution of the message to the mailboxes. Message is stored in each user folder totally encrypted
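The four encryption steps above, as an added example in Java (not PenalNet's server code). The slides name no ciphers, so AES-256-GCM and RSA-OAEP are assumptions, as is the in-memory key pair standing in for the PenalNet server certificate.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.*;

public class EnvelopeEncryptionDemo {
    // Assumed algorithms (the slides name none): AES-256-GCM for the message,
    // RSA-OAEP with SHA-256 to protect the symmetric key.
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    public static void main(String[] args) throws Exception {
        // Assumption: an in-memory key pair replaces the PenalNet server certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();
        byte[] xml = "<message><subject>Case file</subject></message>" // constructed sample
                .getBytes(StandardCharsets.UTF_8);

        // Step 1: generate a fresh symmetric key for this message.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey messageKey = kg.generateKey();

        // Step 2: encrypt the XML with it; GCM also authenticates the ciphertext.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, messageKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(xml);

        // Step 3: encrypt (wrap) the symmetric key with the certificate's public key.
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, server.getPublic(), OAEP);
        byte[] wrappedKey = rsa.wrap(messageKey);

        // Step 4: only iv, wrappedKey and ciphertext are stored in the mailbox.
        System.out.printf("stored: iv=%d B, wrapped key=%d B, ciphertext=%d B%n",
                iv.length, wrappedKey.length, ciphertext.length);

        // Reading: the private-key holder unwraps the key, then decrypts.
        rsa.init(Cipher.UNWRAP_MODE, server.getPrivate(), OAEP);
        SecretKey recovered = (SecretKey) rsa.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        System.out.println(new String(aes.doFinal(ciphertext), StandardCharsets.UTF_8));

        // A single flipped bit in the stored ciphertext fails authentication.
        ciphertext[0] ^= 1;
        aes.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        try {
            aes.doFinal(ciphertext);
        } catch (AEADBadTagException e) {
            System.out.println("modified ciphertext rejected");
        }
    }
}
```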


Secure Service – Notifications & Acknowledges

• Users can choose how to send and receive notifications in Control Panel section and in every new message creation
• Notifications and receipts are sent and signed by the platform
• None of them requires user intervention:
  – Notifications: The receiver is informed about the reception of a new PenalNet message
  – Notifications: The sender is informed if the receiver has been notified about the reception of a new PenalNet message
  – Receipt: The sender is informed when the PenalNet message has been opened
• All notifications are electronically signed by the secure platform


Secure Service – Secure Functionality

• PenalNet functionality and processes provide extra security in comparison with conventional e-mail, thus adapting to the lawyers' needs:
  – Standard e-mail (SMTP), including attachments, travels from one server to another with no encryption, whilst PenalNet is based upon SSL communications
  – In PenalNet, messages travel from sender to platform and from platform to receiver. No other servers take part in the process. Moreover, information travels encrypted
  – In PenalNet messages are linked to persons, so they are not received by a machine (generic mailbox) due to the identification through certificate (Identify the person and their lawyer condition)
  – PenalNet guarantees that receivers are actually lawyers, since it is the first requirement to hold a certificate
  – In PenalNet, all notifications and acknowledges of reception are signed and sent automatically by the server, so the receiver cannot manipulate them (contents, dates, etc.) in any sense
  – PenalNet establishes a secure professional communication between lawyers who are in PenalNet database, thanks to preview information compiled through lawyers’ CV (background, expertise, languages, ...)
  – It avoids the traditional previous communications to spell email addresses and to know the professional experience. All people are voluntarily available and share professional details


[Figure: European Lawyers Directory Secure Communication Network. Mr Smith and Mr Perez each reach the platform over the Internet through an SSL session. Each user's place holds a Received Mailbox, a Sent Mailbox and Receipt Acknowledge, with E-mail and SMS shown for each user. The Directory holds a groupOfUniqueNames2 entry per country (Country 1, Country 2, ..., Country N).]


Functional & Technical Description

• Web Platform
  – Development:
    • Microsoft IIS front-end
    • Weblogic Application Server
    • Oracle DB
    • Java, Struts, AJAX, …, XML
  – Platform
    • Platform availability 24x7
    • Versatile, modular and scalable
    • VMware virtualized servers
    • DB clusters
    • Optical fibre


www.penalnet.eu + Penalnet Digital certificate

• System requirements
  – Operating System: Windows 2000, XP, or Vista
  – Browser: IE 6, IE7 and IE8 (Compatibility and Trusted site)
  – Computer Processor: no special requirements
  – Computer Memory: no special requirements
  – Internet Connection


[Figure: platform modules and the data they use. Modules: Messages Exchange, Folders Management, Contacts, Notifications, PenalNet Directory, Users Management, Systems Administration, Templates Management, Reports. Data: Message Data, Lawyers Data, Contacts Data, Folders Data, Users Data, Usage System Data, Configuration Data, Preferences, Templates Data.]

General Administrator can see administrator features related to all National Bars and user features

Lawyer is the end-user and uses the platform to exchange secure messages

Regional Administrator can administer some aspects of PenalNet platform limited to a region


• PenalNet is structured in two sections: Public and private
• Public section:
  – Public information of PenalNet, Certificates, Partners, methodology, objectives...
  – News and events
  – Bulletins subscription
• Private section or Messaging platform:
  – Locate professional colleagues who practice in other countries involved in the project, accessing contact information and professional and academic experience
  – Communicate with them using a secure tool to send and receive messages containing highly confidential information. The platform instantly generates an official record of the sending and reception of messages


Functional & Technical Description – Public Information

What is PenalNet Page

• This is the first page shown when the user enters www.penalnet.eu

• It explains what PenalNet is and it shows the latest news

• Users can freely navigate using the top menu


News Page

• It contains relevant new information about PenalNet; presentations, congresses, events or meetings are shown in this section

• Subsections:
  – Today’s News
  – Historical
  – Bulletins

• All PenalNet lawyers are automatically subscribed to receive PenalNet e-newsletter by mail. This is the page where anyone can join the distribution list


Upcoming Events Page

• It contains a Calendar of events related to PenalNet

• By clicking on each of them, the user is provided with further information


Digital Certificate Information Page

• The digital certificate, as the most important security tool implemented in PenalNet, has its own section answering all possible questions about it:
  – What is it?
  – How to get it?
  – How to use it?
  – How to revoke it?
  – Downloads, FAQs, etc


Legal Fundamentals Page

• The aim of this page is to provide useful information to the European lawyers that will access the PenalNet portal

• The information is structured in 5 parts. Each of them includes important issues for the Legal Practice in the EU regarding criminal Law
  1. Preventive detention
  2. Accused's rights
  3. Habeas Corpus
  4. Fundamental rights and obtaining of pieces of evidence
  5. Right to judicial protection


Functional & Technical Description – Messaging Platform

PenalNet Access

• Via secure SSL connection (https). Click through “Access to PenalNet” at the top menu bar and see “Click here to access” below a description about the platform
• Home is displayed in a new window showing user’s contact details, storage usage and links to main folders
• It is recommended to set PenalNet as a trusted site before access
• It is necessary to insert the certificate into the smart card reader and to know the PIN code
• Lawyers will be able to access their own CV in this section


PenalNet Secure Messages Exchange

• Access “Mail” button at the top menu bar and see messages saved into inbox folder

• It is structured in three sections:
  – Message Folders, where user can check, search and/or edit messages, which can be deleted or moved to another folder as well
  – Message Reader shows a specific message that users can “Reply”, “Reply all” or “Forward”
  – Message Editor, where users can create or change a message


PenalNet Secure Messages Creation

Allows message creation and editing from the following options:

• Top Bar: send, draft, clear and “add to my directory” icons
• To field. The user clicks on any lawyer name or group to add a receiver. New contacts are added by clicking the “add to my directory” icon
• Acknowledge field. The user specifies whether or not to receive an acknowledge (to know if the user has read the message)
• Notification field. The user selects how the notification will be delivered (in addition to receiver’s configuration)
• Subject and body. Detail of the message
• Once the user has finished editing, the user can send the message or create a draft of it
• In both cases the user starts with the signing process


PenalNet Personal Directory

User can manage all personal contacts (lawyers or administrators) in “My Directory” section. This section allows:

• Add contacts to personal directory
• Filter alphabetically
• Remove contact (only in user contact list)
• Manage groups. Create, edit or remove the user's groups and move their contacts


PenalNet Directory

This is a lawyer’s directory and all users can search any PenalNet lawyer filtering by all CV fields:

• User can see any CV detail
• Add a lawyer in user’s directory
• Export lawyers’ detail
• Lawyers can access to edit their own CV in this section

In addition, administrators can upload new CVs in order to register a new PenalNet lawyer


Control Panel

This section allows customized configuration (dependent on user’s role):

• Administrator:
  – Application: users management, profiles, modules and storage limits
  – Reports: messages usage, storage usage and access
  – Personal configuration: notifications
• Bar Administrator:
  – Application: users management and storage limits
  – Reports: messages usage, storage usage and access
  – Personal configuration: notifications
• Lawyer:
  – Personal configuration: notifications


A walk Through PenalNet

www.penalnet.eu
