Embed Size (px)
Citation preview
The proof of your digital documents
1UN/CEFACT August 29, 2008
UN/CEFACT August 29, 2008 2
What is a digital signature ?
How it works
Dear Alice, Let’s meet inVenice next weekend.Bob
x6fR7890cv
y9jl09cw56
1. Imprint
Dear Alice, Let’s meet inVenice next weekend.Bob
y9jl09cw56
x6fR7890cv
x6fR7890cv
4. Imprint
Alice
Bob
If equality then :1. Message comes
from Bob2. Message has not
been modified
Bob
Bob
2. Cypher
3. Decypher
Bob
Bob
Signature
UN/CEFACT August 29, 2008 3
Digital signature formats : PKCS#7, CMS, XAdES
• Influenced by structured data models– ASN.1 (Abstract Syntax Notation 1)
• Message and communication oriented• Compact• Binary data support• Performance• Abstruse
– XML (eXtensible Markup Language)• Applications oriented• Verbose• Binary data not supported -> required Base64 encoding
(x 4/3)• High CPU and memory requirements• Open – self described
History of digital signature formats
UN/CEFACT August 29, 2008 4
Digital signature formats : PKCS#7, CMS, XAdESHistory of digital signature formats (continued)
ASN.11990
XML1998
PKCS#71993
CMS2004
CAdES2005
XMLDSIG2000
XAdES2003
Public Key Cryptographic Standard
Cryptographic Message Syntax
CMS AdvancedElectronicSignature
XMLDigital Signature
XML AdvancedElectronic Signature
t
UN/CEFACT August 29, 2008 5
Different types of signature
• Enveloping attached : signature contains signed content (through internal URI)
• Enveloping detached : signature references signed content (external URI reference)
• Enveloped: signature is included in the document it signs (internal URI which excluedes itself)
3 types of signatures = 3 types of proof
UN/CEFACT August 29, 2008 6
Different types of signature
Pros and cons of different types of signatures• Enveloping attached
– Contains signature(s), content, timestamps, etc.– Ease of verification and use– Can sometimes be complex to manipulate if huge
• Enveloping detached– Only contains signature– Difficult to verify because access to signed content is
required : file system, database, network resources, etc.– Allows the signature to be communicated independantly of
signed content• Enveloped
– Signature is inside content– Only works with XML content or proprietary (PDF, Microsoft)– Implementation is tied to data structure– Adapted to internal applications, low interoperability
UN/CEFACT August 29, 2008 7
Digital signature properties
• Signed properties– Date & time– Signature production place– Signature policy– Etc…– Signed properties participate in digital signature
computation
• Unsigned properties– Timestamp– LCR, OCSP– Note : these properties are not signed by the signatory but
are nevertheless signed !– Unsigned properties do not participate in digital signature
computation and hence do not participate in the document’s integrity.
Properties are important to signature contextualization
UN/CEFACT August 29, 2008 8
Different types of signature
• XAdES format as defined in RGI (French e-Administration interoperability framework)– BES (SigningCertificate or KeyInfo mandatory)– EPES (signature policy mandatory)
• Enveloping attached signature required• Signature policy :
– Identifyer : 1.2.250.1.115.200.300.1 (OID)– http://www.banque-france.fr/igc/signature/ps/
ps_1_2_250_1_115_200_300_1.pdf– 1 file = 1 signature– Canonicalisation algorithm de
http://www.w3.org/2001/10/xml-exc-c14n# (because XBRL)
– Supported certificates, digital evidence agreement, etc.
French banking commission
Zoom on XAdES signature policy
http://www.w3.org/TR/XAdES/#Syntax_for_XAdES_The_SignaturePolicyIdentifier_element
<xad:SignaturePolicyIdentifier><xad:SignaturePolicyId><xad:SigPolicyId><xad:Identifier Qualifier="OIDAsURN">urn:oid:1.2.250.1.115.200.300.1</xad:Identifier></xad:SigPolicyId><xad:SigPolicyHash><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>q+ahW33Qg36KEeKdQLs94R4zb1c=</ds:DigestValue></xad:SigPolicyHash><xad:SigPolicyQualifiers><xad:SigPolicyQualifier><xad:SPURI>http://www.banque-france.fr/igc/signature/ps/
ps_1_2_250_1_115_200_300_1.pdf</xad:SPURI></xad:SigPolicyQualifier></xad:SigPolicyQualifiers></xad:SignaturePolicyId></xad:SignaturePolicyIdentifier>
UN/CEFACT August 29, 2008 9
