ADSS Server Trusted Archive Services (TAS, Aug 08)
www.ascertia.com
© Copyright 2001-2008 Ascertia Ltd.
ADSS Server / Trusted Archive Server
Saving Time & Money, Avoiding Risk & Fraud
Agenda
• ADSS Server – Key features
• ADSS Server – Current Signing / timestamp capabilities
• Trusted Archive Server – Interaction with ADSS Server
• Requirements & Standards
• Archive Process
• Refreshing Evidence Records
Why use ADSS Server Trust Services?
• Maximises options and enables easy usage
  – Supports multiple document formats
  – Supports multiple signature locations and formats
  – Creates and verifies one or more corporate signatures, end-user signatures
• Minimises internal effort to apply trust
  – High level services – even using just one line of code!
  – Manages all keys, certificates, external authorities, etc.
  – Built-in management, logging, audit, reporting
• A world-class product for today and tomorrow
  – All the required business trust services in one product
  – Supports multiple concurrent applications
  – High availability and scalability
  – Easy to use, fully managed, controlled security
Ascertia ADSS Server Integration Options
Note: you only need to license and use what is needed today.
• ADSS Server Web Services
  – via XML/SOAP messaging
  – via a provided high level .NET API
  – via a provided high level Java API
• Using ADSS GoSign
  – Within a web-browser (GoSign Applet)
  – Within a desktop .NET app (GoSign .NET)
  – Within a desktop Java app (GoSign Java)
• Using ADSS Server Auto File Processor
  – For one or more watched folders
• Using ADSS Gateway for confidentiality
  – to extract signatures from documents
• Using the Secure eMail Server
  – to handle emails and/or attachments
• ADSS Server HTTP fast interface
  – For Signing and Verification services
(Slide table has Sign and Verify columns; some entries are marked Q3 2008.)
Ascertia ADSS Server Trust Services
Note: you only need to license and use what is needed today.
• PDF Documents
  – Basic signature (visible / invisible)
  – Certify
  – Sign & timestamp
  – Long-term signatures
• XML Documents
  – XML DSig (XAdES ES)
  – Timestamps (XAdES ES-T)
  – Long-term signatures (XAdES X-Long)
• PKCS#7 / CMS / SMIME
  – Basic signature (CAdES ES)
  – Timestamps (CAdES ES-T)
  – Long-term signatures (CAdES X-Long)
• Historic Verification
• OCSP Validation (immediate verify & long term sign)
• Time Stamp Authority (TSA) Server
(Slide table has Sign and Verify columns.)
ADSS Server Product Architecture
(Architecture diagram: applications reach ADSS Server via Web Services, the Java API, the Email Gateway and Watched Folders; OCSP, SCVP and XKMS clients connect over HTTP, HTTP/S and XML/SOAP; services are marked as synchronous or asynchronous, and some components are marked Q1 2008.)
ADSS Notary Signing / Archive Options
• ADSS Server supports Notary services today - driven by a business application
  – Sign / Sign & Timestamp / Long-term signatures
  – As PDF wrapped objects
  – As XML wrapped objects (future includes XAdES/A)
  – As PKCS#7/CMS objects
  – Timestamp “Postmarks” (delivered if required)
Archiving Standards
• Standards in this area are not yet stable
• IETF Long-Term Archive and Notary Service (LTANS) group:
  – Long-Term Archive Protocol: provides the request/response message specs for communicating with TAS (http://www.ietf.org/proceedings/07dec/IDs/draft-ietf-ltans-ltap-05.txt)
  – XML Evidence Record Syntax (XMLERS): provides details on the structure of timestamp evidence records and the renewal process (http://www.ietf.org/proceedings/07dec/IDs/draft-ietf-ltans-xmlers-00.txt)
Trusted Archive Server
• Ascertia’s Trusted Archive Server will follow the IETF LTANS draft standard
• Features
  – Provides built in archive application functions
  – Delivery Q3 2008
  – Multiple profile options for signing, verification, timestamping, archive, re-evidencing, deletion
Interaction with ADSS Server
(Diagram: ADSS Server, comprising the Signature Verification Service, Signature Generation Service and Trusted Archive Service, alongside the Trusted Archive Server with its LTANS Archiving, Timestamp client, OCSP Client and CRL Manager components, connected to CAs, TSA and VA.)
ADSS Enterprise Server offers a variety of digital signature creation, verification, timestamp client and validation services.
ADSS Infrastructure Server offers CA, TSA and OCSP VA services.
Trusted Archive Server: draft IETF LTANS processing of archive requests; multi-policy archive management.
Trusted Archive Server
Key Features:
• Provide time based evidence of existence
  – that electronic documents or data (emails, audit data, reports) existed at a particular moment in time
• Ensure data authentication / integrity
  – To prove that throughout the entire archival period the data has not changed
• Provide a means of refreshing the security
  – Today’s security measures can only last a defined period, so the Trusted Archive Server must be capable of ensuring the validity of its archived data and documents for the required archival period, i.e. beyond certificate expiry/revocation, timestamp expiry and weakness in key lengths and hash or signing algorithms
Data types that can be archived
Submitters can archive any type of data, including:
• Raw data – i.e. unsigned, unencrypted
• Signed data – Including PDF, PKCS#7/CMS, S/MIME, XML DSig
• Advanced Signatures – Including CAdES, XAdES and PDF long-term signatures
• Encrypted data – treated as an opaque block
Services offered by Trusted Archive Server
• Submitting of data objects to Archive
  – Under a specified or default archive policy
• Searching within Archive objects
  – within specified timeframes or data references
• Retrieval (export) of data objects from Archive
• Requesting deletion of Archive objects
  – Manual (role based permissions, dual controls)
  – Automatic deletion based on archive policy
• Verifying Archive object integrity
  – Manual (role based permissions, dual controls)
  – Automatic check every policy set time interval
Submitting basic data
(Diagram: a person or application submits a Data Object plus Meta Data to the Trusted Archive Server, which verifies the request and client authorisation, gathers Archive Process Meta Data, hashes the full archive object and requests a timestamp for it from a Time Stamp Authority, e.g. the Ascertia ADSS TSA Service, then stores Data Object, Meta Data, Archive Process Meta Data and ERS in the DB.)
Meta data sent by the client may include: filename, author details, digital signature, etc. Archive Process Meta data may include archiving time, retention period, cryptographic info, etc. ERS stands for Evidence Record Syntax – this includes the timestamp information obtained from an RFC 3161 compliant TSA (see next slide).
Evidence Record Syntax (ERS)
<EvidenceRecord>
  <Version />
  <ArchiveTimeStampSequence>
    <CanonicalizationMethod />
    <ArchiveTimeStampChain Order>
      <DigestMethod />
      (<ArchiveTimeStamp Order>
        <HashTree /> *
        <TimeStamp /> +
        <CryptographicInformation /> *
      </ArchiveTimeStamp>) +
    </ArchiveTimeStampChain> +
  </ArchiveTimeStampSequence>
</EvidenceRecord>
An Evidence Record must contain at least one timestamp in the TimeStampChain.
Additional timestamps may be added as the old timestamp nears its expiry. These are all contained within a single TimeStampChain.
A new TimeStampChain is created when the underlying hash algorithm needs to be renewed (due to weakness in the original algorithm).
Note: the Ascertia ADSS TAS Service will use a timestamp for each data object rather than using hash trees. This provides the best security and an immediate response (compared to hash trees). Support for Merkle hash trees will be added later.
ERS - Timestamp Renewal Structure
EvidenceRecord
  ArchiveTimeStampSequence
    ArchiveTimeStampChain Order=1
      DigestMethod
      ArchiveTimeStamp Order=1
        TimeStamp
        Cryptographic Information
      ArchiveTimeStamp Order=2
        TimeStamp
        Cryptographic Information
    ArchiveTimeStampChain Order=2
The first timestamp is over the archive object including meta data.
Cryptographic Information is used to store the CRLs/certs/TAs required to verify the timestamp.
A new timestamp is requested before expiry of the previous timestamp (or after a configurable period, e.g. annually). This timestamp is only over the last timestamp.
A new chain is created when the digest algorithm is changed. Note that this timestamp is over the original data object and all previous chains.
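The renewal rules above, modelled as an added example that is not Ascertia code and not part of the original slides. It assumes a constructed stand-in `fake_tsa` in place of an RFC 3161 TSA and treats the archive object (data, meta data and archive process meta data) as one byte string; the first timestamp of each chain covers the data object and every earlier chain, renewals within a chain cover only the previous token, and `verify` walks the record the way a relying party would.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class ArchiveTimeStamp:
    imprint: bytes   # hash value sent to the TSA
    token: bytes     # stand-in for the RFC 3161 token (see fake_tsa)
@dataclass
class ArchiveTimeStampChain:
    digest: str      # DigestMethod shared by every timestamp in the chain
    timestamps: list = field(default_factory=list)   # Order = position + 1
def _h(alg, data):
    return hashlib.new(alg, data).digest()
def fake_tsa(imprint, when):
    # Constructed stand-in for a TSA; a real token is signed CMS over the imprint.
    return imprint + b"|" + when.encode()

def chain_imprint(digest, archive_object, prior_chains):
    # First timestamp of a chain covers the archive object and every token of all
    # earlier chains, so old evidence is re-protected under the new digest.
    material = _h(digest, archive_object)
    for chain in prior_chains:
        for ts in chain.timestamps:
            material += _h(digest, ts.token)
    return _h(digest, material)

class EvidenceRecord:
    def __init__(self, archive_object, digest, when):
        self.archive_object = archive_object   # data + meta data + archive process meta data
        self.chains = []
        self.new_chain(digest, when)           # first chain, first timestamp

    def new_chain(self, digest, when):
        # Hash algorithm renewal: open a new ArchiveTimeStampChain.
        imprint = chain_imprint(digest, self.archive_object, self.chains)
        chain = ArchiveTimeStampChain(digest)
        chain.timestamps.append(ArchiveTimeStamp(imprint, fake_tsa(imprint, when)))
        self.chains.append(chain)

    def renew_timestamp(self, when):
        # Timestamp renewal inside the current chain: only the last token is hashed.
        chain = self.chains[-1]
        imprint = _h(chain.digest, chain.timestamps[-1].token)
        chain.timestamps.append(ArchiveTimeStamp(imprint, fake_tsa(imprint, when)))

    def verify(self, archive_object):
        # Recompute each imprint from the data object and check every token binds it.
        for i, chain in enumerate(self.chains):
            expected = chain_imprint(chain.digest, archive_object, self.chains[:i])
            for ts in chain.timestamps:
                if ts.imprint != expected or not ts.token.startswith(expected + b"|"):
                    return False
                expected = _h(chain.digest, ts.token)   # the next renewal hashes this token
        return True
```

A record built with `EvidenceRecord(obj, "sha1", t0)`, renewed once with `renew_timestamp`, then moved to `new_chain("sha256", t2)` verifies against the original object and fails against a modified object or a tampered token.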
Verify / Archive Signed Data
(Diagram: the client submits a Data Object plus Meta Data (e.g. a detached signature) to the Trusted Archive Server, which verifies the request and client authorization; verifies the signatures by gathering certificate chains, OCSP responses and TAs from an OCSP Responder, e.g. the Ascertia ADSS OCSP Service; gathers Archive Process Meta Data; requests a timestamp for the full archive object from a Time Stamp Authority, e.g. the Ascertia ADSS TSA Service; and stores the result in the DB.)
Meta data: may include a detached signature; alternatively the signature may be enveloped inside the document (e.g. a signed PDF).
Archive Process Meta data: the signature will be verified; certificate chains, CRL/OCSP responses and final Trust Anchors (TAs) will be added as archive process meta data.
• TAS Service verifies existing signatures
• Gathers signature verification info
• Archives data object + signature verification info
Verify / Archive Options
• Signatures may be:
  – Detached (supplied separately from data)
  – Enveloped (e.g. PDF signatures, XML signatures)
• Document formats
  – Any type of file with detached PKCS#7/CMS or XML DSig
  – PDF (with embedded PKCS#7 sig)
  – XML (with embedded XML DSig)
• Multiple signatures are supported
• Long-term signatures are supported
  – CAdES or XAdES with timestamps and revocation data
Note: ADSS Server Verification Service already supports the verification of all these complex and advanced signatures!
Notary Signing and Archiving
(Diagram: the client submits a Signed Data Object plus Meta Data (e.g. a detached signature); the Trusted Archive Server verifies the request and client authorization, gathers Archive Process Meta Data, computes a notary signature over the Archive Object using an HSM (e.g. SafeNet Luna SA), requests a timestamp for the full archive object from a Time Stamp Authority (e.g. the Ascertia ADSS TSA Service), and stores the result in the DB.)
Archive Meta data will include a notary signature over the Archive Data object. This can be a PKCS#7/CMS signature or XML DigSig. The ERS will cover the notary signature so that the whole package including the notary signature is protected for the long term.
ADSS Server – Admin Console
• Web-based with strong client/server authentication
• Easy to use management interface with role based access rights
• Trusted Archive Server will follow the same principle
(Screenshot of the admin console showing Service Modules and Utility Modules.)
ADSS Server – Customer Console
• A web-based customer console [Q4]
  – Using strong user authentication with role based rights
• Able to recover archived data and process, e.g.
  – Review Archive data and its associated information
  – Verify Archive data and original signatures, timestamps, etc.
• Able to review transaction logs
  – View, search, create reports
  – Only for requests / responses belonging to this Customer
• Able to make requests for service change
  – E.g. Acceptable Trust Anchors
  – New Archive policies
  – Client Management – when multiple clients are assigned
  – Dual control based accept / reject by authorised ADSS operators
Archive Profiles – to enforce controls
ADSS TAS Archive Profile defines:
• How long an archive object is to be archived for
• Archive object deletion policy
  – Delete at the end of the archive period
  – Allow to “fade” without refreshing the timestamps
• Deletion policy
  – Can a client request the deletion of an archive object under this profile
• Timestamp Authority (TSA) selection
  – Defines TSA and policy for handling timestamp requests
• How often the evidence information is to be refreshed
  – Never
  – After a configurable time period (e.g. every 10 years)
  – A configurable period before the expiry of the TSA certificate (e.g. 3 months before expiry of the TSA cert)
  – When manually requested by the TAS administrators
Multiple Profiles can be defined within ADSS Trusted Archive Service (TAS)
Client requests can reference the Archive Profile to be used (or the default one will be used)
ADSS Client Manager defines which clients can use which Archive Profiles
Archive Profile – continued
• Signed data processing policy
  – Defines if signatures are verified first
  – Final trust anchors and full certificate chains of each signature (and each OCSP response/CRL/timestamp) are also archived
  – OCSP is recommended over CRL due to the smaller size
• Notary Archive Signature policy
  – Should the Archive Service itself sign the data being archived using a wrapping signature (CMS or XML DigSig)?
  – Archive Profile defines the key and signing algorithm to use
  – The notary archive signature is archived in full
  – The Notary signature may include its own timestamp (in this case the full crypto info for this timestamp must also be stored)
• External ECM information policy
  – Defines links to ECM Systems
Data Storage within an ECM System
(Diagram: the requesting system sends an archive request with a Data Object and Meta Data (e.g. a detached signature); the ADSS TAS Service verifies the request and ECM system authorisation, processes the Archive Service request (Archive, Verify, Export, Search), creates the response and sends it to the ECM system using the identifiers provided in the request, logging to the DB; the Archive Process Meta Data and ERS data are returned to the ECM environment, which handles data management.)
Request System: could be any system, but expected to be the ECM (or EPM, ERP or CRM) system.
ERS data: this is not stored in the ADSS TAS database area but passed back to the defined ECM system for secure storage and retrieval under given identifiers. The ECM system is responsible for storing the Data Object, Meta Data, Archive Process Meta Data and ERS data.
Transaction Data: the request / response details are held by ADSS Server within the TAS transaction log, where the actions and results can be viewed; this provides details of the ECM storage identifiers.
Option to return all data to the ECM environment.
Authenticating and Authorising Clients
• ADSS Server Clients
  – Registered within Client Manager module
  – Authentication options defined for signed requests, or requests over client/server mutually authenticated SSL, or application ID
• Fine Grained Client application authorisation
  – To submit data for specific Archival Profiles
  – To retrieve / export archive objects from archive
  – To delete archive objects
  – To verify archive objects
  – To request information on archive objects
• ADSS Server provides security management
  – Authenticates each client (signatures & certificates are checked)
  – Authorisation rights are confirmed
  – Secure Transaction logs are created
Trusted Archive Server Security
• ADSS Server has security designed in
  – Optional dual controls for all operator actions
  – Designed to meet CWA requirements
  – Strong authentication of all administrators / operators
  – Fine-grained role-based operator rights
  – HMAC secured logs with view, search, report options
  – Log and email alerting system
• ADSS Server supports multiple clients
  – Strong client authentication with certificate based trust
  – Strong client authorisation based on client and service profiles
• FIPS 140 and CC EAL 4 HSMs are supported
• SQL Server EE and Oracle RACs are supported
ADSS Server Scalability / Resilience
(Diagram: archive requests and responses arrive via a hardware load balancer (e.g. Big-IP, Cisco) at two ADSS Server nodes, each with an optional HSM (HSM 1, HSM 2), backed by a replicated SQL Server, Oracle or PostgreSQL database; one or more CAs (CA 1, CA 2 ... CA n) are supported, each supplying CRLs and OCSP.)
Use Case Example - Workflow Archive services
(Diagram: a Request from ERP/CRM/ECM systems is signed, protected, reviewed/approved and countersigned through approval-required and approval-granted business flows; each step is verified by ADSS Server + TAS (Sign & Timestamp, Evidence Archive) and is available for later audit / review.)
Summary
• Meets all business needs for easy to deploy secure archive and archive management
  – Documents, transactions and even email
• Easy to integrate
  – A separate security service for any business application
  – High level .NET and Java APIs with sample applications
  – An option on signature creation or verification requests
  – Secure eMail Server integration
• Multi-platform
  – Windows 2003 Server
  – Unix: Solaris (Sparc, X86) and other Unix options by request
• Secure Storage
  – Uses industry leading databases with secured content
• Secure Management
  – A well proven multi-functional platform with security designed in
Questions: Rod Crook, +44 1256 [email protected]