adss server trusted archive services (tas aug08)


Upload: andreigosman

Post on 28-Nov-2014


Page 1: Adss Server   Trusted Archive Services (Tas Aug08)

www.ascertia.com

© Copyright 2001-2008 Ascertia Ltd.

ADSS Server / Trusted Archive Server

Saving Time & Money, Avoiding Risk & Fraud

Page 2: Adss Server   Trusted Archive Services (Tas Aug08)


Agenda

• ADSS Server – Key features

• ADSS Server – Current Signing / timestamp capabilities

• Trusted Archive Server – Interaction with ADSS Server

• Requirements & Standards

• Archive Process

• Refreshing Evidence Records

Page 3: Adss Server   Trusted Archive Services (Tas Aug08)


Why use ADSS Server Trust Services?

• Maximises options and enables easy usage
  – Supports multiple document formats
  – Supports multiple signature locations and formats
  – Creates and verifies one or more corporate signatures, end-user signatures

• Minimises internal effort to apply trust
  – High level services – even using just one line of code!
  – Manages all keys, certificates, external authorities, etc
  – Built-in management, logging, audit, reporting

• A world-class product for today and tomorrow
  – All the required business trust services in one product
  – Supports multiple concurrent applications
  – High availability and scalability
  – Easy to use, fully managed, controlled security

Page 4: Adss Server   Trusted Archive Services (Tas Aug08)


Ascertia ADSS Server Integration Options

Note: You only need to license and use what is needed today

ADSS Server Web Services
  - via XML/SOAP messaging
  - via a provided high level .NET API
  - via a provided high level Java API

Using ADSS GoSign
  - Within a web-browser (GoSign Applet)
  - Within a desktop .NET app (GoSign .NET)
  - Within a desktop Java app (GoSign Java)

Using ADSS Server Auto File Processor
  - For one or more watched folders

Using ADSS Gateway for confidentiality
  - to extract signatures from documents

Using the Secure eMail Server
  - to handle emails and/or attachments

ADSS Server HTTP fast interface
  - For Signing and Verification services

[Diagram: each option is marked against Sign and Verify columns; two entries are marked Q3 2008]

Page 5: Adss Server   Trusted Archive Services (Tas Aug08)


Ascertia ADSS Server Trust Services

Note: You only need to license and use what is needed today

PDF Documents
  - Basic signature (visible / invisible)
  - Certify
  - Sign & timestamp
  - Long-term signatures

XML Documents
  - XML DSig (XAdES ES)
  - Timestamps (XAdES ES-T)
  - Long-term signatures (XAdES X-Long)

PKCS#7 / CMS / SMIME
  - Basic signature (CAdES ES)
  - Timestamps (CAdES ES-T)
  - Long-term signatures (CAdES X-Long)

Historic Verification

OCSP Validation (immediate verify & long term sign)

Time Stamp Authority (TSA) Server

[Diagram: each service is marked against Sign and Verify columns]

Page 6: Adss Server   Trusted Archive Services (Tas Aug08)


ADSS Server Product Architecture

[Diagram: ADSS Server accessed by Application (Web Services), Application (Java API), Email Gateway, Watched Folder, and OCSP / SCVP / XKMS clients, using HTTP, HTTP/S and XML/SOAP; interfaces are marked synchronous or asynchronous, and some items are marked "= Q1 2008"]

Page 7: Adss Server   Trusted Archive Services (Tas Aug08)


ADSS Notary Signing / Archive Options

• ADSS Server supports Notary services today - driven by a business application
  – Sign / Sign & Timestamp / Long-term signatures
  – As PDF wrapped objects
  – As XML wrapped objects (future includes XAdES/A)
  – As PKCS#7/CMS objects
  – Timestamp “Postmarks” (delivered if required)

Page 8: Adss Server   Trusted Archive Services (Tas Aug08)


Archiving Standards

• Standards in this area are not yet stable

• IETF Long-Term Archive and Notary Service (LTANS) group:
  – Long-Term Archive Protocol: provides the request/response message specs for communicating with TAS (http://www.ietf.org/proceedings/07dec/IDs/draft-ietf-ltans-ltap-05.txt)
  – XML Evidence Record Syntax (XMLERS): provides details on the structure of timestamp evidence records and the renewal process (http://www.ietf.org/proceedings/07dec/IDs/draft-ietf-ltans-xmlers-00.txt)

Page 9: Adss Server   Trusted Archive Services (Tas Aug08)


Trusted Archive Server

• Ascertia’s Trusted Archive Server will follow the IETF LTANS draft standard

• Features
  – Provides built in archive application functions
  – Delivery Q3 2008
  – Multiple profile options for signing, verification, timestamping, archive, re-evidencing, deletion.

Page 10: Adss Server   Trusted Archive Services (Tas Aug08)


Interaction with ADSS Server

[Diagram: ADSS Server components (Signature Verification Service, Signature Generation Service, Timestamp client, OCSP Client, CRL Manager) alongside the Trusted Archive Server (LTANS Archiving: draft IETF LTANS processing of archive requests, multi-policy archive management), with external CAs, TSA and VA]

ADSS Enterprise Server offers a variety of digital signature creation, verification, timestamp client and validation services

ADSS Infrastructure server offers CA, TSA and OCSP VA services

Page 11: Adss Server   Trusted Archive Services (Tas Aug08)


Trusted Archive Server

Key Features:

• Provide time based evidence of existence
  – that electronic documents or data (emails, audit data, reports) existed at a particular moment in time

• Ensure data authentication / integrity
  – To prove that throughout the entire archival period the data has not changed

• Provide a means of refreshing the security
  – Today’s security measures can only last a defined period, so the Trusted Archive Server must be capable of ensuring the validity of its archived data and documents for the required archival period, i.e. beyond certificate expiry/revocation, timestamp expiry and weakness in key lengths and hash or signing algorithms

Page 12: Adss Server   Trusted Archive Services (Tas Aug08)


Data types that can be archived

Submitters can archive any type of data, including:

• Raw data – i.e. unsigned, unencrypted

• Signed data – Including PDF, PKCS#7/CMS, S/MIME, XML DSig

• Advanced Signatures – Including CAdES, XAdES and PDF long-term signatures

• Encrypted data – treated as an opaque block

Page 13: Adss Server   Trusted Archive Services (Tas Aug08)


Services offered by Trusted Archive Server

• Submitting of data objects to Archive
  – Under a specified or default archive policy

• Searching within Archive objects
  – within specified timeframes or data references

• Retrieval (export) of data objects from Archive

• Requesting deletion of Archive objects
  – Manual (role based permissions, dual controls)
  – Automatic deletion based on archive policy

• Verifying Archive object integrity
  – Manual (role based permissions, dual controls)
  – Automatic check every policy set time interval

Page 14: Adss Server   Trusted Archive Services (Tas Aug08)


Submitting basic data

[Diagram: submission by people or applications of a Data Object plus Meta Data to the Trusted Archive Server, which (1) verifies the request and client authorisation, (2) gathers Archive Process Meta Data, (3) requests a timestamp for the full archive object from a Time Stamp Authority (e.g. Ascertia ADSS TSA Service) and stores the result in the DB. The stored archive object consists of: Data Object, Meta Data, Archive Process Meta Data, ERS (Hash & Timestamp)]

Meta data sent by client may include: Filename, Author details, digital signature, etc.

Archive Process Meta data may include archiving time, retention period, cryptographic info, etc.

ERS stands for Evidence Record Syntax – this includes the timestamp information obtained from RFC3161 compliant TSA (see next slide)

Page 15: Adss Server   Trusted Archive Services (Tas Aug08)


Evidence Record Syntax (ERS)

<EvidenceRecord>
  <Version />
  <ArchiveTimeStampSequence>
    <CanonicalizationMethod />
    <ArchiveTimeStampChain Order>
      <DigestMethod />
      <ArchiveTimeStamp Order>
        <HashTree /> *
        <TimeStamp /> +
        <CryptographicInformation /> *
      </ArchiveTimeStamp> +
    </ArchiveTimeStampChain> +
  </ArchiveTimeStampSequence>
</EvidenceRecord>

An Evidence Record must contain at least one timestamp in the TimeStampChain

Additional timestamps may be added as the old timestamp nears its expiry. These are all contained within a single TimeStampChain

A new TimeStampChain is created when the underlying hash algorithm needs to be renewed (due to weakness in the original algorithm)

Note: Ascertia ADSS TAS Service will use a timestamp for each data object rather than using hash trees. This provides best security and immediate response (compared to hash trees). Support for Merkle hash trees will be added later

Page 16: Adss Server   Trusted Archive Services (Tas Aug08)


ERS - Timestamp Renewal Structure

EvidenceRecord
  ArchiveTimeStampSequence
    ArchiveTimeStampChain Order = 1
      DigestMethod
      ArchiveTimeStamp Order = 1
        TimeStamp
        Cryptographic Information
      ArchiveTimeStamp Order = 2
        TimeStamp
        Cryptographic Information
    ArchiveTimeStampChain Order = 2

The first timestamp is over the archive object including meta data

Cryptographic Information is used to store CRLs/certs/TAs required to verify the timestamp

A new timestamp is requested before expiry of a previous timestamp (or after a configurable period, e.g. annually). This timestamp is only over the last timestamp.

A new chain is created when the digest algorithm is changed. Note this timestamp will be over the original data object and all previous chains
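The chain and renewal rules of slides 15 and 16 (first timestamp over the full archive object, renewal timestamps over the previous timestamp only, a fresh chain over the original object plus all earlier chains when the digest algorithm changes) are easier to see in code. The block below is an added example, not ADSS or Ascertia code and not the XMLERS encoding; the "TSA" is a constructed stand-in in which an HMAC under a fixed key replaces the RFC 3161 signature so the example runs offline, and the chain/timestamp dictionaries, function names and sample data are all assumptions.

```python
# Added example (not Ascertia/ADSS code): simplified ERS-style evidence record
# with one or more ArchiveTimeStampChains. The TSA is a constructed stand-in:
# an HMAC under a fixed key plays the role of the TSA's RFC 3161 signature.
import hashlib
import hmac
import json

TSA_KEY = b"constructed-demo-tsa-key"  # assumption: stands in for the TSA signing key


def archive_object(data: bytes, meta: dict, process_meta: dict) -> bytes:
    """Canonical bytes of the full archive object (slide 14): data object,
    client meta data and archive process meta data together."""
    return data + json.dumps(meta, sort_keys=True).encode() + json.dumps(process_meta, sort_keys=True).encode()


def digest(method: str, data: bytes) -> bytes:
    return hashlib.new(method, data).digest()


def canonical(obj) -> bytes:
    """Deterministic serialisation of a timestamp or a list of chains."""
    return json.dumps(obj, sort_keys=True).encode()


def tsa_timestamp(method: str, imprint: bytes, time: str) -> dict:
    """Toy timestamp token binding (digest method, message imprint, time)."""
    token = hmac.new(TSA_KEY, method.encode() + imprint + time.encode(), "sha256").hexdigest()
    return {"digest_method": method, "imprint": imprint.hex(), "time": time, "token": token}


def tsa_valid(ts: dict) -> bool:
    """Check the toy token the way a verifier would check the TSA signature."""
    msg = ts["digest_method"].encode() + bytes.fromhex(ts["imprint"]) + ts["time"].encode()
    return hmac.compare_digest(hmac.new(TSA_KEY, msg, "sha256").hexdigest(), ts["token"])


def initial_timestamp(record: list, obj: bytes, method: str, time: str) -> None:
    """Chain 1, timestamp 1: over the full archive object including meta data."""
    record.append({"digest_method": method, "timestamps": [tsa_timestamp(method, digest(method, obj), time)]})


def renew_timestamp(record: list, time: str) -> None:
    """Timestamp renewal inside the current chain: covers only the previous timestamp."""
    chain = record[-1]
    prev = chain["timestamps"][-1]
    method = chain["digest_method"]
    chain["timestamps"].append(tsa_timestamp(method, digest(method, canonical(prev)), time))


def renew_hash_algorithm(record: list, obj: bytes, new_method: str, time: str) -> None:
    """Hash renewal: new chain whose first timestamp covers the original archive
    object together with all previous chains."""
    imprint = digest(new_method, obj + canonical(record))
    record.append({"digest_method": new_method, "timestamps": [tsa_timestamp(new_method, imprint, time)]})


def verify(record: list, obj: bytes) -> bool:
    """Re-derive every imprint from the archive object and check every token."""
    for i, chain in enumerate(record):
        method = chain["digest_method"]
        covered = obj if i == 0 else obj + canonical(record[:i])
        expected = digest(method, covered)
        for j, ts in enumerate(chain["timestamps"]):
            if j > 0:  # renewal timestamps are over the previous timestamp only
                expected = digest(method, canonical(chain["timestamps"][j - 1]))
            if ts["digest_method"] != method or bytes.fromhex(ts["imprint"]) != expected or not tsa_valid(ts):
                return False
    return True


def build_demo():
    """Constructed data: archive, renew once, then move from sha1 to sha256."""
    obj = archive_object(b"constructed report contents", {"filename": "report.pdf"}, {"retention_years": 10})
    record = []
    initial_timestamp(record, obj, "sha1", "2008-08-01T00:00:00Z")
    renew_timestamp(record, "2009-07-01T00:00:00Z")
    renew_hash_algorithm(record, obj, "sha256", "2012-01-01T00:00:00Z")
    return record, obj


if __name__ == "__main__":
    record, obj = build_demo()
    print("chains:", len(record), "valid:", verify(record, obj), "tampered:", verify(record, obj + b"x"))
```

Running the demo yields two chains (the sha1 chain with two timestamps, the sha256 chain with one) that verify against the original archive object and fail against a modified object or a modified timestamp; the hash-renewal chain is what keeps the evidence meaningful once the earlier digest algorithm is no longer trusted, which is the point of slide 11's "refreshing the security".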

Page 17: Adss Server   Trusted Archive Services (Tas Aug08)


Verify / Archive Signed Data

[Diagram: a Data Object with Meta Data (e.g. detached signature) is submitted to the Trusted Archive Server, which (1) verifies the request and client authorization, (2) verifies signatures by gathering cert chains, OCSP responses and TAs from an OCSP Responder (e.g. Ascertia ADSS OCSP Service) and gathers Archive Process Meta Data, (3) requests a timestamp for the full archive object from a Time Stamp Authority (e.g. Ascertia ADSS TSA Service) and stores the result in the DB]

Meta data: may include detached signature, alternatively signature may be enveloped inside document (e.g. signed PDF)

Archive Process Meta data: signature will be verified, certificate chains, CRL/OCSP responses and final Trust Anchors (TAs) will be added as archive process meta data

• TAS Service verifies existing signatures
• Gathers signature verification info
• Archives data object + signature verification info

Page 18: Adss Server   Trusted Archive Services (Tas Aug08)


Verify / Archive Options

• Signatures may be:
  – Detached (supplied separately from data)
  – Enveloped (e.g. PDF signatures, XML signatures)

• Document formats
  – Any type of file with detached PKCS#7/CMS or XML DSig
  – PDF (with embedded PKCS#7 sig)
  – XML (with embedded XML DSig)

• Multiple signatures are supported

• Long-term signatures are supported
  – CAdES or XAdES with timestamps and revocation data

Note: ADSS Server Verification Service already supports the verification of all these complex and advanced signatures!

Page 19: Adss Server   Trusted Archive Services (Tas Aug08)


Notary Signing and Archiving

[Diagram: a Signed Data Object with Meta Data (e.g. detached signature) is submitted to the Trusted Archive Server, which (1) verifies the request and client authorization, (2) gathers Archive Process Meta Data and computes a signature over the Archive Object using an HSM (e.g. SafeNet LunaSA), (3) requests a timestamp for the full archive object from a Time Stamp Authority (e.g. Ascertia ADSS TSA Service) and stores the result in the DB]

Archive Meta data will include a notary signature over the Archive Data object. This can be a PKCS#7/CMS signature or XML DigSig

ERS will cover the notary signature so that the whole package including notary signature is protected for the long term

Page 20: Adss Server   Trusted Archive Services (Tas Aug08)


ADSS Server – Admin Console

• Web-based with strong client/server authentication
• Easy to use management interface with role based access rights
• Trusted Archive Server will follow the same principle

[Screenshot: admin console showing Service Modules and Utility Modules]

Page 21: Adss Server   Trusted Archive Services (Tas Aug08)


ADSS Server – Customer Console

• A web-based customer console [Q4]
  – Using strong user authentication with role based rights

• Able to recover archived data and process, e.g.
  – Review Archive data and its associated information
  – Verify Archive data and original signatures, timestamps, etc

• Able to review transaction logs
  – View, search, create reports
  – Only for requests / responses belonging to this Customer

• Able to make requests for service change
  – E.g. Acceptable Trust Anchors
  – New Archive policies
  – Client Management – when multiple clients are assigned
  – Dual control based accept / reject by authorised ADSS operators

Page 22: Adss Server   Trusted Archive Services (Tas Aug08)


Archive Profiles – to enforce controls

ADSS TAS Archive Profile defines:

• How long an archive object is to be archived for

• Archive object deletion policy
  – Delete at the end of the archive period
  – Allow to “fade” without refreshing the timestamps

• Deletion policy
  – Can a client request the deletion of archive object under this profile

• Timestamp Authority (TSA) selection
  – Defines TSA and policy for handling timestamp requests

• How often the evidence information is to be refreshed
  – Never
  – After configurable time period (e.g. every 10 years)
  – A configurable period before the expiry of that TSA certificate (3 months before expiry of TSA cert)
  – When manually requested by the TAS administrators

Multiple Profiles can be defined within ADSS Trusted Archive Service (TAS)

Client requests can reference the Archive Profile to be used (or the default one will be used)

ADSS Client Manager defines which clients can use which Archive Profiles
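To show how the profile settings above turn into concrete decisions for one archive object (retain, refresh the evidence, delete, or let it fade), here is an added example; it is not ADSS code and the profile field names, the object record and the dates are constructed assumptions. It also ties in the slide 25 rule that a client may delete only when both the profile and the client's own authorisation allow it.

```python
# Added example (not ADSS code): evaluating a constructed archive profile of
# the kind slide 22 describes. Field names and dates are assumptions.
from datetime import datetime, timedelta, timezone


def years(n: float) -> timedelta:
    return timedelta(days=365 * n)


def refresh_due(profile: dict, last_evidence: datetime, tsa_cert_expiry: datetime,
                now: datetime, manual_request: bool = False) -> bool:
    """Apply the profile's evidence-refresh rule: never / fixed period /
    a period before TSA certificate expiry / on manual request."""
    if manual_request:
        return True
    rule = profile["refresh"]
    if rule["mode"] == "never":
        return False
    if rule["mode"] == "interval":
        return now >= last_evidence + years(rule["years"])
    if rule["mode"] == "before_tsa_expiry":
        return now >= tsa_cert_expiry - timedelta(days=30 * rule["months"])
    raise ValueError(f"unknown refresh mode {rule['mode']!r}")


def decide(profile: dict, obj: dict, now: datetime, manual_request: bool = False) -> dict:
    """Decision for one archive object: retain (and whether to refresh now),
    or at the end of the archive period either delete or let it fade."""
    end = obj["archived_at"] + years(profile["retention_years"])
    if now >= end:
        # end of archive period: "delete", or "fade" with no further refreshing
        return {"action": profile["end_of_period"], "refresh": False}
    return {
        "action": "retain",
        "refresh": refresh_due(profile, obj["last_evidence"], obj["tsa_cert_expiry"], now, manual_request),
    }


def client_may_delete(profile: dict, client_rights: set) -> bool:
    """Client deletion needs the profile to allow it and the client to hold the right."""
    return bool(profile["client_deletion_allowed"]) and "delete" in client_rights


# Constructed profile and object record used by the demo below.
PROFILE = {
    "retention_years": 10,
    "end_of_period": "fade",
    "client_deletion_allowed": False,
    "refresh": {"mode": "before_tsa_expiry", "months": 3},
}
OBJ = {
    "archived_at": datetime(2008, 8, 1, tzinfo=timezone.utc),
    "last_evidence": datetime(2008, 8, 1, tzinfo=timezone.utc),
    "tsa_cert_expiry": datetime(2010, 8, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for when in (datetime(2009, 1, 1, tzinfo=timezone.utc),
                 datetime(2010, 6, 1, tzinfo=timezone.utc),
                 datetime(2019, 1, 1, tzinfo=timezone.utc)):
        print(when.date(), decide(PROFILE, OBJ, when))
```

With the constructed profile, the object is simply retained in early 2009, becomes due for a refresh within the three-month window before the TSA certificate expires, and after the ten-year period is left to fade rather than deleted; the same decision function with an "interval" rule only triggers on the configured period or a manual request.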

Page 23: Adss Server   Trusted Archive Services (Tas Aug08)


Archive Profile – continued

• Signed data processing policy
  – Defines if signatures are verified first
  – Final trust anchors and full certificate chains of each signature (and each OCSP response/CRL/timestamp) are also archived
  – OCSP is recommended over CRL due to the smaller size

• Notary Archive Signature policy
  – Should the Archive Service itself sign the data being archived using a wrapping signature (CMS or XML DigSig)?
  – Archive Profile defines the key and signing algorithm to use
  – The notary archive signature is archived in full
  – The Notary signature may include its own timestamp (in this case the full crypto info for this timestamp must also be stored)

• External ECM information policy
  – Defines links to ECM Systems

Page 24: Adss Server   Trusted Archive Services (Tas Aug08)


Data Storage within an ECM System

[Diagram: the ECM System sends an Archive request (Data Object, Meta Data e.g. detached signature) to the ADSS TAS Service, which (1) verifies the request and ECM system authorisation, (2) processes the Archive Service request (Archive, Verify, Export, Search), (3) creates the response and sends it to the ECM using the identifiers provided in the request, and logs to the DB. Archive Process Meta Data and ERS data are returned to the ECM for archive response / data management, with the option to return all data to the ECM environment]

Request System: Could be any system, but expected to be the ECM (or EPM, ERP or CRM) system

ERS data: This is not stored in the ADSS TAS database area but passed back to the defined ECM system for secure storage and retrieval under given identifiers. The ECM system is responsible for storing the data Object, Meta data, Archive Process Meta Data and ERS data

Transaction Data: The request / response details are held by ADSS Server within the TAS transaction log and the actions and results can be viewed there; this provides details of the ECM storage identifiers

Page 25: Adss Server   Trusted Archive Services (Tas Aug08)


Authenticating and Authorising Clients

• ADSS Server Clients
  – Registered within Client Manager module
  – Authentication options defined for signed requests or requests over Client/server mutually authenticated SSL or application ID

• Fine Grained Client application authorisation
  – To submit data for specific Archival Profiles
  – To retrieve / export archive objects from archive
  – To delete archive objects
  – To verify archive objects
  – To request information on archive objects

• ADSS Server provides security management
  – Authenticates each client (signatures & certificates are checked)
  – Authorisation rights are confirmed
  – Secure Transaction logs are created

Page 26: Adss Server   Trusted Archive Services (Tas Aug08)


Trusted Archive Server Security

• ADSS Server has security designed in
  – Optional dual controls for all operator actions
  – Designed to meet CWA requirements
  – Strong authentication of all administrators / operators
  – Fine-grained role-based operator rights
  – HMAC secured logs with view, search, report options
  – Log and email alerting system

• ADSS Server supports multiple clients
  – Strong client authentication with certificate based trust
  – Strong client authorisation based on client and service profiles

• FIPS 140 and CC EAL 4 HSMs are supported

• SQL Server EE and Oracle RACs are supported

Page 27: Adss Server   Trusted Archive Services (Tas Aug08)


ADSS Server Scalability / Resilience

[Diagram: archive requests and responses pass through a Hardware Load Balancer (e.g. Big-IP, Cisco) to two ADSS Servers, each with an optional HSM (HSM 1, HSM 2), backed by a replicated database (SQL Server or Oracle or PostgreSQL). The servers obtain CRLs and OCSP responses from one or more CAs (CA 1, CA 2 ... CA n); one or more CAs and optional HSMs are supported]

Page 28: Adss Server   Trusted Archive Services (Tas Aug08)


Use Case Example - Workflow Archive services

[Diagram: business flows where approval is required (Request, Sign, Protect) and where approval is granted (Review/Approve, Countersign, Later audit / review) run through ERP / CRM / ECM systems; ADSS Server + TAS provides Sign & Timestamp, Verify and Evidence Archive at each stage]

Page 29: Adss Server   Trusted Archive Services (Tas Aug08)


Summary

• Meets all business needs for easy to deploy secure archive and archive management
  – Documents, transactions and even email

• Easy to integrate
  – A separate security service for any business application
  – High level .NET and Java APIs with sample applications
  – An option on signature creation or verification requests
  – Secure eMail Server integration

• Multi-platform
  – Windows 2003 Server
  – Unix: Solaris (Sparc, X86) and other Unix options by request

• Secure Storage
  – Uses industry leading databases with secured content

• Secure Management
  – A well proven multi-functional platform with security designed in

Page 30: Adss Server   Trusted Archive Services (Tas Aug08)


Questions: Rod Crook, +44 1256, [email protected]