ecm & digital signature

Leonardo da Silva

[email protected]

@lapsbr

Leonardo da Silva

[email protected]

@lapsbr

Enterprise Content Management (ECM) & Digital signature

Enterprise Content Management (ECM) & Digital signature

Date 15/09/2014Date 15/09/2014

mailto:[email protected]

http://twitter.com/lapsbr

mailto:[email protected]

http://twitter.com/lapsbr

© 2

014 E

ng

ineeri

ng

Gro

up

ECM & DIGITAL SIGNATURE ECM & DIGITAL SIGNATURE WWW.ENG.IT / WWW.ENGDB.COM.BR WWW.ENG.IT / WWW.ENGDB.COM.BR

System ArchitectECM Competence Center - Brazilbr.linkedin.com/in/dasilvaleonardo@lapsbr

Leonardo da SilvaLeonardo da Silva

2

I've worked for 10 years in IT as many roles (developer, analyst, consultant and architect) with participation in the whole software development lifecycle (SDLC) for several projects in energy and engineering, mining, chemical, utilities, financial services and public sector (government) industries.

Also, I’m specialist in ECM/BPM/EDMS/WCM solutions, especially in the Documentum platform (5, 6 and 7 versions).

ECM & DIGITAL SIGNATURE / Bio

● ●

● ●

● ●

● ●

● ●

●

http://br.linkedin.com/in/dasilvaleonardo

http://www.twitter.com/lapsbr

© 2

014 E

ng

ineeri

ng

Gro

up

ECM & DIGITAL SIGNATURE ECM & DIGITAL SIGNATURE WWW.ENG.IT / WWW.ENGDB.COM.BR WWW.ENG.IT / WWW.ENGDB.COM.BR 3

ECM & DIGITAL SIGNATURE / Agenda

•Context (5w2h)•How it works•Integrating with ECM•Conclusion

© 2

014 E

ng

ineeri

ng

Gro

up


Why?•On average, 3 days is added to most processes in order to collect physical signatures and 22% of organizations add a week or more to their processes. •60% frequently print and sign documents and then scan them back in to their DM/ECM system. 64% frequently print, sign and file manually. 33% regularly print, sign and courier documents..

4

48%48%

DOCUMENTS ARE PRINTED ONLY FOR ADDING SIGNATURES PURPOSE

ECM & DIGITAL SIGNATURE / Context (5w2h)

What? Firstly, I like how the AIIM introduces our current scenario: “As we rely more and more on electronic workflows and less and less on physical document exchange (via post, fax or courier), the discontinuities and delays caused by physical signing have become harder and harder to ignore”.

Thus, we can define the digital signature as the same process of signing documents, but in our case, via electronic mechanisms using digital certificates that belongs to a person or a company. And why not integrate this process with the ECM of the companies, where the documents are or they will be.?

*AIIM Survey 2012 Digital Signatures - making the business case (© AIIM 2012 www.aiim.org / © ARX 2012 www.arx.com)

● ●

● ●

● ●

● ●

● ●

● ●

●

© 2

014 E

ng

ineeri

ng

Gro

up



Where?•Departments where signatures are used for internal compliance, external regulation, and authorizations for contracts or payments are prevalent.•60% have a strong legal requirement for signatures.

Who?•Internal departments from your company that use digital signatures.


When?•We have seen that the adoption of electronic and digital signatures has moved since 2010, rising from 24% to 35% in 2012.•Driven by the very high ROI reported by the companies, the time is now.

20102010 20122012

24%24% 35%35%

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

●

© 2

014 E

ng

ineeri

ng

Gro

up



How much?•Wasteful practices include the 60% who frequently print born-digital documents for signature and then scan them

into a document management

or ECM system.


81%81%USERS HAVE SEEN A PAYBACKIN A 12-MONTH BUDGET CYCLE

25%25%SAW ROI IN THREE MONTHSOR LESS

How?•Through the ECM system, where your current documents to be signed reside or they will reside.

© 2

014 E

ng

ineeri

ng

Gro

up


ECM & DIGITAL SIGNATURE / How it works

When we talk about digital signature, we need to have in mind three important aspects, which are:•authentication (unambiguous identification of the signatory);•non-repudiation(impossibility to challenge authorship by its signatory);•integrity(legitimacy of signed information);

Before get into the digital signature details, we should read a little bit of some additional concepts:•Encryption;•Digital certificate;•Hashing;

● ● ● ● ● ● ● ● ●

● ●

● ●

● ●

● ●

● ● ● ● ● ● ● ● ● ●

● ●

● ●

● ●

● ●

● ● ● ● ● ● ● ● ● ●

● ●

● ●

● ●

● ●

●

© 2

014 E

ng

ineeri

ng

Gro

up


This subject is so broadly that we can take several slides talking about algorithms, keys and etc. However, let’s get straight to the point related to the digital signature.

EncryptionEncryption

8

For digital signatures, we use the asymmetric keys (a.k.a. public keys) concept:

• public keys use a pair of keys (private and public), where any of these keys can be used in addition with an algorithm to encrypt messages, and the other key is used to decrypt;

• thus, the encrypted message with one of the two keys, can be decrypted with the other correspondent key; the private key is keep in safe and the other one is public, that means, it can be shared with anyone;


Msg

MsgMsg

Key

Encrypt Decrypt

● ●

● ●

● ●

●

© 2

014 E

ng

ineeri

ng

Gro

up



Digital certificatesCan be defined as electronic documents digitally signed by its emissary (CA), which associates data from an individual or a company to a public key. Certificates issued follow ITU-T (International Telecommunication Union) standards and works as a virtual identity of the author. Certificates can be stored either in software (SO`s, programs, etc.) or hardware (tokens, smart-cards, etc.)

HashingThe hashing mechanism is used to optimize the performance of the digital signature. In practice, during the digital signature, if we used the original documents, such as CAD, DOC, etc., the signing process could take minutes or even hours. Thus, we use the hashing which generates a small file (summary) that derives from document intended to be signed. This mechanism provides agility in digital signatures, also integrity, once any changes in the original document will result in the generation of a different summary.

© 2

014 E

ng

ineeri

ng

Gro

up



Digital signatureWell, explained those concepts, let's get into the digital signature. Like we said it signs the summary of a document along with the private key of the signer, producing a package that is the digital signature.

To validate a digital signature, we process in runtime the summary of the document to be validated, comparing it with the summary of the digital signature package, already decrypted with the public key of the supposed signer, then we have two summaries.

If they are equal, it is the validation that content was signed by the signatory, otherwise is the proof that content has changed or the signer is not the same.

This ensures the authenticity, integrity and non-repudiation.

© 2

014 E

ng

ineeri

ng

Gro

up



11

Document hashing is generated and in addition with the private key of signer, retrieved from digital certificate, it generates a digital signature package.

Then, within ECM repository we have original documents and their respective signatures.

SigningSigning

Documents and signatures once stored and related within repository can be validated.

For that, a summary of the document to be verified is generated and it is compared

with the document summary hold in the digital signature package already decrypted

with the signer public key, stored within digital signature package.

ValidatingValidating

Priv. key

Encrypt

Digitalsignature

Summary

Digitalsignature

Pub. key

Summary Summary

Signature

Decrypt

© 2

014 E

ng

ineeri

ng

Gro

up


ECM & DIGITAL SIGNATURE / Integrating with ECM●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●

Digital signature frameworkDigital signature frameworkThe digital signature framework, that among others functionalities, generates the signature package can be third-party and/or proprietary.

However, it must follow industry standards and it is regulated in Brazil by ICP-Brasil, which regulates standards for digital certificate and digital signature (see more in Appendix A).

In our integration the Scytl framework was used and integrated with the document management system (DMS).

© 2

014 E

ng

ineeri

ng

Gro

up



● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●

ECM (Documentum)ECM (Documentum)The DMS solution, built upon Documentum platform, was integrated with digital signature framework. Also, Documentum has some digital signature features.

Documentum has methods for generating and validating summaries, content encryption capabilities for its repository, among others.

To ensure interoperability we use SOA techniques, available by the Documentum, creating services (SBO’s) for the digital signature, providing the signature functionalities for the whole platform.

© 2

014 E

ng

ineeri

ng

Gro

up



● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●

14

FunctionalitiesFunctionalitiesAll the functionalities were implemented through a DMS, which is an web application, increasing the user adoption.

•The signing operation, allowing users to electronically sign documents.;•Once document signed, it holds for its whole lifecycle all the signature data that comprises the signer and certification information, such as certification validity and signer ID;•Finally, the validation operation verify the digital signature consistent and the signature package over a document;

© 2

014 E

ng

ineeri

ng

Gro

up



● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ●

● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●

15

FunctionalitiesFunctionalitiesThus, the integration aims to keep all the features of the digital signature, ensuring authenticity, integrity and non-repudiation.

For that, the Documentum repository creates a relationship between the signature and the document, ensuring consistency for the future validation. Thus, a digital signature package corresponds to a version of a document that can not be changed. If the document requires modification, another version should be created, and this will not have signature. Additionally, the previous version in the repository remains unchanged and signed.

© 2

014 E

ng

ineeri

ng

Gro

up


ECM & DIGITAL SIGNATURE / Conclusion

The digital signature is intended to facilitate the authenticity, integrity, however, it does not manage documents and their signatures.

You can imagine finding and managing digital signatures and their documents on a file server. Another used method is to use tools to en/decrypt signed documents, however, there is no standard tool and you will not have signature data within a repository nor indexed in enterprise search platform.

Through an integration with ECM platform, which is where your documents already are or they will be, it is possible to ensure all legal aspects of digital signature in addition with content management capabilities for the entire corporation, enabling search on documents and their information from signatures and certificates.

© 2

014 E

ng

ineeri

ng

Gro

up


ECM & DIGITAL SIGNATURE / Appendix A – ICP Brasil

The ICP-Brasil (Brazilian Public Key Infrastructure and Public Key Infrastructure) , established in 2001, issues digital certificates for identification of citizens and companies based on a model in which its infrastructure allows use of digital certificates in a trusted and secure environment.

ICP-Brasil also defines rules and laws that allow to trust their infrastructure, since the digital certificates issued by them are safe; as well as playing the role of Root Certification Authority (CA Root); accreditation of participants in their infrastructure; issuance of the certificate revocation list (CRL); auditing of Certification Authorities (CAs) and Registration Authorities (RAs).

The standard format defined by ICP-Brasil to issue of digital certificates to their holders is the PKCS # 7, RSA.

ecm & digital signature

Technology