ecm & digital signature
DESCRIPTION
Presentation on integrating an ECM (Documentum) platform with a digital signature framework, enabling process efficiency, cost reduction and regulatory adherence. It also explains how digital signatures work and how they are integrated with a DMS solution.
TRANSCRIPT
Leonardo da Silva
@lapsbr
Enterprise Content Management (ECM) & Digital signature
Date 15/09/2014
© 2014 Engineering Group
ECM & DIGITAL SIGNATURE WWW.ENG.IT / WWW.ENGDB.COM.BR
ECM & DIGITAL SIGNATURE / Bio
Leonardo da Silva
System Architect
ECM Competence Center - Brazil
br.linkedin.com/in/dasilvaleonardo
@lapsbr
I've worked for 10 years in IT in many roles (developer, analyst, consultant and architect), participating in the whole software development lifecycle (SDLC) for several projects in the energy and engineering, mining, chemical, utilities, financial services and public sector (government) industries.
Also, I'm a specialist in ECM/BPM/EDMS/WCM solutions, especially in the Documentum platform (versions 5, 6 and 7).
ECM & DIGITAL SIGNATURE / Agenda
• Context (5w2h)
• How it works
• Integrating with ECM
• Conclusion
ECM & DIGITAL SIGNATURE / Context (5w2h)
What?
Firstly, I like how the AIIM introduces our current scenario: “As we rely more and more on electronic workflows and less and less on physical document exchange (via post, fax or courier), the discontinuities and delays caused by physical signing have become harder and harder to ignore”.
Thus, we can define the digital signature as the same process of signing documents, but in our case via electronic mechanisms, using digital certificates that belong to a person or a company. And why not integrate this process with the company's ECM, where the documents are or will be?
Why?
• On average, 3 days are added to most processes in order to collect physical signatures, and 22% of organizations add a week or more to their processes.
• 60% frequently print and sign documents and then scan them back into their DM/ECM system. 64% frequently print, sign and file manually. 33% regularly print, sign and courier documents.
48%: DOCUMENTS ARE PRINTED ONLY FOR THE PURPOSE OF ADDING SIGNATURES
*AIIM Survey 2012 Digital Signatures - making the business case (© AIIM 2012 www.aiim.org / © ARX 2012 www.arx.com)
Where?
• Departments where signatures are used for internal compliance, external regulation, and authorizations for contracts or payments are prevalent.
• 60% have a strong legal requirement for signatures.
Who?
• Internal departments from your company that use digital signatures.
When?
• We have seen that the adoption of electronic and digital signatures has moved since 2010, rising from 24% to 35% in 2012.
• Driven by the very high ROI reported by the companies, the time is now.
2010: 24% / 2012: 35%
*AIIM Survey 2012 Digital Signatures - making the business case (© AIIM 2012 www.aiim.org / © ARX 2012 www.arx.com)
How much?
• Wasteful practices include the 60% who frequently print born-digital documents for signature and then scan them into a document management or ECM system.
81% OF USERS HAVE SEEN A PAYBACK IN A 12-MONTH BUDGET CYCLE
25% SAW ROI IN THREE MONTHS OR LESS
How?
• Through the ECM system, where the documents to be signed reside or will reside.
*AIIM Survey 2012 Digital Signatures - making the business case (© AIIM 2012 www.aiim.org / © ARX 2012 www.arx.com)
ECM & DIGITAL SIGNATURE / How it works
When we talk about digital signatures, we need to keep in mind three important aspects:
• authentication (unambiguous identification of the signatory);
• non-repudiation (impossibility for the signatory to challenge authorship);
• integrity (legitimacy of signed information).
Before getting into the digital signature details, we should look at some additional concepts:
• Encryption;
• Digital certificate;
• Hashing.
Encryption
This subject is so broad that we could spend several slides talking about algorithms, keys, etc. However, let's get straight to the point as it relates to the digital signature.
For digital signatures, we use the asymmetric key (a.k.a. public key) concept:
• public-key schemes use a pair of keys (private and public), where either of these keys can be used together with an algorithm to encrypt messages, and the other key is used to decrypt;
• thus, a message encrypted with one of the two keys can be decrypted with the other, corresponding key; the private key is kept safe and the other one is public, meaning it can be shared with anyone.
[Diagram labels: Msg, Key, Encrypt, Decrypt]
Digital certificates
Can be defined as electronic documents digitally signed by their issuer (CA), which associate data from an individual or a company with a public key. Issued certificates follow ITU-T (International Telecommunication Union) standards and work as a virtual identity of the author. Certificates can be stored either in software (OSs, programs, etc.) or hardware (tokens, smart cards, etc.).
Hashing
The hashing mechanism is used to optimize the performance of the digital signature. In practice, if we signed the original documents directly, such as CAD, DOC, etc., the signing process could take minutes or even hours. Thus, we use hashing, which generates a small file (summary) derived from the document to be signed. This mechanism provides agility in digital signatures and also integrity, since any change in the original document will result in the generation of a different summary.
Digital signature
Well, with those concepts explained, let's get into the digital signature. As we said, it signs the summary of a document with the private key of the signer, producing a package that is the digital signature.
To validate a digital signature, we compute at runtime the summary of the document to be validated and compare it with the summary from the digital signature package, already decrypted with the public key of the supposed signer; we then have two summaries.
If they are equal, this validates that the content was signed by the signatory; otherwise, it is proof that the content has changed or that the signer is not the same.
This ensures authenticity, integrity and non-repudiation.
Signing
The document hash is generated and, together with the signer's private key, retrieved from the digital certificate, it generates a digital signature package.
Then, within the ECM repository, we have the original documents and their respective signatures.
Validating
Documents and signatures, once stored and related within the repository, can be validated.
For that, a summary of the document to be verified is generated and compared with the document summary held in the digital signature package, already decrypted with the signer's public key, which is stored within the digital signature package.
[Diagram labels: Summary, Priv. key, Encrypt, Digital signature; Digital signature, Signature, Pub. key, Decrypt, Summary, Summary]
ECM & DIGITAL SIGNATURE / Integrating with ECM
Digital signature framework
The digital signature framework, which among other functionalities generates the signature package, can be third-party and/or proprietary.
However, it must follow industry standards; in Brazil it is regulated by ICP-Brasil, which regulates standards for digital certificates and digital signatures (see more in Appendix A).
In our integration, the Scytl framework was used and integrated with the document management system (DMS).
ECM (Documentum)
The DMS solution, built upon the Documentum platform, was integrated with the digital signature framework. Documentum also has some digital signature features of its own.
Documentum has methods for generating and validating summaries and content encryption capabilities for its repository, among others.
To ensure interoperability, we use the SOA techniques made available by Documentum, creating services (SBOs) for the digital signature that provide the signature functionalities to the whole platform.
Functionalities
All the functionalities were implemented through a DMS, which is a web application, increasing user adoption.
• The signing operation, allowing users to electronically sign documents;
• Once a document is signed, it holds for its whole lifecycle all the signature data, comprising the signer and certificate information, such as certificate validity and signer ID;
• Finally, the validation operation verifies the consistency of the digital signature and the signature package over a document.
Thus, the integration aims to keep all the features of the digital signature, ensuring authenticity, integrity and non-repudiation.
For that, the Documentum repository creates a relationship between the signature and the document, ensuring consistency for future validation. Thus, a digital signature package corresponds to a version of a document that cannot be changed. If the document requires modification, another version should be created, and this version will not have a signature. Additionally, the previous version in the repository remains unchanged and signed.
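The signing and validating flow described under "How it works", combined with the version-to-signature relation above, as an added example (not code from the presentation, Documentum or the Scytl framework). It uses only the JDK's java.security API; the in-memory map, the version labels, the sample documents and the freshly generated key pairs are constructed stand-ins for the repository and for a signer's certificate.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.LinkedHashMap;
import java.util.Map;

public class SignedVersionDemo {
    // Hypothetical stand-in for the repository relation: version label -> signature.
    static final Map<String, byte[]> signatureByVersion = new LinkedHashMap<>();

    static byte[] sign(byte[] content, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA"); // hashes the content, signs the digest
        s.initSign(key);
        s.update(content);
        return s.sign();
    }

    static boolean validate(String version, byte[] content, PublicKey key) throws GeneralSecurityException {
        byte[] sig = signatureByVersion.get(version);
        if (sig == null) return false;          // a version with no signature never validates
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(content);                      // summary recomputed from the content being checked
        return s.verify(sig);                   // checked against the summary bound into the signature
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signer = gen.generateKeyPair();     // constructed keys; in practice the key pair
        KeyPair stranger = gen.generateKeyPair();   // belongs to a certificate holder

        byte[] v1 = "Contract 1.0: pay 100".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] v2 = "Contract 1.1: pay 900".getBytes(StandardCharsets.UTF_8); // edited new version
        signatureByVersion.put("1.0", sign(v1, signer.getPrivate()));

        System.out.println("1.0, signer key:   " + validate("1.0", v1, signer.getPublic()));
        System.out.println("1.0, edited bytes: " + validate("1.0", v2, signer.getPublic()));
        System.out.println("1.0, other key:    " + validate("1.0", v1, stranger.getPublic()));
        System.out.println("1.1, unsigned:     " + validate("1.1", v2, signer.getPublic()));
    }
}
```

Only the first check succeeds: changed content, a different signer's key, and a new unsigned version all fail validation, while the signed 1.0 version keeps validating unchanged.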
ECM & DIGITAL SIGNATURE / Conclusion
The digital signature is intended to facilitate authenticity and integrity; however, it does not manage documents and their signatures.
You can imagine finding and managing digital signatures and their documents on a file server. Another method in use is tools to en/decrypt signed documents; however, there is no standard tool, and you will not have signature data within a repository or indexed in an enterprise search platform.
Through an integration with the ECM platform, which is where your documents already are or will be, it is possible to ensure all legal aspects of the digital signature in addition to content management capabilities for the entire corporation, enabling search on documents and on the information from their signatures and certificates.
ECM & DIGITAL SIGNATURE / Appendix A – ICP Brasil
ICP-Brasil (Brazilian Public Key Infrastructure), established in 2001, issues digital certificates for the identification of citizens and companies, based on a model in which its infrastructure allows digital certificates to be used in a trusted and secure environment.
ICP-Brasil also defines the rules and laws that allow its infrastructure to be trusted, since the digital certificates issued by it are safe. It also plays the role of Root Certification Authority (Root CA), accredits participants in its infrastructure, issues the certificate revocation list (CRL), and audits Certification Authorities (CAs) and Registration Authorities (RAs).
The standard format defined by ICP-Brasil for issuing digital certificates to their holders is PKCS #7, RSA.