Title: Smart cards and document exchange security
1Smart cards and document exchange security
legal requirements in EU and Bulgaria.
Practical implementation in eConfidence SystemTM
International Symposium Recent Developments in
Cryptography and Information Security
August 29-31, 2007 National
Institute of Education, Oriahovitza, Bulgaria
Miroslav Nachev
Robert Kuenstler
Todor Petrov
2Requirements of the Business in connection to
globalization in all parts of public life and IT
technologies
- confidentiality of business information trusted
protected document exchange
- reliable Authentication of parts in data exchange
- guarantee Integrity of information
- Non-repudiation of business transactions
- Digital Signing and Encrypting of exchanged
information
- Effective interaction of application software
- Vertically connections to SW of Certification
Service Provider (CSP)
- Horizontally between different application SW.
- user friendly application software
3Some real problems with current digital
certificates, by CSP
- Non-conformity of the certificate format to the
structures of validation data (CRL)
- very common (and frequently inexact) revoke
reasons
- presence of CRL with revoke reason, incongruous
to inscribed in the generated certificates CRL
reasons
- Different schemes and certificate paths for
access to authority certificates
- Absence in the certificates store of higher level
certificates
- Incorrect application of the authority
certificates in the certificate path
? onerous vertical interoperability
- Support of own structures of digital signature,
regarding to the applicable algorithms as
company secrets.
? next to impossible horizontal interoperability
4Problem reasons
- IETF standards (RFCs) cover a wide variety of
computer and communications applications and
provide great flexibility in technical aspects
(communication protocols, data formats,
procedures, etc.). For the realization of
interoperable applications, the standards may be
too flexible
- at some aspects they offer too many
implementation alternatives to choose from
Choice of irrelevant profiles
- other aspects relevant for the specific
application area may not be covered by them
- Striving for Market Monopoly Position
- Interpretation of company know-how by CSP and
application developers
- forcing the use of explicit indicated
application SW
for instance XML exchanged documents
- evasion (or ignorance) of structures with exact
definition and interpretation
- often very common recommendations and regulations
for data structures, protocols ? algorithms
- do not regulate the application of the modern IT
technologies
5Main directions for problem solving
The problems are not Bulgarian patent
- XML Advanced Electronic Signatures (XAdES) - ETSI
TS 101 903
- compliant with the European Directive
- include validity confirmations
- the signature remains valid over long periods
- Estonian DigiDoc System - www.sk.ee
- personal ID card digital certificate
- ISIS-MTT Common specifications for interoperable
PKI applications
www.isis-mtt.org
- specifying a selection of the numerous technical
standards that are relevant for the target
application area and that are to be followed by
implementers
- restricting the possible implementation
alternatives in order to promote interoperability
as well as to reduce the costs of implementation
and conformity tests
- extends the international standards to cover
specific needs or aspects that are not covered by
those standards, but that need regulation for the
sake of interoperability
6Time Stamp Service
ISIS-MTT Model
data structures protocols
procedures
validated data
signature format
algorithms
7About eConfidence SystemTM
eConfidence SystemTM is a trade mark of Plan C
Ltd. www.planc.biz
- Enterprise version server and client modules,
complete functionality
- Standalone (Lite) version module eCS Protector
- Free of charge module eCS CheckUp - for checkup
and decrypting of eCS-documents
8Basic concepts and models in eConfidence SystemTM
- store (media) for the private key
smart card (PKCS11)
p12 / pfx file (PKCS12)
- digital signature generation (digital signing)
- check-up digital signature validity (validation)
- file protection (self-encrypting)
9Basic concepts and models in eConfidence SystemTM
- Advanced electronic signatures based on a
qualified certificates Directive 1999/93/EC
- hierarchical (embedded, nested)
- mixed embedded and independent
- Certificate validation online (via OCSP, CRL),
offline (via CRL)
10Basic concepts and models in eConfidence SystemTM
- The last operation by security reasons
- Combined (mixed) encrypting for higher
cryptographic reliability and high speed
processing
- Symmetrical encrypting - the document content is
compressed and ciphered with a symmetrical random
session key
- Asymmetrical encrypting the symmetrical random
session key is ciphered asymmetrically with the
public key of the addressee of the enciphered
document
11Basic concepts and models in eConfidence SystemTM
- Container for the document, digital signatures
and other qualified security information
- Sequence of digital signatures
- European standard for application in electronic
- Commerce ETSI TS 101 903 XML Advanced
Electronic Signatures (XAdES)
- Evidence for legality of certificate and digital
signature
- Protection from illegal actions and changes
- Long-term digital signatures
12Basic concepts and models in eConfidence SystemTM
- Serial document processing package generation
- Uniform operations single user action at all
documents (files) in the package
- Documents from different sources / folders
- Dispatch with additional recipients information
- Input file types (file extension)
- principle excluding of forbidden file types
- Exchange of protected documents
13Main functionality of eCS Protector
Serial crypto-processing
Formation of file package
Self-encrypting
Digital signing
Encrypting
Final operations
- Sending of e-mail
- Encrypting sending of e-mail
- Encrypting sending of e-mail
14 Reverse crypto-processing
Select file
Decrypt
Validation
Optional operations
- Extract save original document
- Save correspondent certificate
15Process flow of eConfidence SystemTM
Customer 1
IS
Customer 2
User 3
User 1
User 2
16Features of eConfidence SystemTM
- Completely compliance with Bulgarian and EC
legislation for electronic certificate, digital
signature and electronic commerce
- Open structure and easy integration with others
IT systems / corporate PKI system through
standard XML structure)
- Interoperable with different CSP
- Support different signing schemes (signing
policies)
- User-friendly GUI usual for Windows
applications
- Independent Java application independent by
operation system, e-mail client , etc...
Pursuit of interoperability standardization