Remote Signature Solution Powered by PkBox

22 July 2014

CONFIDENTIAL

All the information in this document is CONFIDENTIAL and cannot be used or reproduced, in whole or in part, without written permission from Intesi Group S.p.A.

www.intesigroup.com
Via Torino, 48 - 20123 Milano | Tel: +39 02 6760641 - Fax: +39 02 67382279

Index

1. PkBox
2. Remote signature
3. Strong authentication
4. Configurations
4.1. Configuring remote signature in house
4.2. Configuring remote signature in service
4.3. Configuring remote signature locally
5. Registration Authority and Certificates Enrollment
5.1. Certificate enrollment steps

1. PkBox

PkBox is the ideal product to create centralized signature solutions.
Designed for companies of any size, it meets all requirements of functionality, performance, capacity, reliability, scalability and price. PkBox complies with all Italian and European regulatory requirements. It has been designed to offer programming interfaces that are simple and easy to integrate into existing applications, and it can be configured and sized according to user needs without any changes to source code. PkBox is currently adopted by the biggest banks and Italian service centers as the main platform for providing all the signature verification services required by and offered to users.

2. Remote signature

Italian legislation on digital signatures allows a qualified signature solution with legal value, provided that the cryptographic keys are generated and kept on board an HSM device (certified to Common Criteria EAL4+). The HSM can be installed remotely and, as permitted, fully replaces the personal device operated directly by the user (smartcard or token).

For the remote signature to have legal value, exclusive possession of the credential and the signer's expressed will to sign must be guaranteed by strong authentication tools that verify the person's identity with certainty and control the release of the transaction.

The requirement for strong authentication during the signature operation is what distinguishes the qualified remote signature from the automatic (also massive) signature. In the second case, user authentication must take place only when the service is activated or suspended. Once activated, the signature service may proceed independently, without the involvement of the user who owns the credential.
PkBox can manage credentials by specifying, individually for each one, the authentication mode and, if necessary, the Authentication Provider to be used. By configuring the credentials appropriately, both remote signature and automatic signature operations can be performed on the same server.

3. Strong authentication

Italian legislation does not specify exactly which authentication technologies are appropriate for a remote signature solution. One should therefore adopt a solution that is sufficiently safe and reliable, possibly taking into account the authoritative opinion of the qualified entities entitled to validate and "self-certify" the adherence of the signature infrastructure to regulatory requirements: the Certification Authorities (CA).

Taking into account the essential aspects of security, protection against copying of the cryptographic algorithms, and security of the keys, approaches based on the dynamic generation of codes valid for a single authentication (OTP, One Time Password codes) can certainly be considered valid. Alternatively, biometric technologies can be adopted, but these are not yet openly favoured by the Italian supervisory bodies and should therefore be treated with caution.

The possible solutions differ in the specific device and/or channel used to generate the code and then deliver it to the user.

PkBox offers maximum flexibility of configuration, allowing the authentication mechanism and the associated provider to be set freely for each credential.
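The per-credential distinction between remote and automatic signature, as an added example that is not PkBox code: a hypothetical `Credential` class gates access to the signing key. HOTP (RFC 4226) is assumed as the OTP scheme, since the document does not name one.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): a code derived from a counter, valid for one authentication."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Credential:
    """Hypothetical model of one signing credential and its authentication mode."""

    def __init__(self, alias: str, mode: str, otp_secret: bytes):
        if mode not in ("remote", "automatic"):
            raise ValueError("mode must be 'remote' or 'automatic'")
        self.alias, self.mode, self.secret = alias, mode, otp_secret
        self.counter = 0       # next unused OTP counter
        self.active = False    # only meaningful for automatic signature

    def _consume_otp(self, otp, window: int = 3) -> bool:
        if otp is None:
            return False
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1   # burn the code so a replay is rejected
                return True
        return False

    def activate(self, otp) -> bool:
        if self.mode == "automatic" and self._consume_otp(otp):
            self.active = True
        return self.active

    def suspend(self, otp) -> bool:
        if self.mode == "automatic" and self._consume_otp(otp):
            self.active = False
        return not self.active

    def authorize_signature(self, otp=None) -> bool:
        """True if the HSM may be asked to sign with this credential."""
        if self.mode == "remote":
            return self._consume_otp(otp)  # strong authentication on every signature
        return self.active                 # automatic: no user involvement once activated
```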
Authentication mechanisms provided:
- OTP for remote signature (must indicate which provider to use)
- OTP to unlock automatic signature (must indicate which provider to use)
- Double PIN
- Single PIN
- No authentication

Authentication Providers available in the basic version:
- Intesi PassID SMS
- Intesi PassID Mobile
- RSA Authentication Manager
- RSA SecurID Authentication Engine (SAE)
- Vasco Identikey Authentication Server
- Vasco Vacman Controller

Authentication based on a voice call to the user's mobile phone to communicate the authentication code is currently under evaluation.

For companies that have already implemented an authentication system, it is possible to create a Custom Authentication Provider integrated with PkBox that calls the external service, without having to manage a further system alongside the one already in use. Similarly, strong authentication systems other than those already supported can be integrated without difficulty. The effort to plan for is fully equivalent to integrating the system in question with any other application server developed in Java and running under Tomcat.

4. Configurations

PkBox is highly flexible and can be configured to fully meet the customer's requirements, both in terms of load capacity and credentials and in terms of the overall system architecture. In defining a PkBox configuration, the degrees of freedom are:
- Guest OS (Windows and Linux are supported)
- Cryptographic device (software PKCS#11, pool of smartcards/tokens, HSM, netHSM)
- Set of signature functions enabled (CAdES, PAdES, XAdES, Full Options)
- Number of servers in production (fault tolerance and load balancing)
- Possible COD architecture with credentials on a database (Oracle, MySQL)
- Number of servers for other environments (DR, Testing, Development)
- Strong Authentication system
- Number of intermediate servers for processing documents (three-tier configurations)

Depending on the cryptographic device chosen, the following values vary:
- Number of credentials that can be installed on a PkBox server
- Number of signature operations per unit of time

With a smartcard or USB token it is possible to achieve a rate of about 3/4 thousand signatures per hour. With an HSM, hundreds / thousands of signatures per second can be handled. Clearly, the size of the documents to be signed greatly influences the time needed for the signature operation, since the hash must be calculated.

By installing multiple servers in parallel, signature requests can be distributed across the available machines, increasing the overall capacity of the system proportionally. The PkBox Client module, used as the interface library between applications and PkBox Servers, can address multiple servers and distribute requests without requiring additional components such as hardware or software balancers. Balancing equipment can still be used, either when the user wants to adopt it or when the user does not use PkBox Client and prefers the Web Services interfaces.

By adopting the COD configuration, PkBox can manage signature credentials on a database external to the HSM. The key pair is generated within the cryptographic device and is then encrypted with a master key; the result can be taken outside the security device without the risk of it being used fraudulently.
Thanks to the COD structure, the limits imposed by the HSM on the total number of credentials manageable by a single security system are overcome. Intesi Group has developed configurations that can handle millions of remote and automatic signature certificates. By connecting several PkBox servers to a common database, it is possible to optimize the number of certificates to be issued, avoiding duplicating certificates for each HSM, and to minimize the recovery time of a signature server after a hardware failure. The only information to transfer to the new HSM is the master key (which can be securely transferred using a set of smartcards).

The COD configuration requires a specific HSM device, the Thales nCipher nShield: to ensure the necessary security, the cryptographic operations and the export of credentials are performed through calls to this product's specific APIs.

If there is a logical or geographical separation between the signature servers and the applications that manage the documents to be signed, it is possible to create a three-tier configuration in which the PkBox server is divided into two specialized machines:
- PkBox HSM (which manages the cryptographic device)
- PkBox Remote (which manages the handling of documents, on the application side)

The communication mechanisms between PkBox Client, HSM and Remote enable load balancing at all levels. For example, it is possible to have three PkBox HSM and two Remotes. The application will see, through PkBox Client, the two PkBox Remote, and each Remote will see the three PkBox HSM as a pool. The number of PkBox Remote can be decided based both on the size and number of documents to be processed and on the number of applications and geographic locations to support. The number of PkBox HSM depends solely on the load of signature transactions to be supported.

The sizing of a solution without Remote should take into account that all the document processing and the signature on the device are done by the same machine.

4.1. Configuring remote signature in house

Combining the options shown, the standard reference configuration for managing remote signatures is the following:
- One or more PkBox COD servers (production and disaster recovery environments)
- A Thales HSM for each PkBox
- A database to host the encrypted credentials
- One or more Strong Authentication systems

Clearly, multi-level configurations with PkBox Remote can also be used. If development, test and validation environments are needed, less complex configurations can be defined, because the APIs and interface services remain unchanged across configurations. Products should be selected from among those supported, as indicated above.

4.2. Configuring remote signature in service

The three-tier architecture can be profitably exploited to build remote signature solutions that offer credential custody and remote signature as a service to companies that want to use applications with signature functionality without the burden of acquiring and managing complex HSMs. The configuration planned for the in-house solution can be moved to the service provider, leaving the company that uses the service with simply one or more PkBox Remote.

In this case, the provider must provide a redundant configuration of PkBox HSM, possibly replicated across production sites (Primary and Disaster Recovery). It must also make available the database that will host the users' signing credentials and make it accessible through appropriate communication lines, redundant and replicated, in order to maximize service levels and the availability of the solution.

The Strong Authentication feature can be made available either by the provider or by the customer. It is nevertheless desirable that the provider offers a basic authentication feature, so that customers are not forced to equip themselves with one if they do not feel the need.

4.3. Configuring remote signature locally

To complete an in-service remote signature configuration, the customer simply needs to install one or more PkBox Remote, which are responsible for receiving requests from applications, processing the data to be signed, and sending hashes and authentication data to the PkBox HSM for the execution of signature operations. All operations are carried out locally by PkBox Remote; the PkBox HSMs installed at the service provider are involved only when it is strictly necessary to operate on private keys. Since the data to be signed are never sent to the provider, only locally computed hashes, the solution ensures the necessary confidentiality of the information processed by the client applications.

5. Registration Authority and Certificates Enrollment

Regardless of the cryptographic device adopted, if the signatures are to have legal value, the certificate issuing process must comply with the law and follow the rules established by the Certification Authority from which the certificates are requested.

5.1. Certificate enrollment steps

The steps for issuing a certificate are:
1. Creating an RSA key pair on the HSM device
2. Recognition of the user by a RAO (Registration Authority Officer)
3. Preparing a certificate request with all the required data
4. Sending the request to the Certification Authority
5. Registration of the user by the RA
6. Issue of the certificate by the CA
7. Sending the certificate to the client
8. Uploading the certificate to the cryptographic device

The generation mode should also be considered: it can be online for a single user, or batch for the massive generation of credentials.

The operations listed are carried out partly by the Certification Authority, with tools made available by that body, and partly on PkBox. In particular, PkBox publishes Web Services interfaces to perform steps 1, 3 and 8. The Certification Authority must ensure steps 5, 6 and 7. Steps 2 and 4 are typically carried out by the RAO or by his agent. In both the interactive and the batch case, it is necessary to prepare an application that integrates the PkBox interfaces with those of the CA in order to implement the overall procedure.

If the in-service solution is adopted, the certificate enrollment procedure is typically offered by the Service Provider as a complement to the basic remote and massive signature services.

As for the certificates, the difference between qualified signature and remote automatic signature is given only by the usage restrictions defined on the certificate at the time of its issue.
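The hash-only exchange described in section 4.3, as an added example that is not PkBox code: the local tier sends only a SHA-256 digest, and the provider tier performs the RSA PKCS#1 v1.5 private-key operation on it. The function names, the request fields and the toy key (two Mersenne primes, not secure) are assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes: illustration only, NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: exists only on the provider side
K = (N.bit_length() + 7) // 8       # modulus length in bytes

# DER prefix of the DigestInfo structure for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(digest: bytes) -> int:
    """Pad a SHA-256 digest as 00 01 FF..FF 00 || DigestInfo and return it as an integer."""
    if len(digest) != 32:
        raise ValueError("expected a SHA-256 digest")
    t = SHA256_PREFIX + digest
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def local_prepare(document: bytes) -> dict:
    """Local tier: hash the document; only this small request leaves the site."""
    return {"alias": "demo-credential",   # hypothetical credential name
            "digest": hashlib.sha256(document).hexdigest()}

def hsm_sign(request: dict) -> bytes:
    """Provider tier: private-key operation over the received digest only."""
    m = emsa_pkcs1_v15(bytes.fromhex(request["digest"]))
    return pow(m, D, N).to_bytes(K, "big")

def verify(document: bytes, signature: bytes) -> bool:
    """Anyone holding the public key (N, E) checks the signature against the full document."""
    if len(signature) != K:
        return False
    recovered = pow(int.from_bytes(signature, "big"), E, N)
    return recovered == emsa_pkcs1_v15(hashlib.sha256(document).digest())
```

The provider side signs whatever digest it receives without seeing the document, so the authentication data sent with the request is the only control over what gets signed.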