More Related Content Similar to ECM & Digital Signature (20) ECM & Digital Signature2. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / Bio
Leonardo da Silva
System Architect
ECM Competence Center - Brazil
br.linkedin.com/in/dasilvaleonardo
@lapsbr
● ● ● ● ● ● ● ● ● ● ●
I've worked for 10 years in IT as many roles (developer, analyst, consultant
and architect) with participation in the whole software development
lifecycle (SDLC) for several projects in energy and engineering, mining,
chemical, utilities, financial services and public sector (government)
industries.
Also, I’m specialist in ECM/BPM/EDMS/WCM solutions, especially in the
Documentum platform (5, 6 and 7 versions).
2
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR DIGITAL SIGNATURE
3. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / Agenda
•Context (5w2h)
•How it works
•Integrating with ECM
•Conclusion
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR 3 DIGITAL SIGNATURE
4. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / Context (5w2h)
What?
Firstly, I like how the AIIM introduces our current scenario: “As we rely more and more on
electronic workflows and less and less on physical document exchange (via post, fax or courier), the
discontinuities and delays caused by physical signing have become harder and harder to ignore”.
Thus, we can define the digital signature as the same process of signing documents, but in our
case, via electronic mechanisms using digital certificates that belongs to a person or a company.
And why not integrate this process with the ECM of the companies, where the documents are or
they will be.?
Why?
•On average, 3 days is added to most
processes in order to collect physical
signatures and 22% of organizations add a
week or more to their processes.
•60% frequently print and sign documents
and then scan them back in to their
DM/ECM system. 64% frequently print,
sign and file manually. 33% regularly
print, sign and courier documents..
4
48%
DOCUMENTS ARE
PRINTED ONLY FOR
ADDING SIGNATURES
PURPOSE
● ● ● ● ● ● ● ● ● ● ● ● ●
*AIIM Survey 2012 Digital Signatures - making the business case
(© AIIM 2012 www.aiim.org / © ARX 2012 www.arx.com)
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR DIGITAL SIGNATURE
5. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / Context (5w2h)
Where?
•Departments where
signatures are used for internal
compliance, external
regulation, and authorizations
for contracts or payments are
prevalent.
•60% have a strong legal
requirement for signatures.
Who?
•Internal departments from
your company that use digital
signatures.
When?
•We have seen that the
adoption of electronic and
digital signatures has moved
since 2010, rising from 24% to
35% in 2012.
•Driven by the very high ROI
reported by the companies, the
time is now.
2010 2012
24% 35%
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
*AIIM Survey 2012 Digital Signatures - making the business case
(© AIIM 2012 www.aiim.org / © ARX 2012 www.arx.com)
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR 5 DIGITAL SIGNATURE
6. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / Context (5w2h)
How much?
•Wasteful practices include the
60% who frequently print
born-digital documents for
signature and then scan them
into a document management
or ECM system.
81%
USERS HAVE SEEN A PAYBACK
IN A 12-MONTH BUDGET CYCLE
25%
SAW ROI IN THREE MONTHS
OR LESS
How?
•Through the ECM system,
where your current documents
to be signed reside or they will
reside.
*AIIM Survey 2012 Digital Signatures - making the business case
(© AIIM 2012 www.aiim.org / © ARX 2012 www.arx.com)
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR 6 DIGITAL SIGNATURE
7. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / How it works
When we talk about digital signature, we need to have in mind three
important aspects, which are:
•authentication (unambiguous identification of the signatory);
•non-repudiation(impossibility to challenge authorship by its signatory);
•integrity(legitimacy of signed information);
Before get into the digital signature details, we should read a little bit of
some additional concepts:
•Encryption;
•Digital certificate;
•Hashing;
● ● ● ● ● ● ● ● ●
● ● ● ● ● ● ● ● ●
● ● ● ● ● ● ● ● ●
● ● ● ● ● ● ● ● ●
● ● ● ● ● ● ● ● ●
● ● ● ● ● ● ● ● ●
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR 7 DIGITAL SIGNATURE
8. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / How it works
Encryption
This subject is so broadly that we can
take several slides talking about
algorithms, keys and etc. However, let’s
get straight to the point related to the
digital signature.
Msg
Key
Encrypt Decrypt
Msg Msg
● ● ● ● ● ● ●
For digital signatures, we use the asymmetric keys (a.k.a. public keys) concept:
• public keys use a pair of keys (private and public), where any of these keys can be
used in addition with an algorithm to encrypt messages, and the other key is used
to decrypt;
• thus, the encrypted message with one of the two keys, can be decrypted with the
other correspondent key; the private key is keep in safe and the other one is public,
that means, it can be shared with anyone;
8
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR DIGITAL SIGNATURE
9. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / How it works
Digital certificates
Can be defined as electronic documents digitally signed by its emissary (CA), which
associates data from an individual or a company to a public key. Certificates issued
follow ITU-T (International Telecommunication Union) standards and works as a
virtual identity of the author. Certificates can be stored either in software (SO`s,
programs, etc.) or hardware (tokens, smart-cards, etc.)
Hashing
The hashing mechanism is used to optimize the performance of the digital signature.
In practice, during the digital signature, if we used the original documents, such as
CAD, DOC, etc., the signing process could take minutes or even hours. Thus, we use the
hashing which generates a small file (summary) that derives from document intended
to be signed. This mechanism provides agility in digital signatures, also integrity, once
any changes in the original document will result in the generation of a different
summary.
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR 9 DIGITAL SIGNATURE
10. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / How it works
Digital signature
Well, explained those concepts, let's get into the digital signature. Like we said it signs
the summary of a document along with the private key of the signer, producing a
package that is the digital signature.
To validate a digital signature, we process in runtime the summary of the document to
be validated, comparing it with the summary of the digital signature package, already
decrypted with the public key of the supposed signer, then we have two summaries.
If they are equal, it is the validation that content was signed by the signatory,
otherwise is the proof that content has changed or the signer is not the same.
This ensures the authenticity, integrity and non-repudiation.
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR 10 DIGITAL SIGNATURE
11. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / How it works
Priv. key
Encrypt
Digital
signature
Summary
Validating
Documents and signatures once stored and
related within repository can be validated.
For that, a summary of the document to be
verified is generated and it is compared
with the document summary hold in the
digital signature package already decrypted
with the signer public key, stored within
digital signature package.
11
Signing
Document hashing is generated and
in addition with the private key of
signer, retrieved from digital
certificate, it generates a digital
signature package.
Then, within ECM repository we
have original documents and their
respective signatures.
Digital
signature
Pub. key
Decrypt
Signature
Summary Summary
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR DIGITAL SIGNATURE
12. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / Integrating with ECM
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Digital signature framework
The digital signature framework, that among others functionalities,
generates the signature package can be third-party and/or proprietary.
However, it must follow industry standards and it is regulated in Brazil
by ICP-Brasil, which regulates standards for digital certificate and digital
signature (see more in Appendix A).
In our integration the Scytl framework was used and integrated with the
document management system (DMS).
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR 12 DIGITAL SIGNATURE
13. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / Integrating with ECM
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
ECM (Documentum)
The DMS solution, built upon Documentum platform, was integrated
with digital signature framework. Also, Documentum has some digital
signature features.
Documentum has methods for generating and validating summaries,
content encryption capabilities for its repository, among others.
To ensure interoperability we use SOA techniques, available by the
Documentum, creating services (SBO’s) for the digital signature,
providing the signature functionalities for the whole platform.
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR 13 DIGITAL SIGNATURE
14. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / Integrating with ECM
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Functionalities
All the functionalities were implemented through a DMS, which is an
web application, increasing the user adoption.
•The signing operation, allowing users to electronically sign
documents.;
•Once document signed, it holds for its whole lifecycle all the signature
data that comprises the signer and certification information, such as
certification validity and signer ID;
•Finally, the validation operation verify the digital signature consistent
and the signature package over a document;
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
14
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR DIGITAL SIGNATURE
15. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / Integrating with ECM
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Functionalities
Thus, the integration aims to keep all the features of the digital
signature, ensuring authenticity, integrity and non-repudiation.
For that, the Documentum repository creates a relationship between the
signature and the document, ensuring consistency for the future
validation. Thus, a digital signature package corresponds to a version of
a document that can not be changed. If the document requires
modification, another version should be created, and this will not have
signature. Additionally, the previous version in the repository remains
unchanged and signed.
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
15
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR DIGITAL SIGNATURE
16. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / Conclusion
The digital signature is intended to facilitate the authenticity, integrity,
however, it does not manage documents and their signatures.
You can imagine finding and managing digital signatures and their
documents on a file server. Another used method is to use tools to
en/decrypt signed documents, however, there is no standard tool and you
will not have signature data within a repository nor indexed in enterprise
search platform.
Through an integration with ECM platform, which is where your documents
already are or they will be, it is possible to ensure all legal aspects of digital
signature in addition with content management capabilities for the entire
corporation, enabling search on documents and their information from
signatures and certificates.
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR 16 DIGITAL SIGNATURE
18. © 2014 Engineering Group
ECM & DIGITAL SIGNATURE / Appendix A – ICP Brasil
The ICP-Brasil (Brazilian Public Key Infrastructure and Public Key
Infrastructure) , established in 2001, issues digital certificates for
identification of citizens and companies based on a model in which its
infrastructure allows use of digital certificates in a trusted and secure
environment.
ICP-Brasil also defines rules and laws that allow to trust their
infrastructure, since the digital certificates issued by them are safe; as well
as playing the role of Root Certification Authority (CA Root); accreditation
of participants in their infrastructure; issuance of the certificate revocation
list (CRL); auditing of Certification Authorities (CAs) and Registration
Authorities (RAs).
The standard format defined by ICP-Brasil to issue of digital certificates to
their holders is the PKCS # 7, RSA.
ECM & WWW.ENG.IT / WWW.ENGDB.COM.BR 18 DIGITAL SIGNATURE