SlideShare une entreprise Scribd logo

Utilizing PKI to Reduce Risk & Cost

Chin Wan Lim
Chin Wan Lim

http://www.bankingvn.com.vn/hn2011/

Technologie
1  sur  37
Télécharger pour lire hors ligne
Utilizing PKI to Reduce Business Risks and Costs May 2011 Lim Chin Wan
WASTE! WASTE! WASTE!
400% 40 Years 4 Billion
1 tree makes 16.67 reams of copy paper or 8,333.3 sheets
Time is money!
8 WEEKS!
THE ENEMY – PAPER CHASE •Offices with only 11% of their documents in paper spends less than 10 minutes a day locating information! •However, offices with 52% documents in paper spends more than 2 hours a day locating information! •For every paper document: • 19 copies are made • 1 out of 20 are lost • 150 hours/year lost looking for incorrectly filed documents • 25 hours are spent recreating documents •IDC reported an enterprise with 1,000 Information Workers spend an average of 3 hours a week recreating content which is an average cost per worker per week of $87 and $4,501 for a year. This adds up to a staggering $4,500,600 spent annually. TIME LOST CANNOT BE REGAINED!
THAT IS A LOT OF WASTAGE!
Let’s convert every paper to digital!
PROBLEM SOLVED?
The Traditional Paper Approach • Agreements, contracts, application forms etc. – all written on paper • Authenticity – achieved using hand signatures • Confidentiality – achieved using sealed envelopes, couriers etc.
Problems with The Traditional Approach • It takes / wastes a lot of time – Preparing paper – Sending paper to various people – Checking it has all arrived • Document Amendments – Resource intensive – Error prone • A False Sense of Security – Documents can be tampered – Signatures can be copied / forged – It is easy to make mistakes – And what about archiving the paper?
Problems with Archiving • Paper Archive issues – Expensive – Searching & retrieving is not easy – Misfiling is easy – Disaster recovery is even more expensive • Image Archive – Still expensive – Indexing errors – Large file sizes
Cost estimates • How expensive is paper? – Printing: $0.02/page – Transportation: expensive! with prices varying depending on method (courier, postage, fax, etc.) – Scanning: $0.05/page + $15/hour for operator cost – Archiving: $0.02/page + $15/hour for operator cost This is substantial for a large organisation • E-documents avoid these costs but require: – Strong user authentication so you can independently prove who signed, approved etc…both now and in the future – Strong data integrity so any changes to the document invalidate the digital signatures that can be applied
From Paper to e-Documents The Risks of Simple Electronic Transactions: • “I did not authorise or send that report !” • “That information is not what I sent !” • “I sent the tender before the deadline not after!” • “I said BUY not SELL” • “Is this the final approved version?” • “Has anything changed?”
Approval and Sign Off
Why are Trust Services Needed for e-Business? • To prevent fraud – Stop changes to final documents – Mandating sign-off and approval – Clearly identifying the author and approvers – Provide undeniable evidence • Meet legislative requirements – Enable legal acceptance of documents – Strengthen internal and external processes – Ensure traceability, audit and compliance • To enable cost savings and reduce risk – Reduced costs of paper, postage, handling, storage It must be easy to apply and manage these services
One Ring to Rule Them All…
Digital Signatures Provide Trust • The provide strong security: – Authenticity: a valid signature implies the signer deliberately signed the associated document – Non-Repudiation: the signer cannot deny having signed a document which has a valid signature – Data Integrity: to ensure the contents of the document have not been modified – Unique: the signature of the document cannot be used with another document – Unforgeable: only the signer can give a valid signature for the associated document • What’s else is required? – How can it be shown to be role or limit authorised? – How easy is it to sign and to verify and be understood?
What to Consider in a Solution • A flexible yet easy to implement solution – Provide multiple signing and verification options – Support multiple platforms and languages (Java, .NET) – Provide flexible integration options (API, folders, email) – Handle multiple document types and signature formats to that future needs are covered • Provide effective management so business applications do not need to handle this – Manage all the signing keys and certificates – Manage HSMs and USB tokens and/or soft keys/certs – Manage detailed event and transactional logs to ensure traceability and accountability and reporting – Manage application authorisation for all actions – Provide security with separation from O/S admin staff
A Typical Business Solution Architecture
What security services are needed? Sign Verify PDF Documents - Basic signature (visible / invisible) ? ? - Certify Sign ? ? - PAdES basic, timestamp & Long-term signatures ? ? XML Documents - XML DSig (XAdES ES) ? ? - Timestamps (XAdES ES-T) ? ? - Long-term signatures (XAdES X, X-Long) ? ? - Explicit Policy and Archive (-EPES, ES–A) ? ? PKCS#7 / CMS / SMIME - Basic signature (CAdES ES) ? ? - Timestamps (CAdES ES-T) - Long-term signatures (CAdES X, X-Long) ? ? ? ? - Explicit Policy and Archive (-EPES, ES–A) ? ? Historic Verification OCSP Validation (immediate verify & long term sign) - ? Time Stamp Authority (TSA) Server ? ? ? ? You only need license and use what is needed today
What integration options are available Sign Verify Web Services - via OASIS DSS XML/SOAP messaging ? ? - via a provided high level .NET API ? ? - via a provided high level Java API ? ? Using a Browser Applet - For PDF, XML, PKCS#7, CMS signing ? ? - Optional PDF Viewer/ Signer/ Verifier ? ? - Local file & Central file hash & sign ? ? Using an intelligent watched folder client - For fast processing of one or more watched folders ? ? Using a gateway for confidentiality - to extract signatures from documents - ? Using a secure email server - to handle emails and/or attachments ? ? Using a workflow sign-off solution - within a SaaS collaboration environment ? ?
Where should data security be applied • Protecting information output – signing and timestamping, notarising and archiving services for e- invoicing, statements, acceptances, reports etc • Protecting inbound information – notarising/timestamping and archiving services for any received information for larger organisations • Protecting internal document workflows – signing/approving documents or data to confirm a chain of approval (Server or Client held documents) • Confirming external transactions – Using intelligent web-forms that results in both end-user signing and corporate counter signing – Allowing client documents and files to be signed + uploaded
PDF Options Explored • PDF provides a strong format for e-business – World-wide use - since 1993 – A de facto standard for web documents, – A royalty-free specification - anyone can build PDF solutions – Freely available Reader software for anyone to use – A variety of other desktop, Java applet and server products • Now standardised – As ISO standard 32000-1:2008 – As PDF/A ISO 19005-1:2005 • Platform independent – displays documents in consistent way regardless of software, operating system or hardware specifications • Good security features – including digital signatures, rights management and encryption
PDF Digital Signatures • A good range of security options for multiple uses – Visible and invisible signatures – Multiple signatures – Certify signatures, for controlling further edits to the document (e.g. one-way publishing and form content) – Supports long-term signatures with embedded timestamps and signer revocation information – Supports the latest algorithms SHA-2, RSA & DSA • Free Reader shows the document trust status – Signature verification including certificate validation – Long-term signature verification • PDF attachments are supported – So other file types such as Word, Excel, Visio, etc. can be attached and also protected by the digital signature(s)
Signature Appearances Labels can be All aspects of the signature appearance are translated to customisable: other languages - Text item: colour, font type and size and (Unicode) location - graphic images: position, size and order Engineering/Architectural drawings have particular requirements for signature appearances
Invisible Signatures Invisible signatures leave the original document unchanged. The signature details are visible only from the signature panel. Useful for some business documents but note printed document will not have any indication that it has been signed.
Certifying Signatures Certifying signatures allow you to control further changes to the document Shown in Reader with blue ribbon
Signer Certificate Expiry • Documents signed today may need to be verified in two weeks, two months, two years or two decades • “Houston we have a problem” – certificates have a finite lifetime • After a signer’s certificate has expired an existing signature on a document will appear like this: • Long-term signatures are needed
Long-term Signatures • Designed to stop certificate expiry or later revocation issues • Long-term signatures prove – When the signature was created (timestamp from a trusted TSA) – The signer’s certificate status at the time of signing • This evidential information is stored inside each signature • Such signatures are referred to as advanced or long-term signatures Validation Authority Time Stamp Authority (TSA) OCSP/CRLs TSP At time of signing the software must: a) obtain the revocation status of her certificate from a Validation Authority b) obtain a timestamp for the document from a Time Stamp Authority c) embed these in a compliant way within the signature
Verifying Long-term signatures • First verify the embedded timestamp to determine when the signature was applied (timestamp must be trusted in order to be used) • Then verify whether the signer’s certificate status was valid at time of signing • It doesn’t matter what happened later – this signature was good at the time of signing
Server-side Signatures • Server functions – Hashing and signing – Secure management of the keys (optional HSM) • Signer should authorise key use before signing – passwords, biometrics, OTPs, two factor • Where is the document to sign? – May be on the server or may uploading from desktop – Signer should be able to see it before and after signing – Signer should be allowed to save the data locally
Conclusions • Long-term signatures are strongly recommended – for any serious business documents or data so that verification can be done offline or without reference to online systems • For historic verification of basic signatures – an online verification service with access to old CRL data is required • Long-term evidence archiving may be needed – for long-lived documents even with a long-term signature! • The document format, signature format and algorithms and key lengths need to be carefully considered • A flexible, well managed security solution is needed that ensures investment protection
Summary •Reduced paper storage •Improved retrieval time •Saves paper, printer and toner costs •Improved staff productivity •Improved disaster recovery •Reduce Fraud with PKI •Meet Legislative Requirements
Formula for Strong Digital Security sales@securemetric.com www.securemetric.com Questions: Chin Wan Lim H : +6 016 261 8925 O : +6 03 8996 8225 chinwan@securemetric.com

Recommandé

SecureMAG Vol 3
SecureMAG Vol 3SecureMAG Vol 3
SecureMAG Vol 3Chin Wan Lim
 
SecureMetric's SecureMAG Volume 8
SecureMetric's SecureMAG Volume 8SecureMetric's SecureMAG Volume 8
SecureMetric's SecureMAG Volume 8Chin Wan Lim
 
Digital signature efficient, cut cost and manage risk
Digital signature efficient, cut cost and manage riskDigital signature efficient, cut cost and manage risk
Digital signature efficient, cut cost and manage riskChunJia Sio
 
Digital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFDigital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFiText Group nv
 
Digital Signatures solution by ComsignTrust
Digital Signatures solution by ComsignTrustDigital Signatures solution by ComsignTrust
Digital Signatures solution by ComsignTrustZeev Shetach
 
Ascertia Adss Server Capabilities
Ascertia Adss Server CapabilitiesAscertia Adss Server Capabilities
Ascertia Adss Server Capabilitiesandrei_gosman
 
Significant Server
Significant ServerSignificant Server
Significant ServerNamirial GmbH
 
Significant Server
Significant ServerSignificant Server
Significant ServerNamirial GmbH
 

Recommandé

SecureMAG Vol 3
SecureMAG Vol 3SecureMAG Vol 3
SecureMAG Vol 3Chin Wan Lim
 
SecureMetric's SecureMAG Volume 8
SecureMetric's SecureMAG Volume 8SecureMetric's SecureMAG Volume 8
SecureMetric's SecureMAG Volume 8Chin Wan Lim
 
Digital signature efficient, cut cost and manage risk
Digital signature efficient, cut cost and manage riskDigital signature efficient, cut cost and manage risk
Digital signature efficient, cut cost and manage riskChunJia Sio
 
Digital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFDigital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFiText Group nv
 
Digital Signatures solution by ComsignTrust
Digital Signatures solution by ComsignTrustDigital Signatures solution by ComsignTrust
Digital Signatures solution by ComsignTrustZeev Shetach
 
Ascertia Adss Server Capabilities
Ascertia Adss Server CapabilitiesAscertia Adss Server Capabilities
Ascertia Adss Server Capabilitiesandrei_gosman
 
Significant Server
Significant ServerSignificant Server
Significant ServerNamirial GmbH
 
Significant Server
Significant ServerSignificant Server
Significant ServerNamirial GmbH
 
SIGNificant Enterprise Platform (Server based)
SIGNificant Enterprise Platform (Server based)SIGNificant Enterprise Platform (Server based)
SIGNificant Enterprise Platform (Server based)Namirial GmbH
 
Document Management System- nTireDMS from SunSmart Technology
Document Management System- nTireDMS from SunSmart TechnologyDocument Management System- nTireDMS from SunSmart Technology
Document Management System- nTireDMS from SunSmart Technologydigitaldigital4
 
Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...
Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...
Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...digitaldigital4
 
Smartfish Presentation 2007
Smartfish Presentation 2007Smartfish Presentation 2007
Smartfish Presentation 2007waynehooper
 
Ascertia Adss Server Signing & Verifying
Ascertia Adss Server Signing & VerifyingAscertia Adss Server Signing & Verifying
Ascertia Adss Server Signing & Verifyingandrei_gosman
 
CASE-7 Scanning and OCR the Open Source Way
CASE-7 Scanning and OCR the Open Source WayCASE-7 Scanning and OCR the Open Source Way
CASE-7 Scanning and OCR the Open Source WayAlfresco Software
 
Document Management and Digitization solutions for medium sized Enterprises
Document Management and Digitization solutions for medium sized EnterprisesDocument Management and Digitization solutions for medium sized Enterprises
Document Management and Digitization solutions for medium sized EnterprisesTeamBreota
 
eMsigner
eMsignereMsigner
eMsignerKalyana Sundaram
 
Implementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentImplementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentPerficient, Inc.
 
Alfresco Records Management 2.0
Alfresco Records Management 2.0Alfresco Records Management 2.0
Alfresco Records Management 2.0Paul Hampton
 
Drivve overview
Drivve overviewDrivve overview
Drivve overviewLembit
 
GO AnyWhere - MFT
GO AnyWhere - MFTGO AnyWhere - MFT
GO AnyWhere - MFTDaniele Fittabile
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingAvtex
 
Ephesoft @ Alfresco DevCon in London
Ephesoft @ Alfresco DevCon in LondonEphesoft @ Alfresco DevCon in London
Ephesoft @ Alfresco DevCon in LondonEphesoft, Inc.
 
I doc on cloud
I doc on cloudI doc on cloud
I doc on cloudSom Imaging Informatics Pvt. Ltd
 
Let's Encrypt + DANE
Let's Encrypt + DANELet's Encrypt + DANE
Let's Encrypt + DANEDeploy360 Programme (Internet Society)
 
'Keep' by MITIE
'Keep' by MITIE'Keep' by MITIE
'Keep' by MITIEpaulbaum1982
 
Capture Discovery
Capture DiscoveryCapture Discovery
Capture Discoverywlucina
 
ECM Renovation Roadshow - ECM System Migration
ECM Renovation Roadshow - ECM System MigrationECM Renovation Roadshow - ECM System Migration
ECM Renovation Roadshow - ECM System MigrationZia Consulting
 
DS-Entrust-SSL-Document-Signing-APR16-WEB2
DS-Entrust-SSL-Document-Signing-APR16-WEB2DS-Entrust-SSL-Document-Signing-APR16-WEB2
DS-Entrust-SSL-Document-Signing-APR16-WEB2Lucas Gritziotis
 
Enhancing System Security Using PKI
Enhancing System Security Using PKIEnhancing System Security Using PKI
Enhancing System Security Using PKIChin Wan Lim
 
How To Rob A Bank In The 21st Century - PKI Version
How To Rob A Bank In The 21st Century - PKI VersionHow To Rob A Bank In The 21st Century - PKI Version
How To Rob A Bank In The 21st Century - PKI VersionChin Wan Lim
 

Contenu connexe

Similaire à Utilizing PKI to Reduce Risk & Cost

SIGNificant Enterprise Platform (Server based)
SIGNificant Enterprise Platform (Server based)SIGNificant Enterprise Platform (Server based)
SIGNificant Enterprise Platform (Server based)Namirial GmbH
 
Document Management System- nTireDMS from SunSmart Technology
Document Management System- nTireDMS from SunSmart TechnologyDocument Management System- nTireDMS from SunSmart Technology
Document Management System- nTireDMS from SunSmart Technologydigitaldigital4
 
Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...
Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...
Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...digitaldigital4
 
Smartfish Presentation 2007
Smartfish Presentation 2007Smartfish Presentation 2007
Smartfish Presentation 2007waynehooper
 
Ascertia Adss Server Signing & Verifying
Ascertia Adss Server Signing & VerifyingAscertia Adss Server Signing & Verifying
Ascertia Adss Server Signing & Verifyingandrei_gosman
 
CASE-7 Scanning and OCR the Open Source Way
CASE-7 Scanning and OCR the Open Source WayCASE-7 Scanning and OCR the Open Source Way
CASE-7 Scanning and OCR the Open Source WayAlfresco Software
 
Document Management and Digitization solutions for medium sized Enterprises
Document Management and Digitization solutions for medium sized EnterprisesDocument Management and Digitization solutions for medium sized Enterprises
Document Management and Digitization solutions for medium sized EnterprisesTeamBreota
 
Implementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentImplementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentPerficient, Inc.
 
Alfresco Records Management 2.0
Alfresco Records Management 2.0Alfresco Records Management 2.0
Alfresco Records Management 2.0Paul Hampton
 
Drivve overview
Drivve overviewDrivve overview
Drivve overviewLembit
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingAvtex
 
Ephesoft @ Alfresco DevCon in London
Ephesoft @ Alfresco DevCon in LondonEphesoft @ Alfresco DevCon in London
Ephesoft @ Alfresco DevCon in LondonEphesoft, Inc.
 
Capture Discovery
Capture DiscoveryCapture Discovery
Capture Discoverywlucina
 
ECM Renovation Roadshow - ECM System Migration
ECM Renovation Roadshow - ECM System MigrationECM Renovation Roadshow - ECM System Migration
ECM Renovation Roadshow - ECM System MigrationZia Consulting
 
DS-Entrust-SSL-Document-Signing-APR16-WEB2
DS-Entrust-SSL-Document-Signing-APR16-WEB2DS-Entrust-SSL-Document-Signing-APR16-WEB2
DS-Entrust-SSL-Document-Signing-APR16-WEB2Lucas Gritziotis
 

Similaire à Utilizing PKI to Reduce Risk & Cost (20)

SIGNificant Enterprise Platform (Server based)
SIGNificant Enterprise Platform (Server based)SIGNificant Enterprise Platform (Server based)
SIGNificant Enterprise Platform (Server based)
 
Document Management System- nTireDMS from SunSmart Technology
Document Management System- nTireDMS from SunSmart TechnologyDocument Management System- nTireDMS from SunSmart Technology
Document Management System- nTireDMS from SunSmart Technology
 
Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...
Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...
Unlock Efficiency With nTireDMS - Document Management System - SunSmart Techn...
 
Smartfish Presentation 2007
Smartfish Presentation 2007Smartfish Presentation 2007
Smartfish Presentation 2007
 
Ascertia Adss Server Signing & Verifying
Ascertia Adss Server Signing & VerifyingAscertia Adss Server Signing & Verifying
Ascertia Adss Server Signing & Verifying
 
CASE-7 Scanning and OCR the Open Source Way
CASE-7 Scanning and OCR the Open Source WayCASE-7 Scanning and OCR the Open Source Way
CASE-7 Scanning and OCR the Open Source Way
 
Document Management and Digitization solutions for medium sized Enterprises
Document Management and Digitization solutions for medium sized EnterprisesDocument Management and Digitization solutions for medium sized Enterprises
Document Management and Digitization solutions for medium sized Enterprises
 
eMsigner
eMsignereMsigner
eMsigner
 
Implementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentImplementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated Environment
 
Alfresco Records Management 2.0
Alfresco Records Management 2.0Alfresco Records Management 2.0
Alfresco Records Management 2.0
 
Drivve overview
Drivve overviewDrivve overview
Drivve overview
 
GO AnyWhere - MFT
GO AnyWhere - MFTGO AnyWhere - MFT
GO AnyWhere - MFT
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile Computing
 
Ephesoft @ Alfresco DevCon in London
Ephesoft @ Alfresco DevCon in LondonEphesoft @ Alfresco DevCon in London
Ephesoft @ Alfresco DevCon in London
 
I doc on cloud
I doc on cloudI doc on cloud
I doc on cloud
 
Let's Encrypt + DANE
Let's Encrypt + DANELet's Encrypt + DANE
Let's Encrypt + DANE
 
'Keep' by MITIE
'Keep' by MITIE'Keep' by MITIE
'Keep' by MITIE
 
Capture Discovery
Capture DiscoveryCapture Discovery
Capture Discovery
 
ECM Renovation Roadshow - ECM System Migration
ECM Renovation Roadshow - ECM System MigrationECM Renovation Roadshow - ECM System Migration
ECM Renovation Roadshow - ECM System Migration
 
DS-Entrust-SSL-Document-Signing-APR16-WEB2
DS-Entrust-SSL-Document-Signing-APR16-WEB2DS-Entrust-SSL-Document-Signing-APR16-WEB2
DS-Entrust-SSL-Document-Signing-APR16-WEB2
 

Plus de Chin Wan Lim

Enhancing System Security Using PKI
Enhancing System Security Using PKIEnhancing System Security Using PKI
Enhancing System Security Using PKIChin Wan Lim
 
How To Rob A Bank In The 21st Century - PKI Version
How To Rob A Bank In The 21st Century - PKI VersionHow To Rob A Bank In The 21st Century - PKI Version
How To Rob A Bank In The 21st Century - PKI VersionChin Wan Lim
 
SecureMag 2015 :: Volume 7
SecureMag 2015 :: Volume 7SecureMag 2015 :: Volume 7
SecureMag 2015 :: Volume 7Chin Wan Lim
 
What Miss World 2013 Can Teach A Bank About PKI
What Miss World 2013 Can Teach A Bank About PKIWhat Miss World 2013 Can Teach A Bank About PKI
What Miss World 2013 Can Teach A Bank About PKIChin Wan Lim
 
SecureMAG Volume 6 - 2014
SecureMAG Volume 6 - 2014SecureMAG Volume 6 - 2014
SecureMAG Volume 6 - 2014Chin Wan Lim
 
SecureMAG Vol. 5 2012
SecureMAG Vol. 5 2012SecureMAG Vol. 5 2012
SecureMAG Vol. 5 2012Chin Wan Lim
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECChin Wan Lim
 
SecureMetric Newsletter: SecureMag Volume 2
SecureMetric Newsletter: SecureMag Volume 2SecureMetric Newsletter: SecureMag Volume 2
SecureMetric Newsletter: SecureMag Volume 2Chin Wan Lim
 
Future of Public Key Infrastructure
Future of Public Key InfrastructureFuture of Public Key Infrastructure
Future of Public Key InfrastructureChin Wan Lim
 

Plus de Chin Wan Lim (11)

Enhancing System Security Using PKI
Enhancing System Security Using PKIEnhancing System Security Using PKI
Enhancing System Security Using PKI
 
How To Rob A Bank In The 21st Century - PKI Version
How To Rob A Bank In The 21st Century - PKI VersionHow To Rob A Bank In The 21st Century - PKI Version
How To Rob A Bank In The 21st Century - PKI Version
 
SecureMag 2015 :: Volume 7
SecureMag 2015 :: Volume 7SecureMag 2015 :: Volume 7
SecureMag 2015 :: Volume 7
 
What Miss World 2013 Can Teach A Bank About PKI
What Miss World 2013 Can Teach A Bank About PKIWhat Miss World 2013 Can Teach A Bank About PKI
What Miss World 2013 Can Teach A Bank About PKI
 
SecureMAG Volume 6 - 2014
SecureMAG Volume 6 - 2014SecureMAG Volume 6 - 2014
SecureMAG Volume 6 - 2014
 
PKI-In-A-Box
PKI-In-A-BoxPKI-In-A-Box
PKI-In-A-Box
 
SecureMAG Vol. 5 2012
SecureMAG Vol. 5 2012SecureMAG Vol. 5 2012
SecureMAG Vol. 5 2012
 
SecureMAG Vol 4.
SecureMAG Vol 4.SecureMAG Vol 4.
SecureMAG Vol 4.
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSEC
 
SecureMetric Newsletter: SecureMag Volume 2
SecureMetric Newsletter: SecureMag Volume 2SecureMetric Newsletter: SecureMag Volume 2
SecureMetric Newsletter: SecureMag Volume 2
 
Future of Public Key Infrastructure
Future of Public Key InfrastructureFuture of Public Key Infrastructure
Future of Public Key Infrastructure
 

Dernier

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Dernier (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

Utilizing PKI to Reduce Risk & Cost

  • 1. Utilizing PKI to Reduce Business Risks and Costs May 2011 Lim Chin Wan
  • 4. 1 tree makes 16.67 reams of copy paper or 8,333.3 sheets
  • 7. THE ENEMY – PAPER CHASE •Offices with only 11% of their documents in paper spends less than 10 minutes a day locating information! •However, offices with 52% documents in paper spends more than 2 hours a day locating information! •For every paper document: • 19 copies are made • 1 out of 20 are lost • 150 hours/year lost looking for incorrectly filed documents • 25 hours are spent recreating documents •IDC reported an enterprise with 1,000 Information Workers spend an average of 3 hours a week recreating content which is an average cost per worker per week of $87 and $4,501 for a year. This adds up to a staggering $4,500,600 spent annually. TIME LOST CANNOT BE REGAINED!
  • 8. THAT IS A LOT OF WASTAGE!
  • 11. The Traditional Paper Approach • Agreements, contracts, application forms etc. – all written on paper • Authenticity – achieved using hand signatures • Confidentiality – achieved using sealed envelopes, couriers etc.
  • 12. Problems with The Traditional Approach • It takes / wastes a lot of time – Preparing paper – Sending paper to various people – Checking it has all arrived • Document Amendments – Resource intensive – Error prone • A False Sense of Security – Documents can be tampered – Signatures can be copied / forged – It is easy to make mistakes – And what about archiving the paper?
  • 13. Problems with Archiving • Paper Archive issues – Expensive – Searching & retrieving is not easy – Misfiling is easy – Disaster recovery is even more expensive • Image Archive – Still expensive – Indexing errors – Large file sizes
  • 14. Cost estimates • How expensive is paper? – Printing: $0.02/page – Transportation: expensive! with prices varying depending on method (courier, postage, fax, etc.) – Scanning: $0.05/page + $15/hour for operator cost – Archiving: $0.02/page + $15/hour for operator cost This is substantial for a large organisation • E-documents avoid these costs but require: – Strong user authentication so you can independently prove who signed, approved etc…both now and in the future – Strong data integrity so any changes to the document invalidate the digital signatures that can be applied
  • 15. From Paper to e-Documents The Risks of Simple Electronic Transactions: • “I did not authorise or send that report !” • “That information is not what I sent !” • “I sent the tender before the deadline not after!” • “I said BUY not SELL” • “Is this the final approved version?” • “Has anything changed?”
  • 17. Why are Trust Services Needed for e-Business? • To prevent fraud – Stop changes to final documents – Mandating sign-off and approval – Clearly identifying the author and approvers – Provide undeniable evidence • Meet legislative requirements – Enable legal acceptance of documents – Strengthen internal and external processes – Ensure traceability, audit and compliance • To enable cost savings and reduce risk – Reduced costs of paper, postage, handling, storage It must be easy to apply and manage these services
  • 18. One Ring to Rule Them All…
  • 19. Digital Signatures Provide Trust • The provide strong security: – Authenticity: a valid signature implies the signer deliberately signed the associated document – Non-Repudiation: the signer cannot deny having signed a document which has a valid signature – Data Integrity: to ensure the contents of the document have not been modified – Unique: the signature of the document cannot be used with another document – Unforgeable: only the signer can give a valid signature for the associated document • What’s else is required? – How can it be shown to be role or limit authorised? – How easy is it to sign and to verify and be understood?
  • 20. What to Consider in a Solution • A flexible yet easy to implement solution – Provide multiple signing and verification options – Support multiple platforms and languages (Java, .NET) – Provide flexible integration options (API, folders, email) – Handle multiple document types and signature formats to that future needs are covered • Provide effective management so business applications do not need to handle this – Manage all the signing keys and certificates – Manage HSMs and USB tokens and/or soft keys/certs – Manage detailed event and transactional logs to ensure traceability and accountability and reporting – Manage application authorisation for all actions – Provide security with separation from O/S admin staff
  • 21. A Typical Business Solution Architecture
  • 22. What security services are needed? Sign Verify PDF Documents - Basic signature (visible / invisible) ? ? - Certify Sign ? ? - PAdES basic, timestamp & Long-term signatures ? ? XML Documents - XML DSig (XAdES ES) ? ? - Timestamps (XAdES ES-T) ? ? - Long-term signatures (XAdES X, X-Long) ? ? - Explicit Policy and Archive (-EPES, ES–A) ? ? PKCS#7 / CMS / SMIME - Basic signature (CAdES ES) ? ? - Timestamps (CAdES ES-T) - Long-term signatures (CAdES X, X-Long) ? ? ? ? - Explicit Policy and Archive (-EPES, ES–A) ? ? Historic Verification OCSP Validation (immediate verify & long term sign) - ? Time Stamp Authority (TSA) Server ? ? ? ? You only need license and use what is needed today
  • 23. What integration options are available Sign Verify Web Services - via OASIS DSS XML/SOAP messaging ? ? - via a provided high level .NET API ? ? - via a provided high level Java API ? ? Using a Browser Applet - For PDF, XML, PKCS#7, CMS signing ? ? - Optional PDF Viewer/ Signer/ Verifier ? ? - Local file & Central file hash & sign ? ? Using an intelligent watched folder client - For fast processing of one or more watched folders ? ? Using a gateway for confidentiality - to extract signatures from documents - ? Using a secure email server - to handle emails and/or attachments ? ? Using a workflow sign-off solution - within a SaaS collaboration environment ? ?
  • 24. Where should data security be applied • Protecting information output – signing and timestamping, notarising and archiving services for e- invoicing, statements, acceptances, reports etc • Protecting inbound information – notarising/timestamping and archiving services for any received information for larger organisations • Protecting internal document workflows – signing/approving documents or data to confirm a chain of approval (Server or Client held documents) • Confirming external transactions – Using intelligent web-forms that results in both end-user signing and corporate counter signing – Allowing client documents and files to be signed + uploaded
  • 25. PDF Options Explored • PDF provides a strong format for e-business – World-wide use - since 1993 – A de facto standard for web documents, – A royalty-free specification - anyone can build PDF solutions – Freely available Reader software for anyone to use – A variety of other desktop, Java applet and server products • Now standardised – As ISO standard 32000-1:2008 – As PDF/A ISO 19005-1:2005 • Platform independent – displays documents in consistent way regardless of software, operating system or hardware specifications • Good security features – including digital signatures, rights management and encryption
  • 26. PDF Digital Signatures • A good range of security options for multiple uses – Visible and invisible signatures – Multiple signatures – Certify signatures, for controlling further edits to the document (e.g. one-way publishing and form content) – Supports long-term signatures with embedded timestamps and signer revocation information – Supports the latest algorithms SHA-2, RSA & DSA • Free Reader shows the document trust status – Signature verification including certificate validation – Long-term signature verification • PDF attachments are supported – So other file types such as Word, Excel, Visio, etc. can be attached and also protected by the digital signature(s)
  • 27. Signature Appearances Labels can be All aspects of the signature appearance are translated to customisable: other languages - Text item: colour, font type and size and (Unicode) location - graphic images: position, size and order Engineering/Architectural drawings have particular requirements for signature appearances
  • 28. Invisible Signatures Invisible signatures leave the original document unchanged. The signature details are visible only from the signature panel. Useful for some business documents but note printed document will not have any indication that it has been signed.
  • 29. Certifying Signatures Certifying signatures allow you to control further changes to the document Shown in Reader with blue ribbon
  • 30. Signer Certificate Expiry • Documents signed today may need to be verified in two weeks, two months, two years or two decades • “Houston we have a problem” – certificates have a finite lifetime • After a signer’s certificate has expired an existing signature on a document will appear like this: • Long-term signatures are needed
  • 31.
  • 32. Long-term Signatures • Designed to stop certificate expiry or later revocation issues • Long-term signatures prove – When the signature was created (timestamp from a trusted TSA) – The signer’s certificate status at the time of signing • This evidential information is stored inside each signature • Such signatures are referred to as advanced or long-term signatures Validation Authority Time Stamp Authority (TSA) OCSP/CRLs TSP At time of signing the software must: a) obtain the revocation status of her certificate from a Validation Authority b) obtain a timestamp for the document from a Time Stamp Authority c) embed these in a compliant way within the signature
  • 33. Verifying Long-term signatures • First verify the embedded timestamp to determine when the signature was applied (timestamp must be trusted in order to be used) • Then verify whether the signer’s certificate status was valid at time of signing • It doesn’t matter what happened later – this signature was good at the time of signing
  • 34. Server-side Signatures • Server functions – Hashing and signing – Secure management of the keys (optional HSM) • Signer should authorise key use before signing – passwords, biometrics, OTPs, two factor • Where is the document to sign? – May be on the server or may uploading from desktop – Signer should be able to see it before and after signing – Signer should be allowed to save the data locally
  • 35. Conclusions • Long-term signatures are strongly recommended – for any serious business documents or data so that verification can be done offline or without reference to online systems • For historic verification of basic signatures – an online verification service with access to old CRL data is required • Long-term evidence archiving may be needed – for long-lived documents even with a long-term signature! • The document format, signature format and algorithms and key lengths need to be carefully considered • A flexible, well managed security solution is needed that ensures investment protection
  • 36. Summary •Reduced paper storage •Improved retrieval time •Saves paper, printer and toner costs •Improved staff productivity •Improved disaster recovery •Reduce Fraud with PKI •Meet Legislative Requirements
  • 37. Formula for Strong Digital Security sales@securemetric.com www.securemetric.com Questions: Chin Wan Lim H : +6 016 261 8925 O : +6 03 8996 8225 chinwan@securemetric.com