Digital Signatures
Stefanie García Laule
Security Product Management
SAP AG
© SAP AG 2004, SAP TechEd / SCUR104 / 2
Agenda
Technology: Electronic Signatures
Interfaces SAP NetWeaver
Legal Requirements

Up to now: Handwritten Signatures
[Diagram: „Document content“ carrying the handwritten signature "Thomas Smith"; Signature, Verification]
• Document unchanged
• Identity of signer
• Legally binding
• Visibility of document
• Copy / Print

Digitally Signed Documents
[Diagram: Contract; sign (Private Key); verify (Public Key); CA (register, trust)]
• Integrity
• Authenticity
• Validity
• Legally binding

Certificates = Digital Identity
Certificate contains:
• Name of the subject
• Name of the issuer
• Validity interval
• Public key
CA (certification authority, Trust Center Service) issues the certificate
Public key and private key (secret!) correspond 1-1
Can be in software (e.g. PSE Management) or in hardware (e.g. SmartCard)

The Signing Process I
[Diagram: Document → Cryptographic Hash-Algorithm → Cryptographic Checksum (010110..)]
Sample document shown in the diagrams:
Pos.  Material
10    80000311  1100.0
20    80000620  100.2
30    80000636  110.3
40    80000639  50.0
50    80000711  10

The Signing Process II
[Diagram: Document → Cryptographic Hash-Algorithm → Cryptographic Checksum → Public Key Algorithm (with Private Key of Signer) → Signature Value (010110..); Signed Document = Document + Signature Value]

The Verification Process I
[Diagram: Signed Document → Document → Cryptographic Hash-Algorithm → Cryptographic Checksum (010110..)]

The Verification Process II
[Diagram: Signed Document → Document → Cryptographic Hash-Algorithm → Cryptographic Checksum (010110..); Signed Document → signature value → Public Key Algorithm (with Public Key of Signer) → Cryptographic Checksum (010110..)]

The Verification Process III
[Diagram: the checksum computed from the Document with the Cryptographic Hash-Algorithm and the checksum obtained from the signature value with the Public Key Algorithm (Public Key of Signer) are compared (= ?). No: Wrong. Yes: Signature of CA OK? Certificate not revoked? No: Wrong. Yes: OK.]

Technical Calculation of Digital Signatures
[Diagram, signing: Document → Cryptographic Hash Algorithm → Cryptographic Check Sum → Public Key Algorithm (with Private key of the signer) → signature value (010110..) → signed document]
[Diagram, verification: signed document → Document → Cryptographic Hash Algorithm → Cryptographic Check Sum; signature value → Public Key Algorithm (with Public Key of the signer) → Cryptographic Check Sum; compare (= ?). No: Incorrect. Yes: Signature of CA OK? Certificate not revoked? No: Incorrect. Yes: OK.]
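
The signing and verification flow of the preceding slides, as an added Go example (not SAP code and not the SSF API). It assumes RSA PKCS#1 v1.5 with SHA-256 as the "Public Key Algorithm", an in-memory demo CA, and a `revoked` map standing in for a CRL lookup; all names are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verification outcomes, in the order the slides check them.
var (
	ErrWrong     = errors.New("wrong: checksums differ (document or signature altered)")
	ErrUntrusted = errors.New("certificate not signed by the trusted CA, or not valid now")
	ErrRevoked   = errors.New("certificate revoked")
)

// SignedDocument is what the recipient gets: document, signature value, signer certificate.
type SignedDocument struct {
	Document  []byte
	Signature []byte
	Cert      *x509.Certificate
}

// newCert creates an RSA key pair plus certificate. parent == nil yields a
// self-signed demo CA; otherwise the certificate is issued by that CA.
func newCert(name string, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), // validity interval
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return key, cert
}

// Sign hashes the document and applies the signer's private key to the checksum.
func Sign(doc []byte, key *rsa.PrivateKey, cert *x509.Certificate) SignedDocument {
	sum := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		panic(err)
	}
	return SignedDocument{Document: doc, Signature: sig, Cert: cert}
}

// Verify recomputes the checksum, compares it with the one recovered from the
// signature via the signer's public key, then checks the CA signature, the
// validity interval and revocation. revoked is a stand-in for a CRL lookup.
func Verify(sd SignedDocument, ca *x509.Certificate, revoked map[string]bool, now time.Time) error {
	pub, ok := sd.Cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return ErrUntrusted
	}
	sum := sha256.Sum256(sd.Document)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sd.Signature) != nil {
		return ErrWrong
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sd.Cert.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrusted, err)
	}
	if revoked[sd.Cert.SerialNumber.String()] {
		return ErrRevoked
	}
	return nil
}

func main() {
	caKey, ca := newCert("Example Trust Center CA", 1, nil, nil) // constructed names
	key, cert := newCert("Thomas Smith", 2, ca, caKey)
	// Constructed document, using line items shown on the slides.
	sd := Sign([]byte("10 80000311 1100.0\n20 80000620 100.2\n"), key, cert)
	fmt.Println("untouched:", Verify(sd, ca, nil, time.Now()))
	tampered := sd
	tampered.Document = []byte("10 80000311 9900.0\n20 80000620 100.2\n")
	fmt.Println("tampered: ", Verify(tampered, ca, nil, time.Now()))
	fmt.Println("revoked:  ", Verify(sd, ca, map[string]bool{"2": true}, time.Now()))
}
```

A matching checksum alone only shows that the document fits the key in the certificate; the CA and revocation checks are what tie that key to the named signer.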
Advantages of Digital Signatures
Authenticity
Integrity
Validity
Legally Binding
Secure Store & Forward (SSF) Interface
[Diagram: SAP Applications → SAP NetWeaver (ABAP, Java) → SSF → SSF Partner Product, SAPSECULIB, IAIK Toolkit]

Secure Store & Forward (SSF) Interface
ABAP applications with Electronic Signatures use the SSF-API:
• Signing in SAP GUI for Windows Frontend (Software Partner Program SPP), without signature control
• Signature control: BSP (6.20) or WinGUI (7.0)
• Application server signs (SAPSECULIB)

Secure Store & Forward (SSF) Interface
Application server signs with Electronic Signatures (ABAP, Java)
SAPSECULIB supports:
- digital signatures without cryptographic hardware (Smartcards, Cryptoboards)
IAIK Toolkit supports:
- Electronic Signatures without cryptographic hardware

Secure Store & Forward (SSF) Interface
Supported Signature Formats (valid for Web Application Server 6.30):
ABAP: PKCS#7 (SSF Partner product)
• SSF Partner Certification
• Support of Cryptographic Hardware
Java: PKCS#7 (SAP Java Cryptographic Toolkit), S/MIME (IAIK S/MIME), XML (SAP XML Toolkit)
• No Partner Certification
• No support of Cryptographic Hardware

SSF ABAP Functions
SSF_SIGN              create digital signature(s)
SSF_VERIFY            verify digital signature(s)
SSF_ENVELOPE          encrypt for recipient(s)
SSF_DEVELOPE          decrypt for recipient
SSF_ADDSIGN           add a digital signature
…
SSFS_CALL_CONTROL     starts the signature control
SSFS_GET_SIGNATURE    gets the signature value from the control
…
SSF_KRN_…             done directly by the AS
Signature in Web Browser: Signature control

System Signatures
[Diagram labels: Company A, Company B; SAP System; ADS (Adobe Document Server); PDF Document; Create electronic signature; Check electronic signature; Archiving; transport via HTTP, HTTPS, S/MIME, FTP]
• Automation of processes requiring approval and/or handwritten signatures, such as invoices
• Cost reduction through the elimination of manual tasks and process steps

User Signatures
[Diagram labels: User Frontend, Company; PDF Document; Acrobat Reader; SAP System; ADS (Adobe Document Server); Create electronic signature; Check electronic signature; Archiving; transport via HTTP, HTTPS, S/MIME, FTP]
• Standardized format
• Legally binding

Applications with Electronic Signatures
SAP NetWeaver
Public Sector
SAP Content Server
ERP MM-FI
Healthcare
PLM ECH
ERP FI
ERP FI/IHC
ERP SD/CRM
EBP
CRM
PLM DMS
PLM PP-PI
PLM QM
HCM Belgium
Legal Requirements
Electronic Signature Acts all over the world
German Electronic Signature Act
Japan Electronic Commerce Promotion Council
EU Directive 1999/93/EC
US E-Sign Act
Singapore Digital Signature Law and Regulations
Malaysian Digital Signature Law
Argentina Digital Signature Law
Canada Uniform Electronic Commerce Act

Legal Requirements
Let's have a look at:
FDA: 21 CFR Part 11
US: E-Sign Act
EU: Directive 1999/93/EC
Germany: Signature Act and Ordinance

FDA: 21 CFR Part 11
In 1997 the United States Food and Drug Administration (FDA)
issued a regulation 21 CFR Part 11 (Code of Federal Regulations
Electronic Records) entitled "Electronic Records and Electronic
Signatures":
The regulations provide guidance for the use of electronic records
and electronic signatures in the biotechnology, pharmaceutical,
medical devices, radiological health, food, cosmetics and veterinary
medicine fields.
FDA: 21 CFR Part 11
Definitions:
Electronic Signature
means a computer data compilation of any symbol or series of
symbols executed, adopted, or authorized by an individual to be the
legally binding equivalent to the individual's handwritten signature.
Digital Signature
means an electronic signature based upon cryptographic methods
of originator authentication, computed by using a set of rules and a
set of parameters such that the identity of the signer and the
integrity of the data can be verified.

FDA: 21 CFR Part 11
General implementation of Electronic Signatures:
• System Signature with authorization by user ID and password
• First shipment with SAP R/3 Release 4.6C
• Usage of PKCS#7 standard, encryption executed by 128 bit
• No external security product is necessary
When logging on to the system, users identify themselves by entering their
user IDs and passwords. The SAP system then executes the digital
signature. The user name and ID are part of the signed document. Public
key infrastructure can be administered by the customers themselves,
which is sufficient according to Part 11 for Digital Signatures.

FDA: mySAP ERP Business Processes
The following components support Electronic Signatures:
• PP-PI: Process step completion within process instructions sheet
  and acceptance of process values outside predefined tolerance limits
• ECM: Status change of Engineering Change Order and Object
  Management Records
• EBR: Electronic batch record approval
• QM: Inspection lot, Usage decision, Physical Sample Drawing
• DMS: Document Management Status create/change
• cProjects: document approval, project activities status change
  approval, …
For multiple signatures, mySAP ERP provides Signature
Strategies that define allowed signatures and the sequence in
which they must be executed.

US: E-Sign Act
• Most of the laws, beginning with the Utah Digital Signature Act of 1995,
  focused on a narrow set of Digital Signature technologies based on PKI.
• California realized that focusing on specific technologies in law was pointless
  because technology advances so quickly, and chose a minimalist and
  technology-neutral approach, which became the foundation of the US E-Sign Act.
• To keep the American states from having conflicting laws, the
  National Conference of Commissioners on Uniform State Laws
  developed the Uniform Electronic Transactions Act (UETA), while the
  European Union proposed its Directive on a Common Framework for
  Electronic Signatures for the European Union.
• In the United States, all of these incompatible state laws were
  superseded by the Electronic Signatures in Global and National
  Commerce Act (US E-Sign Act), which was signed into law in 2000. It is
  technology neutral, provided certain disclosures are made and the
  basic requirements of Electronic Signatures are followed.

US: E-Sign Act
"The term 'Electronic Signature' means an electronic sound, symbol,
or process, attached to or logically associated with a contract or
other record and executed or adopted by a person with the intent to
sign the record."
However, for such an electronic "symbol" to be legally binding, it is
important that the symbol provide authentication of the party who
created it, ensure that what was signed cannot be altered, ensure
that the party understood that by creating the symbol the party was
willingly signing, and that the party is able to keep an original of the
data and his electronic signature for his own records.
US: E-Sign Act
Can anything be signed electronically?
Not everything, but most common documents can be. The E-SIGN
Act specifically forbids a narrow range of documents that may not
be signed electronically. The exceptions primarily relate to wills,
testamentary trusts, adoption, divorce, court orders, termination of
utilities, repossession, foreclosure, eviction, cancellation of life
insurance, product recalls and documents related to the
transportation of hazardous materials.

US: E-Sign Act
Key features of legal electronic signatures include:
• Knowing who the parties are when they sign;
• Having those parties agree to use electronic signatures and
  show they are technically capable of signing electronically;
• Ensuring each party who signs receives a copy of the
  electronically signed documents (including the ability to
  re-verify those signatures electronically); and
• Ensuring that a forged or tampered electronic document can be
  detected.
EU Directive 1999/93/EC
Directive 1999/93/EC of the European Parliament and of the Council
of 13 December 1999 on a Community framework for Electronic
Signatures for the European Union
Article 5: Legal effects of Electronic Signatures
Member States shall ensure that advanced electronic signatures
which are based on a qualified certificate and which are created by
a secure-signature-creation device:
a) satisfy the legal requirements of a signature in relation to data in
electronic form in the same manner as a hand-written signature
satisfies those requirements in relation to paper-based data; and
b) are admissible as evidence in legal proceedings
Handwritten Signature = Electronic Signature
EU Directive 1999/93/EC
Electronic signatures
Advanced electronic signatures
Qualified signatures
“Qualified signature”:
advanced electronic signature
+ qualified certificate (Annex I + II)
+ secure signature creation device (Annex III)

Germany: Multilevel Law
Implementation of EU Directive 1999/93/EC in Germany:
• Signature Act (Signaturgesetz, SigG), 22nd May 2001, provides the general framework:
  - defines a digital signature
  - defines the role of a CA
  - defines certificates and outlines how they are handled
• Signature Ordinance (Signaturverordnung, SigV), 24th October 2001:
  - sets out operational details and responsibilities of a CA

Germany: Electronic Signature Act
1. Electronic Signature
shall be data in electronic form that are attached to other electronic
data or logically linked to them and used for authentication;
2. Advanced Electronic Signature
shall be electronic signatures as in 1. above that
a) are exclusively assigned to the owner of the signature code,
b) enable the owner of the signature code to be identified,
c) are produced with means which the owner of the signature code
can keep under his sole control and
d) are so linked to the data to which they refer that any subsequent
alteration of such data may be detected;
Germany: Electronic Signature Act
3. Qualified Electronic Signature
shall be electronic signatures as in 2. above that
a) are based on a qualified certificate valid at the time of their
creation and
b) have been produced with a secure signature-creation device;
Copyright 2004 SAP AG. All Rights Reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
permission of SAP AG. The information contained herein may be changed without prior notice.

Contenu connexe

Similaire à Digital%20 signatures%20overview

Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Securityguest2a5a03
 
ObserveIT Remote Access Monitoring Software - Corporate Presentation
ObserveIT Remote Access Monitoring Software - Corporate PresentationObserveIT Remote Access Monitoring Software - Corporate Presentation
ObserveIT Remote Access Monitoring Software - Corporate PresentationObserveIT
 
Ascertia Adss Server Signing & Verifying
Ascertia Adss Server Signing & VerifyingAscertia Adss Server Signing & Verifying
Ascertia Adss Server Signing & Verifyingandrei_gosman
 
Digital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFDigital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFiText Group nv
 
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]akquinet enterprise solutions GmbH
 
How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?mirmaisam
 
UCA - Skype for Business User Adoption reporting and monitoring
UCA - Skype for Business User Adoption reporting and monitoringUCA - Skype for Business User Adoption reporting and monitoring
UCA - Skype for Business User Adoption reporting and monitoringCode Software
 
CIP for PCI 4.0 Solution Guide for ArcSight Logger
CIP for PCI 4.0 Solution Guide for ArcSight LoggerCIP for PCI 4.0 Solution Guide for ArcSight Logger
CIP for PCI 4.0 Solution Guide for ArcSight Loggerprotect724rkeer
 
Ascertia Adss Server Capabilities
Ascertia Adss Server CapabilitiesAscertia Adss Server Capabilities
Ascertia Adss Server Capabilitiesandrei_gosman
 
Sip Termination Provider- Auto Dialer- Dialer Termination- Dialer Termination
Sip Termination Provider- Auto Dialer- Dialer Termination- Dialer TerminationSip Termination Provider- Auto Dialer- Dialer Termination- Dialer Termination
Sip Termination Provider- Auto Dialer- Dialer Termination- Dialer TerminationIQ Telecom
 
Create B2B Exchanges with Cisco Connected Processes: an overview
Create B2B Exchanges with Cisco Connected Processes: an overviewCreate B2B Exchanges with Cisco Connected Processes: an overview
Create B2B Exchanges with Cisco Connected Processes: an overviewCisco DevNet
 
Delivering New Visibility and Analytics for IT Operations
Delivering New Visibility and Analytics for IT OperationsDelivering New Visibility and Analytics for IT Operations
Delivering New Visibility and Analytics for IT OperationsGabrielle Knowles
 
SplunkLive Auckland - Operational Intelligence
SplunkLive Auckland - Operational IntelligenceSplunkLive Auckland - Operational Intelligence
SplunkLive Auckland - Operational IntelligenceSplunk
 
SplunkLive Wellington 2015 - Operational Intelligence
SplunkLive Wellington 2015 - Operational IntelligenceSplunkLive Wellington 2015 - Operational Intelligence
SplunkLive Wellington 2015 - Operational IntelligenceSplunk
 
1.31.17 Asignet Technology FAQ & Vendor Assurance Summary
1.31.17 Asignet Technology FAQ & Vendor Assurance Summary1.31.17 Asignet Technology FAQ & Vendor Assurance Summary
1.31.17 Asignet Technology FAQ & Vendor Assurance SummaryJason Koenigsberg,MBA
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowCisco DevNet
 

Similaire à Digital%20 signatures%20overview (20)

Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Security
 
ObserveIT Remote Access Monitoring Software - Corporate Presentation
ObserveIT Remote Access Monitoring Software - Corporate PresentationObserveIT Remote Access Monitoring Software - Corporate Presentation
ObserveIT Remote Access Monitoring Software - Corporate Presentation
 
Ascertia Adss Server Signing & Verifying
Ascertia Adss Server Signing & VerifyingAscertia Adss Server Signing & Verifying
Ascertia Adss Server Signing & Verifying
 
eMCA Suite
eMCA SuiteeMCA Suite
eMCA Suite
 
Digital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFDigital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDF
 
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]
 
How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?
 
UCA - Skype for Business User Adoption reporting and monitoring
UCA - Skype for Business User Adoption reporting and monitoringUCA - Skype for Business User Adoption reporting and monitoring
UCA - Skype for Business User Adoption reporting and monitoring
 
CIP for PCI 4.0 Solution Guide for ArcSight Logger
CIP for PCI 4.0 Solution Guide for ArcSight LoggerCIP for PCI 4.0 Solution Guide for ArcSight Logger
CIP for PCI 4.0 Solution Guide for ArcSight Logger
 
Ascertia Adss Server Capabilities
Ascertia Adss Server CapabilitiesAscertia Adss Server Capabilities
Ascertia Adss Server Capabilities
 
Sip Termination Provider- Auto Dialer- Dialer Termination- Dialer Termination
Sip Termination Provider- Auto Dialer- Dialer Termination- Dialer TerminationSip Termination Provider- Auto Dialer- Dialer Termination- Dialer Termination
Sip Termination Provider- Auto Dialer- Dialer Termination- Dialer Termination
 
SIP Beyond Telecom
SIP Beyond TelecomSIP Beyond Telecom
SIP Beyond Telecom
 
Create B2B Exchanges with Cisco Connected Processes: an overview
Create B2B Exchanges with Cisco Connected Processes: an overviewCreate B2B Exchanges with Cisco Connected Processes: an overview
Create B2B Exchanges with Cisco Connected Processes: an overview
 
Delivering New Visibility and Analytics for IT Operations
Delivering New Visibility and Analytics for IT OperationsDelivering New Visibility and Analytics for IT Operations
Delivering New Visibility and Analytics for IT Operations
 
SplunkLive Auckland - Operational Intelligence
SplunkLive Auckland - Operational IntelligenceSplunkLive Auckland - Operational Intelligence
SplunkLive Auckland - Operational Intelligence
 
SplunkLive Wellington 2015 - Operational Intelligence
SplunkLive Wellington 2015 - Operational IntelligenceSplunkLive Wellington 2015 - Operational Intelligence
SplunkLive Wellington 2015 - Operational Intelligence
 
1.31.17 Asignet Technology FAQ & Vendor Assurance Summary
1.31.17 Asignet Technology FAQ & Vendor Assurance Summary1.31.17 Asignet Technology FAQ & Vendor Assurance Summary
1.31.17 Asignet Technology FAQ & Vendor Assurance Summary
 
Salesforce platform session 2
 Salesforce platform session 2 Salesforce platform session 2
Salesforce platform session 2
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible Netflow
 
What's new in Performance Vision version 2.18
What's new in Performance Vision version 2.18What's new in Performance Vision version 2.18
What's new in Performance Vision version 2.18
 

Dernier

Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 

Dernier (20)

Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...

Digital signatures overview

  • 2. © SAP AG 2004, SAP TechEd / SCUR104 / 2. Agenda: Technology: Electronic Signatures; Interfaces SAP NetWeaver; Legal Requirements
  • 3. Agenda: Technology: Electronic Signatures; Interfaces SAP NetWeaver; Legal Requirements
  • 4. Up to now: Handwritten Signatures. [Diagram labels: "Document content"; Verification; Signature; Thomas Smith] Document unchanged; Identity of signer; Legally binding; Visibility of document; Copy / Print
  • 5. Digitally Signed Documents. [Diagram labels: Contract; sign; verify; Private Key; Public Key; CA (register); trust] Integrity; Authenticity; Validity; Legally binding
  • 6. Certificates = Digital Identity. Certificate contains: Name of the subject; Name of the issuer; Validity interval; Public key. [Diagram labels: CA (certification authority); Trust Center Service; issues; Private key (secret!); 1-1] Can be in software (e.g. PSE Management) or in hardware (e.g. SmartCard)
  • 7. The Signing Process I. [Diagram labels: Document (sample table with columns Pos. and Material); Cryptographic Hash-Algorithm; Cryptographic Checksum 010110..]
  • 8. The Signing Process II. [Diagram labels: Document; Cryptographic Hash-Algorithm; Cryptographic Checksum; Private Key of Signer; Public Key Algorithm; Signature Value 010110..; Signed Document]
  • 9. The Verification Process I. [Diagram labels: Signed Document; Document; Cryptographic Hash-Algorithm; Cryptographic Checksum 010110..]
  • 10. The Verification Process II. [Diagram labels: Signed Document; Public Key of Signer; Public Key Algorithm; Cryptographic Hash-Algorithm; Cryptographic Checksum; 010110.. and 010110..]
  • 11. The Verification Process III. [Diagram labels: Signed Document; Public Key of Signer; Public Key Algorithm; Cryptographic Hash-Algorithm; Cryptographic Checksum; 010110.. = ? 010110..; Signature of CA OK?; Certificate not revoked?; branches Yes / No; results OK / Wrong]
  • 12. Technical Calculation of Digital Signatures. [Diagram labels, signing: Document; Cryptographic Hash Algorithm; Cryptographic Check Sum; Private key of the signer; Public Key Algorithm; signature value; signed document. Verification: signed document; Public Key of the signer; Public Key Algorithm; Cryptographic Hash Algorithm; Cryptographic Check Sum; 010110.. = ? 010110..; Signature of CA OK?; Certificate not revoked?; branches Yes / No; results OK / Incorrect]
  • 13. Advantages of Digital Signatures: Authenticity; Integrity; Validity; Legally Binding
  • 14. Agenda: Technology: Electronic Signatures; Interfaces SAP NetWeaver; Legal Requirements
  • 15. Secure Store & Forward (SSF) Interface. [Diagram labels: SAP Application (three times); SAP NetWeaver; SSF; ABAP; JAVA; SSF Partner Product; SAPSECULIB; IAIK Toolkit]
  • 16. Secure Store & Forward (SSF) Interface. [Diagram labels: SSF-API; ABAP (three times); Applications with Electronic Signatures; Signing in SAP GUI for Windows Frontend (Software Partner Program SPP) without signature control; Signature control: BSP (6.20) or WinGUI (7.0); Application server signs (SAPSECULIB)]
  • 17. Secure Store & Forward (SSF) Interface. [Diagram labels: ABAP (three times); Java (three times)] SAPSECULIB supports: digital signatures without cryptographic hardware (Smartcards, Cryptoboards). IAIK Toolkit supports: Electronic Signatures without cryptographic hardware. Application server signs with Electronic Signatures
  • 18. Secure Store & Forward (SSF) Interface. Supported Signature Formats: ABAP PKCS#7 PKCS#7 S/MIME XML SAP Java Cryptographic Toolkit IAIK S/MIME SAP XML Toolkit SSF Partner product. Valid for Web Application Server 6.30 Java. No Partner Certification; No support of Cryptographic Hardware; SSF Partner Certification; Support of Cryptographic Hardware
  • 19. SSF ABAP Functions: SSF_SIGN: create digital signature(s); SSF_VERIFY: verify digital signature(s); SSF_ENVELOPE: encrypt for recipient(s); SSF_DEVELOPE: decrypt for recipient; SSF_ADDSIGN: add a digital signature; …; SSFS_CALL_CONTROL: starts the signature control; SSFS_GET_SIGNATURE: gets the signature value from the control; …; SSF_KRN_…: done directly by the AS
  • 20. Signature in Web Browser: Signature control
  • 21. System Signatures. [Diagram labels: Company A; Company B; SAP System; PDF Document; ADS Adobe Document Server; Create electronic signature; Check electronic signature; Archiving; HTTP, HTTPS, S/MIME, FTP] Automation of processes requiring approval and/or handwritten signatures, such as invoices. Cost reduction through the elimination of manual tasks and process steps
  • 22. User Signatures. [Diagram labels: User Frontend; Company; Acrobat Reader; PDF Document; SAP System; ADS Adobe Document Server; Create electronic signature; Check electronic signature; Archiving; HTTP, HTTPS, S/MIME, FTP] Standardized format; Legally binding
  • 23. Applications with Electronic Signatures. [Diagram labels: SAP NetWeaver; Public Sector; SAP Content Server; ERP MM-FI; Healthcare; PLM ECH; ERP FI; ERP FI/IHC; ERP SD/CRM; EBP; CRM; PLM DMS; PLM PP-PI; PLM QM; HCM Belgium]
  • 24. Agenda: Technology: Electronic Signatures; Interfaces SAP NetWeaver; Legal Requirements
  • 25. Legal Requirements: Electronic Signature Acts all over the world: German Electronic Signature Act; Japan Electronic Commerce Promotion Council; EU Directive 1999/93/EC; US E-Sign Act; Singapore Digital Signature Law and Regulations; Malaysian Digital Signature Law; Argentina Digital Signature Law; Canada Uniform Electronic Commerce Act
  • 26. Legal Requirements. Let's have a look at: FDA: 21 CFR Part 11; US: E-Sign Act; EU: Directive 1999/93/EC; Germany: Signature Act and Ordinance
  • 27. FDA: 21 CFR Part 11. In 1997 the United States Food and Drug Administration (FDA) issued a regulation 21 CFR Part 11 (Code of Federal Regulations Electronic Records) entitled 'Electronic Records and Electronic Signatures': The regulations provide guidance for the use of electronic records and electronic signatures in the biotechnology, pharmaceutical, medical devices, radiological health, food, cosmetics and veterinary medicine fields.
  • 28. FDA: 21 CFR Part 11. Definitions: Electronic Signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent to the individual's handwritten signature. Digital Signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
  • 29. FDA: 21 CFR Part 11. General implementation of Electronic Signatures: System Signature with authorization by userID and password; First shipment with SAP R/3 Release 4.6C; Usage of PKCS#7 standard, encryption executed by 128 bit; No external security product is necessary. When logging on to the system, users identify themselves by entering their user IDs and passwords. The SAP system then executes the digital signature. The user name and ID are part of the signed document. Public key infrastructure can be administered by the customers themselves, which is sufficient according to Part 11 for Digital Signatures.
  • 30. FDA: mySAP ERP Business Processes. The following components support Electronic Signatures: PP-PI: Process step completion within process instructions sheet and acceptance of process values outside predefined tolerance limits; ECM: Status change of Engineering Change Order and Object Management Records; EBR: Electronic batch record approval; QM: Inspection lot, Usage decision, Physical Sample Drawing; DMS: Document Management Status create/change; cProjects: document approval, project activities status change approval, … For multiple signatures, mySAP ERP provides Signature Strategies that define allowed signatures and the sequence in which they must be executed
  • 31. US: E-Sign Act. Most of the laws began with the Utah Digital Signature Act of 1995 and focused on a narrow set of Digital Signature technologies based on PKI. California realized that focusing on specific technologies in law was pointless because technology advances so quickly, and chose a minimalist and technology-neutral approach, which became the foundation of the US E-Sign Act. In order to keep the American states from having conflicting laws, the National Conference of Commissioners on Uniform State Laws developed the Uniform Electronic Transactions Act (UETA), while the European Union proposed its Directive on a Common Framework for Electronic Signatures for the European Union. In the United States, all of these incompatible state laws were superseded by the Electronic Signatures in Global and National Commerce Act (US E-Sign Act), which was signed into law in 2000. It is technology neutral, provided certain disclosures are provided and the basic requirements of Electronic Signatures are followed.
  • 32. US: E-Sign Act. "The term 'Electronic Signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." However, for such an electronic "symbol" to be legally binding, it is important that the symbol provide authentication of the party who created it, ensure that what was signed cannot be altered, ensure that the party understood that by creating the symbol the party was willingly signing, and that the party is able to keep an original of the data and his electronic signature for his own records.
  • 33. US: E-Sign Act. Can anything be signed electronically? Not everything, but most common documents can be. The E-SIGN Act specifically forbids a narrow range of documents that may not be signed electronically. The exceptions primarily relate to wills, testamentary trusts, adoption, divorce, court orders, termination of utilities, repossession, foreclosure, eviction, cancellation of life insurance, product recalls and documents related to the transportation of hazardous materials.
  • 34. US: E-Sign Act. Key features of legal electronic signatures include: Knowing who the parties are when they sign; Having those parties agree to use electronic signatures and show they are technically capable of signing electronically; Ensuring each party who signs receives a copy of the electronically signed documents (including the ability to re-verify those signatures electronically); and Ensuring that a forged or tampered electronic document can be detected.
  • 35. EU Directive 1999/93/EC. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for Electronic Signatures for the European Union. Article 5: Legal effects of Electronic Signatures. Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device: a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data; and b) are admissible as evidence in legal proceedings. Handwritten Signature = Electronic Signature
  • 36. EU Directive 1999/93/EC. [Diagram labels: Electronic signatures; Advanced electronic signatures; Qualified signatures] "Qualified signature": advanced electronic signature + qualified certificate (Annex I + II) + secure signature creation device (Annex III)
  • 37. Germany: Multilevel Law. Implementation of EU Directive 1999/93/EC in Germany: Signature Act (Signaturgesetz SigG), 22nd May 2001: provides general framework; defines a digital signature; defines the role of a CA; defines certificates and outlines how they are handled. Signature Ordinance (Signaturverordnung SigV), 24th October 2001: sets out operational details and responsibilities of a CA
  • 38. Germany: Electronic Signature Act. 1. Electronic Signature shall be data in electronic form that are attached to other electronic data or logically linked to them and used for authentication; 2. Advanced Electronic Signature shall be electronic signatures as in 1. above that a) are exclusively assigned to the owner of the signature code, b) enable the owner of the signature code to be identified, c) are produced with means which the owner of the signature code can keep under his sole control, and d) are so linked to the data to which they refer that any subsequent alteration of such data may be detected;
  • 39. Germany: Electronic Signature Act. 3. Qualified Electronic Signature shall be electronic signatures as in 2. above that a) are based on a qualified certificate valid at the time of their creation and b) have been produced with a secure signature-creation device;
  • 40. Copyright 2004 SAP AG. All Rights Reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
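The signing and verification flow of slides 7 to 12, with the certificate fields of slide 6, as an added Python example that is not part of the SAP deck and does not use the SSF interface. It assumes textbook RSA over small fixed primes with no padding (a toy for illustration, not a usable signature scheme), a hypothetical `serial` field and revocation set, and a constructed issuer name and sample document.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

E = 65537  # public exponent used by both toy keys

def toy_keypair(p, q):
    """Textbook RSA key from two known primes; returns (modulus n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def checksum(data, n):
    """Cryptographic checksum: SHA-256, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    """Signing: hash the document, then apply the private key to the checksum."""
    return pow(checksum(data, n), d, n)

def matches(data, signature, n):
    """The '= ?' step: recompute the checksum and compare it with the value
    recovered from the signature using the public key."""
    return pow(signature, E, n) == checksum(data, n)

@dataclass
class Certificate:
    subject: str
    issuer: str
    not_before: date
    not_after: date
    public_key: int        # modulus n of the subject's key
    serial: int            # assumption: identifier used for the revocation lookup
    ca_signature: int = 0

    def signed_fields(self):
        return "|".join(map(str, (self.subject, self.issuer, self.not_before,
                                  self.not_after, self.public_key, self.serial))).encode()

def verify_signed_document(doc, signature, cert, ca_n, revoked, today):
    """Checksum comparison, then CA signature, validity interval and revocation."""
    if not matches(doc, signature, cert.public_key):
        return "Wrong: checksum mismatch"
    if not matches(cert.signed_fields(), cert.ca_signature, ca_n):
        return "Wrong: signature of CA not OK"
    if not cert.not_before <= today <= cert.not_after:
        return "Wrong: outside validity interval"
    if cert.serial in revoked:
        return "Wrong: certificate revoked"
    return "OK"

# Constructed sample data (Mersenne primes keep the toy keys reproducible).
CA_N, CA_D = toy_keypair(2**127 - 1, 2**107 - 1)
SIGNER_N, SIGNER_D = toy_keypair(2**89 - 1, 2**61 - 1)
DOC = b"Pos. Material\n10 80000311 1100.0\n20 80000620 100.2\n"
CERT = Certificate("Thomas Smith", "Example Trust Center",
                   date(2004, 1, 1), date(2005, 12, 31), SIGNER_N, 1001)
CERT.ca_signature = sign(CERT.signed_fields(), CA_N, CA_D)
SIG = sign(DOC, SIGNER_N, SIGNER_D)

if __name__ == "__main__":
    day = date(2004, 10, 1)
    print(verify_signed_document(DOC, SIG, CERT, CA_N, set(), day))
    print(verify_signed_document(DOC + b"60 1 1", SIG, CERT, CA_N, set(), day))
    print(verify_signed_document(DOC, SIG, CERT, CA_N, {1001}, day))
```

A valid document signature alone is not enough to return OK: a certificate whose CA signature does not verify, that is outside its validity interval, or that is revoked makes the whole verification fail.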