Proposal of ISO/NP 14533 Part 3 (the profiles for PAdES) from Japan (JISC)
Masashi Sato, SECOM CO.,LTD, Research Engineer, Specialist Intelligent Systems Laboratory
e-mail: masas-sato@secom.co.jp
Copyright (c) 2014 Japan Network Security Association
Topics
・Abstract of ISO 14533
・Introduction of Electronic Signature
・Purpose and Scope of ISO 14533
・Proposal of ISO 14533-3 (the profiles for PAdES): purpose, concept, outline
ISO 14533
ISO 14533 Part 1 and Part 2 were published in Sep 2012.
・ISO 14533-1:2012 Processes, data elements and documents in commerce, industry and administration -- Long term signature profiles -- Part 1: Long term signature profiles for CMS Advanced Electronic Signatures (CAdES). Part 1 is currently being revised (editor: Mr. Peter Rybar).
・ISO 14533-2:2012 Part 2: Long term signature profiles for XML Advanced Electronic Signatures (XAdES).
The purpose of these profiles is to ensure the interoperability of electronic signature implementations and to make electronic signatures verifiable for a long term. These profiles define the requirements of electronic signature formats that enable long term archiving.
What is electronic signature?
Electronic signatures provide the following two functions:
1) Non-repudiation: identification of who signed the contents (documents, e-mails, webpages ...).
・If the signer's secret key is protected and has not been leaked, validating the signature identifies the owner of the key.
2) Integrity checking: detection of whether the contents have been modified or not (to avoid falsification risks).
・Because the hash value that is signed is computed over objects that include the document contents, validating the signature establishes the integrity of the contents.
How electronic signature works
The Certification Authority (CA) issues a certificate that includes the signer's public key.
The signer generates the signature over the document to be signed using their own private key.
The verifier checks the signature using the signer's certificate (public key) and checks that the certificate was issued by the trusted CA.
The signature provides: authenticity of the document, identification of the signer, integrity of the document.
Application of Electronic Signature
An electronic signature is effective for proving the identity of the signer and the integrity of the signed documents. There are many applications: contract, invoice, tax form, application form, notification, etc.
Need for a long term protection
Electronic signatures can be stored for a long term, for example with documents related to long term contracts (insurance, etc.). The storage period can be regulated by law, depending on the type of document. For example, in Japan, books and documents (invoice, receipt, etc.) must be stored for 7 years.
However, there are limits on electronic signatures.
・Once the validity period of a certificate has expired, the signature is judged to be invalid. Generally, the validity period of certificates is a few years.
・If the cryptography used for the electronic signature weakens over the long term after signing, there is a risk that the signed document can be forged.
Therefore, a solution for keeping electronic signatures valid for a long term is required. The solution is Advanced Electronic Signature (ISO 14533)!
Simple Electronic Signature
The Certification Authority (CA) issues a certificate that includes the signer's public key.
The signer generates the signature using their own private key.
Provides: authenticity of document, identification of signer, integrity of document.
Advanced Electronic Signature
The Certification Authority (CA) issues a certificate that includes the signer's public key. The Timestamp Authority (TSA) issues a TimeStampToken (time information signed by the TSA).
Timeline in the figure: immediately after signing; after some period of time; update as needed.
・The signer generates the signature using their own private key.
・The TSA generates the TimeStampToken for the signed document.
・Protecting the signature, the TimeStampToken and the validation data (certificate, revocation list).
Provides: authenticity of document, identification of signer, integrity of document, proof of existence for the signed document, time of signing (trusted time information), protection against weakness of cryptography.
Advanced Electronic Signature and the ISO 14533 profiles
Profiles marked on the figure: ISO 14533 ES-T profile (signature timestamp) and ISO 14533 ES-A profile (archive timestamp).
The Certification Authority (CA) issues a certificate that includes the signer's public key. The Timestamp Authority (TSA) issues a TimeStampToken (time information signed by the TSA).
Timeline in the figure: immediately after signing; after some period of time; update as needed.
・The signer generates the signature using their own private key.
・The TSA generates the TimeStampToken for the signed document.
・Protecting the signature, the TimeStampToken and the validation data (certificate, revocation list).
Provides: authenticity of document, identification of signer, integrity of document, proof of existence for the signed document, time of signing (trusted time information), protection against weakness of cryptography, etc.
Relationship between ES-T and ES-A
The form of ES-A is the extended form of ES-T.
ES-T profile: the requirements of ES-T contain the rules for creating/verifying signature data that stores the signature value and the timestamp for the signature value (called the signature timestamp).
ES-A profile: in addition to the requirements of ES-T, the requirements of ES-A contain the rules for creating/verifying signature data that stores the validation information and timestamps for long term protection.
Formats of Advanced Electronic Signature
ISO 14533-1, the profiles for CAdES (CMS Advanced Electronic Signature)
  Data format: ASN.1 and BER/DER (binary encoding)
  Applicable data: any text data and binary data (image, etc.); however, unsuitable for PDF
  Relevant specifications: ETSI TS 101 733, EN 319 122 (draft)
ISO 14533-2, the profiles for XAdES (XML Advanced Electronic Signature)
  Data format: XML
  Applicable data: any text data and binary data; suitable for XML documents; however, unsuitable for PDF
  Relevant specifications: ETSI TS 101 903, EN 319 123 (draft)
ISO 14533-3 (this proposal), the profiles for PAdES (PDF Advanced Electronic Signature)
  Data format: PDF (and a part of CAdES)
  Applicable data: PDF
  Relevant specifications: ETSI TS 102 778, EN 319 124 (draft), ISO 32000-2 (DIS)
PDF (Portable Document Format) standard
・ISO 32000-1:2008 Document management -- Portable document format -- Part 1: PDF 1.7
・ISO 32000-2 (DIS) Document management -- Portable document format -- Part 2: PDF 2.0
PDF has a big influence on the market for electronic document exchange.
PAdES (PDF Advanced Electronic Signature) - Background (Problem of PDF) -
CAdES and XAdES are unsuitable for PDF documents. Signature data can be embedded in the structure of a PDF, but the size of the signature data needs to be fixed. CAdES/XAdES data becomes larger when it is extended to the format for long term validation. The enlarged signature data overflows the fixed signature area and destroys the structure of the PDF.
Signature dictionary shown in the figure: 20 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached /ByteRange [ 0, 840, 960, 240 ] /Contents < > >> endobj
In the figure, the PDF document runs from %PDF to %%EOF and is 1200 bytes long. The signature data (30820a0506092a864886f70d010702 …) sits in the fixed range between byte 840 and byte 960. The signing target is the two blocks on either side of it (840 bytes and 240 bytes), 1080 bytes in total.
Concept of PAdES
Extended data is located in an update section of the PDF (outside of the signature).
Figure: the PDF grows by increments, each ending in its own %%EOF.
・Original PDF (%PDF-1.7 ... %%EOF), labelled ES1 and SigTS: a /Type/Sig dictionary with /Contents< > and /ByteRange […]. The /Contents holds the signature binary data (PKCS#7 or CAdES), that is signature + timestamp, shown as 3082160006092a8a … followed by zero padding.
・Increment, LTV (Long Term Validation, validation data): the DSS/VRI, holding Certificates, CRLs / OCSPs and VRI.
・Increment, DocTS (DocumentTimestamp): a /Type/DocTimeStamp dictionary with /Contents< > and /ByteRange […]. The /Contents holds the timestamp token, shown as 30820f7306092a86 … followed by zero padding.
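The fixed-size problem and the update-section concept from the two slides above, as an added Python example that is not part of the original slides. The sample PDF bytes, the helper names and the choice of SHA-256 are assumptions made for illustration; the offsets (840, 960, 240) are the ones in the figure.

```python
import hashlib
import re

# The slide writes the array with commas; PDF syntax separates with spaces. Accept both.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)[\s,]+(\d+)[\s,]+(\d+)[\s,]+(\d+)\s*\]")

def build_sample_pdf():
    """Constructed stand-in with the slide's layout: 840 signed bytes, a
    120-byte /Contents placeholder (offsets 840-960), 240 signed bytes."""
    head = b"%PDF-1.7\n20 0 obj << /Type /Sig /ByteRange [0 840 960 240] /Contents "
    contents = b"<" + b"0" * 118 + b">"
    tail = b" >> endobj\n".ljust(234) + b"%%EOF\n"
    return head.ljust(840) + contents + tail

def signed_ranges(pdf):
    m = BYTE_RANGE.search(pdf)  # first signature dictionary only
    if m is None:
        raise ValueError("no /ByteRange found")
    return tuple(int(g) for g in m.groups())

def signed_digest(pdf):
    """Hash exactly the two blocks named by /ByteRange, skipping /Contents."""
    a, la, b, lb = signed_ranges(pdf)
    return hashlib.sha256(pdf[a:a + la] + pdf[b:b + lb]).hexdigest()

def coverage(pdf):
    a, la, b, lb = signed_ranges(pdf)
    return {"signed_bytes": la + lb,
            "placeholder_bytes": b - (a + la),
            "bytes_after_signature": len(pdf) - (b + lb)}

def embed(pdf, signature_hex):
    """Write hex signature data into the placeholder without moving any byte."""
    a, la, b, _ = signed_ranges(pdf)
    room = b - (a + la) - 2  # minus the < and > delimiters
    if len(signature_hex) > room:
        raise ValueError("signature data overflows the fixed /Contents area")
    return pdf[:a + la] + b"<" + signature_hex.ljust(room, b"0") + b">" + pdf[b:]

if __name__ == "__main__":
    pdf = embed(build_sample_pdf(), b"30820a0506092a864886f70d010702")
    before = signed_digest(pdf)
    # An appended increment (e.g. DSS validation data) leaves the signed bytes untouched.
    updated = pdf + b"30 0 obj << /Type /DSS >> endobj\n%%EOF\n"
    print(coverage(pdf), coverage(updated), before == signed_digest(updated))
```

A non-zero bytes_after_signature means content was appended after signing; a verifier has to decide whether that increment is permitted validation data or an unexpected change.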
Need for the profiles for PAdES
The base specification of PAdES:
・ETSI TS 102 778 (PAdES). It will be updated to EN 319 124 [draft].
・ISO 32000-2 (PDF 2.0) [DIS]. It contains the same specification as ETSI TS 102 778.
The PAdES specification defines the basic elements and parameters: signature, timestamp (called Document Timestamp), fields for storing certificates and revocation information, etc.
・The specification has a lot of flexibility so that the elements can be used for various purposes. The combination of elements and parameters depends on the application and the implementation.
・The specification enables a signature to be extended to the long term validation form, but does not require it.
It is necessary to make PAdES profiles that ensure the interoperability of electronic signature implementations and make electronic signatures verifiable for a long term. Motivation, purpose and scope are the same as for the profiles of CAdES/XAdES (ISO 14533-1/2).
Scope of the PAdES profiles
The PAdES profiles define the requirements of elements and parameters in the PAdES format with respect to long term validation.
Out of scope:
・Cryptographic algorithms
・Adding new elements or parameters which are not defined in the base specification
Proposal of the PAdES profiles
The structure of the long term signature profiles for PAdES
・Electronic Signature with Signature Timestamp: PAdES-T profile (corresponding to the CAdES-T profile in ISO 14533-1 and the XAdES-T profile in ISO 14533-2)
・Electronic Signature with Archive Timestamp: PAdES-A profile (corresponding to the CAdES-A profile in ISO 14533-1 and the XAdES-A profile in ISO 14533-2)
・Content Timestamp: PAdES-CTS profile
PAdES-T profile
PAdES-T has 3 types of forms depending on the location of the timestamp.
Note: DocumentTimestamp is the name of the timestamp which is embedded in a field of the PDF (ISO/DIS 32000-2).
・Simple signature: %PDF, signature data (not including a timestamp), %%EOF.
・Type 1: signature timestamp inside signature data. %PDF, signature data containing the signature timestamp, %%EOF. The signature timestamp proves the existence of the signature.
・Type 2: document timestamp acts as signature timestamp. %PDF, signature data (not including a timestamp), %%EOF, then DocumentTimestamp, %%EOF. This DocumentTimestamp proves the existence of the signature.
・Type 3: posterior signature timestamp acts as prior signature timestamp. %PDF, signature data (not including timestamps), %%EOF, then signature data with a signature timestamp, %%EOF. The posterior timestamp also proves the existence of the prior signature data.
PAdES-CTS profile
The PAdES-CTS is the PDF data format which contains only document timestamps (figure: %PDF, Document Timestamp, %%EOF).
The PAdES-CTS is used to prove the existence of the document.
If the PAdES-T is applied to the PAdES-CTS data, the PDF data conforms to the PAdES-T.
PAdES-A profile
The PAdES-A is the long term archiving data that protects the PAdES-T data or the PAdES-CTS data.
Figure: PAdES-A consists of the PAdES-T or PAdES-CTS data, followed by the Document Security Store (DSS), followed by a DocumentTimestamp and %%EOF.
・The DSS shall store the validation data for all signatures and timestamps.
・This DocumentTimestamp protects all archived data.
Additional Information
Basic mechanism of signatures
・The CA (Certificate Authority) issues a signer's certificate with keys: a private key and a public key (included in the certificate). The CA keeps a certificate status table (certificates A to D; statuses such as Revoked, Good, Out of date), which is made available as validation data through repositories (CRL; LDAP, http..) and VA services (OCSP, SCVP..).
・Signature generation (signer): the signed data (Doc 1, Doc 2, ... Doc N) goes through canonicalization and hashing into the Signed Info (DigestValues, Base64 data). The SignatureValue is generated from it using the private key. Output: the signature body, containing the Signed Info, the Signature Value and the signer's certificate.
・Validation #1 (validator): check the SignatureValue using the signer's certificate (the calculation in reverse order from generation).
・Validation #2 (validator): verify the certificate(s): certificate path checking and revocation checking.
Certificate validation
Certificate path checking: the validator must verify all certificates concerned with the signature and confirm the logical reachability from the EE to the TA.
ARL: Authority Revocation List (for CA). CRL: Certificate Revocation List (for EE).
・Trust Anchor (TA), the root CA: generally, as the TA's certificate is self-signed, there is no ARL for the TA. The root CA issues the ARL, signed by the root CA. The validator (VA) uses it to check whether the sub CA's certificate has been revoked or not.
・CA (substitute CA; the issuer of the EE certificate): issues the CRL, signed by the sub CA. The validator (VA) uses it to check whether the EE's certificate has been revoked or not.
・End entity (EE): the user or subject (signer), who creates the signature (Signed Info, Signature Value, signer's certificate).
Time-stamping services
Time-Stamping (ISO/IEC 18014, RFC3161): a TTP service to provide evidence that the data existed prior to a certain point in time.
・Requester: hashes the data to be time-stamped and sends the DER-encoded DigestValue, with a header part, in a timestamp request message over HTTP(S) or TCP.
・TSA (Time-stamping Authority): receives the DigestValue, merges it with the TimeValue from its time source (adjusted and synchronized to UTC) and misc. information (e.g. TSA cert), hashes and signs the result to produce the Signature Value, and sends the timestamp token (TST), with a header part, in a timestamp response message over HTTP(S) or TCP.
・Requester: receives the TST.
・TST validation (in case of RFC3161): digest value checking, signature value checking, certificates checking (includes revocation checking).