Post on 14-Dec-2015
24th, September, 20092
ContentWhy is PenalNet a secure service?
Digital Certificate
Digital Signature & Encryption
Notifications & Acknowledges
Public Information
Messaging platform
Functional & Technical Description
A walk through PenalNet
Secure Functionality
24th, September, 20093
ContentWhy is PenalNet a secure service?
Digital Certificate
Digital Signature & Encryption
Notifications & Acknowledges
Public Information
Messaging platform
Functional & Technical Description
A walk through PenalNet
Secure Functionality
24th, September, 20094
Why is PenalNet a Secure Service?
• In order to access it one must have a qualified digital certificate (X509v3):
– The most secure way to validate professional identity on the
Internet
– Lawyer identity guaranteed by the national bar association,
which verifies their identity and lawyer condition before issuing
the certificate
• The qualified digital signature makes the authorship of the messages sent and received unquestionable, which guarantees that the issuing party can not refute them
• The messages sent and received through PenalNet are encrypted and can not be manipulated or modified in any way
• The platform provides confirmation of reception and a return receipt, and users can be notified of any message sent to them through the means they prefer (e-Mail or SMS)
• PenalNet features present advantages over conventional e-mail
ConfidentialityAuthenticationIntegrity Non repudiation
24th, September, 20095
ContentWhy is PenalNet a secure service?
Digital Certificate
Digital Signature & Encryption
Notifications & Acknowledges
Public Information
Messaging platform
Functional & Technical Description
A walk through PenalNet
Secure Functionality
24th, September, 20096
Secure Service – Digital Certificate
• PenalNet Certificates and signature cover two different aspects of security:– electronic security. Standard algorithms,
policies and best practices implementing PenalNet portal (X509v3, RSA algorithms)
– legal security:• European Directive on Electronic Signature
(1999/93/EC). It determines legally a digital signature is equivalent to hand-written signature
• “CCBE Policies for qualified lawyers” specify the minimum requirements that should be observed by national Bar Certification Authorities which identify those lawyers registered with them on the Internet through qualified Certificates
24th, September, 20097
Secure Service – Digital Certificate
PenalNet Certificates
• Identify the person and their lawyer condition
• Allow secure communications and transactions and guarantee Confidentiality, Authentication, Integrity and Non repudiation
• Are issued on a SSCD (secure signature creation device)
Certificates are delivered with
• Smart Card Reader• CD including the following
components:• Smart Card Drivers• Smart Card Reader Drivers• CA Certificates• Wizard for an easy Kit installation• User manuals
24th, September, 20098
Secure Service – Digital Certificate
• PenalNet certificates– comply with standards:
• X.509 V3 • RFC3280 “Internet X.509 Public Key Infrastructure Certificate and CRL Profile”• ETSI TS 101 862 “European profile for Qualified Certificates” • RFC 3739 “Qualified Certificates Profile”
• PenalNet certification policies– Comply with:
• CCBE Recommendations about Policies for qualified lawyers • Directive 1999/93/EC
• PenalNet certification Authority (ACA)
– CA infrastructure is allocated • in a maximum security Data Center with a high level of Environmental and
Physical protection – Certification authority follows the best security practices:
• holds WebTrust Seal of Assurance for Certification Authorities and is preloaded into Microsoft´s browser as a trusted CA
– The CA’s private signing key is stored on hardware certified to FIPS 140-1 level 3 with two-person control enforced
– ACA is participating in STORK project– ACA is being audited under ISO-27001 security standards
24th, September, 20099
• RSA algorithms– The RSA algorithm is based on the fact that it’s easy to multiply two
large prime numbers together and get a product. But you can’t take that product and reasonably guess the two original numbers, or guess one of the original primes if only the other is known
– The public and private keys are carefully generated using the RSA algorithm (Public Key Infrastructure, PKI)
– They are used to sign and generate keys in PenalNet
• PenalNet Certificates:– are Qualified Certificates according to Directive 1999/93/CE – are generated in a Secure Signature Creation Device (SSCD), which
means having a Common Criteria Certification and a security level EAL 4+, that involves meeting the CWA 14169 requirements
– users’ Key pairs are 1024 bit using the RSA algorithm– are protected with a PIN and PUK numbers that only the user knows– is also signed by Certification’s Authority with RSA sha1
Secure Service – Digital Certificate
24th, September, 200910
ContentWhy is PenalNet a secure service?
Digital Certificate
Digital Signature & Encryption
Notifications & Acknowledges
Public Information
Messaging platform
Functional & Technical Description
A walk through PenalNet
Secure Functionality
24th, September, 200911
• PenalNet generates xml from the message data, XML signature:– W3C recommendation that
defines an XML syntax for digital signature
– Information about Sender and receiver is included in the PenalNet XML
– Attached documents, size and format are also embedded in the PenalNet XML
– XML signature process:• An applet create a XML
with the message data• Sign the XML including a
new node using PenalNet lawyer’s certificate
– Guarantees interoperability (other formats don’t do it: SMIME, PDF)
Secure Service – Digital Signature & Encryption
24th, September, 200912
• PenalNet Message Encryption:1. Encryption component server
generates a symmetric key2. XML message is encrypted with the
symmetric key generated previously3. Signature component encrypt the
symmetric key generated previously with the public key from the certificate which is used by PenalNet server
4. Distribution of the message to the mailboxes. Message is stored in each user folder totally encrypted
Secure Service – Digital Signature & Encryption
24th, September, 200913
ContentWhy is PenalNet a secure service?
Digital Certificate
Digital Signature & Encryption
Notifications & Acknowledges
Public Information
Messaging platform
Functional & Technical Description
A walk through PenalNet
Secure Functionality
24th, September, 200914
• Users can choose how to send and receive notifications in Control Panel section and in every new message creation
• Notifications and receipts are sent and signed by the platform• None of them requires user intervention:
– Notifications: The receiver is informed about the reception of a new PenalNet message
– Notifications: The sender is informed if the receiver has been notified about the reception of a new PenalNet message
– Receipt: The sender is informed when the PenalNet message has been opened
• All notifications are electronically signed by the secure platform
Secure Service – Notifications & Acknowledges
24th, September, 200916
ContentWhy is PenalNet a secure service?
Digital Certificate
Digital Signature & Encryption
Notifications & Acknowledges
Public Information
Messaging platform
Functional & Technical Description
A walk through PenalNet
Secure Functionality
24th, September, 200917
Secure Service – Secure Functionality
• PenalNet functionality and processes provide extra security in comparison with conventional e-Mail, thus adapting to the lawyers needs:
– Standard E-Mail (SMTP), includes attachments, travels from one server to another with no encryption, whilst PenalNet is based upon SSL communications
– In PenalNet, messages travel from sender to platform and from platform to receiver. No other servers take part in the process. Moreover, information travels encrypted
– In PenalNet messages are linked to persons, so they are not received by a machine (generic mailbox) due to the identification through certificate (Identify the person and their lawyer condition)
– PenalNet guarantees that receivers are actually lawyers, since it is the first requirement to hold a certificate
– In PenalNet, all notifications and acknowledges of reception are signed and sent automatically by the server, so receiver can not manipulate it (contents, dates, etc.) in any sense
– PenalNet establishes a secure professional communication between lawyers who are in PenalNet database, thanks to preview information compiled through lawyers’ CV (background, expertises, languages, ...)
– It avoids the traditional previous communications to spell email addresses and to know the professional experience. All people are voluntarily available and share professional details
24th, September, 200918
Internet
Mr Smith
Received Mailbox
Sent Mailbox
SMS
Mr Smith Place
Receipt Acknowledge
Received Mailbox
Sent Mailbox
Mr Perez Place
Receipt Acknowledge
Internet
Mr Perez
SMS
groupOfUniqueNames2
Country 2
groupOfUniqueNames2
Country 1
groupOfUniqueNames2
Country N
DIRECTORY
SSL SessionSSL Session
EUROPEAN LAWYERS DIRECTORY SECURE COMUNICATION NETWORK
Secure Service – Secure Functionality
24th, September, 200919
ContentWhy is PenalNet a secure service?
Digital Certificate
Digital Signature & Encryption
Notifications & Acknowledges
Public Information
Messaging platform
Functional & Technical Description
A walk through PenalNet
Secure Functionality
24th, September, 200920
• Web Platform– Development:
• Microsoft IIS front-end• Weblogic Application Server• Oracle DB• Java, Struts, AJAX, …, XML
– Platform• Platform availability 24x7• Versatile, modular and scalable• VM Ware Virtualized servers• DB clusters
• Optical fibre
Functional & Technical Description
24th, September, 20092121
www.penalnet.eu + Penalnet Digital certificate
• System requirements– Operating System: Windows 2000, XP, or Vista– Browser: IE 6, IE7 and IE8 (Compatibility and Trusted site)– Computer Processor : no special requirements– Computer Memory: no special requirements– Internet Connection
Functional & Technical Description
24th, September, 200922
Message Data Lawyers Data
Contacts Data Folders Data
Messages Exchange
Folders Management
Contacts
Notifications
PenalNet Directory
Users Data Users Management
Usage System Data
Configuration Data
Preferences Templates Data
Systems Administration
Templates Management
Reports
General Administrator can see administrator features related to all National Bars and user features
Lawyer is the end-user and uses the platform to exchange secure messages
Regional Administrator can administer some aspects of PenalNet platform limited to a region
Functional & Technical Description
24th, September, 20092323
• PenalNet is structured in two sections: Public and private
• Public section:– Public information of PenalNet,
Certificates, Partners, methodology, objectives...
– News and events– Bulletins subscription
• Private section or Messaging platform:– Locate professional colleagues who
practice in other countries involved in the project, accessing contact information and professional and academic experience
– Communicate with them using a secure tool to send and receive messages containing highly confidential information. The platform instantly generates an official record of the sending and reception of messages
Functional & Technical Description
24th, September, 200924
ContentWhy is PenalNet a secure service?
Digital Certificate
Digital Signature & Encryption
Notifications & Acknowledges
Public Information
Messaging platform
Functional & Technical Description
A walk through PenalNet
24th, September, 200925
Functional & Technical Description – Public Information
What is PenalNet Page
• This is the first page shown when the user enters www.penalnet.eu
• It explains what PenalNet is and it shows the latest news
• Users can freely navigate using the top menu
24th, September, 200926
News Page
• It contains relevant new information about PenalNet; presentations, congresses, events or meetings are shown in this section
• Subsections:– Today’s News– Historical– Bulletins
• All PenalNet lawyers are automatically subscribed to receive PenalNet e-newsletter by mail. This is the page where anyone can join the distribution list
Functional & Technical Description – Public Information
24th, September, 200927
Upcoming Events Page
• It contains a Calendar of events related to PenalNet
• By clicking on each of them, the user is provided with further information
Functional & Technical Description – Public Information
24th, September, 200928
Digital Certificate Information Page
• Digital certificate, as the most important security tool implemented in PenalNet, has its own section to explain all possible questions regarding itself:– What is it?– How to get it?– How to use it?– How to revoke it?– Downloads, FAQs, etc
Functional & Technical Description – Public Information
24th, September, 200929
Legal Fundamentals Page
• The aim of this page is to provide useful information to the European lawyers that will access the PenalNet portal
• The information is structured in 5 parts. Each of them includes important issues for the Legal Practice in the EU regarding criminal Law
1. Preventive detention2. Accused´s rights 3. Habeas Corpus4. Fundamental rights and
obtaining of pieces of evidence
5. Right to judicial protection
Functional & Technical Description – Public Information
24th, September, 200930
ContentWhy is PenalNet a secure service?
Digital Certificate
Digital Signature & Encryption
Notifications & Acknowledges
Public Information
Messaging platform
Functional & Technical Description
A walk through PenalNet
24th, September, 200931
PenalNet Access
• Via secure SSL connection (https). Click through “Access to PenalNet” at the top menu bar and see “Click here to access” below a description about the platform
• Home is displayed in a new window showing user’s contact details, storage usage and links to main folders
• It is recommendable to set PenalNet as a trusted site before access
• It is necessary to introduce the certificate into the smart card reader and know pin code
• Lawyers will be able to access their own CV in this section
Functional & Technical Description – Messaging Platform
24th, September, 200932
PenalNet Secure Messages Exchange
• Access “Mail” button at the top menu bar and see messages saved into inbox folder
• It is structured in three sections:– Message Folders, where user can
check, search and/or edit messages, which can be deleted or moved to another folder as well
– Message Reader shows a specific message that users can “Reply”, “Reply all” or “Forward”
– Message Editor, where users can create or change a message
Functional & Technical Description – Messaging Platform
24th, September, 200933
PenalNet Secure Messages Creation
Allows message creation and edition from the following options:• Top Bar: send, draft, clear and “add to my directory”
icons• To field. User should click on any lawyer name or group
to add any receiver. New contact s are added by clicking “add to my directory” icon
• Acknowledge field. User specifies if want, or not, to receive any acknowledge (to know if user have read the message)
• Notification field. User select how a notification will be informed (in addition to receiver’s configuration)
• Subject and body. Detail of the message
• Once the user has finished editing, the user can send the message or create a draft of it
• In both cases the user starts with the signing process
Functional & Technical Description – Messaging Platform
24th, September, 200934
PenalNet Personal Directoy
User can manage all personal contacts (lawyers or administrators) in “My Directory” section. This section allows:
• Add contacts to personal directory• Filter alphabetically• Remove contact (only in user contact list)• Manage groups. Create, edit or remove groups’ user and move its contacts
Functional & Technical Description – Messaging Platform
24th, September, 200935
PenalNet Directory
This is a lawyer’s directory and all users can search any PenalNet lawyer filtering by all CV fields:• User can see any CV detail• Add a lawyer in user’s directory• Export lawyers’ detail• Lawyers can access to edit their own CV in this section
In addition, administrators can upload new CVs in order to register a new PenalNet lawyer
Functional & Technical Description – Messaging Platform
24th, September, 200936
Control Panel
This section allows customized configuration (dependant on user’s role):• Administrator:
• Application: users management, profiles, modules and storage limits• Reports: messages usage, storage usage and access• Personal configuration: notifications
• Bar Administrator:• Application: users management and storage limits• Reports: messages usage, storage usage and access• Personal configuration: notifications
• Lawyer:• Personal configuration: notifications
Functional & Technical Description – Messaging Platform
24th, September, 200937
ContentWhy is PenalNet a secure service?
Digital Certificate
Digital Signature & Encryption
Notifications & Acknowledges
Public Information
Messaging platform
Functional & Technical Description
A walk through PenalNet