AOL AIM and Document Signing
Dartmouth College PKI Lab
Instant Messaging
• AOL AIM for Windows implements PKI for secure messaging:
– Each message signed and encrypted using personal PKI credentials
– Assures identity of sender
– Guarantees privacy of contents of messages
• Not necessarily overkill:
– ISTS system administrators discuss sensitive network and server configuration information
– No noticeable delay due to overhead for signature and encryption
Instant Messaging
• Kudos to AOL for a clean and innovative product.
• But…
– Encryption and signing not (yet) interoperable with other IM implementations
– Should be easier to import trusted root certificates
Document Signing
• Digital signature embedded in a document authenticates its source and enables detection of tampering:
– Text documents (Word, Acrobat)
– Spreadsheets (Excel)
– Presentations (PowerPoint)
– XML forms (Infomosaic)
Document Signing Uses
• Streamline business processes:
– Move paper-based processes online without sacrificing security (e.g. hiring authorization, requisitions, expense reports, grant applications)
– Electronic forms transmission, tracking, and processing while still allowing the crucial human authorization steps
– Secure transmission of business information without requiring it be sent on signed paper
• Intra-institutional transactions (within or between departments)
• Inter-institutional transactions (among Higher Education institutions or with government) – use HEBCA or USHER for inter-institutional trust
Signed Word Document
Signed PowerPoint Document
Signed Excel Spreadsheet
Signing Office Documents
• To sign, select “Tools -> Options -> Digital Signatures…”
• Must save before signing
• Saving changes after signing removes signatures (to protect against tampering after signing)
• Can have multiple signatures
• User interface could use some improvement
• Beware of macros – can change apparent content without requiring a save (sort of like changing ink on a signed paper document)
Signed Acrobat (PDF) Document
• Requires proper version of Acrobat.
• No macro vulnerability.
• Can use write-only form (write protected by institution) with user digital signature to implement electronic signed “fill in the blanks” style forms.
Signed XML Forms
• End user signing requires an application like Infomosaic’s SecureSign/SecureXML.
• Uses XML digital signatures standards.
• Standard XML forms can be generated and processed by any application that adheres to the proper standards.
• Enables truly platform and application independent digital signing of electronic transactions (critical component of Web Services).
NIH EDUCAUSE HEBCA Demo
• XML form signing with two signatures:
– Signer
– Institutional co-signer (pre-registered with Federal receipt server)
• Document is signed by signer and co-signer at one institution and then submitted to another institution.
• Current proof of concept has Federal government as recipient, but can work for any two organizations.
NIH EDUCAUSE HEBCA Demo
• Uses HEBCA & FBCA bridges so the receipt server can trust signatures made with Higher Education PKI credentials
• Read-only form provided by recipient (Federal agency in the proof of concept) and processed automatically upon receipt
• Fine work by Peter Alterman and many others (including a number of our colleagues)
• Award winning proof of concept
NIH EDUCAUSE HEBCA Demo
• Federal receipt and authorization server:
– Checks validity of signer and co-signer certificates and if they are issued by a trusted institution’s PKI
– Verifies that the co-signer is properly registered as an authorized co-signer for the signer’s institution
– Verifies that the co-signer and signer are different individuals
– Acknowledges secure and proper receipt of submission via web page and email
– Use secure SSL for all transactions
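
The receipt server's checks listed above, sketched in Python as an added example (not code from the demo or from the Dartmouth PKI Lab). It works on already-parsed certificate fields; the `Cert` class, the registry layout and all sample names are assumptions, and signature and certificate-path validation through the bridges is assumed to have happened before this step.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    """Already-parsed certificate fields (hypothetical model, not an X.509 parser)."""
    subject: str           # individual named by the credential
    institution: str       # institution whose PKI issued it
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # assumption: result of a revocation lookup done elsewhere

def check_submission(signer, cosigner, trusted, registry, now):
    """Apply the receipt server's checks; return rejection reasons ([] = accept).

    trusted:  set of institutions whose PKI the server trusts
    registry: institution -> set of pre-registered co-signer subjects
    """
    reasons = []
    for role, cert in (("signer", signer), ("co-signer", cosigner)):
        if cert.revoked or not (cert.not_before <= now <= cert.not_after):
            reasons.append(f"{role} certificate is not valid")
        if cert.institution not in trusted:
            reasons.append(f"{role} certificate not issued by a trusted institution")
    # Authorization is looked up under the signer's institution, so a co-signer
    # registered for some other institution cannot approve this submission.
    if cosigner.subject not in registry.get(signer.institution, set()):
        reasons.append("co-signer not registered for the signer's institution")
    # Compare identities, not certificate objects: one person presenting the
    # same subject in both roles is rejected even if every certificate is valid.
    if signer.subject.casefold() == cosigner.subject.casefold():
        reasons.append("signer and co-signer are the same individual")
    return reasons

# Constructed sample data (not from the demo system).
UTC = timezone.utc
def make_cert(subject, institution, revoked=False):
    return Cert(subject, institution, datetime(2024, 1, 1, tzinfo=UTC),
                datetime(2025, 1, 1, tzinfo=UTC), revoked)

NOW = datetime(2024, 6, 1, tzinfo=UTC)
TRUSTED = {"Example University"}
REGISTRY = {"Example University": {"CN=Pat Cosigner"}}
ALICE = make_cert("CN=Alice Applicant", "Example University")
PAT = make_cert("CN=Pat Cosigner", "Example University")

if __name__ == "__main__":
    print(check_submission(ALICE, PAT, TRUSTED, REGISTRY, NOW))  # accepted
    print(check_submission(PAT, PAT, TRUSTED, REGISTRY, NOW))    # self co-signing
```

Returning every failed check instead of stopping at the first one gives the audit log a complete record of why a submission was refused.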
[Diagram of the demo architecture. Labels: College/University (applicant & cosigner, internal workflow, CA @ College/University); Internet; Federal Agency Portal (Receipt and Authorization Server, Agency Server, Audit Log, Agency Back End Processing (Phase 4)); FBCA; HEBCA; digitally signed XML form; validate certs; receipt message; transaction record.]
NIH EDUCAUSE HEBCA Demo
• Caveats:
– I’m new to this application
– Just got everything running properly today ;-)
– I had to use a test certificate for the signer since I only have one Dartmouth identity
– This is a proof of concept