SignCloud - Bit4id

Post on 15-Jul-2020



Remote Digital Signature System

All the information in this document is CONFIDENTIAL and cannot be used, in whole or in part, without written permission from Bit4id SRL.


Contents

1. Executive Summary
2. SignCloud System Architecture
3. Remote Credentials Enrolment
4. Remote Digital Signature on Desktop
5. Remote Digital Signature on Mobile Devices
6. References
6.1. Consejo de la Judicatura (ECUADOR)
6.2. College of Notaries (Notartel, ITALY)
7. Technical specifications


1. Executive Summary

This document describes SignCloud, the Bit4id solution for the enrolment and usage of PKI-based Remote Digital Identities.

SignCloud allows the End User to digitally sign any document from any platform (desktop and mobile) by exploiting a Secure Element on the Cloud, thus relieving the End User of the burden of dealing with a smart card or PKI token.

SignCloud has been developed with a modular and scalable state-of-the-art architecture, offering best-in-class security thanks to the FIPS-certified HSMs used to protect the digital identities.

SignCloud can be easily integrated with any existing PKI infrastructure, both on the client side and on the server side, thanks to well-known standardized digital signature protocols and interfaces.

This white paper presents a high-level overview of the SignCloud architecture (par. 2) as well as some relevant use cases, showing how easy the process of Remote Digital Identity enrolment is (par. 3) and how the identity is used for digital signature on both desktop (par. 4) and mobile platforms (par. 5). Finally, some important references are outlined (par. 6) and technical specifications are provided (par. 7).


2. SignCloud System Architecture

SignCloud is an enterprise-grade client-server solution for expanding your PKI infrastructure with remote digital signature functionality.

The client side of SignCloud, named Universal Key Chain (UKC), is available both as a lightweight desktop agent and as a mobile app. The UKC client interoperates seamlessly with any web browser and third-party desktop application through widespread and well-accepted digital signature standards. The SignCloud solution makes remote digital signature possible in the widest range of mobile and non-mobile scenarios.

The SignCloud server, sketched in figure 1, integrates the following functionalities:

- Authentication Server
- Digital Signature Engine
- Secure DB
- HSM
- Log and Audit System

Figure 1 – Functional Architecture of SignCloud Server.

The SignCloud Client (UKC) offers several standard interfaces (PKCS#11, CSP, tokenD) as well as advanced high-level APIs to ensure abstraction and remotization of the secure signature creation device, for the benefit of third-party applications requesting a digital signature service or the creation of a new digital identity (key pair and related X.509 digital certificate).

The Authentication Server module supports several Authenticator means, such as:

- Physical OTP device
- Mobile App OTPs
- SMS OTPs
- Biometric-based (on request)


SignCloud can be easily connected with existing PKI infrastructures and Credential Management Systems, given its full interoperability with multiple PKCS#11-compliant devices. This integration is achieved through a lightweight Registration Authority (RA) Client Connector (UKC for RA) that extends the RA functionality to enrol new remote certificates and key pairs on the SignCloud platform.

SignCloud is natively integrated with the Bit4id Universal Identity Manager Registration Authority (Bit4id UIM RA), the Credential Management System (CMS) and RA platform of Bit4id, and can work with any PKCS#11-compliant CMS.

SignCloud can be easily scaled up both vertically and horizontally, by integrating HSMs of growing cryptographic computing power or by clustering the SignCloud servers, ensuring not only increased performance but also fault tolerance and load balancing.

SignCloud features an advanced secure logging system to keep track of performed transactions. The audit trail is sequentially hashed and digitally signed in order to guarantee the integrity both of the single records and of their sequence.
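The sequential hashing and signing of the audit trail can be illustrated with a small hash chain. The following Go program is an added example written for this page, not Bit4id's code: each record carries the hash of its predecessor and an ed25519 signature over its own hash (an in-memory key standing in for the HSM-protected log-signing key, which is an assumption of the example), and VerifyTrail reports the sequence position of the first record whose content, link or signature fails. The event strings are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// AuditRecord is one entry of the trail. Hash chains to the previous record, so
// deleting or reordering records breaks the chain; Sig covers Hash, so rewriting a
// record needs the log-signing key (HSM-protected on the real platform; an in-memory
// ed25519 key here, which is an assumption of this example).
type AuditRecord struct {
	Seq   uint64
	Event string
	Prev  [32]byte
	Hash  [32]byte
	Sig   []byte
}

type AuditTrail struct {
	records []AuditRecord
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
}

func NewAuditTrail() (*AuditTrail, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuditTrail{priv: priv, pub: pub}, nil
}

func (t *AuditTrail) Pub() ed25519.PublicKey { return t.pub }

// recordHash binds sequence number, previous hash and event text together.
func recordHash(seq uint64, prev [32]byte, event string) [32]byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d|", seq)
	h.Write(prev[:])
	h.Write([]byte("|" + event))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Append adds an event; the first record chains from an all-zero hash.
func (t *AuditTrail) Append(event string) AuditRecord {
	var prev [32]byte
	if n := len(t.records); n > 0 {
		prev = t.records[n-1].Hash
	}
	r := AuditRecord{Seq: uint64(len(t.records)) + 1, Event: event, Prev: prev}
	r.Hash = recordHash(r.Seq, prev, event)
	r.Sig = ed25519.Sign(t.priv, r.Hash[:])
	t.records = append(t.records, r)
	return r
}

// Records returns a copy, so an exported trail can be checked (or tampered with) independently.
func (t *AuditTrail) Records() []AuditRecord {
	return append([]AuditRecord(nil), t.records...)
}

// VerifyTrail walks the chain with only the public key: sequence numbers dense from 1,
// each Prev equal to the previous Hash, Hash recomputable from the content, and Sig valid.
// It returns the sequence position of the first failure, or 0 when the trail is intact.
func VerifyTrail(pub ed25519.PublicKey, records []AuditRecord) (ok bool, badSeq uint64) {
	var prev [32]byte
	for i, r := range records {
		want := uint64(i) + 1
		if r.Seq != want || r.Prev != prev {
			return false, want
		}
		if recordHash(r.Seq, r.Prev, r.Event) != r.Hash || !ed25519.Verify(pub, r.Hash[:], r.Sig) {
			return false, want
		}
		prev = r.Hash
	}
	return true, 0
}

func main() {
	trail, err := NewAuditTrail()
	if err != nil {
		panic(err)
	}
	for _, e := range []string{"login user=alice", "sign doc=contract.pdf", "logout user=alice"} { // constructed events
		trail.Append(e)
	}
	ok, bad := VerifyTrail(trail.Pub(), trail.Records())
	fmt.Println("intact trail:", ok, bad)
	tampered := trail.Records()
	tampered[1].Event = "sign doc=other.pdf"
	ok, bad = VerifyTrail(trail.Pub(), tampered)
	fmt.Println("after rewriting record 2:", ok, bad)
}
```

Note what such a chain does and does not prove: altering, deleting or reordering any record is detected at the first affected position, but silently dropping the newest records is not, because the chain is still consistent up to that point. A deployment therefore also anchors the latest hash outside the log (for instance in a time-stamped record), a step this example leaves out.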

In figure 2 we report a high-level overview of a typical architectural subset. As already mentioned above, the SignCloud Server, available both as a network-attached appliance and as a virtual machine, can host an embedded PCI HSM or can optionally be interfaced with more powerful network HSMs when an increased number of transactions per second is required. Performance scales linearly by adding more SignCloud Servers in a clustered configuration; this has the added benefit of fault tolerance and load balancing.

Figure 2 – High-level architecture of the SignCloud System and interfacing with external entities.


The same figure also sketches the interfacing with the Registration Authority for the enrolment of End Users and the issuance of remote digital identities. For this specific case we referred to the Bit4id RA and Credential Management System (Bit4id UIM RA); however, SignCloud can be immediately integrated with any CMS platform thanks to the SignCloud RA Client, which exposes a standard PKCS#11 interface toward the enrolment station while virtualizing the smart card on the SignCloud HSM.

3. Remote Credentials Enrolment

SignCloud is agnostic toward the Certification Authority software used: any CA can be used as long as it offers a suitable RA interface, be it a native one or an additional CMS layer. Although Bit4id UIM RA is an optional element of the Remote Digital Signature infrastructure, it nevertheless enriches the architecture thanks to its native integration with the SignCloud System, offering a simple way to decouple the process of End User registration and certificate issuance from the CA. In fact, Bit4id UIM RA features a CA gateway that enables the submission of Certificate Signing Requests to multiple CA back-ends.

As an example, we report in figure 3 a screenshot of Bit4id UIM RA where a new End User (a new Credentials Holder) has been created and his/her request is pending approval. The request was created by selecting the SignCloud HSM as key container, meaning that the End User will have remote credentials available for digital signature or other purposes, as described in the key usage of the certificate profile selected during registration.

Figure 3 – Bit4id Credential Management System Web Interface: managing approval workflow.

Once the request has been approved by the Registration Officer and the new digital identity has been enrolled on the SignCloud platform, the secret codes are communicated to the End User.


There are many different options for delivering the secret codes to the End User; here we see that the enrolment workflow has been configured to use an email method. Other possibilities include PIN mailer and scratch cards.

Figure 4 – Email addressed to the End User and containing the secret codes for the use of remote identity.

Figure 4 shows the email generated by the CMS, which reports the following information needed by the End User to exploit his/her digital identity by means of the SignCloud Client:

- User ID
- Password
- PIN
- PUK
- ERC – Emergency Code

The first two credentials are needed to identify the virtual smart card assigned to the End User on the SignCloud platform, while the PIN is used, as with a physical smart card, to authorize the use of the private key, e.g. for a digital signature or authentication operation; the PUK code is used to unlock the PIN if the number of allowed incorrect PIN attempts is inadvertently reached. Finally, the ERC code is used when the End User requests a life-cycle management operation, such as a certificate suspension, from the RA Help Desk.
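To make concrete how the PIN and PUK gate the remote private key, the following Go program is an added example written for this page, not Bit4id's implementation. It models a virtual smart card holding a PIN-protected ed25519 key: every signature requires a PIN check, a wrong PIN decrements a retry counter until the PIN is blocked, and the PUK unlocks it by setting a new PIN while consuming its own counter. The retry limits, the salted SHA-256 storage of the codes and the secret codes themselves are constructed for the example; a real HSM keeps the PIN under its own protections.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Retry limits are constructed for the example; the page does not state the platform's own.
const MaxPINTries, MaxPUKTries = 3, 10

var (
	ErrWrongPIN   = errors.New("wrong PIN")
	ErrPINBlocked = errors.New("PIN blocked: unlock with PUK")
	ErrWrongPUK   = errors.New("wrong PUK")
	ErrPUKBlocked = errors.New("PUK blocked: identity must be re-issued")
)

// VirtualCard models one End User's virtual smart card on the HSM: a private key
// whose every use is authorized by the PIN, with retry counters as on a physical card.
type VirtualCard struct {
	salt     [16]byte
	pinHash  [32]byte // salted SHA-256 stands in for the HSM's own protected PIN storage
	pukHash  [32]byte
	pinTries int
	pukTries int
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey // what the X.509 certificate would carry
}

func NewVirtualCard(pin, puk string) (*VirtualCard, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	c := &VirtualCard{pinTries: MaxPINTries, pukTries: MaxPUKTries, priv: priv, Pub: pub}
	if _, err := rand.Read(c.salt[:]); err != nil {
		return nil, err
	}
	c.pinHash, c.pukHash = c.digest(pin), c.digest(puk)
	return c, nil
}

func (c *VirtualCard) digest(secret string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, c.salt[:]...), secret...))
}

// check compares a code in constant time; a failure decrements *tries and blocks the
// code at zero, a success restores the full allowance.
func (c *VirtualCard) check(want [32]byte, secret string, tries *int, limit int, wrong, blocked error) error {
	if *tries == 0 {
		return blocked
	}
	got := c.digest(secret)
	if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
		*tries--
		if *tries == 0 {
			return blocked
		}
		return wrong
	}
	*tries = limit
	return nil
}

func (c *VirtualCard) PINTriesLeft() int { return c.pinTries }

// VerifyPIN behaves like a physical card's PIN verification: wrong attempts count down.
func (c *VirtualCard) VerifyPIN(pin string) error {
	return c.check(c.pinHash, pin, &c.pinTries, MaxPINTries, ErrWrongPIN, ErrPINBlocked)
}

// UnlockPIN uses the PUK to set a new PIN and reset its counter; the PUK has its own
// counter, and once that is exhausted the virtual card is permanently unusable.
func (c *VirtualCard) UnlockPIN(puk, newPIN string) error {
	if err := c.check(c.pukHash, puk, &c.pukTries, MaxPUKTries, ErrWrongPUK, ErrPUKBlocked); err != nil {
		return err
	}
	c.pinHash, c.pinTries = c.digest(newPIN), MaxPINTries
	return nil
}

// Sign is the only path to the private key: each operation is gated by the PIN check.
func (c *VirtualCard) Sign(pin string, msg []byte) ([]byte, error) {
	if err := c.VerifyPIN(pin); err != nil {
		return nil, err
	}
	return ed25519.Sign(c.priv, msg), nil
}

func main() {
	card, err := NewVirtualCard("1234", "87654321") // constructed secret codes
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"0000", "1111", "2222"} {
		fmt.Println("PIN", p, "->", card.VerifyPIN(p), "| tries left:", card.PINTriesLeft())
	}
	fmt.Println("unlock with PUK:", card.UnlockPIN("87654321", "5678"))
	sig, err := card.Sign("5678", []byte("hello"))
	fmt.Println("signed:", err == nil, "| verifies:", ed25519.Verify(card.Pub, []byte("hello"), sig))
}
```

The point of routing every private-key use through Sign is that the card, not the calling application, enforces the counter: once the PIN is blocked, even the correct PIN is refused until the PUK has been presented, which is the situation the PUK in the secret-codes email is meant for.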

It is worth recalling here that the authentication of the End User towards the SignCloud platform can be performed by means of different Authenticators. Therefore, instead of a static PIN code, a dynamically generated OTP could be used.


4. Remote Digital Signature on Desktop

Figure 5[1] shows the connection of the SignCloud Client to the server; here UserID and Password are required to access the virtual smart card containing the End User certificate.

Figure 5 – [1] Connection of the UKC Client to the SignCloud Platform; [2] Display of the available digital identities in the UKC.

After successful login (figure 5[2]) the certificate information is displayed inside the SignCloud Client, which also acts as a typical smart card manager, allowing the user to perform typical operations such as changing or unlocking the PIN.

Once the remote credentials have been enrolled and the SignCloud Client has been authenticated with the End User's credentials, the End User can perform any typical operation involving digital certificates as if he/she were in possession of a physical smart card, simply by exploiting the remotization offered by the SignCloud system.

Figure 6 shows a digital signature operation on a Microsoft Word file. As can be clearly seen, the remote certificate is made available to the application by means of the CSP library installed by the SignCloud client.

On accepting to sign the document (Fig. 7), the SignCloud client requires the End User to authorize the transaction by means of the suitable Authenticator, which in this case is the PIN code.

A similar workflow is clearly in place for any other application requiring the services of the smart card, including applications that require a PKCS#11 library (e.g. Firefox, Bit4id Firma4NG, etc.).



Figure 6 – Adding a digital signature to a Word document. The certificate is made available by the UKC through the CSP library.

Figure 7 – The decision to sign the document produces the PIN request from the UKC client, exactly in the same fashion as it would if a physical smart card were used.


5. Remote Digital Signature on Mobile Devices (Soon Available)

In order to describe remote digital signature on mobile devices we consider the following use case. The End User is already authenticated to a specific Web Application (in the example shown below it is an Internet banking website, but clearly this applies to any type of Web Application). Figures 8 to 10 show screenshots of the relevant phases; the use case consists of the following steps:

- The Web Application produces a document to be digitally signed by the End User;
- The Web Application requires the End User to sign the document;
- The End User accepts to sign the document;
- The Web Application, by means of a Service Platform, sends a push notification to the End User Device;
- The End User clicks on the notification;
- The Client App is started to manage the digital signature request;
- The UKC Client App presents the document to be signed to the End User, who can review the document before deciding;
- The End User selects the available Secure Element on the Cloud (remote smart card on HSM) in order to make certificates available for the application;
- The End User selects the appropriate certificate for digital signature;
- The End User inserts the PIN number (or other Authenticator);
- The signed document is returned to the Web Application that verifies and stores the digitally signed


Another common use case is that the End User receives a document to be signed by email. By opening the attached document with the SignCloud mobile client App, the End User can review the content of the document and digitally sign it in the required format.


Figure 8 – Web application requesting the user to sign a transaction.

Figure 9 – Push notification alerting the user to the digital signature request. By clicking on the notification, the Client App responsible for handling the required action is opened.

Figure 10 – The transaction to be signed is presented to the End User, who can accept or decline the invitation. If the user decides to sign the transaction, he/she has to insert the PIN number (or another authenticator, e.g. fingerprint) to unlock and leverage the capabilities of one of the several secure elements supported by the Client App.


6. References

SignCloud has been successfully deployed in many scenarios and for many different customers. Here we provide only a handful of references; for more details please contact your Bit4id sales manager.

6.1. Consejo de la Judicatura (ECUADOR)

The Judicial Council of Ecuador requested a complete PKI solution for the country's lawyers and judges, who need to identify themselves, sign and possibly encrypt sensitive documents. Bit4id developed and deployed the entire PKI infrastructure, including two Certification Authority sites.

In particular, the infrastructure comprised a SignCloud platform to enable remote digital signature.

Some notable features of the delivered solution:

- Root CA and Sub-CAs installation and configuration
- High security network segmentation
- Key Ceremony preparation and celebration
- EJBCA certification authority software with many customizations and improvements
- Two sites established: main and disaster recovery
- High Availability infrastructure ensured for both sites
- More than 50,000 users and counting
- RA implemented with proprietary software (Bit4id UIM RA)
- RA Workflows customization
- TSA system implemented with proprietary software (Bit4id smartTSA)
- Validation authority with CRL and OCSP (EJBCA configured as VA)
- Digital signature based on physical SSCD and Remote Digital Signature with Key Custody on HSM
- Alfresco Enterprise Content Management System integration
- Auditing log with BIT4ID smartLOG advanced logging system

6.2. College of Notaries (Notartel, ITALY)

The Italian council of notaries needed a complete PKI solution allowing its associates to obtain digital certificates relevant to their needs.

Bit4id’s solution allows notaries to self-manage their enrolment: they can compose their requests for different kinds of digital certificates and different key usages by accessing a dedicated and protected web site. Users manage the initialization and setup of their smart cards (key pair generation) from their web browsers, thanks to our UKC Client technology.

Certificates can also be stored within the HSM and then accessed with an OTP (software or hardware). Bit4id developed the entire PKI infrastructure, integrating its services with the Notartel systems.

Notable features:

- A complete PKI system with Certification Authority based on open source EJBCA CA
- Safenet HSM in High Availability configuration
- Key Ceremony designed and supervised by Bit4id
- Many different authentication backends: smart card, username and password, Single Sign On with SAML, grid card with secret codes
- Integration with Bit4id Universal Key Chain as remote identity client
- API integration with Notartel business systems
- High availability front-end system

7. Technical specifications

Supported desktop platforms: Windows, Linux, MacOS 10.5 or later

Supported mobile platforms: Android, iOS, Windows Mobile

Supported Browsers: Internet Explorer, Edge, Chrome, Firefox, Safari

Certificate profiles: X.509, ETSI TS 101 862 V1.3.2

HSM Certification: FIPS 140-2 Level 3

Signature Formats: XAdES (ETSI TS 101 903 V1.3.2), CAdES (ETSI TS 101 733 V1.7.4), PAdES (ETSI TS 102 778-1 V1.1.1, TS 102 778-2 V1.2.1, TS 102 778-3 V1.1.1, TS 102 778-4 V1.1.1, TS 102 778-5 V1.1.1)

Hashing Algorithms: SHA-256, SHA-1, MD2, MD5

Key length: 2048/1024 bits

Verification: CRL, OCSP, LDAP

Encryption Algorithms: AES-256, 3-DES

Encoding: ASN.1-DER (ISO 8824, 8825), BASE64 (RFC 1421)

Time stamped data: RFC 5544


Bit4id in the world

ITALY
Naples: Via Diocleziano, 107, 80125 Naples – Italy. Tel. +39 081 7625600, Fax +39 081 19731930
Rome: Via Tirone, 11, 00146 Rome. Tel. +39 06 32803708, Fax +39 06 99335481
Milan: Tel. +39 02 430019163, Fax +39 02 45500675

SPAIN
Barcelona: Barcelona Advanced Industry Park, C/ Marie Curie, 8-14, 08042 Barcelona - Spain. Tel: +34 902 60 20 30

UNITED KINGDOM
2 London Wall Buildings, London Wall, London EC2M 5UU - UK. Tel. +44 1422 570673, Fax +44 20 78553780

PERU
Mártir Olaya, nº 169, Oficina 406 (Miraflores) - Lima (Perú). Tel: +(51) 1 242 9994