CryptoSign Server: Centralized and Secure Digital Signature from REALSEC
• HSM + Digital Signature Platform + Auditing in one single appliance
• Centralized key custody and certificate safeguarding
The aim of this article is to identify the most suitable, reliable, and secure medium or physical device for the digital signature process. It must be able to store and protect the private keys of the certificates used in the signing process, and make it possible to audit certificate use at all times.
It is well known that certificates allow the identification of third parties, but it is also important to know that they fall into two groups: certificates for individuals and certificates for legal entities, the latter also known as company certificates.
Although this much is quite clear, matters become more complicated once we begin to talk about the different types of certificates, keeping in mind the following facts:
• Without a doubt, the most basic and fundamental certificate is the personal identity certificate which is located in the chip in the national identity card or document.
• There are certificates that identify us as title holders or members of professional associations, which are used, for example, to identify groups such as doctors, lawyers, etc. This type of certificate links us to a specific professional group.
• Public employees can identify themselves as employees of public administrations also using certificates linked to the entity where they carry out their role or functions. This same type of certificate can also be applied to private companies.
• There are also certificates that identify the holder as a legal representative or proxy of an organization, a department, a functional responsibility within the entity, etc.
In both the business and public sectors, different types of certificates are used depending on their purpose. Here are some examples:
• Corporate body, according to corporate powers and variants
• Public entity organizational seal
• Corporate seal
• Electronic billing
• Authentication of websites for the public sector
• Timestamp service
• Secure server (SSL)
• Executable code signature for software developers
Currently, the certificate and its private keys are stored in four different types of devices:
1. USB Token: it is a portable, personal, and secure electronic device that stores the certificate for the owner’s authentication.
2. Smart-card: a card that includes a secure cryptographic processor. The best-known examples are the national identity document and credit cards (only for EMV cards since the magnetic stripe has no chip).
3. Stored on the PC hard drive. This type of storage has multiple risks. It is easy for an expert to access the computer, obtain the private keys and use them to steal the identity of the certificate holder.
4. HSM (Hardware Security Module): hardware that stores and protects cryptographic keys securely. This device normally operates in the custody of an entity, administration, professional association, etc.; i.e., its location and control are centralized.
According to the information above, it is clear that the option of storing certificates on our computer’s hard drive should be discarded since it does not reduce the risks of identity theft.
Additionally and based on legal requirements, we should always carry our personal identity certificate with us in order to identify ourselves in any situation. Such is the case with our bank card which allows us to identify ourselves with the issuing financial institution.
In this case, both certificates complement each other. During a payment transaction, the establishment will ask for two cards: the first identifies the individual and the second identifies the individual to the bank.
Regarding the USB token, no one can question that it is a portable and secure device, although its portability is, in itself, a security weakness compared to devices such as the HSM (Hardware Security Module).
Here are some of the weak points of the USB tokens:
• Forgetting the device, which means that the necessary function or process cannot be carried out.
• Loss or theft of the device. The user must request a new certificate and USB token. The time required to perform this procedure can be problematic in case of an emergency. This can then result in a lack of productivity, in addition to the added cost of a new device and other expenses associated with the management and administration of the USB tokens by the entity.
Situations such as the two mentioned above can generate uneasiness in users and possibly affect their work in the case of neglect or loss of the device. Imagine professionals, such as doctors or lawyers, in cases such as: “I can’t pay the payroll because I’ve forgotten the USB token.”
Additionally, USB tokens are limited in that they are not a suitable tool for mass document signing. Consider, for example, processes such as the mass signing of invoices, payroll receipts, bank statements, etc.
Ultimately, an HSM (Hardware Security Module), which can be compared to a large shared USB token, when integrated into an adequate digital signature platform, manages to overcome the above risks and disadvantages while, at the same time, providing the following advantages:
• Centralized and secure management of keys and certificates
• Control of expiration dates
• Automatic generation of certification applications
• Secure import and export of certificates
• The signature or signature verification of any document
• Integration with other processes or systems
• The audit and monitoring of who, when, and what was signed
In short, only a solution like CryptoSign Server, which integrates signature, hardware and software, provides users with high-performance and secure access to private certificate keys without using external storage devices. All of this will contribute to digital signature processes for documents and electronic invoices that are more secure and efficient.
Also, CryptoSign Server controls expiration dates and automatically generates keys and certificate applications.
Also worth noting is the option to sign and verify the signature of any document (text, graphic, office, voice, etc.), with the capability to choose the format (PDF, XAdES, or PKCS #7) and the certificate to be used.
It also comes with supported client software that is compatible with any programming language and operating system, allowing it to be executed from web applications as well as any management application.
Its web-based administration, simple and user-friendly, allows the creation and secure storage of the private key in real time, while also facilitating the secure import of certificates signed by any accredited certification entity.
Ángel de Inés.
Business Development Director REALSEC Argentina, Paraguay and Uruguay.
Source in Spanish: Caal AR