dsi-asp-pr-3924 - Thales Alenia Space
Transcription
dsi-asp-pr-3924 - Thales Alenia Space
Page de signatures électroniques / Electronic Signatures Page Information Documentaire / Document Information PROCEDURE TO EXTERNALLY VERIFY ELECTRONIC SIGNATURE Titre / Title : Auteur / Author : GENOTELLE ERIC Reference : DSI-ASP-PR-3924 Vged=6 Signed by: FR, Thales Alenia Space, DERREY HELENE, [email protected] Cert. issued by: FR, Thales Alenia Space, "TAS Signature Service CA ", [email protected] Signing reason: Initiateur Signing date: 24/07/2007 11:01:33 Signed by: FR, Thales Alenia Space, BOURDEAU ERIC, [email protected] Cert. issued by: FR, Thales Alenia Space, "TAS Signature Service CA ", [email protected] Signing reason: signature Signing date: 28/08/2007 19:52:47 Signed by: FR, Thales Alenia Space, NAUT PIERRE LOUIS, [email protected] Cert. issued by: FR, Thales Alenia Space, "TAS Signature Service CA ", [email protected] Signing reason: Approver Signing date: 30/08/2007 11:00:36 This document has been digitally signed and timestamped. To verify signatures validity, please refer to procedure and tools available on web site pki.thalesaleniaspace.fr/pki/ By default, signatures validity is unknown. The ? icon is present on each signature. After verification, the ? icon disappears if signature is valid. Last product update: july 2006. Tous droits réservés Thales Alenia Space All rights reserved Page laissée blanche intentionnellement Blank page intentionally left Tous droits réservés Thales Alenia Space All rights reserved REFERENCE : DSI-ASP-PR-3924 SIGNATURE VERIFICATION DATE : 28/05/2007 ISSUE : 5 PROCEDURE TO EXTERNALLY VERIFY ELECTRONIC SIGNATURE Written by Responsibility-Company Hélène DERREY Engineer – ATOS ORIGIN Verified by PL NAUT IS/ES/PS Approved E. BOURDEAU IS/ES Tous droits réservés Ó Thales Alenia Space All rights reserved Page : 1 / 20 REFERENCE : DSI-ASP-PR-3924 SIGNATURE VERIFICATION DATE : 28/05/2007 ISSUE : 5 Page : 2 / 20 CHANGE RECORDS ISSUE DATE 1 2 3 4 5 17/10/03 01/05/04 20/09/04 01/07/06 28/05/2007 § : CHANGE RECORD Creation General correction Addition of a FAQ, external access Timestamp and new Alcatel Alenia Space certificate authorities Convergence Thales Alenia Space Tous droits réservés Ó Thales Alenia Space All rights reserved AUTHOR Eric GENOTELLE Eric GENOTELLE Eric GENOTELLE Eric GENOTELLE Hélène DERREY REFERENCE : DSI-ASP-PR-3924 SIGNATURE VERIFICATION DATE : 28/05/2007 ISSUE : 5 Page : 3 / 20 TABLE OF CONTENTS 1. INTRODUCTION 4 2. ELECTRONIC SIGNATURE CONCEPTS 5 3. 2.1 WHAT IS ELECTRONIC SIGNATURE ? 5 2.2 WHAT ARE ELECTRONIC SIGNATURE BENEFITS ? 5 2.3 HOW DOES IT WORK ? 5 2.4 THALES ALENIA SPACE ELECTRONIC SIGNATURE FEATURES 6 SIGNATURE VERIFICATION PROCEDURE 8 3.1 PREREQUISITE 8 3.2 SIGNATURE VERIFICATION POINTS 8 3.3 VERIFICATION PROCEDURE 3.3.1 NORMAL WORK 3.3.2 IF THE DOCUMENT HAS BEEN MODIFIED… 3.3.3 IF SIGNATURE CERTIFICATES ARE NOT VALID… 4. 5. 6. ANNEX A: SOFTWARE INSTALLATION 8 8 10 10 12 4.1 INSTALLATION OF ADOBE ACROBAT READER 4.1.1 PRODUCT DOWNLOAD 4.1.2 INSTALLATION 12 12 12 4.2 INSTALLATION OF UTIMACO SIGN&CRYPT FOR ACROBAT 4.2.1 PRODUCT DOWNLOAD 4.2.2 INSTALLATION 4.2.3 CONFIGURATION 12 12 12 12 4.3 13 INSTALLATION OF CERTIFICATE AUTHORITY CERTIFICATES ANNEX B: ELECTRONIC SIGNATURE PRINCIPLES 17 5.1 SIGNATURE APPOSITION 17 5.2 SIGNATURE VERIFICATION 17 ANNEX C - FAQ AND PROBLEM 18 Tous droits réservés Ó Thales Alenia Space All rights reserved SIGNATURE VERIFICATION REFERENCE : DSI-ASP-PR-3924 DATE : 28/05/2007 ISSUE : 5 Page : 4 / 20 1. INTRODUCTION This document describes how to verify electronic signatures of Thales Alenia Space documents. This document is intended to anyone who: · has to electronically verify digital signatures of documents delivered by Thales Alenia Space · wishes to get an overview of electronic signature concepts, · wishes to get an overview of electronic signature solution in Thales Alenia Space. The electronic signature After a presentation on electronic signature concepts and its application to Thales Alenia Space, this document describes the procedure to verify electronic signature. An annex describes all installation software you need to perform. Another one presents signature principles. This document may be download from: · http://ged/doc.htm?ref=DSI-ASP-PR-3924 for Thales Alenia Space people · http://pki.thalesaleniaspace.fr/pki/doc/DSI-ASP-PR-3924.pdf for everyone (Internet access) Tous droits réservés Ó Thales Alenia Space All rights reserved SIGNATURE VERIFICATION REFERENCE : DSI-ASP-PR-3924 DATE : 28/05/2007 ISSUE : 5 Page : 5 / 20 2. ELECTRONIC SIGNATURE CONCEPTS 2.1 What is electronic signature ? Electronic signature provides two services: · integrity of the document : it guarantees the document has not been modified since it was signed. I received a document signed by Alice. How can I be sure it has not been modified since the signature ? · · Bob Alice non-repudiation : it guarantees the signer cannot deny he does not sign it. How can I be sure that Alice will not pretend she has not signed the document ? Bob Alice 2.2 What are electronic signature benefits ? Electronic signature allows: · to exchange contractually electronic documents · to reduce cost for the provider: · no more paper signature to be manually distributed, archived,… · no more document "physical" delivery (.i.e. through DHL…). Paper document weight is significant. · it reduces signature duration process thanks to a signature workflow · to reduce cost for the customer · electronic verification process may be performed much quicker than manual control. · to improve signature process quality · to reduce exchange duration 2.3 How does it work ? · It is based on ciphering algorithms using private/public key of a signer. · A signer is identified through the mean of a certificate. · A certificate is a person’s digital identity. It links some information about the person with its public key. · Certificates are delivered, signed and maintained by a Certification Authority (CA). They follow standards (X.509 v3) Tous droits réservés Ó Thales Alenia Space All rights reserved REFERENCE : DSI-ASP-PR-3924 SIGNATURE VERIFICATION DATE : 28/05/2007 ISSUE : 5 Page : 6 / 20 Serial Number : 6cb0dad0137a5fa79888f Validity : Nov. 08, 2002 - Nov. 08, 2004 Thales’s X.509 Certificate Subject / Name / Organization Organization = Thales Alenia Space Common Name = Pierre-Louis NAUT Email Address = [email protected] Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcq m85k309nviidywtoofkkr2834kl Signed By : Thales Alenia Space kdiowurei495729hshsg0925h309afhwe09721h481 903207akndnxnzkjoaioeru10591328y5 CA Digital Signature Thales’s CA 1 Figure 1 : Certificate feature · Signature is produced with the private key of the signer · Signature is verified with the public key of the signer. · If one character of document is modified since signature apposition, the signature verification will detect it ! · · The annex B details signature principles. · 2.4 Thales Alenia Space Electronic signature features · Thales Alenia Space provides a signature system allowing to sign PDF documents. · Signatures are embedded in the PDF documents. · Signature proofs, i.e. signer certificates and CA certificates, are also embedded in the PDF document, so that verifier has all the necessary elements to check signatures. · PDF documents are signed though Acrobat plug-in technology, using UTIMACO Sign&Crypt plugin. · Thales Alenia Space signature is compliant to signature standards: X.509v3, PKCS#7, … · Signatures may be verified through free tools according to the procedure defined in § 3. · · Thanks to Acrobat technology, signatures have also a visible render, mentioning : · signer identify (full name, email address) · CA identity · signature date · signature reason (i.e. Writer, Approving, …) All visible signatures are stored in a heading page. Tous droits réservés Ó Thales Alenia Space All rights reserved SIGNATURE VERIFICATION REFERENCE : DSI-ASP-PR-3924 DATE : 28/05/2007 ISSUE : 5 Page : 7 / 20 Figure 2 : Visible signatures of heading page · A signed PDF document may be viewed with a standard ADOBE Acrobat Reader. · Signatures of a signed PDF document may be viewed (but not checked) and print from a standard ADOBE Acrobat Reader. · Signatures of a signed PDF document may be checked with ADOBE Acrobat Reader and an additional UTIMACO plug-in for a ADOBE Acrobat Reader (see 4.2). This plug-in is free of charge. · Signatures are put according to a signature process defined below: · Most signers sign with internal certificates. Thales Alenia Space delivers internal certificates to all Thales Alenia Space users. · A qualified user may sign with a Corporate certificate, in order to certify/guarantee the signature process. Thales Corporate (ASKI) delivers Corporate certificates to "qualified" users such as document manager, program manager, … Document to be signed Internal Signatures Signature Signature 1 Signature 2 … Certifying Signature Signature 1 Signature 2 … Corporate Signature PDF Internal certificates Corporate certificates Figure 3 : Thales Alenia Space signature Process · Signer may be identified in the signature according to his email address (i.e. [email protected]) or his full name (i.e. Pierre-Louis NAUT). Email address and full name are parts of the signer certificate subject. · The signature server provides the signature date. · Since 2006, signature are timestamped thanks to a timestamp server. Tous droits réservés Ó Thales Alenia Space All rights reserved REFERENCE : DSI-ASP-PR-3924 SIGNATURE VERIFICATION DATE : 28/05/2007 ISSUE : 5 Page : 8 / 20 3. SIGNATURE VERIFICATION PROCEDURE 3.1 Prerequisite To verify signatures of PDF documents signed by Thales Alenia Space, you need to have installed on a PC: · Adobe Acrobat Reader 5.1 or higher (cf. installation in 4.1) · UTIMACO Sign&Crypt for Acrobat Reader (cf. installation in 4.2) · Certificates of CA (cf. installation in 4.3) All of these components are free of charge. PC operating system may be Windows NT 4.0, Windows 2000, Win XP. 3.2 Signature verification points The following table defines signature verification points: Signature verification points Document signature Signer certificate signature Signer certificate validity date Certificate Authority trust chain Comment See principles in § 5.2 See principles in § 5.2 where the document to be signed is the certificate Look if the signature date is between the "Not before" date and the "Not after" date. These date are parts of certificate. Check certificates signature of all CA involved in trust chain. At that time, there is no CRL (Certificate Revocation List) check. 3.3 Verification procedure 3.3.1 Normal work · Open the PDF signed document from ADOBE Acrobat Reader. · Display all signatures thanks to Signatures tab. · All signatures are tagged with a question mark ("?"), which means that signer certificates have not been yet verified. · Go to Signature button and select the option "Authenticate all signatures" (in French "Authentifier toutes les signatures") · Tous droits réservés Ó Thales Alenia Space All rights reserved SIGNATURE VERIFICATION REFERENCE : DSI-ASP-PR-3924 DATE : 28/05/2007 ISSUE : 5 Page : 9 / 20 · If signer certificates are OK, Acrobat Reader tags them with a green V (ü). · In expanding signature in the left frame, we may see signature properties: signer name, signature date, signature reason, … · To get details on signature and certificate, click right on signature of the left frame. Select Properties menu item. A window displaying signature properties appears. To have information on certificate, select Show button Tous droits réservés Ó Thales Alenia Space All rights reserved SIGNATURE VERIFICATION REFERENCE : DSI-ASP-PR-3924 DATE : 28/05/2007 ISSUE : 5 Page : 10 / 20 3.3.2 If the document has been modified… · If the document has been modified since signature, Acrobat indicates it the signature left frame "The document has been modified". 3.3.3 If signature certificates are not valid… · If signer certificates cannot be verified or are not OK, Acrobat Reader indicates it: the signature is tagged with a red cross X. Tous droits réservés Ó Thales Alenia Space All rights reserved SIGNATURE VERIFICATION · REFERENCE : DSI-ASP-PR-3924 DATE : 28/05/2007 ISSUE : 5 Page : 11 / 20 To know the reason, click right on signature then Properties. Acrobat displays the problem reason in the validity area. Tous droits réservés Ó Thales Alenia Space All rights reserved REFERENCE : DSI-ASP-PR-3924 SIGNATURE VERIFICATION DATE : 28/05/2007 ISSUE : 5 Page : 12 / 20 4. ANNEX A: SOFTWARE INSTALLATION This section describes the components you have to install to verify Thales Alenia Space document signatures. It consists in: 1. installing ADOBE Acrobat Reader 5.1 or higher 2. installing UTIMACO Sign&Crypt for Acrobat Reader 4.0.0006 or higher 3. installing CA certificates 4.1 Installation of ADOBE Acrobat Reader 4.1.1 Product download · With a browser, go to the site http://www.adobe.com · Then get ADOBE Acrobat Reader by clicking on Follow instruction and fill ADOBE forms. Select the option "Do not use Adobe Download Manager" if you want to download the full installable version. · Then ADOBE asks you where to save the installable file, whose default name is for example AdbeRdr60_fra_full.exe. 4.1.2 Installation · With the file explorer, run the installable file then follow instructions. 4.2 Installation of UTIMACO Sign&Crypt for Acrobat 4.2.1 Product download · With a browser, go to the site http://pki.thalesaleniaspace.fr/pki/tools/ then download the product Sign&Crypt for Acrobat Reader 4.2.2 Installation · You should have Acrobat Reader 5.1 or more higher installed. · With the file explorer, run the installable file then follow instructions. 4.2.3 Configuration · Run Acrobat Reader · An UTIMACO splash window should briefly appear when Acrobat is starting. · Go to the menu Edition / Preferences / TS SafeGuard Sign&Crypt… Tous droits réservés Ó Thales Alenia Space All rights reserved REFERENCE : DSI-ASP-PR-3924 SIGNATURE VERIFICATION DATE : 28/05/2007 ISSUE : 5 Page : 13 / 20 In the CRL tab: · Select the option Check certificate trust chain when validating signature. This option allows to check, in addition to signature check and certificate validity date check, certificate trust chain. · Select the option Do not use CA/Root certificates stored in the message. This option allows to perform the trust chain according to the Windows certificate store, and not CA certificates located in the document. In the “horodatage” tab, leave all fields empty. 4.3 Installation of Certificate Authority certificates Because trust chain verification is performed according to Windows certificate store (more reliable than the document), all the certificate authorities have to be declared in this store. The following table lists all the CA certificates to be installed. Tous droits réservés Ó Thales Alenia Space All rights reserved REFERENCE : DSI-ASP-PR-3924 SIGNATURE VERIFICATION DATE : 28/05/2007 ISSUE : 5 Page : 14 / 20 CA certificates Download URL Description Thales Alenia Space http://pki.thalesaleniaspace.fr/pki/cer/tas_root_ca.c Father of Thales Alenia Space Ged Root CA er CA Subject: E = [email protected] CN = Thales Alenia Space RootCA O = Thales Alenia Space C = FR Signature : 85 3a 96 69 3c 83 a6 37 d4 36 83 f7 76 41 3c 1b 98 9e 5d 06 Thales Alenia Space http://pki.thalesaleniaspace.fr/pki/cer/tas_cacert.ce Ged CA r CA delivering internal certificates for all Thales Alenia Space signers Subject: E = [email protected] CN = TAS Signature Service CA O = Thales Alenia Space C = FR Signature : b5 15 7f a5 61 44 da d6 7b a1 59 b4 54 a7 d2 33 6e 1a f1 33 Tableau 1 : CA involved in signature trust chain (*) These certificates have to be installed only if Thales Corporate certificates are involved in signature process. · Download the CA certificate from URL · With the file explorer, double-click on the certificate file (.cer). · It opens certificate properties Windows. · Click on Install certificate… button. Tous droits réservés Ó Thales Alenia Space All rights reserved SIGNATURE VERIFICATION · It opens a certificate import wizard Windows. · Click on Next button. · Let the default option (Automatically…) · Click on Next button. · Click on Finish button. · To the question "Do you want to add the following certificate to the XXX store…", answer Yes. Tous droits réservés Ó Thales Alenia Space REFERENCE : DSI-ASP-PR-3924 DATE : 28/05/2007 ISSUE : 5 All rights reserved Page : 15 / 20 SIGNATURE VERIFICATION · REFERENCE : DSI-ASP-PR-3924 DATE : 28/05/2007 ISSUE : 5 The CA importation is terminated. Tous droits réservés Ó Thales Alenia Space All rights reserved Page : 16 / 20 REFERENCE : DSI-ASP-PR-3924 SIGNATURE VERIFICATION DATE : 28/05/2007 ISSUE : 5 Page : 17 / 20 5. ANNEX B: ELECTRONIC SIGNATURE PRINCIPLES This section describes electronic signature principles defined by the following figure. CA Document Document Document secret public public HASH HASH Sign RSA HASH RSA Digital Signature Digital Signature Verify Internet Document Document Document Figure 4 : Signature principles 5.1 Signature apposition · A hash of a document is computed , according to a hash function (typically MD5 algorithm) · The hash is coded with the private key of the signer, according to a crypt function (typically RSA algorithm) · This crypted hash is the document signature. · The document and the signature are sent to the recipient. 5.2 Signature verification · The recipient receives the document and the signature. · The hash of a document is computed, with the same hash algorithm as the one used for signature apposition. · The signature (crypted hash) is decrypted, with the same algorithm as the one used for signature apposition and with the public key of the signer. The public key may be found in the certificate that is usually annexed with document and signature. · The 2 hashes are compared. If they are the same, the signature is OK. If not, the signature is KO. Tous droits réservés Ó Thales Alenia Space All rights reserved SIGNATURE VERIFICATION REFERENCE : DSI-ASP-PR-3924 DATE : 28/05/2007 ISSUE : 5 Page : 18 / 20 6. ANNEX C - FAQ AND PROBLEM Question Answer Question Answer Question Answer Question Answer Sign&Crypt for Acrobat Reader can not be installed. When running Sign&Crypt for Acrobat Reader setup, this one is indicating Acrobat Reader version is incorrect Please check the version of Acrobat Reader. It should be greater than 5.1 I have the full Acrobat 6.0 pack installed. Sign&Crypt for Acrobat Reader cannot be installed. The full Acrobat 6.0 pack may not include Acrobat Reader. Sign&Crypt for Acrobat Reader works only with Acrobat Reader. In this case, please first install Acrobat Reader. When I'm trying to verify a signature, I get an error message pointing out that signature cannot be verified due to an invalid or missing signature pilot. Sign&Crypt for Acrobat Reader is not installed. Please install it. I have the full Acrobat 6.0 pack and Acrobat Reader installed on my PC. When I'm opening a PDF document with the explorer or with IE navigator, the PDF document is opened with Acrobat and not Acrobat Reader, so I cannot verify signatures. It's a normal and standard behavior of Acrobat product. To solve the problem, start Acrobat Reader before opening PDF document. It will force PDF document opening with Acrobat Reader. Question Answer When opening a digitally signed PDF document with IE, Acrobat Reader traps. It happens sometimes with Acrobat Reader 6.0 and when the option 'authenticate all signatures when opening a document'. Please unselect this option. Nevertheless, it is not recommended to have this option selected. Verifying signatures may take time, so may penalize the user whereas it is not necessary to systematically perform signature verification. Question When performing signatures verification on a PDF document containing multiple signatures with Acrobat Reader 6.0, all signatures status are OK, but for all signatures except the last one, Acrobat indicates the document has been modified since the signature apposition. It's a behavior for Acrobat 6.0 that considers signature apposition is a modification. Each new signature apposition generates a new revision of the document. If you made a comparison between 2 revisions, you will notice the only change is signature apposition. This comparison can be performed only with Acrobat. Note: you do not have this inconvenient with Acrobat 5.1 . Answer Tous droits réservés Ó Thales Alenia Space All rights reserved SIGNATURE VERIFICATION Question Answer REFERENCE : DSI-ASP-PR-3924 DATE : 28/05/2007 ISSUE : 5 Page : 19 / 20 When I print a document, information such as title, author, reference, are not printed in the signature page. You have to print the document with the option "Document and comments" selected. Tous droits réservés Ó Thales Alenia Space All rights reserved SIGNATURE VERIFICATION REFERENCE : DSI-ASP-PR-3924 DATE : 28/05/2007 ISSUE : 5 END OF DOCUMENT Tous droits réservés Ó Thales Alenia Space All rights reserved Page : 20 / 20