dsi-asp-pr-3924 - Thales Alenia Space

Transcription

Page de signatures électroniques / Electronic Signatures Page
Information Documentaire / Document Information
PROCEDURE TO EXTERNALLY VERIFY ELECTRONIC SIGNATURE
Titre / Title :
Auteur / Author : GENOTELLE ERIC
Reference : DSI-ASP-PR-3924 Vged=6
Signed by: FR, Thales Alenia Space, DERREY HELENE, [email protected]
Cert. issued by: FR, Thales Alenia Space, "TAS Signature Service CA ", [email protected]
Signing reason: Initiateur
Signing date: 24/07/2007 11:01:33
Signed by: FR, Thales Alenia Space, BOURDEAU ERIC, [email protected]
Signing reason: signature
Signing date: 28/08/2007 19:52:47
Signed by: FR, Thales Alenia Space, NAUT PIERRE LOUIS, [email protected]
Signing reason: Approver
Signing date: 30/08/2007 11:00:36
This document has been digitally signed and timestamped. To verify signatures validity, please refer to procedure and tools available on web site pki.thalesaleniaspace.fr/pki/
By default, signatures validity is unknown. The ? icon is present on each signature. After verification, the ? icon disappears if signature is valid. Last product update: july 2006.
Tous droits réservés
 Thales Alenia Space
All rights reserved
Page laissée blanche intentionnellement
Blank page intentionally left
 Thales Alenia Space
All rights reserved
REFERENCE : DSI-ASP-PR-3924
SIGNATURE VERIFICATION
DATE :
28/05/2007
ISSUE :
5
PROCEDURE TO EXTERNALLY VERIFY
ELECTRONIC SIGNATURE
Written by
Responsibility-Company
Hélène DERREY
Engineer – ATOS ORIGIN
Verified by
PL NAUT
IS/ES/PS
Approved
E. BOURDEAU
IS/ES
Ó Thales Alenia Space
All rights reserved
Page : 1 / 20
DATE :
28/05/2007
ISSUE :
5
Page : 2 / 20
CHANGE RECORDS
ISSUE
DATE
1
2
3
4
5
17/10/03
01/05/04
20/09/04
01/07/06
28/05/2007
§ : CHANGE RECORD
Creation
General correction
Addition of a FAQ, external access
Timestamp and new Alcatel Alenia Space certificate authorities
Convergence Thales Alenia Space
All rights reserved
AUTHOR
Eric GENOTELLE
Eric GENOTELLE
Eric GENOTELLE
Eric GENOTELLE
Hélène DERREY
DATE :
28/05/2007
ISSUE :
5
Page : 3 / 20
TABLE OF CONTENTS
1.
INTRODUCTION
4
2.
ELECTRONIC SIGNATURE CONCEPTS
5
3.
2.1
WHAT IS ELECTRONIC SIGNATURE ?
5
2.2
WHAT ARE ELECTRONIC SIGNATURE BENEFITS ?
5
2.3
HOW DOES IT WORK ?
5
2.4
THALES ALENIA SPACE ELECTRONIC SIGNATURE FEATURES
6
SIGNATURE VERIFICATION PROCEDURE
8
3.1
PREREQUISITE
8
3.2
SIGNATURE VERIFICATION POINTS
8
3.3
VERIFICATION PROCEDURE
3.3.1 NORMAL WORK
3.3.2 IF THE DOCUMENT HAS BEEN MODIFIED…
3.3.3 IF SIGNATURE CERTIFICATES ARE NOT VALID…
4.
5.
6.
ANNEX A: SOFTWARE INSTALLATION
8
8
10
10
12
4.1
INSTALLATION OF ADOBE ACROBAT READER
4.1.1 PRODUCT DOWNLOAD
4.1.2 INSTALLATION
12
12
12
4.2
INSTALLATION OF UTIMACO SIGN&CRYPT FOR ACROBAT
4.2.1 PRODUCT DOWNLOAD
4.2.2 INSTALLATION
4.2.3 CONFIGURATION
12
12
12
12
4.3
13
INSTALLATION OF CERTIFICATE AUTHORITY CERTIFICATES
ANNEX B: ELECTRONIC SIGNATURE PRINCIPLES
17
5.1
SIGNATURE APPOSITION
17
5.2
17
ANNEX C - FAQ AND PROBLEM
18
All rights reserved
DATE :
28/05/2007
ISSUE :
5
Page : 4 / 20
1. INTRODUCTION
This document describes how to verify electronic signatures of Thales Alenia Space documents.
This document is intended to anyone who:
· has to electronically verify digital signatures of documents delivered by Thales Alenia Space
· wishes to get an overview of electronic signature concepts,
· wishes to get an overview of electronic signature solution in Thales Alenia Space.
The electronic signature
After a presentation on electronic signature concepts and its application to Thales Alenia Space, this
document describes the procedure to verify electronic signature.
An annex describes all installation software you need to perform.
Another one presents signature principles.
This document may be download from:
·
http://ged/doc.htm?ref=DSI-ASP-PR-3924 for Thales Alenia Space people
·
http://pki.thalesaleniaspace.fr/pki/doc/DSI-ASP-PR-3924.pdf for everyone (Internet access)
All rights reserved
DATE :
28/05/2007
ISSUE :
5
Page : 5 / 20
2. ELECTRONIC SIGNATURE CONCEPTS
2.1 What is electronic signature ?
Electronic signature provides two services:
·
integrity of the document : it guarantees the document has not been modified since it was signed.
I received a document signed by Alice.
How can I be sure it has not been modified since the
signature ?
·
·
Bob
Alice
non-repudiation : it guarantees the signer cannot deny he does not sign it.
How can I be sure that Alice will not pretend she has
not signed the document ?
Bob
Alice
2.2 What are electronic signature benefits ?
Electronic signature allows:
·
to exchange contractually electronic documents
·
to reduce cost for the provider:
·
no more paper signature to be manually distributed, archived,…
·
no more document "physical" delivery (.i.e. through DHL…). Paper document weight is significant.
·
it reduces signature duration process thanks to a signature workflow
·
to reduce cost for the customer
·
electronic verification process may be performed much quicker than manual control.
·
to improve signature process quality
·
to reduce exchange duration
2.3 How does it work ?
·
It is based on ciphering algorithms using private/public key of a signer.
·
A signer is identified through the mean of a certificate.
·
A certificate is a person’s digital identity. It links some information about the person with its public
key.
·
Certificates are delivered, signed and maintained by a Certification Authority (CA). They follow
standards (X.509 v3)
All rights reserved
DATE :
28/05/2007
ISSUE :
5
Page : 6 / 20
Serial Number : 6cb0dad0137a5fa79888f
Validity : Nov. 08, 2002 - Nov. 08, 2004
Thales’s X.509
Certificate
Subject / Name / Organization
Organization = Thales Alenia Space
Common Name = Pierre-Louis NAUT
Email Address = [email protected]
Public Key:
ie86502hhd009dkias736ed55ewfgk98dszbcvcq
m85k309nviidywtoofkkr2834kl
Signed By : Thales Alenia Space
kdiowurei495729hshsg0925h309afhwe09721h481
903207akndnxnzkjoaioeru10591328y5
CA Digital
Signature
Thales’s CA
1
Figure 1 : Certificate feature
·
Signature is produced with the private key of the signer
·
Signature is verified with the public key of the signer.
·
If one character of document is modified since signature apposition, the signature verification will
detect it !
·
·
The annex B details signature principles.
·
2.4 Thales Alenia Space Electronic signature features
·
Thales Alenia Space provides a signature system allowing to sign PDF documents.
·
Signatures are embedded in the PDF documents.
·
Signature proofs, i.e. signer certificates and CA certificates, are also embedded in the PDF
document, so that verifier has all the necessary elements to check signatures.
·
PDF documents are signed though Acrobat plug-in technology, using UTIMACO Sign&Crypt plugin.
·
Thales Alenia Space signature is compliant to signature standards: X.509v3, PKCS#7, …
·
Signatures may be verified through free tools according to the procedure defined in § 3.
·
·
Thanks to Acrobat technology, signatures have also a visible render, mentioning :
· signer identify (full name, email address)
· CA identity
· signature date
· signature reason (i.e. Writer, Approving, …)
All visible signatures are stored in a heading page.
All rights reserved
DATE :
28/05/2007
ISSUE :
5
Page : 7 / 20
Figure 2 : Visible signatures of heading page
·
A signed PDF document may be viewed with a standard ADOBE Acrobat Reader.
·
Signatures of a signed PDF document may be viewed (but not checked) and print from a
standard ADOBE Acrobat Reader.
·
Signatures of a signed PDF document may be checked with ADOBE Acrobat Reader and an
additional UTIMACO plug-in for a ADOBE Acrobat Reader (see 4.2). This plug-in is free of charge.
·
Signatures are put according to a signature process defined below:
·
Most signers sign with internal certificates. Thales Alenia Space delivers internal certificates to
all Thales Alenia Space users.
·
A qualified user may sign with a Corporate certificate, in order to certify/guarantee the
signature process. Thales Corporate (ASKI) delivers Corporate certificates to "qualified" users
such as document manager, program manager, …
Document to be signed
Internal Signatures
Signature
Signature 1
Signature 2
…
Certifying Signature
Signature 1
Signature 2
…
Corporate
Signature
PDF
Internal certificates
Corporate certificates
Figure 3 : Thales Alenia Space signature Process
·
Signer may be identified in the signature according to his email address (i.e. [email protected]) or his full name (i.e. Pierre-Louis NAUT). Email address and full
name are parts of the signer certificate subject.
·
The signature server provides the signature date.
·
Since 2006, signature are timestamped thanks to a timestamp server.
All rights reserved
DATE :
28/05/2007
ISSUE :
5
Page : 8 / 20
3. SIGNATURE VERIFICATION PROCEDURE
3.1 Prerequisite
To verify signatures of PDF documents signed by Thales Alenia Space, you need to have installed on a PC:
·
Adobe Acrobat Reader 5.1 or higher (cf. installation in 4.1)
·
UTIMACO Sign&Crypt for Acrobat Reader (cf. installation in 4.2)
·
Certificates of CA (cf. installation in 4.3)
All of these components are free of charge.
PC operating system may be Windows NT 4.0, Windows 2000, Win XP.
3.2 Signature verification points
The following table defines signature verification points:
Signature verification points
Document signature
Signer certificate signature
Signer certificate validity date
Certificate Authority trust chain
Comment
See principles in § 5.2
See principles in § 5.2 where the document to be signed is the
certificate
Look if the signature date is between the "Not before" date and
the "Not after" date. These date are parts of certificate.
Check certificates signature of all CA involved in trust chain.
At that time, there is no CRL (Certificate Revocation List) check.
3.3 Verification procedure
3.3.1 Normal work
·
Open the PDF signed document from ADOBE Acrobat Reader.
·
Display all signatures thanks to Signatures tab.
·
All signatures are tagged with a question mark ("?"), which means that signer certificates have not
been yet verified.
·
Go to Signature button and select the option "Authenticate all signatures" (in French
"Authentifier toutes les signatures")
·
All rights reserved
DATE :
28/05/2007
ISSUE :
5
Page : 9 / 20
·
If signer certificates are OK, Acrobat Reader tags them with a green V (ü).
·
In expanding signature in the left frame, we may see signature properties: signer name, signature
date, signature reason, …
·
To get details on signature and certificate, click right on signature of the left frame. Select
Properties menu item. A window displaying signature properties appears. To have information on
certificate, select Show button
All rights reserved
DATE :
28/05/2007
ISSUE :
5
Page : 10 / 20
3.3.2 If the document has been modified…
·
If the document has been modified since signature, Acrobat indicates it the signature left frame
"The document has been modified".
3.3.3 If signature certificates are not valid…
·
If signer certificates cannot be verified or are not OK, Acrobat Reader indicates it: the signature is
tagged with a red cross X.
All rights reserved
·
DATE :
28/05/2007
ISSUE :
5
Page : 11 / 20
To know the reason, click right on signature then Properties. Acrobat displays the problem reason
in the validity area.
All rights reserved
DATE :
28/05/2007
ISSUE :
5
Page : 12 / 20
4. ANNEX A: SOFTWARE INSTALLATION
This section describes the components you have to install to verify Thales Alenia Space document
signatures. It consists in:
1. installing ADOBE Acrobat Reader 5.1 or higher
2. installing UTIMACO Sign&Crypt for Acrobat Reader 4.0.0006 or higher
3. installing CA certificates
4.1 Installation of ADOBE Acrobat Reader
4.1.1 Product download
·
With a browser, go to the site http://www.adobe.com
· Then get ADOBE Acrobat Reader by clicking on
Follow instruction and fill ADOBE forms. Select the option "Do not use Adobe Download Manager" if you
want to download the full installable version.
·
Then ADOBE asks you where to save the installable file, whose default name is for example
AdbeRdr60_fra_full.exe.
4.1.2 Installation
·
With the file explorer, run the installable file then follow instructions.
4.2 Installation of UTIMACO Sign&Crypt for Acrobat
4.2.1 Product download
·
With a browser, go to the site http://pki.thalesaleniaspace.fr/pki/tools/ then download the product
Sign&Crypt for Acrobat Reader
4.2.2 Installation
·
You should have Acrobat Reader 5.1 or more higher installed.
·
With the file explorer, run the installable file then follow instructions.
4.2.3 Configuration
·
Run Acrobat Reader
·
An UTIMACO splash window should briefly appear when Acrobat is starting.
·
Go to the menu Edition / Preferences / TS SafeGuard Sign&Crypt…
All rights reserved
DATE :
28/05/2007
ISSUE :
5
Page : 13 / 20
In the CRL tab:
·
Select the option Check certificate trust chain when validating signature. This option allows
to check, in addition to signature check and certificate validity date check, certificate trust chain.
·
Select the option Do not use CA/Root certificates stored in the message. This option allows
to perform the trust chain according to the Windows certificate store, and not CA certificates located
in the document.
In the “horodatage” tab, leave all fields empty.
4.3 Installation of Certificate Authority certificates
Because trust chain verification is performed according to Windows certificate store (more reliable than the
document), all the certificate authorities have to be declared in this store.
The following table lists all the CA certificates to be installed.
All rights reserved
DATE :
28/05/2007
ISSUE :
5
Page : 14 / 20
CA certificates
Download URL
Description
Thales Alenia Space http://pki.thalesaleniaspace.fr/pki/cer/tas_root_ca.c Father of Thales Alenia Space Ged
Root CA
er
CA
Subject:
E = [email protected]
CN = Thales Alenia Space RootCA
O = Thales Alenia Space
C = FR
Signature :
85 3a 96 69 3c 83 a6 37 d4 36 83 f7 76
41 3c 1b 98 9e 5d 06
Thales Alenia Space http://pki.thalesaleniaspace.fr/pki/cer/tas_cacert.ce
Ged CA
r
CA delivering internal certificates for all
Thales Alenia Space signers
Subject:
E = [email protected]
CN = TAS Signature Service CA
O = Thales Alenia Space
C = FR
Signature :
b5 15 7f a5 61 44 da d6 7b a1 59 b4 54
a7 d2 33 6e 1a f1 33
Tableau 1 : CA involved in signature trust chain
(*) These certificates have to be installed only if Thales Corporate certificates are involved in signature
process.
·
Download the CA certificate from URL
·
With the file explorer, double-click on the certificate
file (.cer).
·
It opens certificate properties Windows.
·
Click on Install certificate… button.
All rights reserved
·
It opens a certificate import wizard Windows.
·
Click on Next button.
·
Let the default option (Automatically…)
·
Click on Next button.
·
Click on Finish button.
·
To the question "Do you want to add the following
certificate to the XXX store…", answer Yes.
DATE :
28/05/2007
ISSUE :
5
All rights reserved
Page : 15 / 20
·
DATE :
28/05/2007
ISSUE :
5
The CA importation is terminated.
All rights reserved
Page : 16 / 20
DATE :
28/05/2007
ISSUE :
5
Page : 17 / 20
5. ANNEX B: ELECTRONIC SIGNATURE PRINCIPLES
This section describes electronic signature principles defined by the following figure.
CA
Document
Document
Document
secret
public
public
HASH
HASH
Sign
RSA
HASH
RSA
Digital
Signature
Digital
Signature
Verify
Internet
Document
Document
Document
Figure 4 : Signature principles
5.1 Signature apposition
·
A hash of a document is computed , according to a hash function (typically MD5 algorithm)
·
The hash is coded with the private key of the signer, according to a crypt function (typically RSA
algorithm)
·
This crypted hash is the document signature.
·
The document and the signature are sent to the recipient.
5.2 Signature verification
·
The recipient receives the document and the signature.
·
The hash of a document is computed, with the same hash algorithm as the one used for signature
apposition.
·
The signature (crypted hash) is decrypted, with the same algorithm as the one used for signature
apposition and with the public key of the signer. The public key may be found in the certificate that
is usually annexed with document and signature.
·
The 2 hashes are compared. If they are the same, the signature is OK. If not, the signature is KO.
All rights reserved
DATE :
28/05/2007
ISSUE :
5
Page : 18 / 20
6. ANNEX C - FAQ AND PROBLEM
Question
Answer
Question
Answer
Question
Answer
Question
Answer
Sign&Crypt for Acrobat Reader can not be installed.
When running Sign&Crypt for Acrobat Reader setup, this one is indicating Acrobat
Reader version is incorrect
Please check the version of Acrobat Reader. It should be greater than 5.1
I have the full Acrobat 6.0 pack installed. Sign&Crypt for Acrobat Reader cannot
be installed.
The full Acrobat 6.0 pack may not include Acrobat Reader. Sign&Crypt for
Acrobat Reader works only with Acrobat Reader.
In this case, please first install Acrobat Reader.
When I'm trying to verify a signature, I get an error message pointing out that
signature cannot be verified due to an invalid or missing signature pilot.
Sign&Crypt for Acrobat Reader is not installed.
Please install it.
I have the full Acrobat 6.0 pack and Acrobat Reader installed on my PC.
When I'm opening a PDF document with the explorer or with IE navigator, the PDF
document is opened with Acrobat and not Acrobat Reader, so I cannot verify
signatures.
It's a normal and standard behavior of Acrobat product.
To solve the problem, start Acrobat Reader before opening PDF document. It will
force PDF document opening with Acrobat Reader.
Question
Answer
When opening a digitally signed PDF document with IE, Acrobat Reader traps.
It happens sometimes with Acrobat Reader 6.0 and when the option 'authenticate
all signatures when opening a document'.
Please unselect this option.
Nevertheless, it is not recommended to have this option selected. Verifying
signatures may take time, so may penalize the user whereas it is not necessary to
systematically perform signature verification.
Question
When performing signatures verification on a PDF document containing multiple
signatures with Acrobat Reader 6.0, all signatures status are OK, but for all
signatures except the last one, Acrobat indicates the document has been modified
since the signature apposition.
It's a behavior for Acrobat 6.0 that considers signature apposition is a
modification.
Each new signature apposition generates a new revision of the document. If you
made a comparison between 2 revisions, you will notice the only change is
signature apposition. This comparison can be performed only with Acrobat.
Note: you do not have this inconvenient with Acrobat 5.1 .
Answer
All rights reserved
Question
Answer
DATE :
28/05/2007
ISSUE :
5
Page : 19 / 20
When I print a document, information such as title, author, reference, are not
printed in the signature page.
You have to print the document with the option "Document and comments"
selected.
All rights reserved
DATE :
28/05/2007
ISSUE :
5
END OF DOCUMENT
All rights reserved
Page : 20 / 20

dsi-asp-pr-3924 - Thales Alenia Space

Transcription

Documents pareils

10 questions to ask yourself before renewing your home insurance

VIP Service Certificate—Germany Delivery Dealer Notice

Soda PDF Anywhere Release Notes

Recreational vehicles and their equipment

the form

For immediate release

Universal Adult Model Release for all Agencies

Buy house 5 Rooms CHAMROUSSE 82.2m²

US Bank Visa - University of Manitoba