
Cloud Signing: advanced PKI digital signatures made easy!
Posted by Liaquat Khan on 29-Jul-2015 14:12:00

INTRODUCTION:

A quick background: Advanced digital signatures require each user to have their
own unique signing key. The security of the system then relies on the fact that
the user's private signing key is not accessible to anyone else other than the
owner. If implemented properly it allows an independent judge to determine that
any digital signatures produced with the user's private key must have been
created by the owner and no one else - thereby delivering the "non-repudiation"
property where signers can't reasonably deny the signatures they have created.

The issue with digital signature technology in the past however has been the cost
and complexity of issuing each user with their own private signing key in a secure
manner! Now with the advent of cloud computing and in particular cloud HSMs
(Hardware Security Modules) the situation has changed dramatically - today
advanced digital signature technology can be low-cost, easy to use and secure so
that it can be applied to any business use case, even on a mass scale.

In this blog we look at why cloud signing is such a hot topic right now and how to
implement it properly.

Advanced digital signature requirements
There is much confusion between electronic signatures and PKI digital signatures.
You can learn more about it here, but as a quick note basic e-signing just adds the
user's mark on a document and does nothing to protect the integrity of the signed
document or to prove that the user actually made that mark.

With PKI digital signatures, cryptographic codes are created using privately-held
signing keys under the control of the signer which ensure data integrity and strong
authentication of the user - cryptographically-binding the user's authenticated
digital identity to their signed documents.

There are many cloud e-sign providers who simply implement basic electronic
signature squiggles on a document with no cryptographic evidence embedded into
the signed document to independently prove it was indeed the user who made that
mark. Most high-trust schemes however, require PKI-based digital signatures
where each user has their own private signing key. As an example consider:

EU Qualified Signatures - these are recognised as equivalent to handwritten ink
signatures in a court of law and require use of unique user keys held in secure
cryptographic hardware.

Adobe AATL Signatures - this is a trust scheme run by Adobe for its
Reader/Acrobat product range. It again requires unique user keys and protection of
these in secure cryptographic hardware. Adobe software will automatically mark
signatures as "trusted" if your signing key was certified by an AATL recognised
Certificate Authority (CA).

Traditionally the protection of the user's private signing key has been achieved by
storing it within tamper-resistant cryptographic hardware devices like smartcards
and secure USB tokens. These are PIN-protected and kept under the control of their
users.

Problems with smartcards / tokens & the rise of server-held keys
Although there are many examples of e-Trust schemes relying on
smartcards/tokens, in particular electronic ID (eID) cards issued by many
governments, the general purpose use of such devices has been limited. This is
mainly due to the following reasons:

• Complex to use - in the case of smartcards the user needs specialist reader
devices, which are not generally available. Using such devices on mobile phones is
even harder.

• Forgotten tokens - often users forget to bring their tokens when needed or
lose/misplace them. Also, use of such tokens in public areas is sometimes blocked
or there are no readers available.

• Expense to deploy - the cost of providing the secure devices (and readers) to each
end-user is often too high for most business applications where a large number of
users are involved.

• Browser compatibility issues - to use these smartcards/USB tokens requires
web applications to deploy Java applets, and latest versions of browsers (e.g.
Google Chrome) are blocking such technology because of various security
issues. Even where the browser allows Java, the frequent pop-up warning
messages make non-technical users nervous.

To overcome this the industry has been moving for some time to server-held signing
keys, i.e. each user's signing key is managed in a Hardware Security Module (HSM)
held centrally. As an example the new EU eIDAS Regulations allow EU Qualified
Signatures to be created using server-held signing keys as long as they are managed
securely. Similarly, Adobe AATL Signatures can also be created using server-held
keys.
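The server-held model described above, as an added example that is not SigningHub's or any cloud provider's code: a toy in-memory store stands in for the HSM, gives every user a unique key, signs only after that user's own secret is checked, and never returns a private key. Ed25519, the SHA-256 secret check and all names (KeyStore, Enroll, Sign, Verify) are assumptions of this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// entry is one user's private key plus a hash of their authorisation secret.
type entry struct {
	priv ed25519.PrivateKey
	auth [32]byte
}

// KeyStore is a toy stand-in for an HSM: no method ever returns a private key.
type KeyStore struct{ users map[string]entry }

func NewKeyStore() *KeyStore { return &KeyStore{users: map[string]entry{}} }

// Enroll creates a unique key pair inside the store; only the public key leaves.
func (s *KeyStore) Enroll(user, secret string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.users[user] = entry{priv, sha256.Sum256([]byte(secret))}
	return pub, nil
}

// Sign uses a user's key only after that user's own secret has been checked.
func (s *KeyStore) Sign(user, secret string, doc []byte) ([]byte, error) {
	e, ok := s.users[user]
	got := sha256.Sum256([]byte(secret))
	if !ok || subtle.ConstantTimeCompare(e.auth[:], got[:]) != 1 {
		return nil, errors.New("signer not authorised")
	}
	return ed25519.Sign(e.priv, doc), nil
}

// Verify needs only the public key, so any relying party can run it.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool { return ed25519.Verify(pub, doc, sig) }

func main() {
	store := NewKeyStore()
	pub, _ := store.Enroll("alice", "alice-secret") // constructed sample values
	sig, _ := store.Sign("alice", "alice-secret", []byte("pay 100 EUR"))
	fmt.Println(Verify(pub, []byte("pay 100 EUR"), sig), Verify(pub, []byte("pay 900 EUR"), sig))
}
```

The signature verifies only for the exact document under the enrolled user's public key, which is the integrity and signer-binding property a basic e-signature mark lacks.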

Before Cloud HSMs however the situation was quite complex if you wanted to
deploy a server-side signing solution. Basically you needed to purchase an HSM
appliance and install, configure, patch and maintain these security devices. So
although the complexity of smartcards/USB signing devices was hidden from the
end-user's perspective by using HSMs, IT departments still had the complexity of
managing these security devices.

Today both Azure and Amazon cloud platforms offer cloud HSMs as part of their
service. This means you can now deploy an advanced digital signature solution
using unique user signing keys with strong hardware-based protection, at a fraction
of the cost and complexity compared to an on-premise HSM solution, and at the
same time meet the needs of high-trust schemes like Adobe AATL and EU
regulations.

Cloud Signing with SigningHub


SigningHub has extensive support for secure cloud-based digital signatures which
includes:

• Support for Azure Key Vault HSMs - for generating and managing unique user keys and
creating advanced, EU Qualified and Adobe AATL signatures. SigningHub is the
first global signing platform to integrate with the Azure Key Vault, see the
Microsoft blog here for more details.

• Support for Amazon Web Services (AWS) HSMs - same as above but using the
Amazon Cloud HSMs.

• Ability to interwork with a number of existing PKI service provider partners for
AATL, EU Qualified and other high-trust certificates including:
  o LawTrust
  o DigitalSign
  o GlobalSign
  o Entrust Datacard
  o Commfides

• Ability to host your own private PKI infrastructure components like private
Certificate Authorities, OCSP Validation Authorities and Time Stamp Authority
(TSA) servers using Ascertia ADSS Server on the above cloud platforms.

Summary
Cloud-based digital signatures using unique individual PKI signing keys for every user
have many benefits:

• Ease of use for end-users: no need for card/token readers, specialist desktop
software to be installed or Java runtime environment
• Ability to sign from anywhere, anytime: avoid lost or forgotten tokens
• Easy management: no need to purchase, install, configure, patch or maintain
on-premise HSMs
• Immediate deployment: issue keys and start creating advanced PKI digital
signatures in minutes
• Enhance protection and compliance: by using strong unique cryptographic keys for
every user protected in FIPS 140-2 Level 2 HSMs
• Reduce latency and achieve global redundancy: cloud HSM services scale rapidly to
meet your business application needs for more keys during peak demands without
the complexities of on-premise dedicated HSMs. You can also implement global
redundancy by using cloud HSMs in multiple data centers.
• Reduce costs: the cost of using cloud HSMs is dramatically lower than that of a
dedicated on-premise HSM in terms of the hardware - this is not to even mention the
admin management overheads - which can be even higher!

Contact us to discuss how cloud signing can help transform your business.
