Digital Signature Signing Services
Krish IT provides two types of digital signing services. They are as follows:
- Client Side Signing Solution
- Server Side Signing Solution
Client Side Signing Solution
Client Side Signing Solution Web sockets
The web socket based client side signing solution is considered more reliable and easy to implement in all kinds of browsers. Krish IT developed a solution based on web sockets to provide digital signature functionality to any web socket compatible web browser.
It is a web socket server running over TCP. It listens on a designated port number on the local IP address and receives web socket connections from the browser. Based on the type of service request from the browser, it performs different operations and returns the result. All requests and responses are in JSON format.
How does it work?
Step 1 - Integration
- The web socket server component is installed on the client machine and invoked to run on the designated port number
- The client script code is integrated into the web application wherever digital signing is required
Step 2 - Working
- In the case of a DSC based signing solution, on the signing page the client script sends a web socket request to get the list of hardware token certificate details
- Make the required UI changes to fill in the certificate details once the server returns the list of certificate details
- Fill in all required details on the form and select the certificate to be used for digital signing
- On submission of the form, the client script sends a web socket request to digitally sign the data using the chosen certificate
- The web socket server computes the signature and returns base64 encoded signature data as the response
- On receipt of the signature data, the web application can send the signature for verification
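The Step 2 exchange above, sketched as an added example (not Krish IT's code) with the socket transport left out so that only the JSON message handling and the final verification are shown. The action names, JSON fields and allowed origin are assumptions, a software RSA key stands in for the hardware token, and the Origin allow-list is an added check the page does not describe: the browser sends the page's Origin in the web socket handshake, which lets a local signer decide which web applications may request signatures.

```javascript
// Added example: action names, JSON fields and origins below are assumptions, not the product's API.
const crypto = require('node:crypto');
// Constructed stand-in for the hardware token: a software RSA key pair.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const TOKEN = { 'cert-1': { subject: 'CN=Test Signer (constructed)', privateKey } };
// Only pages served from these origins may use the local signer (assumed value).
const APP_ORIGIN = 'https://app.example.test';
const ALLOWED_ORIGINS = new Set([APP_ORIGIN]);
const reply = (body) => JSON.stringify(body);

// Handle one JSON request from the socket; `origin` is the Origin header of the
// web socket handshake. Returns the JSON response string.
function handleRequest(origin, rawMessage) {
  if (!ALLOWED_ORIGINS.has(origin)) return reply({ ok: false, error: 'origin not allowed' });
  let req;
  try { req = JSON.parse(rawMessage); } catch { return reply({ ok: false, error: 'invalid JSON' }); }
  if (!req || typeof req !== 'object') return reply({ ok: false, error: 'invalid request' });
  if (req.action === 'listCertificates') {
    const certificates = Object.entries(TOKEN).map(([id, c]) => ({ id, subject: c.subject }));
    return reply({ ok: true, certificates });
  }
  if (req.action === 'sign') {
    const cert = Object.hasOwn(TOKEN, req.certId) ? TOKEN[req.certId] : null;
    if (!cert || typeof req.data !== 'string') return reply({ ok: false, error: 'bad sign request' });
    const signature = crypto.sign('sha256', Buffer.from(req.data, 'utf8'), cert.privateKey);
    return reply({ ok: true, certId: req.certId, signature: signature.toString('base64') });
  }
  return reply({ ok: false, error: 'unknown action' });
}

// Web application back end: verify the signature over the data it received in
// the form submission, using the signer's public key.
function verifySubmission(data, signatureB64, signerPublicKey) {
  const sig = Buffer.from(signatureB64, 'base64');
  return crypto.verify('sha256', Buffer.from(data, 'utf8'), signerPublicKey, sig);
}

// Walk through Step 2 with constructed form data.
function demo() {
  const list = JSON.parse(handleRequest(APP_ORIGIN, reply({ action: 'listCertificates' })));
  const form = 'invoice=1042;amount=250.00';
  const request = reply({ action: 'sign', certId: list.certificates[0].id, data: form });
  const signed = JSON.parse(handleRequest(APP_ORIGIN, request));
  return {
    valid: verifySubmission(form, signed.signature, publicKey),
    tampered: verifySubmission(form + '0', signed.signature, publicKey),
    foreignOrigin: JSON.parse(handleRequest('https://other.example.test', request)).ok,
  };
}
console.log(demo());
```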
Server Side Signing Solution
The server side component of the Server Side Signing Solution is the service module that generates keys based on the data provided by the core application. The application is tightly integrated with a Hardware Security Module for user key access. The module helps the core application to encrypt and decrypt data in any format. The signer module works at the server side, enabling the core application to get documents/data signed at the server level. This is a highly scalable application that can be integrated with a billing application through web services. The signer server can also be configured to provide additional levels of security, such as authentication of the signing request originator and password protection of keys stored in the HSM device.
Description:
- The Server Side Signing Solution application is capable of handling requests from multiple applications
- Whenever a signing request is initiated, the application shall forward the signing request to the Server Side Signing Solution application through the web services API by sending the byte array of the document
- The Server Side Signing Solution application shall fetch the digital signature certificates from the HSM and perform the signing of the document
- The digital signature shall be embedded in the document, which shall be pushed back to the application from which the request was initiated
Hardware Security Module (HSM)
A hardware security module (HSM) is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. Hardware security modules act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.
An HSM is a highly secure way of storing the digital signature certificate of an end user. These are highly scalable appliances which can sign a huge number of documents per second. These appliances are specifically meant for secure storage of the key pair as well as the digital signature certificate of the user. The appliance is FIPS 140-2 Level 3 certified. The Server Side Signing Solution application is tightly coupled with the HSM and interacts with it through the PKCS#11 interface.
The HSM is a physical appliance which can be connected over a network.
Security at a Glance:
- FIPS 140-2 (available in Level 2 and 3) validated
- Common Criteria EAL 4+ certified cryptographic module
- Keys in hardware
- Remote management
- Secure transport mode for high-assurance delivery
- Multi-level access control
- Multi-part splits for all access control keys
- Intrusion-resistant, tamper-evident hardware
- Secure Audit Logging
- Strongest cryptographic algorithms
- Suite B algorithm support
- Secure decommission
Features:
- Dual Hot Swap Power Supplies
- Multi-level access control
- Intrusion-resistant, tamper-evident hardware
- Field Serviceable Components
- Software upgradable
- Multiple Roles for Administration
- Strong Separation of Duties
- Partitioning and strong cryptographic separation
- Load Balancing and Scalability
- Host Trust Links – secure binding of client to HSM in Virtual Cloud Environment