18
AOL AIM and Document Signing Dartmouth College PKI Lab

AOL AIM and Document Signing

  • Upload
    aimon

  • View
    34

  • Download
    2

Embed Size (px)

DESCRIPTION

AOL AIM and Document Signing. Dartmouth College PKI Lab. AOL AIM for Windows implements PKI for secure messaging: Each message signed and encrypted using personal PKI credentials Assures identity of sender Guarantees privacy of contents of messages Not necessarily overkill: - PowerPoint PPT Presentation

Citation preview

Page 1: AOL AIM and Document Signing

AOL AIM and Document Signing

Dartmouth College PKI Lab

Page 2: AOL AIM and Document Signing

Instant Messaging• AOL AIM for Windows implements PKI for

secure messaging:– Each message signed and encrypted using

personal PKI credentials– Assures identity of sender– Guarantees privacy of contents of messages

• Not necessarily overkill:– ISTS system administrators discuss sensitive

network and server configuration information– No noticeable delay due to overhead for signature

and encryption

Page 3: AOL AIM and Document Signing
Page 4: AOL AIM and Document Signing
Page 5: AOL AIM and Document Signing

Instant Messaging

• Kudos to AOL for a clean and innovative product.

• But…– Encryption and signing not (yet) interoperable

with other IM implementations– Should be easier to import trusted root certificates

Page 6: AOL AIM and Document Signing

Document Signing

• Digital signature embedded in a document authenticates its source and enables detection of tampering:– Text documents (Word, Acrobat)– Spreadsheets (Excel)– Presentations (PowerPoint)– XML forms (Infomosaic)

Page 7: AOL AIM and Document Signing

Document Signing Uses• Streamline business processes:

– Move paper-based processes online without sacrificing security (e.g. hiring authorization, requisitions, expense reports, grant applications)

– Electronic forms transmission, tracking, and processing while still allowing the crucial human authorization steps

– Secure transmission of business information without requiring it be sent on signed paper

• Intra-institutional transactions (within or between departments)

• Inter-institutional transactions (among Higher Education institutions or with government) – use HEBCA or USHER for inter-institutional trust

Page 8: AOL AIM and Document Signing

Signed Word Document

Page 9: AOL AIM and Document Signing

Signed PowerPoint Document

Page 10: AOL AIM and Document Signing

Signed Excel Spreadsheet

Page 11: AOL AIM and Document Signing

Signing Office Documents• To sign, select “Tools -> Options -> Digital

Signatures…”• Must save before signing• Saving changes after signing removes

signatures (to protect against tampering after signing)

• Can have multiple signatures• User interface could use some improvement• Beware of macros – can change apparent

content without requiring a save (sort of like changing ink on a signed paper document)

Page 12: AOL AIM and Document Signing

Signed Acrobat (PDF) Document• Requires proper version of Acrobat.• No macro vulnerability.• Can use write-only form (write protected by

institution) with user digital signature to implement electronic signed “fill in the blanks” style forms.

Page 13: AOL AIM and Document Signing

Signed XML Forms• End user signing requires an application like

Infomosaic’s SecureSign/SecureXML.• Uses XML digital signatures standards.• Standard XML forms can be generated and

processed by any application that adheres to the proper standards.

• Enables truly platform and application independent digital signing of electronic transactions (critical component of Web Services).

Page 14: AOL AIM and Document Signing

NIH EDUCAUSE HEBCA Demo

• XML form signing with two signatures:– Signer– Institutional co-signer (pre-registered with Federal

receipt server)

• Document is signed by signer and co-signer at one institution and then submitted to another institution.

• Current proof of concept has Federal government as recipient, but can work for any two organizations.

Page 15: AOL AIM and Document Signing

NIH EDUCAUSE HEBCA Demo• Uses HEBCA & FBCA bridges so the receipt

server can trust signatures made with Higher Education PKI credentials

• Read-only form provided by recipient (Federal agency in the proof of concept) and processed automatically upon receipt

• Fine work by Peter Alterman and many others (including a number of our colleagues)

• Award winning proof of concept

Page 16: AOL AIM and Document Signing

NIH EDUCAUSE HEBCA Demo• Federal receipt and authorization server:

– Checks validity of signer and co-signer certificates and if they are issued by a trusted institution’s PKI

– Verifies that the co-signer is properly registered as an authorized co-signer for the signer’s institution

– Verifies that the co-signer and signer are different individuals

– Acknowledges secure and proper receipt of submission via web page and email

– Use secure SSL for all transactions

Page 17: AOL AIM and Document Signing

Federal AgencyPortal

UN IVERSITY

College/University

Internalworkflow

Applicant & cosigner

Internet

Receipt andAuthorization

Server

Agency Server

FBCA

HEBCA

AuditLog

UN VERS TY

CA @ College/University

IBM

Agency Back EndProcessing (Phase 4)

DigitallySigned

XML form

DigitallySigned

XML form.

DigitallySigned

XML form.

DigitallySigned

XML form.

Validate certs

XML form

Receipt message

XML form

XML formcerts

Transactionrecord

Page 18: AOL AIM and Document Signing

NIH EDUCAUSE HEBCA Demo

• Caveats:– I’m new to this application– Just got everything running properly today ;-)– I had to use a test certificate for the signer since I

only have one Dartmouth identity– This is a proof of concept