Page de signatures électroniques / Electronic Signatures Page


This document has been digitally signed and timestamped. To verify signature validity, please refer to the procedure and tools available on the web site pki.thalesaleniaspace.fr/pki/

By default, signature validity is unknown: a ? icon is shown on each signature. After verification, the ? icon disappears if the signature is valid. Last product update: July 2006.

Thales Alenia Space. All rights reserved.

Signed by: FR, Thales Alenia Space, DERREY HELENE, helene.derrey@external.thalesaleniaspace.com
Cert. issued by: FR, Thales Alenia Space, "TAS Signature Service CA ", TASCSS@thalesaleniaspace.com
Signing reason: Initiateur
Signing date: 24/07/2007 11:01:33

Signed by: FR, Thales Alenia Space, BOURDEAU ERIC, eric.bourdeau@thalesaleniaspace.com
Cert. issued by: FR, Thales Alenia Space, "TAS Signature Service CA ", TASCSS@thalesaleniaspace.com
Signing reason: signature
Signing date: 28/08/2007 19:52:47

Signed by: FR, Thales Alenia Space, NAUT PIERRE LOUIS, pierre-louis.naut@thalesaleniaspace.com
Cert. issued by: FR, Thales Alenia Space, "TAS Signature Service CA ", TASCSS@thalesaleniaspace.com
Signing reason: Approver

Page intentionally left blank

PROCEDURE TO EXTERNALLY VERIFY ELECTRONIC SIGNATURE

Written by (responsibility - company): Hélène DERREY, Engineer – ATOS ORIGIN

Verified by: PL NAUT, IS/ES/PS

Approved:

CHANGE RECORDS

Issue | Date     | § | Change record                                                              | Author
1     | 17/10/03 |   | Creation                                                                   | Eric GENOTELLE
2     | 01/05/04 |   | General correction                                                         | Eric GENOTELLE
3     | 20/09/04 |   | Addition of a FAQ, external access                                         | Eric GENOTELLE
4     | 01/07/06 |   | Timestamp and new Alcatel Alenia Space certificate authorities             | Eric GENOTELLE

TABLE OF CONTENTS

1. INTRODUCTION
2. ELECTRONIC SIGNATURE CONCEPTS
2.1 WHAT IS ELECTRONIC SIGNATURE?
2.2 WHAT ARE ELECTRONIC SIGNATURE BENEFITS?
2.3 HOW DOES IT WORK?
2.4 THALES ALENIA SPACE ELECTRONIC SIGNATURE FEATURES
3. SIGNATURE VERIFICATION PROCEDURE
3.1 PREREQUISITE
3.2 SIGNATURE VERIFICATION POINTS
3.3 VERIFICATION PROCEDURE
3.3.1 NORMAL WORK
3.3.2 IF THE DOCUMENT HAS BEEN MODIFIED…
3.3.3 IF SIGNATURE CERTIFICATES ARE NOT VALID…
4. ANNEX A: SOFTWARE INSTALLATION
4.1 INSTALLATION OF ADOBE ACROBAT READER
4.1.1 PRODUCT DOWNLOAD
4.1.2 INSTALLATION
4.2 INSTALLATION OF UTIMACO SIGN&CRYPT FOR ACROBAT
4.2.1 PRODUCT DOWNLOAD
4.2.2 INSTALLATION
4.2.3 CONFIGURATION
4.3 INSTALLATION OF CERTIFICATE AUTHORITY CERTIFICATES
5. ANNEX B: ELECTRONIC SIGNATURE PRINCIPLES
5.1 SIGNATURE APPOSITION
5.2 SIGNATURE VERIFICATION

1. INTRODUCTION

This document describes how to verify electronic signatures of Thales Alenia Space documents. It is intended for anyone who:

· has to electronically verify digital signatures of documents delivered by Thales Alenia Space,
· wishes to get an overview of electronic signature concepts,
· wishes to get an overview of the electronic signature solution in Thales Alenia Space.

After a presentation of electronic signature concepts and their application at Thales Alenia Space, this document describes the procedure to verify an electronic signature.

One annex describes the software you need to install; another presents signature principles.

This document may be downloaded from:

· http://ged/doc.htm?ref=DSI-ASP-PR-3924 for Thales Alenia Space people

2. ELECTRONIC SIGNATURE CONCEPTS

2.1 What is electronic signature?

Electronic signature provides two services:

· integrity of the document: it guarantees the document has not been modified since it was signed. (Bob, receiving a document signed by Alice: "How can I be sure it has not been modified since the signature?")

· non-repudiation: it guarantees the signer cannot deny having signed it. (Bob: "How can I be sure that Alice will not pretend she has not signed the document?")

2.2 What are electronic signature benefits?

Electronic signature allows:

· to exchange electronic documents contractually;
· to reduce cost for the provider:
  · no more paper signatures to be manually distributed, archived, …
  · no more "physical" delivery of documents (e.g. through DHL, …); paper document weight is significant;
  · it reduces the duration of the signature process thanks to a signature workflow;
· to reduce cost for the customer:
  · the electronic verification process may be performed much quicker than manual control;
· to improve signature process quality;
· to reduce exchange duration.

2.3 How does it work?

· It is based on ciphering algorithms using the private/public key pair of a signer.
· A signer is identified by means of a certificate.
· A certificate is a person's digital identity. It links some information about the person with their public key.
· Certificates are delivered, signed and maintained by a Certification Authority (CA). They follow standards (X.509 v3).

Figure 1: Certificate features (example X.509 certificate: Serial Number 6cb0dad0137a5fa79888f; Validity Nov. 08, 2002 - Nov. 08, 2004; Subject with Organization = Thales Alenia Space, Common Name = Pierre-Louis NAUT, Email Address = pierre-louis.naut@thalesaleniaspace.fr; the subject's Public Key; and the CA digital signature "Signed By: Thales Alenia Space" produced by Thales's CA)

· The signature is produced with the private key of the signer.
· The signature is verified with the public key of the signer.
· If one character of the document is modified after signature apposition, the signature verification will detect it!
· Annex B details signature principles.

2.4 Thales Alenia Space Electronic signature features

· Thales Alenia Space provides a signature system allowing PDF documents to be signed.
· Signatures are embedded in the PDF documents.
· Signature proofs, i.e. signer certificates and CA certificates, are also embedded in the PDF document, so that the verifier has all the elements necessary to check signatures.
· PDF documents are signed through Acrobat technology, using the UTIMACO Sign&Crypt plug-in.
· Thales Alenia Space signature is compliant with signature standards: X.509v3, PKCS#7, …
· Signatures may be verified with free tools according to the procedure defined in § 3.
· Thanks to Acrobat technology, signatures also have a visible rendering, mentioning:
  · signer identity (full name, email address)
  · CA identity
  · signature date
  · signature reason (e.g. Writer, Approving, …)
· All visible signatures are stored in a heading page.

Figure 2: Visible signatures of the heading page

· A signed PDF document may be viewed with a standard ADOBE Acrobat Reader.
· Signatures of a signed PDF document may be viewed (but not checked) and printed from a standard ADOBE Acrobat Reader.
· Signatures of a signed PDF document may be checked with ADOBE Acrobat Reader and an additional UTIMACO plug-in for ADOBE Acrobat Reader (see 4.2). This plug-in is free of charge.
· Signatures are applied according to the signature process defined below:
  · Most signers sign with internal certificates. Thales Alenia Space delivers internal certificates to all Thales Alenia Space users.
  · A qualified user may sign with a Corporate certificate, in order to certify/guarantee the signature process. Thales Corporate (ASKI) delivers Corporate certificates to "qualified" users such as document manager, program manager, …

Figure 3: Thales Alenia Space signature process (the document to be signed receives internal signatures 1, 2, … made with internal certificates, then a certifying Corporate signature made with a Corporate certificate)

· A signer may be identified in the signature by his email address (e.g. pierre-louis.naut@thalesaleniaspace.com) or his full name (e.g. Pierre-Louis NAUT). Email address and full name are parts of the signer certificate subject.
· The signature server provides the signature date.

3. SIGNATURE VERIFICATION PROCEDURE

3.1 Prerequisite

To verify signatures of PDF documents signed by Thales Alenia Space, you need to have installed on a PC:

· Adobe Acrobat Reader 5.1 or higher (cf. installation in 4.1)
· UTIMACO Sign&Crypt for Acrobat Reader (cf. installation in 4.2)
· Certificates of the CAs (cf. installation in 4.3)

All of these components are free of charge.

The PC operating system may be Windows NT 4.0, Windows 2000 or Windows XP.

3.2 Signature verification points

The following table defines the signature verification points:

Signature verification point     | Comment
Document signature               | See principles in § 5.2
Signer certificate signature     | See principles in § 5.2, where the document to be signed is the certificate
Signer certificate validity date | Check that the signature date is between the "Not before" date and the "Not after" date. These dates are part of the certificate.
Certificate Authority trust chain | Check the certificate signature of every CA involved in the trust chain. At present, there is no CRL (Certificate Revocation List) check.

3.3 Verification procedure

3.3.1 Normal work

· Open the signed PDF document in ADOBE Acrobat Reader.
· Display all signatures using the Signatures tab.
· All signatures are tagged with a question mark ("?"), which means that signer certificates have not yet been verified.
· Go to the Signature button and select the option "Authenticate all signatures" (in French "Authentifier toutes les signatures").
· If signer certificates are OK, Acrobat Reader tags them with a green check mark (✓).
· Expanding a signature in the left frame shows the signature properties: signer name, signature date, signature reason, …
· To get details on the signature and certificate, right-click the signature in the left frame and select the Properties menu item. A window displaying signature properties appears. To have information on

3.3.2 If the document has been modified…

· If the document has been modified since the signature, Acrobat indicates it in the signature left frame: "The document has been modified".

3.3.3 If signature certificates are not valid…

· If signer certificates cannot be verified or are not OK, Acrobat Reader indicates it: the signature is tagged with a red cross (X).

· To know the reason, right-click the signature, then Properties. Acrobat displays the reason for the problem.

4. ANNEX A: SOFTWARE INSTALLATION

This section describes the components you have to install to verify Thales Alenia Space document signatures. It consists in:

1. installing ADOBE Acrobat Reader 5.1 or higher
2. installing UTIMACO Sign&Crypt for Acrobat Reader 4.0.0006 or higher
3. installing CA certificates

4.1 Installation of ADOBE Acrobat Reader

4.1.1 Product download

· With a browser, go to the site http://www.adobe.com
· Then get ADOBE Acrobat Reader by clicking on the corresponding button. Follow the instructions and fill in the ADOBE forms. Select the option "Do not use Adobe Download Manager" if you want to download the full installable version.
· Then ADOBE asks you where to save the installable file, whose default name is for example AdbeRdr60_fra_full.exe.

4.1.2 Installation

· With the file explorer, run the installable file, then follow the instructions.

4.2 Installation of UTIMACO Sign&Crypt for Acrobat

4.2.1 Product download

· With a browser, go to the site http://pki.thalesaleniaspace.fr/pki/tools/ then download the product Sign&Crypt for Acrobat Reader.

4.2.2 Installation

· You should have Acrobat Reader 5.1 or higher installed.
· With the file explorer, run the installable file, then follow the instructions.

4.2.3 Configuration

· Run Acrobat Reader.
· A UTIMACO splash window should briefly appear while Acrobat is starting.
· Go to the menu Edition / Preferences / TS SafeGuard Sign&Crypt…

In the CRL tab:

· Select the option Check certificate trust chain when validating signature. This option checks, in addition to the signature check and the certificate validity date check, the certificate trust chain.
· Select the option Do not use CA/Root certificates stored in the message. This option builds the trust chain from the Windows certificate store, and not from the CA certificates located in the document.

In the "horodatage" (timestamping) tab, leave all fields empty.

4.3 Installation of Certificate Authority certificates

Because trust chain verification is performed against the Windows certificate store (more reliable than the document), all the certificate authorities have to be declared in this store.

Thales Alenia Space Root CA
  URL: http://pki.thalesaleniaspace.fr/pki/cer/tas_root_ca.cer
  Role: parent (issuer) of the Thales Alenia Space Ged CA
  Subject: E = RootCA@thalesaleniaspace.com, CN = Thales Alenia Space RootCA, O = Thales Alenia Space, C = FR
  Signature: 85 3a 96 69 3c 83 a6 37 d4 36 83 f7 76 41 3c 1b 98 9e 5d 06

Thales Alenia Space Ged CA
  URL: http://pki.thalesaleniaspace.fr/pki/cer/tas_cacert.cer
  Role: CA delivering internal certificates for all Thales Alenia Space signers
  Subject: E = TASCSS@thalesaleniaspace.com, CN = TAS Signature Service CA, O = Thales Alenia Space, C = FR
  Signature: b5 15 7f a5 61 44 da d6 7b a1 59 b4 54 a7 d2 33 6e 1a f1 33

Table 1: CAs involved in the signature trust chain

(*) These certificates have to be installed only if Thales Corporate certificates are involved in the signature process.

· Download the CA certificate from the URL.
· With the file explorer, double-click on the certificate file (.cer).
· The Windows certificate properties window opens.
· Click on the Install certificate… button.
· Click on the Next button.
· Leave the default option (Automatically…).
· Click on the Next button.
· Click on the Finish button.
· To the question "Do you want to add the following certificate to the XXX store…", answer Yes.

5. ANNEX B: ELECTRONIC SIGNATURE PRINCIPLES

This section describes the electronic signature principles defined by the following figure.

Figure 4: Signature principles (Sign: the document is hashed (HASH) and the hash is processed by RSA with the secret key, giving the digital signature; Verify: the document received over the Internet is hashed again, the digital signature is processed by RSA with the public key taken from the CA certificate, and the two hashes are compared)

5.1 Signature apposition

· A hash of the document is computed, according to a hash function (typically the MD5 algorithm).
· The hash is encrypted with the private key of the signer, according to an encryption function (typically the RSA algorithm).
· This encrypted hash is the document signature.
· The document and the signature are sent to the recipient.

5.2 Signature verification

· The recipient receives the document and the signature.
· The hash of the document is computed, with the same hash algorithm as the one used for signature apposition.
· The signature (encrypted hash) is decrypted, with the same algorithm as the one used for signature apposition and with the public key of the signer. The public key may be found in the certificate that is usually annexed to the document and signature.
· The two hashes are compared: the signature is valid only if they are identical (see Figure 4).
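As an added example (not Thales Alenia Space's or UTIMACO's code), the hash-then-RSA signing and verification of Annex B, run through the four verification points of § 3.2 on a constructed signer certificate and local trust store. It assumes textbook RSA keys built from Mersenne primes (far too small for real use), SHA-256 in place of the MD5 named in the text, no PKCS#1 padding, and no CRL check, as the text states.

```python
import hashlib
from datetime import datetime

E = 65537  # public exponent, coprime with the (p-1)(q-1) values used below

def make_key(p, q):
    """Textbook RSA key from two primes: returns public (n, e) and private d."""
    n, d = p * q, pow(E, -1, (p - 1) * (q - 1))
    return (n, E), d

def digest_int(data, n):
    # SHA-256 here (the 2006 text names MD5), reduced below n; a real PKCS#7
    # signature would pad the hash (PKCS#1) instead of reducing it modulo n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv_d, pub):
    """5.1: the hash is encrypted with the signer's private key."""
    n, _ = pub
    return pow(digest_int(data, n), priv_d, n)

def verify(data, sig, pub):
    """5.2: decrypt the signature with the public key, compare with a fresh hash."""
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

def cert_tbs(cert):
    """Bytes the CA signs: subject, validity period and the holder's public key."""
    return repr((cert["subject"], cert["not_before"], cert["not_after"], cert["pub"])).encode()

def verify_signature_points(doc, sig, signer_cert, signing_date, trust_store):
    """The four checks of section 3.2. The CA certificate comes from the local
    trust store, not from the document (4.2.3: 'Do not use CA/Root certificates
    stored in the message'). Dates are ISO-8601 strings ('YYYY-MM-DD')."""
    when = datetime.fromisoformat(signing_date)
    nb, na = (datetime.fromisoformat(signer_cert[k]) for k in ("not_before", "not_after"))
    ca = trust_store.get(signer_cert["issuer"])
    return {
        "document signature": verify(doc, sig, signer_cert["pub"]),
        "signer certificate signature": ca is not None
            and verify(cert_tbs(signer_cert), signer_cert["ca_sig"], ca["pub"]),
        "signer certificate validity date": nb <= when <= na,
        "CA trust chain": ca is not None and ca.get("trusted_root", False),
    }

# Constructed material: Mersenne primes, far too small for real use.
CA_PUB, CA_D = make_key(2**107 - 1, 2**127 - 1)
SIGNER_PUB, SIGNER_D = make_key(2**61 - 1, 2**89 - 1)
TRUST_STORE = {"TAS Signature Service CA (toy)": {"pub": CA_PUB, "trusted_root": True}}
SIGNER_CERT = {
    "subject": "CN=Signer (toy), O=Thales Alenia Space",
    "issuer": "TAS Signature Service CA (toy)",
    "not_before": "2002-11-08", "not_after": "2004-11-08",  # validity as in Figure 1
    "pub": SIGNER_PUB,
}
SIGNER_CERT["ca_sig"] = sign(cert_tbs(SIGNER_CERT), CA_D, CA_PUB)  # the CA issues the cert
DOC = b"constructed PDF content, issue 4"  # stands in for the signed document bytes
DOC_SIG = sign(DOC, SIGNER_D, SIGNER_PUB)
```

Calling verify_signature_points with a tampered document, a signing date outside the validity period, or an empty trust store turns the corresponding check False while the others stay True, which is exactly the per-point reporting the Acrobat plug-in gives.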

6. ANNEX C - FAQ AND PROBLEMS

Question: Sign&Crypt for Acrobat Reader cannot be installed. When running the Sign&Crypt for Acrobat Reader setup, it indicates that the Acrobat Reader version is incorrect.
Answer: Please check the version of Acrobat Reader. It should be greater than 5.1.

Question: I have the full Acrobat 6.0 pack installed. Sign&Crypt for Acrobat Reader cannot be installed.
Answer: The full Acrobat 6.0 pack may not include Acrobat Reader. Sign&Crypt for Acrobat Reader works only with Acrobat Reader. In this case, please first install Acrobat Reader.

Question: When I try to verify a signature, I get an error message pointing out that the signature cannot be verified due to an invalid or missing signature "pilot" (driver).
Answer: Sign&Crypt for Acrobat Reader is not installed. Please install it.

Question: I have the full Acrobat 6.0 pack and Acrobat Reader installed on my PC. When I open a PDF document from the explorer or from the IE browser, the PDF document is opened with Acrobat and not Acrobat Reader, so I cannot verify signatures.
Answer: This is the normal and standard behavior of the Acrobat product. To solve the problem, start Acrobat Reader before opening the PDF document. This forces the PDF document to open with Acrobat Reader.

Question: When opening a digitally signed PDF document with IE, Acrobat Reader crashes.
Answer: It happens sometimes with Acrobat Reader 6.0 when the option "authenticate all signatures when opening a document" is selected. Please unselect this option. In any case, it is not recommended to have this option selected: verifying signatures may take time, which penalizes the user, whereas it is not necessary to systematically perform signature verification.

Question: When verifying signatures on a PDF document containing multiple signatures with Acrobat Reader 6.0, all signature statuses are OK, but for all signatures except the last one, Acrobat indicates the document has been modified since the signature apposition.
Answer: This is the behavior of Acrobat 6.0, which considers a signature apposition to be a modification. Each new signature apposition generates a new revision of the document. If you compare two revisions, you will notice that the only change is the signature apposition. This comparison can be performed only with Acrobat. Note: you do not have this inconvenience with Acrobat 5.1.

Question: … printed in the signature page.
Answer: You have to print the document with the option "Document and comments".
