0

I am still new to security issues so my problem may actually be just a misunderstanding.

The system I am working has the requirement that users should sign/timestamp data somewhere in the web application. However, in order to sign with a digital certificate, users should input their privates keys on the system. Giving the fact that a third party is involved, we as a company should guarantee that only the end user is allowed to sign/timestamp data.

The only way I see out of this, is to create a desktop application, that can certificate data. But still I should need somewhere the ability of timestamping, and this would require communication with an external server, which could be a way of our company 'stealing' their private keys.

Is there a pattern for signing/timestamping data on the Internet and specifically on a web app? How could this be implemented?

mrcaramori
  • 2,503
  • 4
  • 29
  • 47
  • No, I mean signing with a digital certificate. By third party you mean someone to say my code is safe? – mrcaramori Feb 15 '13 at 11:49
  • How homogenous are the private keys you're talking about? Shall your users be able to bring their own, anything accepted, or do you somehow limit the type? What about smart cards or USB tokens? In those cases you obviously cannot extract the private key but the card or token has to do the signing which most likely means that it hsa to happen at the computer at which the user himself works. This would point towards a desktop application indeed but also indicate a wide range of hardware to support... – mkl Feb 15 '13 at 13:16
  • @mkl Users are supposed to use a certain kind of certificate, we will point out which authorities they can contact. Still studying smart cards and tokens. The point is that our company should not touch and see the users private key. – mrcaramori Feb 18 '13 at 13:05
  • In that case a solution as depicted by Eugene Mayevski in his answer is quite apropos. The only question is how your company shall *guarantee* that the private keys are only used for signing their respective owner's data. Does it suffice that your company presents the solution and promisses to use the private key only like that and especially not to transmit it elsewhere? Or do you require some kind of certification? In the former case, a solution built by you is ok. In the latter case, it might be easier to buy a third party product for this task which already is appropriately certified. – mkl Feb 18 '13 at 13:31
  • @mkl I would need to certify that our application isn't going to use the private keys for anything else, so, we really can't see these private keys. I don't know any kind of application certification about private key usage but I will look for it. Anyway, it would be much easier to let the user choose the application he wants to certify, though we would still need to timestamp the data. – mrcaramori Feb 18 '13 at 14:04

1 Answers1

1

So you have a server and users. Users perform digital signing of data on their systems. Timestamping is done together with signing (it proves the signing time). Timestamping is performed by trusted thirdparty TSA (Timestamping Authorities). The code which will do signing will contact the TSA (usually using HTTP or HTTPS protocol) and timestamping will be performed that way. TSA's certificate is included with the timestamp so that the timestamp can be validated later.

Now about technical side. For web application your best option is to create an applet or ActiveX control which will be downloaded to user's browser and which will do signing.

Our company offers pre-created solution for this, and I described it in details in this answer.

Of course you can let the user download the document and sign it using Acrobat stuff or some other client-side application, then upload the document back. If you decide to write such application yourself, you would need signing components, eg. IText or our SecureBlackbox.

Community
  • 1
  • 1
Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121
  • 1
    +1; to implement the analogous applications using iText, have a look at the white paper [Digital Signatures for PDF documents](http://itextpdf.com/book/digitalsignatures), especially section 4.3 *Client/server architectures for signing.* (PS: iText can be licensed either commercially or within the terms of the AGPL) – mkl Feb 18 '13 at 13:39