EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Distributed encryption

#24521
Posted: 04/10/2013 02:45:57
by Petr Kykal (Standard support level)
Joined: 04/10/2013
Posts: 18

Hi,

I am interested in your SecureBlackbox solution. My goal is to digitally sign a PDF document which is on the client side, using the client's signature, then encrypt the file still on the client side using a public key provided by the server app, and then send this file to the server app using HTTPS.

Inside the server app, the file should be timestamped and then stored.

The app is written in ASP.NET MVC and I prefer a Java applet for this solution.

Do you offer any ready-to-use solution, or is there at least any way to customize your solution for this purpose?
#24522
Posted: 04/10/2013 03:00:14
by Eugene Mayevski (EldoS Corp.)

Thank you for your interest in our products.

There seems to be no need for the "Distributed Cryptography add-on". Your task can be accomplished using the .NET and Java editions of SecureBlackbox. You use the .NET edition (the HTTPBlackbox client package will work) on the server and the Java edition to create your applet. Our Java applet (the one in the Distributed Cryptography add-on) is completely different from what you need, so you would need to craft your own applet. The good thing is that the Java edition of SecureBlackbox (PDFBlackbox package + optionally HTTPBlackbox package) is all you need.

The only note is that the server can't add a timestamp to an already signed document. Timestamping should be done at the same time as signing. Yet there are workarounds for this limitation. For example, the server can make a signature of the signed document and include the timestamp in this signature. Now, the server can create an RFC 5544 timestamp of the signed document and store the timestamp next to the document itself (not embedded into the document). This part can be discussed and elaborated separately.


Sincerely yours
Eugene Mayevski
#24523
Posted: 04/10/2013 03:00:28
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

If you prefer Java applet then your task may be implemented using our SecureBlackbox Java edition.

You'll need PDFBlackbox and HTTPBlackbox client packages. If clients store their private keys on PKCS#11 compatible tokens then you'll also need PKIBlackbox package. SecureBlackbox evaluation package includes complex samples of PDF signing, encryption and transferring files via HTTPS.

Server side timestamping may be implemented using SecureBlackbox .NET edition and PDFBlackbox package.
#24524
Posted: 04/10/2013 03:17:55
by Eugene Mayevski (EldoS Corp.)

Correction - what package you need on the server depends on how timestamping is done (I described alternatives above). It can be either just HTTPBlackbox or HTTPBlackbox + PDFBlackbox.


Sincerely yours
Eugene Mayevski
#24525
Posted: 04/10/2013 03:25:52
by Petr Kykal (Standard support level)
Joined: 04/10/2013
Posts: 18

Thank you for your quick response. The way you provide is perfectly suitable for my needs.

About the timestamping. What I need is to follow PAdES. So the timestamp right after digital signature is probably what I need as you wrote.

But I need the time the PDF was uploaded to the server too. This is the time that I need to prove in the future. So I believe I need to timestamp it again when it is received by the server app.
#24666
Posted: 04/24/2013 06:59:46
by Petr Kykal (Standard support level)
Joined: 04/10/2013
Posts: 18

Quote
The only note is that the server can't add a timestamp to already signed document. Timestamping should be done at the same time as signing.


The provided sample of PAdES works well. But I am facing another issue now. I would like to use timestamps from trusted TSA authorities. The access to the TSA service is secured by user credentials or a certificate. But I want the document to be signed and timestamped on the client using the Java applet. That's why I must provide the credentials or certificate with the Java applet (inside the code), which is not a good practice.

Can I sign the document, then compute a hash of the document, which will be sent to our server? The server will timestamp it using the TSA authority service and then send the timestamped hash back to the client. Then the Java applet adds the timestamp to the document. Is this possible? Would it still be PAdES?
#24667
Posted: 04/24/2013 07:07:49
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

You had better implement some kind of TSP proxy that will receive a TSP request from a client without any authorization, redirect it to your trusted TSA and pass the response back to the client. This way you'll be able to store the credentials or certificate on your server.
#24668
Posted: 04/24/2013 07:14:15
by Petr Kykal (Standard support level)
Joined: 04/10/2013
Posts: 18

Quote
Vsevolod Ievgiienko wrote:
Hello.

You had better implement some kind of TSP proxy that will receive a TSP request from a client without any authorization, redirect it to your trusted TSA and pass the response back to the client. This way you'll be able to store the credentials or certificate on your server.


Easy, but great. Thank you.
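The proxy pattern Vsevolod describes, combined with Petr's idea of hashing on the client, as an added example (it is not SecureBlackbox code and not from EldoS): the applet hashes the data to be timestamped and builds an RFC 3161 TimeStampReq; the web server validates that what it received really is a small, well-formed TimeStampReq using an allowed digest algorithm before relaying it to the trusted TSA with the server-held credentials, and returns the TimeStampResp bytes. The DER helpers, the `send_to_tsa` callable (assumed to be an HTTPS POST in production), the HTTP Basic credentials and the 512-byte size cap are all assumptions made for this example.

```python
"""TSP proxy sketch (added example, not SecureBlackbox code): the client builds an
RFC 3161 TimeStampReq over a locally computed hash; the server validates the request
and forwards it to the trusted TSA with credentials that never reach the client."""
import base64
import hashlib
import os
from typing import Callable, Dict, Tuple

SHA256_OID = "2.16.840.1.101.3.4.2.1"
ALLOWED_DIGESTS = {SHA256_OID: 32}   # digest OIDs the proxy relays, with expected digest length
MAX_REQUEST_BYTES = 512              # assumed cap; a plain TimeStampReq is well under 100 bytes


# --- minimal DER helpers (enough for TimeStampReq) -------------------------
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:               # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def _der_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def _oid_to_dotted(body: bytes) -> str:
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def _der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


# --- client side (what the applet does) -------------------------------------
def build_timestamp_request(digest: bytes, nonce: int, hash_oid: str = SHA256_OID) -> bytes:
    """TimeStampReq ::= SEQUENCE { version 1, messageImprint, nonce, certReq TRUE }."""
    alg_id = _der(0x30, _der_oid(hash_oid) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    imprint = _der(0x30, alg_id + _der(0x04, digest))       # MessageImprint
    return _der(0x30, _der_int(1) + imprint + _der_int(nonce) + b"\x01\x01\xff")


def client_request(data_to_timestamp: bytes) -> Tuple[bytes, int]:
    """Hash locally (only the hash leaves the client) and keep the nonce to match the response."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return build_timestamp_request(hashlib.sha256(data_to_timestamp).digest(), nonce), nonce


# --- server side (the proxy) --------------------------------------------------
def validate_timestamp_request(req: bytes) -> str:
    """Return the digest OID if req is a TimeStampReq the proxy will relay; raise otherwise."""
    if len(req) > MAX_REQUEST_BYTES:
        raise ValueError("request too large")
    tag, body, end = _der_read(req)
    if tag != 0x30 or end != len(req):
        raise ValueError("not a single DER SEQUENCE")
    tag, version, pos = _der_read(body)
    if tag != 0x02 or version != b"\x01":
        raise ValueError("unsupported TimeStampReq version")
    tag, imprint, _ = _der_read(body, pos)
    if tag != 0x30:
        raise ValueError("missing messageImprint")
    _, alg, pos = _der_read(imprint)
    tag, oid_body, _ = _der_read(alg)
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = _oid_to_dotted(oid_body)
    tag, digest, _ = _der_read(imprint, pos)
    if tag != 0x04 or ALLOWED_DIGESTS.get(oid) != len(digest):
        raise ValueError("digest algorithm not allowed or digest length mismatch")
    return oid


def is_forwardable(req: bytes) -> bool:
    try:
        validate_timestamp_request(req)
        return True
    except (ValueError, IndexError):
        return False


def proxy_timestamp_request(req: bytes, send_to_tsa: Callable[[bytes, Dict[str, str]], bytes],
                            tsa_user: str, tsa_password: str) -> bytes:
    """Relay a validated request to the TSA; the credentials are attached here, on the server only.
    send_to_tsa is injected (an HTTPS POST in production) so the logic can be exercised offline."""
    validate_timestamp_request(req)
    token = base64.b64encode(f"{tsa_user}:{tsa_password}".encode()).decode()
    headers = {"Content-Type": "application/timestamp-query", "Authorization": "Basic " + token}
    resp = send_to_tsa(req, headers)
    if not resp or resp[0] != 0x30:      # a TimeStampResp is also a DER SEQUENCE
        raise ValueError("TSA returned something that is not a TimeStampResp")
    return resp
```

The validation step is the part a defender cares about: because the proxy accepts requests without client authorization, every relayed request spends the server's TSA credentials, so it should only forward what is recognisably a TimeStampReq, cap the size, restrict digest algorithms, and in a real deployment also be rate-limited and tied to the applet's upload session. Which bytes the client hashes (the whole signed document, as Petr describes, or the signature value that a PAdES signature timestamp covers) is decided by the signing library; the code above is agnostic about that and just timestamps whatever it is given.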
#24669
Posted: 04/24/2013 07:53:41
by Ken Ivanov (EldoS Corp.)

Petr,

Just a small correction to the above replies. You actually *can* timestamp signatures created by the clients on the web server, so you do not need the proxy solution here. Eugene was right in the sense that it is not possible to timestamp *any* PDF signature; yet as it's you who controls signature creation, it is possible to force clients to create signatures that can be timestamped later by a third party (i.e. the web server).
