Introduction
This Use Case has been developed for JISA’s CryptoBind HSM (Network Security Module by JISA Powered by LiquidSecurity) product. JISA’s HSM can be integrated with third-party digital signing solutions. Document signing allows a user to add a digital signature to a document to prove the identity of the sender. This signature assures the user that the document has not been altered and that its contents can be trusted. The primary purpose of document signing is to provide a security solution for cloud data centers, enterprises, government organizations and e-commerce applications.
Definitions, Acronyms and Abbreviations
HSM: Hardware Security Module
Cryptography: Cryptography is a method of protecting information and communications through the use of codes, so that only those for whom the information is intended can read and process it.
Hash Value: In digital signing, a hash value acts as a cipher, i.e. a secret pattern to represent other letters or symbols.
FIPS: FIPS are standards and guidelines for federal computer systems that are developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce.
Explanation of use case contents
This use case contains the following contents, which may be applied across a wide range of system types. This section explains each of them.
Name of use case
Digital Signing Solution Integrated with CryptoBind HSM
Description
If your organization deals with a large number of physical documents on a regular basis, it will want to know whether the authorized person has signed each document. Here a document can include, but is not limited to, contracts, invoices, sales and purchase orders, acknowledgement statements, legal documents and insurance documents. When changes are made to these documents, you will want to know who made them. Such organizations should therefore consider adopting digital signing. It is faster than traditional signing, because documents can be signed instantly from anywhere using a tablet, phone or computer. Digitally signing documents also makes them easier to organize, because there are no physical documents to manage. The digital signature itself ensures that signatures are verified and tamperproof.
Why to use CryptoBind HSM in this use case?
A digital signing solution performs two major operations: applying digital signatures and storing the signed documents. The solution also produces the hash value, which identifies the contents of the file, and uses the certificate or private key of the organization to sign the document.
If the organization does not use an HSM, the certificates and keys are stored on a local server in a file folder or database. When signing a document, the signing solution retrieves the certificate and keys from the server and completes the signing operation on the server. If someone gets hold of these certificates and keys, they can create documents signed with your key. This is likely to result in theft of the organization’s identity, and the created documents can appear as if you have signed them.
Hence the HSM plays a crucial role in protecting certificates and keys. An HSM is a dedicated, tamper-resistant device that securely manages, processes and stores digital keys. The signing operation is performed within the crypto boundary, which is FIPS certified.
Actors
Sender – Sends a signed document to the receiver
Receiver – Receives the signed document from the sender
Precondition
The digital signing solution (software) should be integrated with the CryptoBind HSM in order to securely store your private keys and certificates.
Flow
A digital signature proves that a document has not been tampered with and certifies the identity of the person who signed it. Hence the flow consists of two important aspects: how to generate the signature and how to authenticate it.
- The user provides the document to be signed as input to the digital signing software.
- The software generates the two keys required for encryption: a public key and a private key.
- When a signer digitally signs a document, a cryptographic hash is generated for the document.
- This cryptographic hash is encrypted using the private key. The private key is always stored in the tamper-resistant, secure HSM device.
- This encrypted hash is then appended to the document and sent to the receiver along with the sender’s public key.
- The recipient decrypts the hash using the sender’s public key. This generates a hash (plain text) at the receiver’s end.
- This generated hash is compared with the hash appended on the signed document.
- If both hash values match, it proves the document has not been altered or tampered with, and the document can be considered valid.
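The flow above as an added example (not JISA's or CryptoBind's code), using RSA with SHA-256 and PKCS#1 v1.5 padding. `DemoHsm` is a hypothetical in-process stand-in for the HSM, and its key is built from fixed, constructed primes so the block runs offline; in a real deployment the key is generated inside the device and signing goes through the HSM's own interface.

```python
import hashlib

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode_digest(document: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5: hash the document and pad the digest to k bytes."""
    t = SHA256_PREFIX + hashlib.sha256(document).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

class DemoHsm:
    """Hypothetical stand-in for the HSM: only sign() and the public key
    are exposed, the private exponent is never handed to the caller."""
    def __init__(self):
        # Constructed demo key from two Mersenne primes. NOT secure; an
        # HSM generates random primes inside its crypto boundary.
        p, q = 2**521 - 1, 2**607 - 1
        self._n, self._e = p * q, 65537
        self._d = pow(self._e, -1, (p - 1) * (q - 1))

    def public_key(self):
        return self._n, self._e

    def sign(self, document: bytes) -> bytes:
        k = (self._n.bit_length() + 7) // 8
        sig = pow(encode_digest(document, k), self._d, self._n)
        return sig.to_bytes(k, "big")

def verify(document: bytes, signature: bytes, public_key) -> bool:
    """Receiver side: recover the signed digest with the public key and
    compare it with a hash recomputed over the document that arrived."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False  # malformed signature, reject before any math
    return pow(s, e, n) == encode_digest(document, k)

def demo():
    hsm = DemoHsm()
    doc = b"Purchase order 0001: 10 units"  # constructed sample document
    sig, pub = hsm.sign(doc), hsm.public_key()
    tampered = doc.replace(b"10", b"90")     # altered after signing
    return verify(doc, sig, pub), verify(tampered, sig, pub)

if __name__ == "__main__":
    print(demo())
```

The receiver never sees the private key: it needs only the document, the signature and the public key, and any change to the document after signing makes the comparison fail.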