AOL AIM and Document Signing
Dartmouth College PKI Lab
Instant Messaging
• AOL AIM for Windows implements PKI for secure messaging:
– Each message signed and encrypted using personal PKI credentials
– Assures identity of sender
– Guarantees privacy of contents of messages
• Not necessarily overkill:
– ISTS system administrators discuss sensitive network and server configuration information
– No noticeable delay due to overhead for signature and encryption
Instant Messaging
• Kudos to AOL for a clean and innovative product.
• But…
– Encryption and signing not (yet) interoperable with other IM implementations
– Should be easier to import trusted root certificates
Document Signing
• Digital signature embedded in a document authenticates its source and enables detection of tampering:
– Text documents (Word, Acrobat)
– Spreadsheets (Excel)
– Presentations (PowerPoint)
– XML forms (Infomosaic)
Document Signing Uses
• Streamline business processes:
– Move paper-based processes online without sacrificing security (e.g. hiring authorization, requisitions, expense reports, grant applications)
– Electronic forms transmission, tracking, and processing while still allowing the crucial human authorization steps
– Secure transmission of business information without requiring it be sent on signed paper
• Intra-institutional transactions (within or between departments)
• Inter-institutional transactions (among Higher Education institutions or with government) – use HEBCA or USHER for inter-institutional trust
Signed Word Document
Signed PowerPoint Document
Signed Excel Spreadsheet
Signing Office Documents
• To sign, select “Tools -> Options -> Digital Signatures…”
• Must save before signing
• Saving changes after signing removes signatures (to protect against tampering after signing)
• Can have multiple signatures
• User interface could use some improvement
• Beware of macros – can change apparent content without requiring a save (sort of like changing ink on a signed paper document)
Signed Acrobat (PDF) Document
• Requires proper version of Acrobat.
• No macro vulnerability.
• Can use write-only form (write protected by institution) with user digital signature to implement electronic signed “fill in the blanks” style forms.
Signed XML Forms
• End user signing requires an application like Infomosaic’s SecureSign/SecureXML.
• Uses XML digital signatures standards.
• Standard XML forms can be generated and processed by any application that adheres to the proper standards.
• Enables truly platform and application independent digital signing of electronic transactions (critical component of Web Services).
NIH EDUCAUSE HEBCA Demo
• XML form signing with two signatures:
– Signer
– Institutional co-signer (pre-registered with Federal receipt server)
• Document is signed by signer and co-signer at one institution and then submitted to another institution.
• Current proof of concept has Federal government as recipient, but can work for any two organizations.
NIH EDUCAUSE HEBCA Demo
• Uses HEBCA & FBCA bridges so the receipt server can trust signatures made with Higher Education PKI credentials
• Read-only form provided by recipient (Federal agency in the proof of concept) and processed automatically upon receipt
• Fine work by Peter Alterman and many others (including a number of our colleagues)
• Award winning proof of concept
NIH EDUCAUSE HEBCA Demo
• Federal receipt and authorization server:
– Checks validity of signer and co-signer certificates and if they are issued by a trusted institution’s PKI
– Verifies that the co-signer is properly registered as an authorized co-signer for the signer’s institution
– Verifies that the co-signer and signer are different individuals
– Acknowledges secure and proper receipt of submission via web page and email
– Use secure SSL for all transactions
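The receipt server's acceptance checks listed above, sketched as an added example (not code from the demo or from the Dartmouth PKI Lab). It assumes signature verification, revocation checking and path validation through the bridges have already been done elsewhere; the `Cert` record, the issuer name and the registry contents are hypothetical, constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    """Already-parsed certificate fields (hypothetical model, not an X.509 parser)."""
    subject: str            # identifier of the individual
    institution: str
    issuer: str
    key_fingerprint: str
    not_before: datetime
    not_after: datetime

# Constructed policy data standing in for what the receipt server holds.
TRUSTED_ISSUERS = {"Example University CA"}
REGISTERED_COSIGNERS = {"Example University": {"cosigner@example.edu"}}

def check_submission(signer, cosigner, now):
    """Return the list of policy failures; an empty list means accept."""
    failures = []
    for role, cert in (("signer", signer), ("co-signer", cosigner)):
        if not cert.not_before <= now <= cert.not_after:
            failures.append(f"{role} certificate outside validity period")
        if cert.issuer not in TRUSTED_ISSUERS:
            failures.append(f"{role} certificate not issued by a trusted institution")
    # Registration is looked up under the signer's institution, not the co-signer's.
    if cosigner.subject not in REGISTERED_COSIGNERS.get(signer.institution, set()):
        failures.append("co-signer not registered for signer's institution")
    # Same person or same key in both roles defeats the two-party control.
    if (signer.subject == cosigner.subject
            or signer.key_fingerprint == cosigner.key_fingerprint):
        failures.append("signer and co-signer are not different individuals")
    return failures

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
T1 = datetime(2025, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def make_cert(subject, fp, issuer="Example University CA", not_after=T1):
    """Build a constructed sample certificate record."""
    return Cert(subject, "Example University", issuer, fp, T0, not_after)

SIGNER = make_cert("applicant@example.edu", "fp-aaaa")
COSIGNER = make_cert("cosigner@example.edu", "fp-bbbb")

if __name__ == "__main__":
    print(check_submission(SIGNER, COSIGNER, NOW))    # valid pair
    print(check_submission(COSIGNER, COSIGNER, NOW))  # one person in both roles
```

The distinctness check compares identifiers and keys only, so it cannot tell that two different identities belong to the same human being.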
[Figure: architecture diagram. Labels: College/University; Applicant & cosigner; Internal workflow; CA @ College/University; Internet; Federal Agency Portal; Receipt and Authorization Server; Agency Server; Audit Log; HEBCA; FBCA; Agency Back End Processing (Phase 4). Flow labels: Digitally signed XML form; Validate certs; Receipt message; XML form; XML form certs; Transaction record.]
NIH EDUCAUSE HEBCA Demo
• Caveats:
– I’m new to this application
– Just got everything running properly today ;-)
– I had to use a test certificate for the signer since I only have one Dartmouth identity
– This is a proof of concept