ascertia secure e mail server (jul08)
www.ascertia.com © Copyright 2001-2008 Ascertia Ltd.
ADSS Secure eMail Server For General Document Security and Invoice Signing
Saving Time & Money, Avoiding Risk & Fraud
Agenda
• Secure Email Server
• ADSS Server
• Trust Services
• Outbound emails
• Incoming emails
• Archiving
ADSS Secure eMail Server
• Built on Apache James
  – A Java MTA mail server
  – Selects emails using one or more “matchers”
  – Interacts with ADSS Server using one or more “mailets”
• James matchers – for filtering emails
  – “Subject” field, “To” field, “From” field
  – “has attachment”, “attachment file name is”
  – Other options available (e.g. based on key words)
• James mailets – to process filtered emails
  – Sign attachment using ADSS Server (e.g. PDF, XML, File)
  – Verify signed attachments using ADSS Server
  – Sign and verify emails
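The matcher-then-mailet selection described on this slide, sketched as an added example that is not Ascertia or Apache James code. The rule names, the action labels (`sign_pdf`, `sign_xml`, `deliver`) and the first-matching-rule-wins routing are assumptions of this sketch; the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatch

# Constructed sample message (not from the original slides).
SAMPLE = """\
From: ERP System <erp@example.com>
To: customer@example.org
Subject: Invoice 1042
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Invoice attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="Invoice-1042.PDF"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

def attachment_names(msg):
    """File names of all MIME parts that declare one, lower-cased."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]

# Hypothetical rule names mirroring the matcher types listed on the slide.
MATCHERS = {
    "subject_contains": lambda m, v: v.lower() in (m["Subject"] or "").lower(),
    "from_is": lambda m, v: parseaddr(m["From"] or "")[1].lower() == v.lower(),
    "to_is": lambda m, v: parseaddr(m["To"] or "")[1].lower() == v.lower(),
    "has_attachment": lambda m, v: bool(attachment_names(m)),
    "attachment_name_is": lambda m, v: any(fnmatch(n, v.lower()) for n in attachment_names(m)),
}

# Each rule: (action, [(matcher, argument), ...]); all matchers must match.
RULES = [
    ("sign_pdf", [("from_is", "erp@example.com"), ("attachment_name_is", "*.pdf")]),
    ("sign_xml", [("attachment_name_is", "*.xml")]),
]

def route(raw, rules=RULES):
    """Return the action of the first fully matching rule, else 'deliver'."""
    msg = message_from_string(raw)
    for action, conditions in rules:
        if all(MATCHERS[name](msg, arg) for name, arg in conditions):
            return action
    return "deliver"
```

The file-name pattern is anchored to the whole name, so a double extension such as `invoice.pdf.exe` is not selected by the `*.pdf` rule.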
Basic Architecture
[Diagram: ADSS Secure eMail Server (MTA Server) sends a Request (Sign / Verify, Encrypt / Decrypt) to ADSS Server and receives a Response. ADSS Server provides sign/verify, encrypt*/decrypt* and archive*/recover*, and connects to an HSM and a DB.]
• Future Options
  – Policy Management for signing and verification and archiving.
  – Customer console for recovery and other management.
ADSS Server
• A multi-function security server
  – Server-side signing, Server based verification, Timestamping
  – CRL manager/archiver, OCSP Validation Authority
  – Time Stamp Authority (TSA) and Certificate Authority
• It powers the Secure eMail Server
  – Secure eMail Server is a ‘business application’ for ADSS Server
• Supports signing and verification
  – Of PDF, XML and other file attachments
  – Multiple options for PDF signing style (visible, invisible, certified, timestamped, long-term signatures)
• Key Management
  – Supports organisation or organisation role signing
  – Supports end-user key (server-side) signing
  – Inbuilt Key Manager linked to internal or external CA
  – Can use FIPS compliant HSM for strong private key protection
Ascertia ADSS Server Trust Services
Note: You only need to license and use what is needed today
Columns: Sign, Verify
• PDF Documents
  – Basic signature (visible / invisible)
  – Certify
  – Sign & timestamp
  – Long-term signatures
• XML Documents
  – XML DSig (XAdES ES)
  – Timestamps (XAdES ES-T)
  – Long-term signatures (XAdES X-Long)
• PKCS#7 / CMS / SMIME
  – Basic signature (CAdES ES)
  – Timestamps (CAdES ES-T)
  – Long-term signatures (CAdES X-Long)
• Historic Verification
• OCSP Validation (immediate verify & long term sign)
• Time Stamp Authority (TSA) Server
Secure Email Server - Future Options
• Archiving the email
  – With Archive management, review, resend, retention policy management, logging etc
• WebMail support
  – Allowing users to sign and verify emails and attachments and also handle encrypted emails
• Encrypt emails using ADSS Server
  – using recipient certificate(s)
• Decrypt emails using ADSS Server
  – using recipient private key
• Timestamp the receipt of inbound emails
  – Option to also apply a Notary signature
• Apply an Electronic Post Mark (EPM)
• Work with Trusted Archive Server
Ascertia is always happy to discuss the commercial drivers and technical requirements and then set the dates for the delivery of the required options.
Signing Outbound Emails Architecture
[Diagram components: Alice, Mail Server, Ascertia Secure eMail Server, Ascertia ADSS Server, Internet, Mail Server, Bob]
1) Alice sends email
2) Request signature
3) Signature
4) Forward email
5) Bob receives signed email
ERP Email System Architecture
[Diagram components: ERP System, Mail Server, Ascertia Secure eMail Server, Ascertia ADSS Server, Internet, Mail Server, Recipient]
1) ERP system sends email
2) Request signature
3) Signature
4) Forward email
5) Recipient receives signed email
Signing Outbound Emails
• Secure Email Server sends request to ADSS Server
• ADSS Server signs
  – Using unique user keys (e.g. Alice)
  – Using corporate keys (e.g. Finance Dept for Company A)
  – Using software or keys in FIPS or Common Criteria HSM/Token
• Can sign attachments
  – PDF attachments: using PDF signature standard
  – XML files: using XML DSig standard
  – Other file types: using wrapping PKCS#7/CMS signature
  – OR basic signatures plus timestamps (PDF/ETSI)
  – OR basic signatures plus timestamps and signer’s certificate status (usually OCSP) at time of signing (PDF/ETSI)
• Can sign emails using feature support in ADSS Server v3.4
Verifying Incoming Emails Architecture
[Diagram components: ERP System, Mail Server, Internet, Mail Server, Ascertia Secure eMail Server, ADSS Server, CA-1, CA-2 … CA-N (CRL, OCSP), Mail Server, Recipient]
1) ERP system sends email
2) Request signature verification
3) Signature verification response details
4) Recipient receives verified email
Verifying incoming signed emails
• Secure Email Server
  – Checks received emails against matcher rules
  – Sends document to be verified to ADSS Server
• ADSS Server
  – Checks PDF or XML or File or S/MIME signature
  – Signature integrity check
  – Signer certificate validation check:
    – Issued by a trusted CA
    – Certificate is not expired
    – Certificate is not revoked (using CRLs, or OCSP)
    – Certificate contains valid extensions
    – Certificate meets minimum certificate quality level (option)
• Embedded signatures within attachments can be verified, e.g. PDFs, XML
• Multiple trusted CAs can be registered
Verification processing
• Verification Result delivery options
  – Allow email to be delivered normally
  – Send email on to recipient with results attached / appended
  – Only allow successfully verified emails to be sent to recipient
  – All untrusted emails sent to an administrator with results report
  – Other custom options
• Mailet processing options
  – Can send ADSS Server the signed email hash + signature for privacy or speed/throughput purposes
  – Can send entire email + attachments for verification
  – Can also send entire email for archive (see later)
• ADSS Server records all sign/verify transactions
  – Logs can be searched / filtered / reports produced
  – Logs can be exported in CSV format
Secure eMail Server – Archiving (Q408)
• “mailet” based policy for archiving emails
  – For outbound emails
  – For incoming emails
• For simple short-medium term archiving
  – Sends emails to local email archive management module
  – Keeps all email header, body, attachment data
  – Option to timestamp the archived data
• Archive Management
  – Use Secure eMail Server Console (secure browser based)
  – Search & recover & resend emails
  – Database archive feature
  – Retention Policy auto-delete feature as a future option
Signed Webmail Architecture (future)
[Diagram components: Alice, Simple Webmail Application, Secure eMail Server, ADSS Server, Mail Server, Internet, Mail Server, Bob]
1) Alice creates and sends webmail
2) Sign
3) Verify / archive
4) Forward
5) Bob receives signed email
Note: These servers could be co-located on a single system or arranged in separate or a high-availability mode
Uses GoSign applet
Summary
• Meets business needs for an easy to deploy document signing and secure email solution
  – Filters, processes, signs, verifies
  – Encryption, decryption options
  – Archive, recovery, resend options
• Easy to integrate
  – A separate drop-in secure email MTA Server using ADSS Server as a powerful high-security engine
• Multi-platform
  – Windows 2003 Server today (others by request)
• Secure Storage
  – Uses industry leading databases with secured content: Oracle, SQL Server, PostgreSQL
• Secure Management
  – A well proven multi-functional security services platform with full security management plus event and transaction logging
Questions: Rod Crook, Clive Flatau; +44 1256 895416, +44 7789 991686; [email protected]@ascertia.com