Page 1: Leveraging Digital Signature with LincPass

USDA-wide Training Session for the Digital Signature Project, an ICAM Program Objective
Identity, Credential, and Access Management, Inter-Disciplinary ICAM Program, 1 April 2011
(Posted 21-Dec-2015)

Page 2: Leveraging Digital Signature with LincPass (Agenda)

• Why is digital signature important to me?
• Prerequisites for digital signature
• Leveraging LincPass to sign documents and emails
• Electronic signatures, digital signatures, non-repudiation
• Differences between assurance levels, eAuthentication, and USDA LincPass
• Digital signature policy
• When should I use digital signature?
• Digitally signing, validating, and removing a signature for a Microsoft Office 2007 document
• Digitally signing an Adobe Acrobat 9.x document
• Digitally signing a Microsoft Outlook 2007 email
• Configuration changes for Adobe
• Resources for digital signature
• Questions

Page 3: Why is Digital Signature Important to Me?

• FY11 and Beyond Business Drivers
– Achieve LincPass-integrated and improved business processes and identity validation in those business processes
– Capitalize on an efficient, time-saving, cost-reducing alternative to “wet ink” signature
– ICAM Oct. 6 “Preparing to Implement Identity, Credential and Access Management” as directed by OMB
– Use the LincPass for validation & verification of the signer's digital identity

“The day of smart card issuance is behind us; the era of usage is here.”

Page 4: Prerequisites for Digital Signature

• LincPass card
• Two-factor card reader for your desktop or laptop
• AD account is LincPass-enabled, workstation has ActivClient installed
• Digital Signature User Guides

Page 5: Digital Signature Project: Leveraging LincPass to Sign Documents & Email

Document Signing with the LincPass: The USDA Digital Signature Project, Phase I, is focused on providing information on how to use the certificates on the LincPass to digitally sign documents and emails. The benefit of digitally signing documents and emails is assurance that the information hasn’t been altered since the document was signed, and verification of the signer’s digital identity.

Scope:
• Adobe Acrobat files & forms (Versions 8 & 9)
• Microsoft Office Word, Excel, PowerPoint (Versions 2003 & 2007)
• Microsoft Outlook (Versions 2003 & 2007)

Benefits:
• LincPass integrated
• Assurance that the content has not been altered since the file was signed
• Provides a digital signature certificate that can be used for a non-repudiable digital signature
• Verification of the signer's digital identity
• Efficient, time-saving, cost-reducing alternative to “wet ink” signature

Page 6: Digital Signature Project: What is an Electronic Signature?

• “Electronic Signature”: A token (sound, symbol, process) logically associated with an electronic record with intent to sign the record
– Example: A travel tracking system with user ID/password access requires a manager to click a button labeled “Digital Signature” to approve travel for her staff. Problems: single-factor; user ID not traceable to anything, e.g., an official HR record or PIV card
• Authorized by law [e.g., 1998 Digital Signature and Electronic Authentication Law (SEAL), 1999 Uniform Electronic Transactions Act (UETA), 2003 GPEA, etc.]
• Loose and variable standards make electronic signatures increasingly easy to forge or spoof
• Generally requires compensating controls and out-of-band identity validation (e.g., wet-ink signature on a timesheet)

Page 7: Digital Signature Project: What is a Digital Signature?

• “Digital Signature”: A sub-category of electronic signatures; includes a cryptographic assurance of the originator’s (author’s) identity, and an integrity check on the content received
– Uses PKI for cryptographic assurance
– Extremely difficult to forge
– Example: A travel tracking system with user ID/password access makes the manager digitally sign using her LincPass card when approving travel for her staff. Solves security (repudiation) problems: two-factor authentication; user ID traceable (via PKI infrastructure) to a known and verified identity in the HSPD-12 system

Digital Signature:
• Demonstrates the authenticity of a digital message or document
• Not all electronic signatures use digital signatures
• A true digital signature must be a digital cryptographic signature

Page 8: Digital Signature Project: Digital Signatures are Non-Repudiable

• “Non-repudiation”: Countering a claim that the signature is unauthorized or has no binding force
• Two common claims of repudiation:
– “Not me”
– “Not what I signed”
• A non-repudiable signature offers reasonable assurance that it was the person signing, and the file/record/transaction is unchanged from when it was signed

The foundational concepts in digital signing are document/message integrity, non-repudiation, and confidentiality.
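An added example, not part of the original deck, showing the two repudiation claims on this page being checked cryptographically: a record is hashed and signed with an RSA private key, and verification fails both for a record altered after signing (“not what I signed”) and for a signature made with another party’s key (“not me”). The record text, the keys and the key size are constructed for the example. What the bare signature does not supply is the binding of the public key to a named person; that is what the LincPass certificate and the PKI behind it add (page 7).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed sample record, standing in for the travel approval in the deck.
const travelApproval = "Approve travel request #1234 for J. Doe, 2011-04-05"

// Sign hashes the record with SHA-256 and signs the digest with the signer's
// private key (RSA PKCS#1 v1.5). Only the holder of the private key can
// produce this value for this record.
func Sign(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest over the record as received and checks the
// signature with the signer's public key. Failure means the record changed
// after signing ("not what I signed") or a different key signed it ("not me").
func Verify(pub *rsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records the three checks a verifier runs in this example.
type Outcome struct {
	Genuine  bool // untouched record, signer's own signature
	Altered  bool // record edited after signing, same signature
	WrongKey bool // untouched record, signature from someone else's key
}

// SignAndCheck runs the full exchange with freshly generated keys.
func SignAndCheck() (Outcome, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	record := []byte(travelApproval)
	sig, err := Sign(signer, record)
	if err != nil {
		return Outcome{}, err
	}
	otherSig, err := Sign(other, record)
	if err != nil {
		return Outcome{}, err
	}
	// One changed character is enough: the digest, and so the check, differs.
	tampered := []byte(strings.Replace(travelApproval, "#1234", "#1235", 1))
	return Outcome{
		Genuine:  Verify(&signer.PublicKey, record, sig),
		Altered:  Verify(&signer.PublicKey, tampered, sig),
		WrongKey: Verify(&signer.PublicKey, record, otherSig),
	}, nil
}

func main() {
	out, err := SignAndCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running the program prints Genuine true and the other two false. The “not me” case is only a key mismatch here; tracing the key to a known person is the certificate’s job, which is why the deck insists on the LincPass certificate rather than any key.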

Page 9: Digital Signature Project: Assurance Levels, eAuthentication, USDA LincPass

To clear up other common misconceptions about digital signature, let’s discuss three more terms:

• Identity Assurance Levels (as defined by NIST 800-63): How sure you are of the identity of an individual, and that the person with whom you are interacting is that individual — digital signatures are not related

• eAuthentication: A software solution for authentication (is the user known?) and authorization (is the user allowed access?) — digital signatures not related, and eAuth provides no support for them

• LincPass (PIV card): A hardware token solution that enables authentication (is the user known?), and has an electronic certificate on the card’s chip that can pass along a digital representation of that identity — the mechanism that allows a user with an application that supports it (e.g., Outlook, Acrobat) to create digitally-signed files

Page 10: Knowledge Check

1. Digital signature is non-repudiable: True / False

2. Digitally signing documents:
– Verifies the signer’s digital identity
– Assures the document or email content has not been modified
– Uses PKI for cryptographic assurance
– All of the above

3. The receiver of a digitally signed document can claim it wasn’t altered in any way: True / False

4. eAuthentication provides support for Digital Signature: True / False

Page 11: Digital Signature Project: USDA Policy

USDA Policy References:
• USDA DM 3530-003
– http://www.ocio.usda.gov/directives/doc/DM3530-003.pdf
• Summary: Section #2 Policy
– “All agencies and mission areas whose major support systems have a security requirement for non-repudiation will use digital signature.”
– “It is the policy of the United States Department of Agriculture to encourage the use of PKI in satisfying system security requirements for non-repudiation. Agencies must satisfy the following procedural requirements prior to deployment of a Public Key Infrastructure.”

Federal Policy References:
• FIPS 186-3 Digital Signature Standard (June 2009)
– http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
• NIST Special Publication 800-89, Recommendations for Obtaining Assurances for Digital Signature Applications
– http://csrc.nist.gov/publications/nistpubs/800-89/SP-800-89_November2006.pdf

Page 12: When Should I Use a Digital Signature?

USDA is developing policy or directives that will officially address the technology of digital signature and its application in USDA. Check with your agency for interim guidance on when to use digital signatures for business purposes. Here are some general guidelines on when you might want to use them:

• Placing a “seal” on the document
• Multiple signatures within one document
• Compliance
• Leadership memorandums and policy issuance
• Verification of the signer’s digital identity

Page 13: Fun with Digital Signatures

Today we’ll walk through:
1. How to digitally sign a Microsoft Office 2007 document
2. How to remove a digital signature from a Microsoft Office 2007 document
3. How to validate a digital signature in a Microsoft Office 2007 document
4. How to digitally sign an Adobe Acrobat 9.x document
5. How to digitally sign a Microsoft Outlook 2007 email

You can find user guides on the OCIO intranet page http://www.ocionet.usda.gov/wps/portal/ocio/ocioportal/home/ioa/ioa.digital_signature for:
• How to digitally sign, validate, and remove a digital signature for a Microsoft Office 2003 document
• How to digitally sign, validate, and remove a digital signature for an Adobe Acrobat 8.x document
• How to digitally sign, validate, and remove a digital signature for a Microsoft Outlook 2003 document

Pages 14-20: Digitally Sign a Microsoft Office 2007 Document

1. Insert your LincPass into the computer’s card reader.

2. Within the document you wish to sign, from the main menu icon, select Prepare, then Add a Digital Signature.

3. If this is the first time you’ve selected a certificate for digital signing, Microsoft offers to help you set one up. Since your LincPass already has certificates, click the OK button. (To avoid seeing this message each time, check the “Don’t show this message again” option.)

4. In the Sign window, complete the optional “Purpose for signing this document” field, then click the Change button to confirm you have the correct Certificate selected.

5. Select the certificate you want to use by highlighting it. (The next step will help you determine which is the correct certificate to select.)

6. Click the View Certificate button. The General tab lists the information about the certificate. Click the Details tab. Scroll down in the list of fields and values to select the Key Usage field. In the field below, it should say “Digital Signature, Non-Repudiation (c0).” Click the OK button to close the window.

NOTE: If the “Key Usage” field only says “Digital Signature” or something else, go back to Step 5 and select one of the other certificates and use the View Certificate button to verify it’s the one you want.

7. Back on the list of certificates, with the correct certificate highlighted, click the OK button.

8. Back on the Sign window, click the Sign button.

NOTE: After you select the certificate the first time, Office 2007 will remember this certificate choice. The next time you want to digitally sign a document, you won’t have to repeat the selection process – you’ll jump from Step 4 to Step 8 in this sequence.

9. At the ActivClient prompt, enter your LincPass PIN, then press Enter or click the OK button.

10. After the Certificate is validated, you will receive a successful signature message. Click the OK button.

11. Once the signature has been successfully applied, Office 2007 automatically opens a Signatures window on the right side of the screen showing the valid signature(s).

12. The Word, Excel, or PowerPoint file is now digitally signed by you. Close the file without making any changes (or the digital signature will be lost).

NOTE: More than one person can digitally sign a document, as long as the content of the document isn’t changed. After the first signature is applied and the file closed, the second person can follow Steps 1-12 to apply a second signature. This can be repeated for as many signatures as are needed.

Page 21: Remove a Digital Signature from a Microsoft Office 2007 Document

If you want to remove all digital signatures from a document, the simplest way is to make a minor change to the document (e.g. add a space), then save the document. When Office 2007 warns you that all signatures will be lost, click the Yes button to continue the save operation.

To remove one or more digital signatures from the document without changing the document contents, follow these steps:

1. From the Signatures window on the right side of the screen, select the signature you want to remove, then click the right-side drop arrow.

2. Select the “Remove Signature” option. Click OK to confirm you want to remove the signature.

Page 22: How to Verify a Signature is Valid in a Microsoft Office 2007 Document

1. Open the file for which you want to verify signatures.

2. You can tell the document has a digital signature because the Signatures window automatically opens when you open the document. The window lists valid signatures and the date the signature was added. If you want to see signature details, highlight and right-click the digital signature, then select Signature Details to view the certificate behind it.

NOTE: If the window doesn’t open automatically, click the small red certificate icon in the bottom status information bar.

Pages 23-31: Adding a Digital Signature to an Adobe Acrobat 9.x Document

1. Insert your LincPass into the computer’s card reader.

2. Open Adobe Acrobat. Either create a new document or open an existing document you want to sign.

3. From the top menu bar, select Sign, then select Place Signature.

4. Adobe will tell you to draw an area on the screen where you want to place the signature. Click the OK button, then with your mouse, draw a box for the signature. You can set the size of the signature, but it’s easier to read if you make it as large as possible. You can place the signature anywhere in your document as well, but the recommended locations are at the beginning or end of the document.

5. After you have created the signature area, Adobe shows a placeholder for the signature area and displays the Sign Document window.

6. From the Sign As drop-list, select your digital signature key. You will need to view the certificate to confirm it is the correct certificate to use for signing. Select one of the two with your name and then select the Info button.

NOTE 1: If other people with LincPass cards have used your computer, you will see their certificates offered in this list. Only select your personal certificates.

NOTE 2: If you don’t see your certificate keys listed at all, first check that your card is in the reader and wait a minute or two for Acrobat to find it. If your keys still aren’t listed, your agency may need to implement the Adobe Technical Modification for Digital Signature. Ask your system administrator or help desk team for help implementing this modification. This technical modification will also save you from having to go through this selection process each time you want to digitally sign a document.

7. In the Certificate Viewer window, select the Details tab, then in the Certificate data area, scroll down to and highlight the “Key Usage” item. The pane below should say “Sign transaction, Sign document.” Click the OK button to close the window.

NOTE: If you don’t see the correct key usage value, go back to Step 6 and select the other certificate with your name, then repeat Steps 6 and 7.

8. You will now be back at the Certify Document screen with your correct certificate selected.

9. Optional: You can adjust the appearance of your signature, though it is recommended that you keep the standard text option. If you want to explore the various options, select the Appearance drop-list and select Create New Appearance, to open the Configure Signature Appearance window where you can make changes. If you don’t want to make any changes, go to Step 10.

10. In the Sign Document window, click the Sign button.

11. When Acrobat prompts you, save the file. If you are working with an existing document, you may want to save it with a new name to distinguish it from the unsigned version of the document.

12. At the ActivClient prompt, enter your LincPass PIN, then press ENTER or click the OK button.

13. Your document is now digitally signed. Close it without making any changes.

NOTE: Other people can digitally sign the same document by following Steps 1-13 in this section. You can have as many people digitally sign the document as needed.

Pages 32-40: Digitally Signing a Microsoft Outlook Email

1. Open Outlook and, if it isn’t already there, insert your LincPass in the card reader.

2. Start a new message in Outlook. Suggestion: Address this first email to yourself so you can see what it looks like when you receive a digitally signed email (described later in Step 5).

3. In the message, with the Message tab selected, look for the digital signature icon (envelope with a red ribbon). Click the digital signature icon to turn it on. Select recipients and compose the message as usual, then click the Send button.

4. At the ActivClient prompt, enter your LincPass PIN, then press ENTER or click the OK button. Outlook will automatically verify your certificates on your LincPass and send the message.

5. The message will appear in the recipient’s Inbox with an envelope with a red ribbon on it, indicating the message is digitally signed.

6. Open the message and look for the Signed By information below the subject, and the red ribbon icon on the right. This indicates the message has been digitally signed.

7. Click the red ribbon icon, then the Details button to see details of the digital signature. If you want to send the message as clear text signed and/or request an S/MIME receipt for the email you’re sending, continue on to Step 8.

8. Start a new message in Outlook. In the top menu bar, select the Options tab.

9. In the More Options group, click the small arrow in the lower right corner of the group title.

10. In the Message Options window, click the Security Settings button.

11. In the Security Properties window, check the “Add digital signature to the message” option (if it isn’t already checked) and, optionally, the “Send the message as clear text signed” and/or the “Request S/MIME receipt for this message” options.

• Select “Send this message as clear text signed” if you want to allow others who may be using a lesser technology with Outlook to read your message. Recipients who don’t have S/MIME security will be able to read the message.

• Select “Request S/MIME receipt for all S/MIME signed messages” if you want to be able to verify that your digital signature is being validated by recipients and to request confirmation that the message was received unaltered, as well as notification telling you who opened the message and when it was opened.

12. Click the OK button to close the Security Properties window, and the Close button to close the Message Options window. Add recipients and content as usual, then click the Send button. If you selected the Request S/MIME receipt option, Outlook will ask you to confirm that you want to send an S/MIME receipt. If you do, click the Yes button; if you don’t, click the No button. (If you want Outlook to always request the receipt when you’ve selected the option in Step 11, first click the “Don’t ask me about sending S/MIME receipts again” option, then click the Yes button.)

13. At the ActivClient prompt, enter your LincPass PIN, then press ENTER or click the OK button.

14. The message will appear in the recipient’s inbox with an envelope with a red ribbon on it, indicating the message is digitally signed. If you want to check the signature, follow Steps 6 and 7 above.

15. If you selected the Request S/MIME receipt option, you’ll receive a new message that will require you to enter your LincPass PIN again before you can open it.

Pages 41-44: Set Microsoft Outlook to Digitally Sign All Emails By Default

1. Open Outlook and, if it isn’t already there, insert your LincPass in the card reader.

2. From the top menu bar, select Tools, then Trust Center.

3. In the Trust Center window, select Email Security from the left menu.

• Select Add digital signature to outgoing messages to automatically send digitally signed emails unless you choose not to for an individual message.

• Select Send clear text signed message when sending signed messages if you always want to allow others who may be using a lesser technology with Outlook to read your message. Recipients who don’t have S/MIME security will be able to read the message.

• Select Request S/MIME receipt for all S/MIME signed messages if you want to be able to verify that your digital signature is being validated by recipients and to request confirmation that the message was received unaltered, as well as notification telling you who opened the message and when it was opened.

NOTE: It’s recommended that you don’t select the “Request S/MIME receipt” option by default unless you have a strong business need, as it doubles the number of emails in your inbox and adds network traffic.

4. Click the OK button to close the Options window. When you start a new message, your toolbar will show the envelope with a small red ribbon already selected, indicating the message will be digitally signed. (You can choose not to sign an individual email by simply clicking the envelope icon to turn it off.)

If you selected the Request S/MIME receipt option in Step 3, you will receive a separate message with the recipient information, as described in the previous section, Steps 12-15.

Pages 45-46: Configuration Change Required for Adobe Acrobat

By default, Adobe Acrobat 9 and Acrobat Reader 9 are configured to use the Adobe Approved Trust List (AATL) for validating the certificate trust chain of certificates used to digitally sign PDF documents.

The AATL is an Adobe-hosted resource that contains a list of trusted Certificate Issuers.

The issuing Certificate Authority at USDA for our LincPass certificates is not listed in the AATL.

The result is that LincPass digital signatures will not be trusted in Adobe by default.

Adobe Acrobat 9 and Acrobat Reader 9 MUST be modified to use the Windows Certificate Store for the purpose of identifying trusted Certificate Authorities.

Each agency MUST implement a change to trust the issuing Certificate Authority of the LincPass certificates in the Windows Certificate Store.

When this configuration change is implemented, LincPass digital signatures will be recognized as trusted by Adobe Acrobat.

Enabling Windows Integration in Adobe Acrobat 9 and Acrobat Reader 9 will allow Adobe to inherently trust the HSPD-12 PIV certificate issuing authority listed in the Windows Certificate Store.

This can be completed in the registry configuration on each client workstation.

ICAM Project Managers should ask their Adobe system administrators to make the registry configuration change. Detailed information can be found in our “Digital Signatures Adobe Configuration Change to Registry Setting for Certificates” document located here: http://www.ocionet.usda.gov/wps/portal/ocio/ocioportal/home/ioa/ioa.digitial_signature
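An added example, not USDA’s, Adobe’s or Microsoft’s code, covering two points from this deck in one program: the Key Usage check in Steps 6 and 7 of the Office and Acrobat procedures (the signing certificate must carry both Digital Signature and Non-Repudiation, the pair a Windows certificate viewer prints as “c0”), and the trust-store point on these two pages (a signature validates only if its issuing CA is in the store the application consults). It uses Go’s standard crypto/x509 package in place of the Windows Certificate Store; the issuing CA, the three certificate names and their key usages are constructed for the example and are assumptions, not USDA’s CA or the contents of a real LincPass.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a minimal certificate and signs it with key (self-signed when parent is nil).
func issue(cn string, usage x509.KeyUsage, isCA bool, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// KeyUsageBits renders a KeyUsage as the first byte of its ASN.1 BIT STRING, the value
// a certificate viewer displays: digitalSignature is 0x80, nonRepudiation is 0x40.
func KeyUsageBits(u x509.KeyUsage) byte {
	var b byte
	for i := 0; i < 8; i++ {
		if u&(1<<i) != 0 {
			b |= 0x80 >> i
		}
	}
	return b
}

// SelectSigningCert is the check behind Steps 6 and 7: accept only a certificate whose
// Key Usage carries both Digital Signature and Non-Repudiation (ContentCommitment in Go).
func SelectSigningCert(certs []*x509.Certificate) (*x509.Certificate, error) {
	want := x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
	for _, c := range certs {
		if c.KeyUsage&want == want {
			return c, nil
		}
	}
	return nil, errors.New("no certificate with Digital Signature + Non-Repudiation")
}

// Trusted asks what Acrobat asks at validation time: does the signer's chain end at
// an issuer present in the trust store being consulted?
func Trusted(signer *x509.Certificate, roots *x509.CertPool) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err := signer.Verify(opts)
	return err == nil
}

// Demo: a constructed issuing CA issues the three certificate types a PIV card carries
// (one key pair here for brevity; a real card has one per certificate). It returns the
// selected certificate's name and whether it validates against a store holding the CA
// versus a store lacking it (the AATL situation described in the deck).
func Demo() (selected string, withCA, withoutCA bool) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	ca := must(issue("Constructed Issuing CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true, nil, &caKey.PublicKey, caKey))
	cardKey := must(rsa.GenerateKey(rand.Reader, 2048))
	card := []*x509.Certificate{
		must(issue("PIV Authentication", x509.KeyUsageDigitalSignature, false, ca, &cardKey.PublicKey, caKey)),
		must(issue("Digital Signature", x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, false, ca, &cardKey.PublicKey, caKey)),
		must(issue("Key Management", x509.KeyUsageKeyEncipherment, false, ca, &cardKey.PublicKey, caKey)),
	}
	signing := must(SelectSigningCert(card))
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return signing.Subject.CommonName, Trusted(signing, pool), Trusted(signing, x509.NewCertPool())
}

func main() {
	fmt.Println(Demo())
}
```

Trusted with the empty pool is the AATL situation described above; Trusted with the CA added is the Windows Certificate Store after the registry change. Acrobat’s real validation also checks revocation and signing time, which this example leaves out; the point it isolates is that the same signature flips from untrusted to trusted purely on which trust anchors the application is told to consult.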

Page 48: Digital Signature Resources

The Digital Signature User Guides:
• Digital Signatures Microsoft Office – 2003
• Digital Signatures Microsoft Office – 2007
• Digital Signatures Microsoft Outlook – 2003 & 2007
• Digital Signatures Adobe Acrobat 8.x and 9.x

Relevant Supporting Documents:
• Digital Signatures Adobe Configuration Changes to Registry Settings
• Digital Signature Industry Research

Where to get these:
• OCIO Intranet: http://www.ocionet.usda.gov/wps/portal/ocio/ocioportal/home/ioa/ioa.digital_signature
• ICAM Community on USDA Connect: https://connections.usda.gov/ – search for “ICAM Community” in the public communities list

Page 49: Questions?