Narrative digital signature technology

Abstract

The paper presents the technology curves in developing a digital signature solution for the web environment. The solution enables a user to perform an electronic version of a digital signature using web extension technologies. In the quest for data integrity and authenticity, data is digitally signed, and a digital signature is generated with the assistance of a software or hardware-based token on a web browser. The technology curves identified are (1) web extension survivability and advancement, (2) web browser compatibility, and (3) digital certificate issuance. The paper explains how these technology curves have impacted decisions on the architecture and design of the solution during development and deployment. In the end, a digital signature ecosystem based on client and server technology was successfully released, which includes a web signature script to simplify the digital signature as a service.

1. Introduction

In digital security, the solution for data integrity is a hash algorithm. For data authenticity, it is a digital signature. A user who performs a digital signature assures that the data has integrity, that the data is authenticated, and that it originated from a valid user. For data security, technologies such as digital certificates, security devices, hash algorithms, and digital signature algorithms are integrated. Today, with the maturity of the technologies (20 years), the development of a digital signature solution should be simple and feasible. However, the latest development experience revealed technical and integration complexities. These complexities may further support the study of low adoption and the lack of digital signature applications [1]. This paper explains the issues and challenges in integrating the technologies, with an introduction to the technologies' existence and competitive survival in the digital world.


Digital certificate technology emerged as a solution to instil trust in internet transactions. Its purpose is to verify user identity on a web site. The standard for issuing certificates was published in 1998 by the International Telecommunication Union – Telecommunication (ITU-T) [2]. Security devices such as smart cards and USB tokens allow users to store a certificate inside the device. Today, a user has the option to purchase a certificate and a security device, install the security device's application, and securely log in to a domain site that deploys a certificate-based authentication mechanism. The web browser, for its part, must provide a connection to the security device and read the certificate from it. The standard is stated in ‘PKCS#11: Cryptographic Token Interface Standard’ by RSA Laboratories in 1995 [3]. It is a guide for defining a generic interface, such as an application programming interface (API), for the security device. With the standard, a Cryptographic Service Provider (CSP) library is built for the Microsoft web browser.


A PKCS#11 library is made ready for the Mozilla web browser. These libraries provide secure access to the private key for authentication and signing, and manage the handling of the security device's context. To save the certificate, web browsers must provide storage for it. At present, the majority of web browsers are equipped with storage for user and server certificates. ‘Certificate Manager’ is a graphical user interface available in web browsers for the import and export of certificates. This feature is delivered as part of the core security functionality of the web browser, to support mutual SSL (Secure Sockets Layer) authentication.

For cryptography technology, Microsoft provides a Crypto API (CryptoAPI) library [15] that enables the integration of cryptography and security for Microsoft-based applications. Mozilla provides a Network Security Services (NSS) library [14] that is responsible for all cryptography and security standards for Mozilla-based applications. For developers, this means that cryptographic functions related to signing on Mozilla Firefox, which include connecting to the security device and reading and storing the certificate in the certificate manager, require APIs from the NSS library. For other web browsers, the integration requires APIs from the CryptoAPI library.

A web extension is an application that resides in the web browser and extends its functionality. The term initially referred to ActiveX and Netscape Plug-in technologies. The web extension developed here provides a function to digitally sign data in the web browser. The function calls a set of APIs from CryptoAPI and NSS, as in Figure 1. The development allows binding of security devices and secure cryptographic services in the web as provided in the ‘Cryptographic Token Provider’ layer. The top two layers, ‘Web Browser’ and ‘Web Extension’, are the application and technology layers of the digital signature solution. The other layers already exist once the security device's application, the web browser, and the Windows operating system are installed.

International Journal of Intelligent Computing Research (IJICR), Volume 10, Issue 3, September 2019. Copyright © 2019, Infonomics Society.
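The layering described above, as an added example that is not part of the original paper or the authors' solution: a software key pair from Node.js's built-in crypto module stands in for the security device behind the ‘Cryptographic Token Provider’ layer, and the names createSoftToken, signData and verifySignedData are hypothetical. It shows the token exposing only a signing operation and a public key, and the server-side check rejecting altered data and a different signer.

```javascript
// Added example (assumption: Node.js built-in crypto replaces PKCS#11 / CSP).
const nodeCrypto = require("node:crypto");

// Stand-in for the 'Cryptographic Token Provider' layer.
// The private key exists only inside this closure, as it would on a smart card.
function createSoftToken() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", {
    namedCurve: "P-256",
  });
  return {
    // A real token would hand out a certificate; here only the public key (PEM).
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    // SHA-256 hashing and ECDSA signing both happen on the token side.
    sign: (bytes) => nodeCrypto.sign("sha256", bytes, privateKey),
  };
}

// Stand-in for the 'Web Extension' layer: the function a page script would call.
function signData(token, text) {
  const signature = token.sign(Buffer.from(text, "utf8"));
  return { data: text, signature: signature.toString("base64") };
}

// Server side: check the signature over the data exactly as received.
function verifySignedData(publicKeyPem, signed) {
  try {
    return nodeCrypto.verify(
      "sha256",
      Buffer.from(signed.data, "utf8"),
      publicKeyPem,
      Buffer.from(signed.signature, "base64")
    );
  } catch {
    return false; // a malformed key or signature counts as a failed check
  }
}

// Constructed sample: a payload signed in the browser, then altered in transit.
function demo() {
  const token = createSoftToken();
  const signed = signData(token, "transfer=100;to=ACC-0001");
  const tampered = { ...signed, data: "transfer=900;to=ACC-0001" };
  const otherToken = createSoftToken();
  return {
    genuine: verifySignedData(token.publicKeyPem, signed),
    tampered: verifySignedData(token.publicKeyPem, tampered),
    wrongSigner: verifySignedData(otherToken.publicKeyPem, signed),
    tokenSurface: Object.keys(token).sort().join(","),
  };
}
```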
