Ascertia Secure E Mail Server (Jul08)


Upload: andreigosman

Post on 19-May-2015


TRANSCRIPT

Page 1: Ascertia Secure E Mail Server (Jul08)

www.ascertia.com © Copyright 2001-2008 Ascertia Ltd.

ADSS Secure eMail Server For General Document Security and Invoice Signing

Saving Time & Money, Avoiding Risk & Fraud

Page 2: Ascertia Secure E Mail Server (Jul08)


Agenda

• Secure Email Server

• ADSS Server

• Trust Services

• Outbound emails

• Incoming emails

• Archiving

Page 3: Ascertia Secure E Mail Server (Jul08)


ADSS Secure eMail Server

• Built on Apache James
  – A Java MTA mail server
  – Selects emails using one or more “matchers”
  – Interacts with ADSS Server using one or more “mailets”

• James matchers – for filtering emails
  – “Subject” field, “To” field, “From” field
  – “has attachment”, “attachment file name is”
  – Other options available (e.g. based on key words)

• James mailets – to process filtered emails
  – Sign attachment using ADSS Server (e.g. PDF, XML, File)
  – Verify signed attachments using ADSS Server
  – Sign and verify emails
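How matcher-style rules could select a message for a signing step, as an added Python sketch (not Ascertia or Apache James code; James matchers and mailets are Java classes configured in the server). The rule table, the action names, `select_action` and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from fnmatch import fnmatch
# Constructed sample: an outbound invoice mail with one PDF attachment.
SAMPLE = """\
From: Finance <finance@company-a.example>
To: bob@customer.example
Subject: Invoice 2008-0042
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the invoice attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="Invoice-0042.PDF"

%PDF-1.4 (truncated, constructed)
--b1--
"""

# Hypothetical rule table (matcher, argument, action); first match wins,
# like an ordered chain of matcher -> mailet pairs.
RULES = [
    ("attachment_file_name_is", "*.pdf", "sign-pdf-attachment"),
    ("attachment_file_name_is", "*.xml", "sign-xml-attachment"),
    ("has_attachment", None, "sign-file-attachment"),
    ("subject_contains", "invoice", "sign-email"),
]

def attachment_names(msg):
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment" and p.get_filename()]

def matches(msg, matcher, arg):
    names = attachment_names(msg)
    if matcher == "has_attachment":
        return bool(names)
    if matcher == "attachment_file_name_is":
        # Case-insensitive, so "x.PDF" cannot slip past a "*.pdf" rule.
        return any(fnmatch(n.lower(), arg.lower()) for n in names)
    if matcher == "subject_contains":
        return arg.lower() in (msg.get("Subject") or "").lower()
    return False

def select_action(raw, rules=RULES):
    msg = message_from_string(raw)
    return next((action for matcher, arg, action in rules
                 if matches(msg, matcher, arg)), "pass-through")
```

Header fields such as “From” and “Subject” are set by the sender, so rules like these decide routing only; trust in the sender comes from the signature verification step.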

Page 4: Ascertia Secure E Mail Server (Jul08)


Basic Architecture

[Diagram: ADSS Secure eMail Server (MTA Server) sends a Request (Sign / Verify / Encrypt / Decrypt) to ADSS Server and receives a Response. ADSS Server is labelled + sign/verify, + encrypt*/decrypt*, + archive*/recover*. Also shown: HSM, DB.]

• Future Options
  – Policy Management for signing and verification and archiving.
  – Customer console for recovery and other management.

Page 5: Ascertia Secure E Mail Server (Jul08)


ADSS Server

• A multi-function security server
  – Server-side signing, Server based verification, Timestamping
  – CRL manager/archiver, OCSP Validation Authority
  – Time Stamp Authority (TSA) and Certificate Authority

• It powers the Secure eMail Server
  – Secure eMail Server is a ‘business application’ for ADSS Server

• Supports signing and verification
  – Of PDF, XML and other file attachments
  – Multiple options for PDF signing style (visible, invisible, certified, timestamped, long-term signatures)

• Key Management
  – Supports organisation or organisation role signing
  – Supports end-user key (server-side) signing
  – Inbuilt Key Manager linked to internal or external CA
  – Can use FIPS compliant HSM for strong private key protection

Page 6: Ascertia Secure E Mail Server (Jul08)


Ascertia ADSS Server Trust Services

Note: You only need to license and use what is needed today.

PDF Documents
  – Basic signature (visible / invisible)
  – Certify
  – Sign & timestamp
  – Long-term signatures

XML Documents
  – XML DSig (XAdES ES)
  – Timestamps (XAdES ES-T)
  – Long-term signatures (XAdES X-Long)

PKCS#7 / CMS / SMIME
  – Basic signature (CAdES ES)
  – Timestamps (CAdES ES-T)
  – Long-term signatures (CAdES X-Long)

Historic Verification
OCSP Validation (immediate verify & long term sign)
Time Stamp Authority (TSA) Server

[Diagram labels: Sign, Verify]

Page 7: Ascertia Secure E Mail Server (Jul08)


Secure Email Server - Future Options

• Archiving the email
  – With Archive management, review, resend, retention policy management, logging etc

• WebMail support
  – Allowing users to sign and verify emails and attachments and also handle encrypted emails

• Encrypt emails using ADSS Server
  – using recipient certificate(s)

• Decrypt emails using ADSS Server
  – using recipient private key

• Timestamp the receipt of inbound emails
  – Option to also apply a Notary signature

• Apply an Electronic Post Mark (EPM)

• Work with Trusted Archive Server

Ascertia is always happy to discuss the commercial drivers and technical requirements and then set the dates for the delivery of the required options.

Page 8: Ascertia Secure E Mail Server (Jul08)


Signing Outbound Emails Architecture

[Diagram components: Alice, Mail Server, Ascertia Secure eMail Server, Ascertia ADSS Server, Internet, Mail Server, Bob]

1) Alice sends email
2) Request signature
3) Signature
4) Forward email
5) Bob receives signed email

Page 9: Ascertia Secure E Mail Server (Jul08)


ERP Email System Architecture

[Diagram components: ERP System, Mail Server, Ascertia Secure eMail Server, Ascertia ADSS Server, Internet, Mail Server, Recipient]

1) ERP system sends email
2) Request signature
3) Signature
4) Forward email
5) Recipient receives signed email

Page 10: Ascertia Secure E Mail Server (Jul08)


Signing Outbound Emails

• Secure Email Server sends request to ADSS Server

• ADSS Server signs
  – Using unique user keys (e.g. Alice)
  – Using corporate keys (e.g. Finance Dept for Company A)
  – Using software or keys in FIPS or Common Criteria HSM/Token

• Can sign attachments
  – PDF attachments: using PDF signature standard
  – XML files: using XML DSig standard
  – Other file types: using wrapping PKCS#7/CMS signature
  – OR basic signatures plus timestamps (PDF/ETSI)
  – OR basic signatures plus timestamps and signer’s certificate status (usually OCSP) at time of signing (PDF/ETSI)

• Can sign emails using feature support in ADSS Server v3.4

Page 11: Ascertia Secure E Mail Server (Jul08)


Verifying Incoming Emails Architecture

[Diagram components: ERP System, Mail Server, Internet, Mail Server, Ascertia Secure eMail Server, ADSS Server, CA-1, CA-2, CA-N, CRL, OCSP, Mail Server, Recipient]

1) ERP system sends email
2) Request signature verification
3) Signature verification response details
4) Recipient receives verified email

Page 12: Ascertia Secure E Mail Server (Jul08)


Verifying incoming signed emails

• Secure Email Server
  – Checks received emails against matcher rules
  – Sends document to be verified to ADSS Server

• ADSS Server
  – Checks PDF or XML or File or S/MIME signature
  – Signature integrity check
  – Signer certificate validation check:
      – Issued by a trusted CA
      – Certificate is not expired
      – Certificate is not revoked (using CRLs, or OCSP)
      – Certificate contains valid extensions
      – Certificate meets minimum certificate quality level (option)

• Embedded signatures within attachments can be verified, e.g. PDFs, XML

• Multiple trusted CAs can be registered

Page 13: Ascertia Secure E Mail Server (Jul08)


Verification processing

• Verification Result delivery options
  – Allow email to be delivered normally
  – Send email on to recipient with results attached / appended
  – Only allow successfully verified emails to be sent to recipient
  – All untrusted emails sent to an administrator with results report
  – Other custom options

• Mailet processing options
  – Can send ADSS Server the signed email hash + signature for privacy or speed/throughput purposes
  – Can send entire email + attachments for verification
  – Can also send entire email for archive (see later)

• ADSS Server records all sign/verify transactions
  – Logs can be searched / filtered / reports produced
  – Logs can be exported in CSV format
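The signer-certificate checks from the previous slide and the result delivery options above, modelled as an added Python sketch (not Ascertia code and not the ADSS Server API). The `Cert` record, `validate`, `route`, the policy names and all sample values are constructed assumptions; treating an unknown revocation status as a failure and reading “valid extensions” as a key-usage check are also assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Cert:  # simplified stand-in for an X.509 certificate
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    key_usage: frozenset

UTC = timezone.utc
# Constructed sample certificate for "Alice", issued by a CA named CA-1.
ALICE = Cert("CN=CA-1", 0x1001, datetime(2008, 1, 1, tzinfo=UTC),
             datetime(2009, 1, 1, tzinfo=UTC), frozenset({"digitalSignature"}))

def validate(cert, sig_ok, trusted_cas, revoked, now, revocation_known=True):
    """Return the failed checks in order; an empty list means verified."""
    failures = []
    if not sig_ok:
        failures.append("signature integrity")
    if cert.issuer not in trusted_cas:
        failures.append("issuer not trusted")
    if not (cert.not_before <= now <= cert.not_after):
        failures.append("outside validity period")
    if not revocation_known:
        failures.append("revocation status unknown")  # fail closed
    elif (cert.issuer, cert.serial) in revoked:
        failures.append("revoked")
    if not cert.key_usage & {"digitalSignature", "nonRepudiation"}:
        failures.append("key usage does not permit signing")
    return failures

def route(policy, failures, recipient, admin):
    """Return (destination or None, attach_report) for a delivery option."""
    ok = not failures
    if policy == "deliver-normally":
        return recipient, False
    if policy == "attach-results":
        return recipient, True
    if policy == "verified-only":
        return (recipient if ok else None), False
    if policy == "untrusted-to-admin":
        return (recipient, False) if ok else (admin, True)
    raise ValueError("unknown policy: " + policy)
```

Only the last two policies change where a message goes; under the first two a failed verification still reaches the recipient, with or without the report.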

Page 14: Ascertia Secure E Mail Server (Jul08)


Secure eMail Server – Archiving (Q408)

• “mailet” based policy for archiving emails
  – For outbound emails
  – For incoming emails

• For simple short-medium term archiving
  – Sends emails to local email archive management module
  – Keeps all email header, body, attachment data
  – Option to timestamp the archived data

• Archive Management
  – Use Secure eMail Server Console (secure browser based)
  – Search & recover & resend emails
  – Database archive feature
  – Retention Policy auto-delete feature as a future option

Page 15: Ascertia Secure E Mail Server (Jul08)


Signed Webmail Architecture (future)

[Diagram components: Alice, Simple Webmail Application, Secure eMail Server, ADSS Server, Mail Server, Internet, Mail Server, Bob]

1) Alice creates and sends webmail
2) Sign
3) Verify / archive
4) Forward
5) Bob receives signed email

Note: These servers could be co-located on a single system or arranged in separate or a high-availability mode

Uses GoSign applet

Page 16: Ascertia Secure E Mail Server (Jul08)


Summary

• Meets business needs for an easy to deploy document signing and secure email solution
  – Filters, processes, signs, verifies
  – Encryption, decryption options
  – Archive, recovery, resend options

• Easy to integrate
  – A separate drop-in secure email MTA Server using ADSS Server as a powerful high-security engine

• Multi-platform
  – Windows 2003 Server today (others by request)

• Secure Storage
  – Uses industry leading databases with secured content: Oracle, SQL Server, PostgreSQL

• Secure Management
  – A well proven multi-functional security services platform with full security management plus event and transaction logging

Page 17: Ascertia Secure E Mail Server (Jul08)


Questions:

Rod Crook, Clive Flatau
+44 1256 895416, +44 7789 991686