Digital Signatures
Stefanie García Laule, Security Product Management, SAP AG
© SAP AG 2004, SAP TechEd / SCUR104 / 2
Agenda
Technology: Electronic Signatures
Interfaces SAP NetWeaver
Legal Requirements
Up to now: Handwritten Signatures
[Diagram: "Document content" with the handwritten signature "Thomas Smith"; labels: Verification, Signature]
• Document unchanged
• Identity of signer
• Legally binding
• Visibility of document
• Copy / Print
Digitally Signed Documents
[Diagram: Contract; sign with Private Key; verify with Public Key; CA (register, trust)]
• Integrity
• Authenticity
• Validity
• Legally binding
Certificates = Digital Identity
Certificate contains:
• Name of the subject
• Name of the issuer
• Validity interval
• Public key
[Diagram: CA (certification authority, Trust Center Service) issues the certificate; certificate 1-1 private key]
Private key (secret!)
Can be in software (e.g. PSE Management) or in hardware (e.g. SmartCard)
The Signing Process I
[Diagram: Document → Cryptographic Hash Algorithm → Cryptographic Checksum (010110..)]
The Signing Process II
[Diagram: Document → Cryptographic Hash Algorithm → Cryptographic Checksum; Cryptographic Checksum + Private Key of Signer → Public Key Algorithm → Signature Value (010110..); Signed Document = Document + Signature Value]
The Verification Process I
[Diagram: Signed Document → Document → Cryptographic Hash Algorithm → Cryptographic Checksum (010110..)]
The Verification Process II
[Diagram: Signed Document → Document → Cryptographic Hash Algorithm → Cryptographic Checksum (010110..); signature value of the Signed Document + Public Key of Signer → Public Key Algorithm → Cryptographic Checksum (010110..)]
The Verification Process III
[Diagram: the Cryptographic Checksum computed from the Document with the Cryptographic Hash Algorithm is compared (= ?) with the checksum recovered from the signature value using the Public Key of Signer and the Public Key Algorithm. No: Wrong. Yes: Signature of CA OK? Certificate not revoked? No: Wrong. Yes: OK]
Technical Calculation of Digital Signatures
[Diagram, signing: Document → Cryptographic Hash Algorithm → Cryptographic Check Sum; Cryptographic Check Sum + Private key of the signer → Public Key Algorithm → signature value (010110..); signed document = Document + signature value]
[Diagram, verification: signed document → Document → Cryptographic Hash Algorithm → Cryptographic Check Sum; signature value + Public Key of the signer → Public Key Algorithm → Cryptographic Check Sum; the two check sums are compared (= ?). No: Incorrect. Yes: Signature of CA OK? Certificate not revoked? No: Incorrect. Yes: OK]
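The signing and verification steps from the preceding slides, as an added Python example (not part of the original presentation and not SAP code). Assumptions: SHA-256 as the hash, textbook RSA without padding on constructed keys built from public Mersenne primes, a hypothetical dict-based certificate with a serial number, and a validity-interval check in addition to the two certificate checks named on the slide.

```python
import hashlib
from datetime import date

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (no padding, demo only)."""
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def checksum(data):
    """Cryptographic checksum: SHA-256 of the document as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    """Signing: private key applied to the checksum gives the signature value."""
    return pow(checksum(data), private["d"], private["n"])

def signature_ok(data, sig, public):
    """Recover the signed checksum with the public key and compare (= ?)."""
    return pow(sig, public["e"], public["n"]) == checksum(data)

def cert_body(cert):
    """Bytes the CA signs: subject, issuer, validity interval, public key."""
    keys = ("serial", "subject", "issuer", "not_before", "not_after", "public")
    return repr([cert[k] for k in keys]).encode()

def issue(ca_private, **fields):
    """CA issues a certificate (hypothetical dict format) by signing its fields."""
    cert = dict(fields)
    cert["ca_signature"] = sign(cert_body(cert), ca_private)
    return cert

def verify_document(data, sig, cert, ca_public, revoked, today):
    """Slide order: compare checksums first, then check the certificate."""
    if not signature_ok(data, sig, cert["public"]):
        return "Wrong"
    if not signature_ok(cert_body(cert), cert["ca_signature"], ca_public):
        return "certificate not signed by trusted CA"
    if cert["serial"] in revoked:
        return "certificate revoked"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "outside validity interval"  # added check, not on the slide
    return "OK"

# Constructed keys from public Mersenne primes: trivially factorable, demo only.
CA_PUB, CA_PRIV = make_key(2**1279 - 1, 2**2203 - 1)
USER_PUB, USER_PRIV = make_key(2**521 - 1, 2**607 - 1)
CERT = issue(CA_PRIV, serial=1001, subject="Thomas Smith", issuer="Demo CA",
             not_before=date(2004, 1, 1), not_after=date(2005, 12, 31), public=USER_PUB)
DOC = b"Pos 10 Material 80000311"  # constructed sample document
SIG = sign(DOC, USER_PRIV)

if __name__ == "__main__":
    print(verify_document(DOC, SIG, CERT, CA_PUB, set(), date(2004, 10, 1)))
    print(verify_document(DOC + b"!", SIG, CERT, CA_PUB, set(), date(2004, 10, 1)))
```

A production system would use a vetted cryptographic library with a padding scheme and a standard certificate format instead of these simplified stand-ins.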
Advantages of Digital Signatures
Authenticity
Integrity
Validity
Legally Binding
Secure Store & Forward (SSF) Interface
[Diagram labels: SAP Applications on SAP NetWeaver (ABAP, Java); SSF; SAPSECULIB; IAIK Toolkit; SSF Partner Product]
Secure Store & Forward (SSF) Interface
SSF-API (ABAP): Applications with Electronic Signatures
• Signing in SAP GUI for Windows frontend (Software Partner Program SPP), without signature control
• Signature control: BSP (6.20) or WinGUI (7.0)
• Application server signs (SAPSECULIB)
Secure Store & Forward (SSF) Interface
ABAP, Java
SAPSECULIB supports:
- digital signatures without cryptographic hardware (Smartcards, Cryptoboards)
IAIK Toolkit supports:
- electronic signatures without cryptographic hardware
Application server signs with electronic signatures
Secure Store & Forward (SSF) Interface
Supported Signature Formats (valid for Web Application Server 6.30):
[Diagram labels: ABAP, Java; PKCS#7, S/MIME, XML; SAP Java Cryptographic Toolkit; IAIK S/MIME; SAP XML Toolkit; SSF Partner product]
• No Partner Certification
• No support of Cryptographic Hardware
• SSF Partner Certification
• Support of Cryptographic Hardware
SSF ABAP Functions
SSF_SIGN create digital signature(s)
SSF_VERIFY verify digital signature(s)
SSF_ENVELOPE encrypt for recipient(s)
SSF_DEVELOPE decrypt for recipient
SSF_ADDSIGN add a digital signature
…..
SSFS_CALL_CONTROL starts the signature control
SSFS_GET_SIGNATURE gets the signature value from the control
…
SSF_KRN_… done directly by the AS
Signature in Web Browser: Signature control
System Signatures
[Diagram: Company A: SAP System, ADS (Adobe Document Server), create electronic signature, PDF document; transport via HTTP, HTTPS, S/MIME, FTP; Company B: PDF document, ADS (Adobe Document Server), check electronic signature, SAP System, Archiving]
• Automation of processes requiring approval and/or handwritten signatures, such as invoices
• Cost reduction through the elimination of manual tasks and process steps
User Signatures
[Diagram: User Frontend: Acrobat Reader, create electronic signature, PDF document; transport via HTTP, HTTPS, S/MIME, FTP; Company: PDF document, ADS (Adobe Document Server), check electronic signature, SAP System, Archiving]
• Standardized format
• Legally binding
Applications with Electronic Signatures
SAP NetWeaver
Public Sector
SAP Content Server
ERP MM-FI
Healthcare
PLM ECH
ERP FI
ERP FI/IHC
ERP SD/CRM
EBP
CRM
PLM DMS
PLM PP-PI
PLM QM
HCM Belgium
Legal Requirements
Electronic Signature Acts all over the world
German Electronic Signature Act
Japan Electronic Commerce Promotion Council
EU Directive 1999/93/EC
US E-Sign Act
Singapore Digital Signature Law and Regulations
Malaysian Digital Signature Law
Argentina Digital Signature Law
Canada Uniform Electronic Commerce Act
Legal Requirements
Let's have a look at:
FDA: 21 CFR Part 11
US: E-Sign Act
EU: Directive 1999/93/EC
Germany: Signature Act and Ordinance
FDA: 21 CFR Part 11
In 1997 the United States Food and Drug Administration (FDA) issued a regulation, 21 CFR Part 11 (Code of Federal Regulations, Electronic Records), entitled "Electronic Records and Electronic Signatures":
The regulations provide guidance for the use of electronic records and electronic signatures in the biotechnology, pharmaceutical, medical devices, radiological health, food, cosmetics and veterinary medicine fields.
FDA: 21 CFR Part 11
Definitions:
Electronic Signature
means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent to the individual's handwritten signature.
Digital Signature
means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
FDA: 21 CFR Part 11
General implementation of Electronic Signatures:
System Signature with authorization by userID and password
• First shipment with SAP R/3 Release 4.6C
• Usage of PKCS#7 standard, encryption executed with 128 bit
• No external security product is necessary
When logging on to the system, users identify themselves by entering their user IDs and passwords. The SAP system then executes the digital signature. The user name and ID are part of the signed document. Public key infrastructure can be administered by the customers themselves, which is sufficient according to Part 11 for Digital Signatures.
FDA: mySAP ERP Business Processes
The following components support Electronic Signatures:
PP-PI: Process step completion within process instructions sheet and acceptance of process values outside predefined tolerance limits
ECM: Status change of Engineering Change Order and Object Management Records
EBR: Electronic batch record approval
QM: Inspection lot, Usage decision, Physical Sample Drawing
DMS: Document Management Status create/change
cProjects: document approval, project activities status change approval, …
For multiple signatures, mySAP ERP provides Signature Strategies that define the allowed signatures and the sequence in which they must be executed
US: E-Sign Act
• Most of the laws began with the Utah Digital Signature Act of 1995
• Focused on a narrow set of Digital Signature technologies based on PKI
• California realized that focusing on specific technologies in law was pointless because technology advances so quickly, and chose a minimalist and technology-neutral approach, which became the foundation of the US E-Sign Act
To keep the American states from having conflicting laws, the National Conference of Commissioners on Uniform State Laws developed the Uniform Electronic Transactions Act (UETA), while the European Union proposed its Directive on a Common Framework for Electronic Signatures for the European Union.
In the United States, all of these incompatible state laws were superseded by the Electronic Signatures in Global and National Commerce Act (US E-Sign Act), which was signed into law in 2000. It is technology neutral, provided certain disclosures are made and the basic requirements of Electronic Signatures are followed.
US: E-Sign Act
The term "Electronic Signature" means "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."
However, for such an electronic "symbol" to be legally binding, it is important that the symbol provide authentication of the party who created it, ensure that what was signed cannot be altered, ensure that the party understood that by creating the symbol the party was willingly signing, and that the party is able to keep an original of the data and his electronic signature for his own records.
US: E-Sign Act
Can anything be signed electronically?
Not everything, but most common documents can be. The E-SIGN Act specifically forbids a narrow range of documents that may not be signed electronically. The exceptions primarily relate to wills, testamentary trusts, adoption, divorce, court orders, termination of utilities, repossession, foreclosure, eviction, cancellation of life insurance, product recalls and documents related to the transportation of hazardous materials.
US: E-Sign Act
Key features of legal electronic signatures include:
Knowing who the parties are when they sign;
Having those parties agree to use electronic signatures and show they are technically capable of signing electronically;
Ensuring each party who signs receives a copy of the electronically signed documents (including the ability to re-verify those signatures electronically); and
Ensuring that a forged or tampered electronic document can be detected.
EU Directive 1999/93/EC
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for Electronic Signatures for the European Union
Article 5: Legal effects of Electronic Signatures
Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device:
a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data; and
b) are admissible as evidence in legal proceedings
Handwritten Signature = Electronic Signature
EU Directive 1999/93/EC
Electronic signatures
Advanced electronic signatures
Qualified signatures
“Qualified signature”: advanced electronic signature + qualified certificate (Annex I + II) + secure signature creation device (Annex III)
Germany: Multilevel Law
Implementation of EU Directive 1999/93/EC in Germany:
Signature Act (Signaturgesetz SigG) provides general framework, 22nd May 2001
• defines a digital signature
• defines the role of a CA
• defines certificates and outlines how they are handled
Signature Ordinance (Signaturverordnung SigV), 24th October 2001
sets out operational details and responsibilities of a CA
Germany: Electronic Signature Act
1. Electronic Signature
shall be data in electronic form that are attached to other electronic data or logically linked to them and used for authentication;
2. Advanced Electronic Signature
shall be electronic signatures as in 1. above that
a) are exclusively assigned to the owner of the signature code
b) enable the owner of the signature code to be identified
c) are produced with means which the owner of the signature code can keep under his sole control and
d) are so linked to the data to which they refer that any subsequent alteration of such data may be detected;
Germany: Electronic Signature Act
3. Qualified Electronic Signature
shall be electronic signatures as in 2. above that
a) are based on a qualified certificate valid at the time of their creation and
b) have been produced with a secure signature-creation device;