strategy for digitally signing a process?

Question

I'm developing a web application, and I'd like to digitally sign a certain step in a process

That is, a user of the app performs a certain action, and I'd like that event to be digitally signed.

The user should use and usb token when issuing the action to digitally sign it.

I'd like to know which approach do you recommend to do such a thing.

For example:

sign a database record (how do you acomplish it?) (cons: you have to validate it with the application itself, I guess)

create a pdf stating the event and the user and digitally sign the pdf (pro: the pdf is independent from the application)

create and sign and xml documento (how to acomplish it? where does the digital sign is stored?)

any other???

saludos

sas

Answer 1

There are good introductions to Public Key Cryptography that you should read and understand prior to even beginning to think about an implementation.

Based on the level of your question, you don't yet know enough to even ask the right questions and the most trivial of misunderstanding on your part and the whole security system falls apart. You might want to consider securing the services of an expert, because doing it 99.9% right is just wasted effort.

Answer 2

In your case each user will have it public key and private key. The user will sign the database record (string etc. ), a pdf or xml document using his private key.

You get a signed database record (signed string etc.), signed pdf or xml document.

You store the signed database record now as a binary record in your database. You store the signed pdf or xml as normal document in your storage location. And probably you need to add a field in your database to integrate this file to your application.

For the library to do the signing, you may use AES, here you go with the implemented library of various language: http://en.wikipedia.org/wiki/AES_implementations

Anyway, I not sure any user who is concern on security will give your application his/her private key for signing. People usually use a trusted application to sign something before pass it out.

Answer 3

I am currently working on a project that has almost the same requirements that you listed in your question.

We are using a USB device to generate signatures. The device is from a company called IronKey, it is extremely secure and meets many security standards. The device has a hardware generated key pair that can be used for signing and verification.

When the user submits data using our application we encapsulate the data into an xml document, next we generate a hash using sha256, finally we use the device via pkcs11 to sign the hash. The signature and data are then stored in the client database and later submitted to our server where we can perform verification using the public key from the users token (stored in our server database at the time the token was issued).

This is not performed using a web application due to the fact that it is necessary to perform client side access of the token.

Hope this helps, i have missed out lots of detail, if you have any other questions let me know!