
Digital Signatures

Stefanie Garca Laule


Security Product Management
SAP AG

Agenda

Technology: Electronic Signatures


Interfaces SAP NetWeaver
Legal Requirements

SAP AG 2004, SAP TechEd / SCUR104 / 2


Up to now: Handwritten Signatures

Visibility of document
Copy / Print
Document content
Signature
Document unchanged
Identity of signer
Legally binding
Verification

Digitally Signed Documents

[Diagram labels: Contract; sign; (register); Private Key; Public Key; CA; verify; trust]

Integrity
Authenticity
Validity
Legally binding

Certificates = Digital Identity

Certificate contains
Name of the subject
Name of the issuer
Validity interval
Public key

Private key (secret!)
Can be in software (e.g. PSE Management)
Or in hardware (e.g. SmartCard)

[Diagram labels: CA (certification authority) issues; Trust Center Service; 1-1 between public key and private key]

The Signing Process I

[Diagram: Document → Cryptographic Hash-Algorithm → Cryptographic Checksum (010110..)]

Document
Pos. Material
10 80000311 1100.0
20 80000620 100.2
30 80000636 110.3
40 80000639 50.0
50 80000711 10

The Signing Process II

[Diagram: Document → Cryptographic Hash-Algorithm → Cryptographic Checksum (010110..) → Public Key Algorithm with the Private Key of Signer → Signature Value; Document and Signature Value together form the Signed Document]

The Verification Process I

[Diagram: Signed Document → Document → Cryptographic Hash-Algorithm → Cryptographic Checksum (010110..)]
The Verification Process II

[Diagram: Signed Document → Document → Cryptographic Hash-Algorithm → Cryptographic Checksum (010110..); signature value of the Signed Document → Public Key Algorithm with the Public Key of Signer → Cryptographic Checksum (010110..)]

The Verification Process III

[Diagram: the Cryptographic Checksum computed from the Document is compared (= ?) with the checksum recovered from the signature by the Public Key Algorithm with the Public Key of Signer. Checks on the certificate: Signature of CA OK? Certificate not revoked? Yes: Document OK. No: Document Wrong.]

Technical Calculation of Digital Signatures

[Diagram: overview of both processes. Signing: Document → Cryptographic Hash Algorithm → Cryptographic Check Sum (010110..) → Public Key Algorithm with the private key of the signer → signature value → signed document. Verification: signed document → Document → Cryptographic Hash Algorithm → Cryptographic Check Sum, compared (= ?) with the check sum recovered from the signature value by the Public Key Algorithm with the public key of the signer. Signature of CA OK? Certificate not revoked? Yes: Document OK. No: Document Incorrect.]
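The signing and verification steps from the slides above, including the two certificate checks, as an added example that is not part of the original presentation. It assumes SHA-256 as the hash algorithm and textbook RSA without padding as the public key algorithm; the keys, the certificate layout and all function names are constructed for illustration.

```python
import hashlib

# Textbook RSA (no padding), constructed Mersenne-prime keys: insecure, demo only.
E = 65537

def keypair(p, q):                      # returns (public, private)
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def checksum(data):                     # hash algorithm -> checksum
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):                # public key algorithm + private key
    n, d = private
    return pow(checksum(data), d, n)

def signature_ok(data, signature, public):
    n, e = public                       # recover checksum, then compare (= ?)
    return pow(signature, e, n) == checksum(data)

FIELDS = ("serial", "subject", "issuer", "not_before", "not_after", "public_key")

def signed_part(cert):                  # the fields the CA vouches for
    return repr([cert[f] for f in FIELDS]).encode()

def issue(ca_private, **fields):
    cert = dict(fields)
    cert["ca_signature"] = sign(signed_part(cert), ca_private)
    return cert

def verify(document, signature, cert, ca_public, revoked, today):
    if not signature_ok(signed_part(cert), cert["ca_signature"], ca_public):
        return "CA signature not OK"
    if cert["serial"] in revoked:
        return "certificate revoked"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "outside validity interval"
    if not signature_ok(document, signature, cert["public_key"]):
        return "Incorrect"
    return "OK"

DOCUMENT = (b"Pos. Material\n10 80000311 1100.0\n20 80000620 100.2\n"
            b"30 80000636 110.3\n40 80000639 50.0\n50 80000711 10\n")

def demo():
    ca_public, ca_private = keypair(2**1279 - 1, 2**2203 - 1)
    public, private = keypair(2**521 - 1, 2**607 - 1)
    cert = issue(ca_private, serial=1, subject="Signer", issuer="Demo CA",
                 not_before="2004-01-01", not_after="2004-12-31", public_key=public)
    signature = sign(DOCUMENT, private)
    tampered = DOCUMENT.replace(b"1100.0", b"9100.0")
    return [verify(doc, signature, cert, ca_public, revoked, "2004-10-01")
            for doc, revoked in ((DOCUMENT, set()), (tampered, set()), (DOCUMENT, {1}))]

print(demo())
```

The three results correspond to an unchanged document, a document altered after signing, and a valid signature whose certificate serial number is on the revocation list.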

Advantages of Digital Signatures

Authenticity

Integrity

Validity

Legally Binding


Secure Store & Forward (SSF) Interface

[Diagram labels: SAP Applications; SAP NetWeaver SSF (ABAP, Java); SSF Partner Product; SAPSECULIB; IAIK Toolkit]

Secure Store & Forward (SSF) Interface

Applications with Electronic Signatures
SSF-API
ABAP

Signing in SAP GUI for Windows
Frontend (Software Partner Program SPP)
without signature control
Signature control: BSP (6.20) or WinGUI (7.0)
Application server signs (SAPSECULIB)

Secure Store & Forward (SSF) Interface

ABAP
SAPSECULIB supports:
- digital signatures without cryptographic hardware (Smartcards, Cryptoboards)

Java
IAIK Toolkit supports:
- Electronic Signatures without cryptographic hardware

Application server signs with Electronic Signatures

Secure Store & Forward (SSF) Interface

Supported Signature Formats (valid for Web Application Server 6.30):

ABAP
PKCS#7 (SSF Partner product)
SSF Partner Certification
Support of Cryptographic Hardware

Java
PKCS#7 (SAP Java Cryptographic Toolkit)
S/MIME (IAIK S/MIME)
XML (SAP XML Toolkit)
No Partner Certification
No support of Cryptographic Hardware

SSF ABAP Functions

SSF_SIGN: create digital signature(s)
SSF_VERIFY: verify digital signature(s)
SSF_ENVELOPE: encrypt for recipient(s)
SSF_DEVELOPE: decrypt for recipient
SSF_ADDSIGN: add a digital signature
..
SSFS_CALL_CONTROL: starts the signature control
SSFS_GET_SIGNATURE: gets the signature value from the control
SSF_KRN_: done directly by the AS

Signature in Web Browser: Signature control


System Signatures

[Diagram labels: Company A and Company B, each with an SAP System and ADS (Adobe Document Server); Create electronic signature; PDF Document; transport over HTTP, HTTPS, S/MIME, FTP; Check electronic signature; Archiving]

Automation of processes requiring approval and/or handwritten signatures, such as invoices
Cost reduction through the elimination of manual tasks and process steps

User Signatures

[Diagram labels: Company; SAP System; ADS (Adobe Document Server); Archiving; Create electronic signature; PDF Document; transport over HTTP, HTTPS, S/MIME, FTP; User Frontend; Acrobat Reader; Check electronic signature]

Standardized format
Legally binding

Applications with Electronic Signatures

CRM

EBP
ERP SD/CRM

PLM ECH
PLM DMS
PLM PP-PI

Healthcare
HCM Belgium

PLM QM

ERP FI
ERP FI/IHC

Public Sector
SAP Content Server

SAP NetWeaver

ERP MM-FI


Legal Requirements

Electronic Signature Acts all over the world

[World map labels:]
EU Directive 1999/93/EC
US E-Sign Act
German Electronic Signature Act
Singapore Digital Signature Law and Regulations
Japan Electronic Commerce Promotion Council
Argentina Digital Signature Law
Canada Uniform Electronic Commerce Act
Malaysian Digital Signature Law

Legal Requirements

Let's have a look at:

FDA: 21 CFR Part 11
US: E-Sign Act
EU: Directive 1999/93/EC
Germany: Signature Act and Ordinance

FDA: 21 CFR Part 11

In 1997 the United States Food and Drug Administration (FDA) issued a regulation 21 CFR Part 11 (Code of Federal Regulations Electronic Records) entitled Electronic Records and Electronic Signatures:

The regulations provide guidance for the use of electronic records and electronic signatures in the biotechnology, pharmaceutical, medical devices, radiological health, food, cosmetics and veterinary medicine fields.

FDA: 21 CFR Part 11


Definitions:

Electronic Signature
means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent to the individual's handwritten signature.

Digital Signature
means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

FDA: 21 CFR Part 11


General implementation of Electronic Signatures:
System Signature with authorization by userID and password

First shipment with SAP R/3 Release 4.6C
Usage of PKCS#7 standard, encryption executed by 128 bit
No external security product is necessary

When logging on to the system, users identify themselves by entering their user IDs and passwords. The SAP system then executes the digital signature. The user name and ID are part of the signed document. Public key infrastructure can be administered by the customers themselves, which is sufficient according to Part 11 for Digital Signatures.

FDA: mySAP ERP Business Processes


The following components support Electronic Signatures:
PP-PI: Process step completion within process instructions sheet and acceptance of process values outside predefined tolerance limits
ECM: Status change of Engineering Change Order and Object Management Records
EBR: Electronic batch record approval
QM: Inspection lot, Usage decision, Physical Sample Drawing
DMS: Document Management Status create/change
cProjects: document approval, project activities status change approval

For multiple signatures mySAP ERP provides Signature Strategies that define allowed signatures and the sequence in which they must be executed.

US: E-Sign Act


Most of the laws began with the Utah Digital Signature Act of 1995, which focused on a narrow set of Digital Signature technologies based on PKI.

California realized that focusing on specific technologies in law was pointless because technology advances so quickly, and chose a minimalist and technology-neutral approach, which became the foundation of the US E-Sign Act.

To prevent the American states from having conflicting laws, the National Conference of Commissioners on Uniform State Laws developed the Uniform Electronic Transactions Act (UETA), while the European Union proposed its Directive on a Common Framework for Electronic Signatures for the European Union.

In the United States, all of these incompatible state laws were superseded by the Electronic Signatures in Global and National Commerce Act (US E-Sign Act), which was signed into law in 2000. It is technology neutral, provided certain disclosures are made and the basic requirements of Electronic Signatures are followed.

US: E-Sign Act


"The term 'Electronic Signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

However, for such an electronic "symbol" to be legally binding, it is important that the symbol provide authentication of the party who created it, ensure that what was signed cannot be altered, ensure that the party understood that by creating the symbol the party was willingly signing, and that the party is able to keep an original of the data and his electronic signature for his own records.

US: E-Sign Act


Can anything be signed electronically?
Not everything, but most common documents can be. The E-SIGN
Act specifically forbids a narrow range of documents that may not
be signed electronically. The exceptions primarily relate to wills,
testamentary trusts, adoption, divorce, court orders, termination of
utilities, repossession, foreclosure, eviction, cancellation of life
insurance, product recalls and documents related to the
transportation of hazardous materials.


US: E-Sign Act

Key features of legal electronic signatures include:

Knowing who the parties are when they sign;
Having those parties agree to use electronic signatures and show they are technically capable of signing electronically;
Ensuring each party who signs receives a copy of the electronically signed documents (including the ability to re-verify those signatures electronically); and
Ensuring that a forged or tampered electronic document can be detected.

EU Directive 1999/93/EC
Directive 1999/93/EC of the European Parliament and of the Council
of 13 December 1999 on a Community framework for Electronic
Signatures for the European Union
Article 5 : Legal effects of Electronic Signatures
Member States shall ensure that advanced electronic signatures
which are based on a qualified certificate and which are created by
a secure-signature-creation device:
a) satisfy the legal requirements of a signature in relation to data in
electronic form in the same manner as a hand-written signature
satisfies those requirements in relation to paper-based data; and
b) are admissible as evidence in legal proceedings

Handwritten Signature = Electronic Signature


EU Directive 1999/93/EC

Electronic signatures
Advanced electronic signatures
Qualified signatures

Qualified signature:
advanced electronic signature
+ qualified certificate (Annex I + II)
+ secure signature creation device (Annex III)


Germany: Multilevel Law

Implementation of EU Directive 1999/93/EC in Germany:

Signature Act (Signaturgesetz SigG) provides general framework, 22nd May 2001
defines a digital signature
defines the role of a CA
defines certificates and outlines how they are handled

Signature Ordinance (Signaturverordnung SigV), 24th October 2001
sets out operational details and responsibilities of a CA

Germany: Electronic Signature Act

1. Electronic Signature
shall be data in electronic form that are attached to other electronic data or logically linked to them and used for authentication;

2. Advanced Electronic Signature
shall be electronic signatures as in 1. above that
a) are exclusively assigned to the owner of the signature code
b) enable the owner of the signature code to be identified
c) are produced with means which the owner of the signature code can keep under his sole control and
d) are so linked to the data to which they refer that any subsequent alteration of such data may be detected;

Germany: Electronic Signature Act

3. Qualified Electronic Signature
shall be electronic signatures as in 2. above that
a) are based on a qualified certificate valid at the time of their creation and
b) have been produced with a secure signature-creation device;

Copyright 2004 SAP AG. All Rights Reserved

