In 2008, Izenpe made it a priority to add a signature and security services platform to its product offering. This platform, called ZAIN, was to incorporate a set of security mechanisms including certificate validation and electronic signature management services, and was progressively to replace the integration toolkits that Izenpe had offered until then. Since its founding in 2002 as an initiative of the Basque government and the regional councils, Izenpe has provided identification and electronic signature services to promote e-Administration and electronic interactions with guarantees of security, confidentiality, authenticity and non-repudiation of transactions for public administrations and private entities.
Published in "Revista SIC", no. 90, June 2010
By T. Saez (IZENPE) and S. Adame (Safelayer)
In Spain and Europe, the deployment of eID and electronic signature services platforms is seen as strategic for the development of e-Government. The need to manage different eIDs (e.g., in Spain there are 18 certification service providers recognized by the Spanish Ministry of Industry, Tourism and Trade) and the technical complexity involved in managing the different electronic-signature formats and their mutual recognition mean a deployment strategy based on specialized security services is required.
For these reasons, Izenpe defined ZAIN as a platform that was to comprise a complete, standardized set of security mechanisms (authentication, authorization, electronic signature and data protection) offered as services. Aside from its technical interest, its strategic value lies in its capacity to act as a catalyst for developing electronic processes, chiefly because of the ease of use it introduces and its capacity to provide trust and guarantees in electronic relations.
In production since May 2009, ZAIN provides ease of use because it reduces the time spent integrating security mechanisms into applications and greatly simplifies their maintenance. The toolkit-based integration strategy is characterized by an isolated, static approach for each application and technology: each one requires its own installation, start-up, training, configuration and maintenance, which makes deployment costly, especially across large numbers of applications.
In contrast, with an integration strategy based on a service-oriented platform, security functions are incorporated in the applications via the consumption of services, providing a common framework of integration, training, configuration and maintenance and facilitating centralized auditing and policy management. One of the biggest benefits of this approach is precisely the separation of functions, in which the provider is responsible for and provides the required quality assurances (e.g., via metrics that specify the trust level of electronic signatures), while the applications are left to concentrate on their specific business functions. This means that organizations do not need to have specialized PKI staff.
The recent study "European Federated Validation Service" by the European Commission's IDABC programme surveys a group of European-scale validation services and tools and highlights the TrustedX product from the Spanish developer Safelayer Secure Communications as the most complete technology solution. In a process that lasted over a year, Izenpe evaluated and analyzed several platforms, eventually opting for Safelayer technology, to which it would add a layer of customized services for operating with Izenpe's PKI.
ZAIN's Catalog of Services
ZAIN provides a complete set of security mechanisms offered as services to user entities, which delegate the trust evaluation of data to Izenpe. The ZAIN platform includes the following trust services:
- Identity Validation. The platform offers an identity validation service. It currently validates the certificates issued by Izenpe's CA and those issued by providers with which there are agreements covering legal and operational as well as technical aspects. It is also designed so that new authentication mechanisms can be incorporated later in a straightforward way, and it supports federation for exchanging authentication data between corporate applications and with resources belonging to external security domains.
- Electronic Signature Verification and Non-Repudiation. The electronic signature verification service supports practically all existing standard signature formats. Optionally, the service can also complete electronic signatures with evidence on the status of the certificates and extend their validity with time-stamps, following ETSI's specifications for advanced electronic signatures.
- Trust Level Evaluation. The quality and liability level of the CAs recognized by Izenpe varies according to the legal and technical guarantees each provider offers. This service returns a metric indicating the trust level of a certificate or electronic signature, so that applications can define minimum trust levels depending on the data to be managed and, for example, reject authentication mechanisms whose security level is not high enough.
- Semantic Interpretation. This service normalizes the information in the certificates and signatures of the CAs recognized by Izenpe, regardless of the profiles each of them uses, so that data on signers and their attributes is interpreted uniformly. A template system simplifies extracting certificate or signature data and isolates the application completely from the certificate policy and the issuing CA.
- Electronic Signature Generation. Although users normally sign directly with the DNIe or ONA card, via an applet in the browser or a signature application installed in the operating system, the platform also supports a server-signature mode in which signature operations are delegated to servers (e.g., for issuing electronic invoices, census certificates or academic qualifications).
- Signature Custody. Because algorithms, keys and other cryptographic material can become vulnerable over time, signatures and evidence are considered temporary and need to be renewed regularly. To maintain non-repudiation properties, the validity of the electronic evidence must be reaffirmed periodically and automatically. ZAIN's signature custody service maintains the properties of the electronic signatures for the periods set out in corporate regulations and/or the applicable legislation.
- Data Encryption. Encryption mechanisms are used to protect data: electronic documents, emails and web messaging. In the future it will be possible to add an encrypted-key custody service, controlling access to the data for groups of trusted persons or systems.
Once the technological platform was chosen, the question of the ideal architecture to implement at Izenpe was addressed, taking into account the possible procedures for migrating from the toolkits to the new platform. ZAIN's services are provided as Web services following the OASIS standards for signature services (DSS), so a series of welcome kits, or examples, similar to those previously recommended with the toolkits in .NET and J2EE were created to make migration as straightforward as possible. For the platform's delivery format, Izenpe decided to provide two modes: service mode, in which the instances are hosted by Izenpe and are accessible via the Internet, and product mode, in which the platform is installed at the client entity.
Only entities authorized by Izenpe can use the services of the ZAIN platform. To enforce this, the platform supports different authentication mechanisms and the definition of specific authorization policies for consuming its resources.
Furthermore, ZAIN's policy manager supports centrally defining a set of trust policies that apply to specific users, groups of users or applications, thereby controlling service parameters such as the allowed authentication mechanisms, the recognized certification service providers and the trust level granted to each one, the semantic interpretation of the data, and the cryptographic parameters of the algorithms.
Using a common component for centralized event auditing (history), ZAIN uniformly manages the trace/log data of all the platform's service components and the data on service use and consumption. This allows all types of reports to be generated, always via controlled access to the activity data.
The figure illustrates the components that make up the ZAIN platform, among which are the time-stamping authority (TSA), the certificate validation authority (VA) and the infrastructure services on which the platform's services rely, such as the database (DB), the directory and the document management system (DMS). Time-stamps are generally requested using the RFC 3161 protocol from the TSA recognized by Izenpe, although third-party TSAs can also be incorporated according to the defined policies. Likewise, the platform validates certificate status using the OCSP protocol, but it also supports other types of validation, such as certificate revocation lists (CRLs) and federation with other eID and signature platforms (e.g., @firma).
Izenpe has used TrustedX's integration module to build a service brokering service (LOTUR@) that facilitates interoperability between entities. It can interact with the libraries of the Spanish Ministry of the Presidency or any other service in a way that is transparent for the consumer of the information, ensuring that the exchanges follow the agreements between the participants. The consuming application calls ZAIN, and ZAIN carries out the necessary transformations (Web service calls, format conversions, etc.) and calls the producers of the information.
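The RFC 3161 exchange mentioned above (also the mechanism used to extend a signature's validity with time-stamps in the verification service) as an added example that is not ZAIN or TrustedX code: the client builds a TimeStampReq in DER with only the Python standard library, and the relying party checks that the TSTInfo it gets back is bound to that request, i.e. it carries the same hash algorithm and digest in messageImprint and echoes the nonce, which is what stops an old token being replayed for a different document. The document, nonce, TSA policy OID, serial number and generation time are constructed values; a real TimeStampResp wraps TSTInfo in a CMS SignedData whose signature and TSA certificate must also be verified, and that part is outside this example.

```python
"""RFC 3161 TimeStampReq built by hand in DER, plus the relying-party checks
that bind a returned TSTInfo to the request.  Added example, not ZAIN or
TrustedX code; standard library only, DER helpers cover just the tags needed."""
import hashlib

OID_SHA256 = "2.16.840.1.101.3.4.2.1"      # id-sha256
OID_POLICY = "1.3.6.1.4.1.99999.1.1"       # ASSUMED placeholder TSA policy OID


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """Non-negative INTEGER; the spare byte keeps a set top bit from reading as negative."""
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def message_imprint(data):
    """MessageImprint ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, hashedMessage OCTET STRING }"""
    alg = der_tlv(0x30, der_oid(OID_SHA256) + der_tlv(0x05, b""))   # NULL parameters
    return der_tlv(0x30, alg + der_tlv(0x04, hashlib.sha256(data).digest()))


def build_tsq(data, nonce, cert_req=True):
    """TimeStampReq ::= SEQUENCE { version INTEGER(1), messageImprint, nonce INTEGER OPTIONAL,
    certReq BOOLEAN DEFAULT FALSE }.  Only the digest is sent; the document stays with the client."""
    body = der_int(1) + message_imprint(data) + der_int(nonce)
    if cert_req:
        body += der_tlv(0x01, b"\xff")          # ask the TSA to include its certificate
    return der_tlv(0x30, body)


def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def value_of(tlv):
    return parse_tlv(tlv)[1]


def elements(seq_tlv):
    """Split a SEQUENCE TLV into its elements as (tag, full_element_tlv) pairs."""
    value, out, pos = value_of(seq_tlv), [], 0
    while pos < len(value):
        tag, _, nxt = parse_tlv(value, pos)
        out.append((tag, value[pos:nxt]))
        pos = nxt
    return out


def parse_imprint(imprint_tlv):
    """Return (hash algorithm OID bytes, digest) from a MessageImprint."""
    (_, alg), (_, digest) = elements(imprint_tlv)
    return value_of(elements(alg)[0][1]), value_of(digest)


def parse_tsq(tsq):
    elems = elements(tsq)
    oid, digest = parse_imprint(elems[1][1])
    req = {"version": int.from_bytes(value_of(elems[0][1]), "big"),
           "hash_oid": oid, "digest": digest, "nonce": None, "cert_req": False}
    for tag, tlv in elems[2:]:                  # reqPolicy / nonce / certReq, all optional
        if tag == 0x02:
            req["nonce"] = int.from_bytes(value_of(tlv), "big")
        elif tag == 0x01:
            req["cert_req"] = value_of(tlv) != b"\x00"
    return req


def build_tstinfo(imprint_tlv, serial, gen_time, nonce):
    """TSTInfo as found inside the TSA's signed token, CONSTRUCTED here and unsigned so the
    binding checks can be exercised offline: version, policy, messageImprint, serialNumber,
    genTime (GeneralizedTime), nonce."""
    body = (der_int(1) + der_oid(OID_POLICY) + imprint_tlv + der_int(serial)
            + der_tlv(0x18, gen_time) + der_int(nonce))
    return der_tlv(0x30, body)


def token_binds_request(tsq, tstinfo):
    """Relying-party check: TSTInfo.messageImprint must equal the request's (same algorithm
    and digest) and the nonce must be echoed; a token for another document or from an earlier
    request fails here even if its TSA signature is perfectly valid."""
    req = parse_tsq(tsq)
    elems = elements(tstinfo)
    oid, digest = parse_imprint(elems[2][1])    # version, policy, messageImprint, ...
    ints = [int.from_bytes(value_of(t), "big") for tag, t in elems[3:] if tag == 0x02]
    nonce = ints[1] if len(ints) > 1 else None  # serialNumber first, nonce (optional) second
    return (oid, digest) == (req["hash_oid"], req["digest"]) and nonce == req["nonce"]


if __name__ == "__main__":
    doc = b"constructed sample document"        # constructed input
    tsq = build_tsq(doc, nonce=0x0123456789ABCDEF)
    good = build_tstinfo(message_imprint(doc), 42, b"20100601120000Z", 0x0123456789ABCDEF)
    replayed = build_tstinfo(message_imprint(doc), 41, b"20100531120000Z", 0xDEADBEEF)
    print(tsq.hex())
    print(token_binds_request(tsq, good), token_binds_request(tsq, replayed))
```

The request bytes are what goes in the body of the `application/timestamp-query` POST to the TSA; the nonce should come from a CSPRNG in practice, and the full check on the response also covers the PKIStatus, the CMS signature over TSTInfo, and that the signing certificate is the TSA the policy recognizes.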
The ZAIN Platform in Service
More than 20 public and private entities are already using the ZAIN platform, with certificate validation and signature generation and verification being the most used services, amounting to 100,000 operations a month. In local councils, for example, it interacts with municipal service applications such as the census register and the citizen's portal, whereas in other areas of public administration, such as provincial council offices and government departments, it is used in procedures with the Treasury (deposit management, notifications, etc.), the employee's portal and electronic invoicing. For companies in the banking sector, it is used for signing guarantees and for electronic banking access.
Owing to the growth in clients and applications using ZAIN, since last year Izenpe has had a technical office devoted exclusively to the platform, which offers a 24x7 service to all clients using the service mode; this option is also available to clients with the platform in product mode managed from Izenpe. The platform's service level agreement (SLA) guarantees that when an incident occurs, the client receives a notification within 15 minutes.
One of ZAIN's success factors is its focus on business processes, owing to its ability to provide, precisely and uniformly and at all times, the trust level of the data together with information on who the authors are and what their attributes are. This greatly simplifies the logic in the applications, provides greater reliability and avoids having to change them in order to recognize new security services or authentication mechanisms dynamically (e.g., new validation or time-stamp authorities).
ZAIN also guarantees protection of investment as it offers extensive support for the internationally-recognized security standards adopted by the industry. Likewise, its service-oriented architecture (SOA) guarantees the adoption of new standards and services as the development of new business processes requires it and the incorporation of new functions and features as they are needed. Thus, users, applications and potential end-clients are not limited, and the right protection mechanism is provided to a greater number of applications in a straightforward manner.
In the new systems required by society, remote electronic interactions are increasingly important in every sphere of life: personal, professional and government relations. Trust is the basis of these relations, which is why electronic identification systems are evolving toward ever more reliable mechanisms based on PKI technology. This is where Safelayer positions itself, providing innovative, global and efficient technology to meet the demand for reliable mechanisms for the virtual processes of authentication and identification, electronic signature and data protection, and thereby providing tools for improving competitiveness.
The software is TrustedX; the trust organization, Izenpe; the result, ZAIN.