Exploring Digital Signatures Secrecy in Web-Platform: Client-Side Cryptographic Operations

  • Wellington Fernandes Silvano UFSC
  • Gabriel Cabral UFSC
  • Lucas Mayr UFSC
  • Frederico Schardong UFSC / IFRS
  • Ricardo Custódio UFSC

Abstract


Online signature platforms confront critical security challenges, notably the exposure of sensitive documents to third-party applications. This paper presents a novel client-side cryptographic model that enhances document secrecy and key management by performing cryptographic operations within the user’s browser. By employing one-time certificates, our model eliminates document uploads, reducing the risk of leakage and private key compromise. Aligned with Claude Shannon’s information theory, our approach ensures robust secrecy while remaining compatible with existing digital signatures. Our implementation demonstrates practical performance and offers a significant advancement in secure digital signatures, addressing vulnerabilities in traditional web-based platforms.

Published
16/09/2024
SILVANO, Wellington Fernandes; CABRAL, Gabriel; MAYR, Lucas; SCHARDONG, Frederico; CUSTÓDIO, Ricardo. Exploring Digital Signatures Secrecy in Web-Platform: Client-Side Cryptographic Operations. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 335-350. DOI: https://doi.org/10.5753/sbseg.2024.241786.
