S 2.265 Proper use of digital signatures in archiving
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Archive Administrator, IT Security Officer, Administrator, Head of IT
Digital signatures are a challenge for electronic archiving since, for technical reasons, they have a limited lifetime which is not always known in advance. On the other hand, they are necessary if electronic documents have to be archived in such a way that their evidentiary value is ensured. The significance of digital signatures depends strongly on the interpretation at the time of examination and therefore on the so-called validity model. Also, no long-term practical experience with the archiving of digitally signed documents is available to date since digital signatures have only been used in practice for a few years.
Validity and evidentiary value
These two characteristics of a signature are usually defined as follows: A digital signature is valid, if
- it is mathematically correct and
- the associated signature key was valid at the time the signature was effected.
A digital signature has evidentiary value, if
- it is recognised as valid according to the validity model used at the time of verification and
- the associated signature key is not compromised.
Significance of digital signatures
Digital signatures can be used for various purposes, including:
- verification of the integrity of the data,
- certification of the authenticity of cryptographic keys or electronic documents,
- authentication.
The use and the significance of digital signatures must be specified for the specific application within the scope of a security policy. The following, among other things, should be specified in this policy:
- the requirements under which digital signatures are generated,
- the body that generates digital signatures (in case of certificate signatures, for example, in a neutral trust centre),
- the validity model used for the application,
- if and how digital signatures can be withdrawn, if required,
- the statement which is to be associated with the signature, i.e. what is certified by it (in case of a time stamp, for example, the presence of a document at a certain time).
The policy must be documented in writing and archived to ensure that the meaning (i.e. the evidentiary value) of the signature is obvious during a subsequent verification. In addition, it should be published in a suitable form so that all persons who need or want to trust this signature can refer to it.
Lifetime of digital signatures
The lifetime of digital signatures is restricted by the technical development of hardware and software as well as the progress in the field of cryptography (see T 2.79 Ineffectual regeneration of digital signatures during archiving and T 4.47 Obsolescence of cryptographic procedures). It must be assumed that digital signatures become obsolete after approx. 5 years due to their decreasing significance. For this reason, trust centres should issue key certificates and time stamps for a maximum of 5 years. However, they can also be declared invalid at short notice, if this should be necessary. This is referred to as blocking.
Blocking of key certificates
If key certificates are blocked by the certification instance, for example, because the signature keys are compromised, action must be taken quickly. All signatures generated with the corresponding key after that time lose their factual significance (e.g. evidentiary value). However, the validity of the signatures also depends on the validity model. In contrast to the shell model, the chain model initially does not require any further action in case of compromised keys.
This may have direct consequences on the significance of archived documents. If the archived documents affected are only signed with the invalid key, then, depending on the validity model used, this signature has no more evidentiary value.
Recommendation
There are currently no proven standards for the archiving of digitally signed documents which could be applied to ensure the long-term validity and evidentiary value of signatures. Therefore, the following recommendations should be taken into account with regard to the threats arising during long-term archiving until corresponding standards have been established:
- The significance of the signatures and certificates must be documented in a policy. The policy must also be archived.
- An independent trust centre should be involved for generation of key certificates and time stamps.
- All signatures, time stamps, and certificates associated with a document and the keys required for verification of the signature or certificate must also be archived. This can be done locally or in a centralised manner by the trust centre.
- Depending on the requirements regarding the significance of the signature, it may be necessary to archive additional context information. In case of qualified signatures according to the Signature Act this includes, for example, directory service information by the certification service provider.
- The digital signatures and certificates should be regenerated after 5 years at the latest, at least before expiry of the regular validity of the key certificates. As long as the directory service remains available in its full integrity this is actually only necessary if the suitability of the algorithms is no longer guaranteed. Due to the fact that during archiving, the data is stored for an extended period without being processed, it makes sense to repeat the signature every 5 years as a precaution.
- The verification of a digital signature fails as soon as only one bit in the document or its signature is changed. Therefore, bit-precise archiving is absolutely necessary in order to preserve the validity of the signature. For this reason, appropriate error correction measures should be taken when storing the signed documents.
- The persons responsible for electronic archiving should keep themselves informed of the developments in the field of digital signatures.
Archiving models
The following describes different models for archiving of digitally signed documents. The archiving of key management information such as certificates or blocking lists will not be considered yet.
As long as it is not relevant for the described models whether the original document contains one or several signatures, reference will be made to one original signature. Multiple original signatures will only be mentioned if they change the method of operation of the archiving model.
The description of the models is structured according to the following aspects:
- Required infrastructure
- Procedure for archiving of a signed document
- Procedure for retrieving a document from the archive
- Semantics of the additional signatures generated in the context of archiving, i.e. what is confirmed by these signatures?
- Procedure for verifying the evidentiary value of the original signature
- Necessary trust in the instances involved in archiving
The description is followed by a brief discussion of the different models.
Model 1: Archiving body with receipt stamping
- Infrastructure
Trustworthy archiving body that also offers certification services (trust centre)
- Procedure for archiving
The document is archived together with an indication of the time of receipt by the archiving body.
- Procedure for retrieving
The document together with the indication of the time of receipt by the archiving body is digitally signed by the archiving body at the time of retrieval. The signature of the archiving body proves the authenticity of the document and protects its integrity.
- Semantics of the signature of the archiving body
By means of the signature at the time of document retrieval the archiving body confirms that the relevant document was received and archived at the time indicated.
- Verification of the evidentiary value of the original signature
To verify the authenticity and integrity of a document, first the signature of the archiving body is verified. The original signature is considered to have evidentiary value if it had evidentiary value at the indicated time of document receipt by the archiving body. This verification remains the responsibility of the user. The certificates required for this can either be provided by the same archiving body together with the document or must be requested from a different suitable body.
- Trust model
Trust is placed in the archiving body that the signed documents are stored with integrity and that they were correct at the time of receipt.
If an attacker is able to manipulate the time of document receipt he/she can change the evidentiary value of the documents. By indicating a later time the evidentiary value of a document can be eliminated. On the other hand, in case of a document whose signature is valid, but without evidentiary value, the evidentiary value can be feigned by indicating an earlier time of receipt.
The correctness of the stored time of document receipt must be ensured by means of suitable safeguards. Digital signatures, as in models 3 and 4, can be used for this.
Model 2: Archiving body with confirmation stamping
- Infrastructure
Trustworthy archiving body that also offers certification services (trust centre)
- Procedure for archiving
The evidentiary value of the original signature of the document is verified upon receipt of the document by the archiving body. The document is only archived if the evidentiary value can be verified at the relevant time. In the case of multiple original signatures, their evidentiary value is determined individually. The document is archived together with the indication of the evidentiary value of the individual signatures, if at least one of the original signatures has evidentiary value.
- Procedure for retrieving
The document is digitally signed by the archiving body at the time of retrieval, sometimes together with the indication of the evidentiary value of the original signature. The signature of the archiving body proves the authenticity of the document and protects its integrity.
- Semantics of the signature of the archiving body
The signature of the archiving body confirms the evidentiary value of the original signature. In case of multiple original signatures, the included indication regarding their evidentiary value is confirmed individually.
- Verification of the evidentiary value of the original signature
To verify the authenticity and integrity of a document, the signature of the archiving body is verified. The evidentiary value of the original signature is revealed by the indication included or by the archiving itself.
- Trust model
Trust is placed in the archiving body that the signed documents are stored with integrity and that the evidentiary value of the documents was verified prior to archiving.
If an attacker is able to break a formerly valid signature key and to introduce documents with forged signatures to the archive without this being noticed, these are considered to have evidentiary value. For this reason, it must be ensured by means of suitable safeguards that the evidentiary value of signed documents is verified prior to inclusion in the archive and that the database is protected against unauthorised adding of data.
Model 3: Trust centre with time stamp service
- Infrastructure
Separation of roles between an archiving body and a trustworthy time stamp service (trust centre) who communicate with each other.
- Procedure for archiving
Upon receipt of the document by the archiving body, the evidentiary value of the original signature of the document is confirmed by means of a time stamp of the trust centre for the duration of the evidentiary value of this stamp.
The complete document, i.e. the document including all signatures, is regularly provided with a new time stamp of the trust centre before expiry of the evidentiary value of the last time stamp.
- Structure of an archived document
An archived document contains at least the signed original document and a time stamp with regard to this document. In the course of time, it is extended by additional time stamps which are each effected with regard to the signed original document including all previous time stamps.
- Procedure for retrieving
The document including all time stamps is delivered in the current condition.
- Semantics of a time stamp
In the case of time stamping, a signature of the trust centre intended for that specific purpose confirms that the document was present at the time indicated in the time stamp.
- Verification of the evidentiary value of the original signature
The evidentiary value of the last time stamp is directly verified. All other time stamps are checked by verifying their evidentiary value at the time of the subsequent time stamp (recursive verification). The verification of the evidentiary value of the original signature takes place at the time indicated in the first time stamp.
- Trust model
Trust is placed in the archiving body that the documents are stored with integrity. The trust centre trusts the time stamp service.
Based on the chain of time stamps the evidentiary value of the original signature can be verified at any time.
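The recursive verification of model 3, as an added, constructed example that is not part of this safeguard: a document signed in 2001 is re-stamped in 2002, 2006 and 2010, and the verifier in 2013 checks the last stamp directly, each earlier stamp at the time of the stamp following it, and the original signature at the time of the first stamp. HMAC-SHA256 with a per-key secret stands in for the trust centre's asymmetric signature (an assumption so the code runs with the standard library); key validity periods, blocking times and document content are constructed.

```python
import hashlib
import hmac

# Constructed example of archiving model 3 (chain of time stamps).
# Assumption: HMAC-SHA256 with a per-key secret stands in for the
# asymmetric signature a real trust centre would use. Times are years.
KEYS = {  # key id -> (secret, valid_from, valid_until); constructed values
    "signer-2001": (b"k-signer", 2001, 2006),
    "tsa-2002": (b"k-tsa-a", 2002, 2007),
    "tsa-2006": (b"k-tsa-b", 2006, 2011),
    "tsa-2010": (b"k-tsa-c", 2010, 2015),
}

def sign(key_id, data):
    return hmac.new(KEYS[key_id][0], data, hashlib.sha256).digest()

def has_evidentiary_value(key_id, data, sig, at_time, blocked):
    """Valid: mathematically correct and key valid at at_time. Evidentiary
    value: additionally the key was not blocked (compromised) by at_time."""
    _, valid_from, valid_until = KEYS[key_id]
    if not valid_from <= at_time <= valid_until:
        return False
    if key_id in blocked and blocked[key_id] <= at_time:
        return False
    return hmac.compare_digest(sign(key_id, data), sig)

def new_archive(doc, signer_key):
    return {"doc": doc, "orig_key": signer_key,
            "orig_sig": sign(signer_key, doc), "stamps": []}

def covered_bytes(archive, n_stamps):
    """What the (n+1)-th stamp covers: signed original plus the n earlier stamps."""
    data = archive["doc"] + b"|" + archive["orig_key"].encode() + b"|" + archive["orig_sig"]
    for key_id, t, sig in archive["stamps"][:n_stamps]:
        data += b"|" + key_id.encode() + b"|" + str(t).encode() + b"|" + sig
    return data

def stamp_data(archive, i, t):
    return covered_bytes(archive, i) + b"|" + str(t).encode()

def add_time_stamp(archive, tsa_key, now):
    """Trust centre signs the presented bytes together with the current time."""
    i = len(archive["stamps"])
    archive["stamps"].append((tsa_key, now, sign(tsa_key, stamp_data(archive, i, now))))

def verify_chain(archive, now, blocked=None):
    """Recursive verification: last stamp at `now`, each earlier stamp at the
    time of the stamp following it, original signature at the first stamp's
    time. Any changed bit in the document or a stamp makes this fail."""
    blocked = blocked or {}
    stamps = archive["stamps"]
    if not stamps:
        return False
    check_at = now
    for i in range(len(stamps) - 1, -1, -1):
        key_id, t, sig = stamps[i]
        if not has_evidentiary_value(key_id, stamp_data(archive, i, t), sig, check_at, blocked):
            return False
        check_at = t
    return has_evidentiary_value(archive["orig_key"], archive["doc"],
                                 archive["orig_sig"], check_at, blocked)

def demo():
    """Document signed in 2001, stamped in 2002, 2006 and 2010."""
    a = new_archive(b"contract text (constructed)", "signer-2001")
    for key, year in (("tsa-2002", 2002), ("tsa-2006", 2006), ("tsa-2010", 2010)):
        add_time_stamp(a, key, year)
    return a
```

Dropping the 2010 stamp from `demo()` reproduces the missed regeneration of T 2.79: the 2006 stamp's key has expired by 2013 and the whole chain loses its evidentiary value, while a signer key blocked in 2004 does no harm because the original signature is only judged at the time of the first stamp (2002).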
Model 4: Trust centre with archive stamp service
- Infrastructure
Separation of roles between an archiving body and a trustworthy archive stamp service (trust centre) who communicate with each other.
- Mode of operation of archive stamping
If a document is subjected to archive stamping for the first time, this process corresponds to time stamping: the document is provided with a time stamp.
If a document underwent the archive stamp service exactly one time and thus already contains one time stamp, this time stamp is verified first during the next archive stamping. Only if the time stamp has evidentiary value is the document including time stamp signed with a special archive signature.
If a document already contains an archive signature, the archive signature is verified first during the next archive stamping. Only if the previous archive signature has evidentiary value is it replaced by a current archive signature.
- Procedure for archiving
Upon receipt of the document by the archiving body, the evidentiary value of the original signature of the document is confirmed by means of the archive stamping by the trust centre for the duration of the evidentiary value of the time stamp added.
The document must be regularly provided with an archive stamp by the trust centre before expiry of the evidentiary value of the time stamp or the last archive signature.
- Structure of an archived document
An archived document consists of at least the signed original document and a time stamp with regard to this. After expiry of the evidentiary value of the time stamp it is provided with exactly one archive signature in addition. This signature is generated with regard to the signed original document and the time stamp.
- Procedure for retrieving
The document including all signatures is delivered in the current condition.
- Semantics of the archive signature
The archive signature confirms the evidentiary value of the time stamp. The time stamp confirms the presence of the original document at the time indicated.
- Verification of the evidentiary value of the original signature
First, the evidentiary value of the archive signature is verified, and then the evidentiary value of the original signature at the time indicated in the time stamp.
- Trust model
Trust is placed in the archiving body that the documents are stored with integrity. The trust centre needs to have a trustworthy archive stamp service.
The archive stamp service must verify the evidentiary value of a previous signature. If an attacker is able to suppress this verification and to provide forged signed documents with an archive signature, this is considered to have evidentiary value. For this reason, it must be ensured by means of suitable safeguards that the evidentiary value of the previous signature is verified before an archive signature is regenerated or added.
Discussion of the models
The lower the trust of the users in the archiving body is, the more effort is required for archiving of digitally signed documents with evidentiary value.
If full trust in the archiving body exists, model 2 can be applied. It is the most convenient model for a user because he/she is informed of the evidentiary value of the original signature upon retrieval of the archived document. The user trusts that the information provided by the archiving body is correct. He/she does not have any control capabilities beyond this. If the user wants to convince a third party of the evidentiary value of the original signature, he/she can merely refer to the answer by the archiving body and to their trustworthiness supported by archiving policies.
In model 1, the user must verify the evidentiary value of the original signature of the retrieved document. The archiving body merely supplies the time when it received the document. Just like the user, a third party can carry out the verification of the evidentiary value, but must trust the time indicated by the archiving body.
Both models have the advantage that the organisational effort by the archiving body is restricted to a minimum: no further treatment of the document is required after archiving. The archiving itself seals the original signature for the entire archiving period. Accordingly, the integrity of the database in the archive is critical: unauthorised adding of data may result in forged signatures being recognised as having evidentiary value.
In models 3 and 4, however, the integrity of the archived data is protected by digital signatures. This prevents forged signed documents being recognised as having evidentiary value if they were introduced to the archive without authorisation.
Another trust-increasing safeguard in models 3 and 4 is the possibility to divide the responsibilities for document storage and signature sealing between different bodies: archiving body and trust centre.
The necessary trust in the archiving body, as usually is the case with archiving, is limited to the storage of documents. In addition, successful archiving of digitally signed documents requires regular communication with the trust centre. Every document received must first be provided with a time stamp by the trust centre since the time of document receipt by the archiving body is decisive for subsequent verification of the evidentiary value.
In model 4, the trust centre regularly confirms the proper archiving up to current time by verifying the evidentiary value of the previous archive signature of the document and replacing this signature by a new archive signature. As a result, the interval between the end of the evidentiary value of the time stamp and the time of the last archive stamp is continuously increased. Therefore, the archive signature confirms the evidentiary value of the time stamp only as long as archive stamping in the trust centre works properly. This applies in particular to the verification of the evidentiary value of the previous archive signature. Without this verification, the archiving body may submit forged signed documents for archive stamping which will then receive evidentiary value. The user must consequently trust that archive stamping by the trust centre is executed properly.
In model 3, the user can monitor the continuous execution of regular signature sealing. The only service required by the trust centre is time stamping. This time stamping is not specific for archiving and does not include any verification. The trust centre provides the presented document with the current time and a signature without looking at it. Trustworthy time stamping is therefore generally easier to implement than archive stamping with a comparable level of trust.
Models 3 and 4 offer a higher level of trustworthiness compared to models 1 and 2, but also make it more complicated for the user to verify the evidentiary value of the original signature. In model 3, an entire chain of time stamps needs to be checked for their evidentiary value in addition to the evidentiary value of the original signature at the time of the first time stamp, whereas in model 4 only the evidentiary value of the archive signature needs to be checked.
There are currently no proven standards for long-term archiving of digital signatures. Uniform concepts and standards still need to be established here, and the persons responsible for electronic archiving should therefore keep themselves informed of the developments in the field of digital signatures. Accordingly, the models described above are only intended as an example. Other methods for archiving of digitally signed documents may well be possible.
Review questions:
- Is the use and significance of digital signatures during archiving specified in a security policy and published in a suitable form?