Read time: 7 minutes

All the domain names and IP addresses protected by a certificate are listed in its SAN, or Subject Alternative Name, extension. Subject Alternative Names must be present on an SSL/TLS certificate whenever one certificate has to secure additional host names or addresses, so that the name a client connects to matches an entry in the certificate.

The SANs information can be found in the SSL/TLS certificate data by clicking on the padlock icon in most web browsers’ address bars.

In this blog, we will talk about how to add Subject Alternative Name attributes to a certificate, i.e., web server certificate enrollment with a SAN extension. We will also cover an error: adding a SAN (Subject Alternative Name) in the Additional Attributes field of the Microsoft CA certificate request form does not automatically produce a certificate with a “Subject Alternative Name” entry.

Web Server Certificate Enrollment with SAN Extension

Enrolling a certificate with a custom SAN extension is straightforward. Follow the set of instructions below and you will have it.

Setting Certificate Template

Most certificate templates are set up to build the subject from Active Directory. SSL certificate templates instead use “Supply in the request”, because each request carries its own custom subject name. If you are using the default Web Server template, there is no need to modify anything. For a custom certificate template, update it as shown below.


Also, you need to give Read and Enroll permissions from the security tab to your account.

Setting Certification Authority

  • Go to the certsrv console and expand the Issuing CA.
  • Go to Certificate Templates and open it.
  • Check whether the template is listed in the window; if not, right-click Certificate Templates and then New -> Certificate Template to Issue.
  • Select the required template and click Add.

Certificate Enrollment Process

  • Open the mmc console. In the Console1 window, go to File -> Add/Remove Snap-in.
  • In the Add/Remove Snap-in dialog box, click Certificates and then Add.
  • In the Certificates snap-in box, click Computer account, then Next.
  • In the Select Computer window, click Local Computer and Finish.
  • Click OK and close the snap-in dialog.
  • Right-click the Personal node. Click All Tasks -> Request New Certificate.
  • On the Before You Begin page, click Next.
  • On the Select Certificate Enrollment Policy page, select the appropriate policy and click Next.
  • In the Request Certificates box, click the required template, expand its details, and open its properties to configure it.
  • The Certificate Properties dialog box appears.
  • Since you are using a Subject Alternative Name (SAN), you can leave the Subject name empty. In the dropdown, select the proper type for the SAN (for SSL certificates, DNS is the common choice).
  • In the Value box, enter the names in the corresponding format and click Add. Repeat this step for every value you want to add.
  • Click OK and Close. You return to the certificate enrollment page. Click Enroll.
  • Click Finish when the certificate is successfully installed.
  • Here, you can view the certificate’s SAN details.

Troubleshooting

Issue

The generated certificate does not include a SAN (Subject Alternative Name) entry even after a SAN was added in the Additional Attributes field.

Cause

If the Microsoft CA’s issuance policy is not set up to accept the Subject Alternative Name(s) attribute submitted through the CA Web Enrollment page, the preceding steps will not produce a certificate that includes a SAN entry.

Solution

To solve this, we need to run this command through the administrative command prompt:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2


After running this command, make sure to restart the ADCS Services by running

net stop certsvc and net start certsvc

Now, you can create the certificate with the SAN entry by using the CA’s web enrollment page.
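The EDITF_ATTRIBUTESUBJECTALTNAME2 flag makes the CA honour a SAN supplied in the request attributes for every template it issues, so once it is set, keep a close eye on who holds Enroll rights on those templates. The following PowerShell check is an added example, not part of the original post: it reads that flag from the CA’s policy-module registry key and lists the SAN entries of the certificates in the machine’s Personal store, so you can confirm both the CA setting and the result of the enrollment above. It assumes it runs on the CA as an administrator.

```powershell
# Added example (not from the original post). Run in an administrative
# PowerShell prompt on the issuing CA.
#   1. Report whether the CA honours requester-supplied SANs
#      (EDITF_ATTRIBUTESUBJECTALTNAME2 in the policy module's EditFlags).
#   2. List the Subject Alternative Names an issued certificate actually carries.

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 (certutil shows it as 40000 hex).
$EditfAttributeSubjectAltName2 = 0x00040000

function Get-ActiveCaName {
    # The 'Active' value names the CA configured on this server.
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
}

function Test-SanAttributeFlag {
    param([string]$CaName = (Get-ActiveCaName))
    $policyKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName" +
                 "\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $flags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
    [pscustomobject]@{
        CaName              = $CaName
        EditFlags           = ('0x{0:x}' -f $flags)
        SanAttributeEnabled = (($flags -band $EditfAttributeSubjectAltName2) -ne 0)
    }
}

function Get-CertificateSan {
    # Returns one record per SAN entry of a certificate in the LocalMachine\My store.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }   # certificate has no SAN extension at all
    # Format($true) renders one entry per line, e.g. "DNS Name=www.example.com".
    $san.Format($true) -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
        $type, $value = $_.Trim() -split '=', 2
        [pscustomobject]@{ Type = $type; Value = $value }
    }
}

# Usage: show the CA flag, then every machine certificate with its SAN entries.
Test-SanAttributeFlag | Format-List
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    '{0}  {1}' -f $_.Thumbprint, $_.Subject
    Get-CertificateSan -Thumbprint $_.Thumbprint | Format-Table -AutoSize
}
```

A certificate enrolled through the MMC procedure above carries its SAN inside the request itself, so it shows up in Get-CertificateSan whether or not the flag is set; the flag is only needed for the web enrollment Additional Attributes path.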


If you need help with your PKI environment, feel free to email us at info@encryptionconsulting.com

Conclusion

All the domain names and IP addresses protected by a certificate are organized in its SAN, or Subject Alternative Name, extension. You can add SAN entries to certificates by following the instructions given in this blog. If the generated certificate comes out without a SAN entry even though one was added in the request, this is solved by running a single certutil command that enables the attribute, after which the certificate can be created with its SAN entry.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Nishiket Kumar is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.

Read time: 4 minutes

What is a CRL and Delta CRL?

A certificate revocation list (CRL) is a list of digital certificates that their issuing certificate authority (CA) has revoked before their scheduled expiration date.

A Delta CRL is an optional, supplemental CRL that only includes the changes made since the last Base CRL was published. The standard CRL we have been discussing is called the “Base” CRL relative to a Delta CRL, when one is present.

Steps to Disable Delta CRL

Delta CRL can be disabled either by running certain commands on an administrative command prompt or by using GUI, which is discussed below:

By Command Prompt:

  • Set the Delta CRL validity to zero by running this command on an administrative command prompt: certutil -setreg CA\CRLDeltaPeriodUnits 0
  • Run net stop certsvc and net start certsvc to restart the ADCS service.
  • Run certutil -crl to publish new CRLs.

By using GUI:

  • Open the Certification Authority (CA) console. To do so, open Server Manager -> Tools -> Certification Authority.
  • Right-click Revoked Certificates and open Properties.
  • On the properties page, uncheck “Publish Delta CRLs.”
  • Click Apply and OK.
  • To publish new CRLs, right-click Revoked Certificates -> All Tasks -> Publish.
  • Click New CRL to publish.
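Whichever of the two procedures you used, it is worth confirming the result rather than trusting the click. The following PowerShell check is an added example, not part of the original post: it reads the CRLDeltaPeriodUnits value that both the certutil command and the “Publish Delta CRLs” checkbox control, and inspects the published CRL files with certutil -dump for the Freshest CRL extension (OID 2.5.29.46), which a Base CRL only carries while delta CRLs are being published. It assumes it runs on the CA as an administrator and that CRLs are published to the default CertEnroll folder.

```powershell
# Added example (not from the original post): confirm that delta CRL publishing
# is really off after following either procedure above. Run on the CA as an
# administrator.

function Get-ActiveCaName {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
}

function Get-DeltaCrlSetting {
    # CRLDeltaPeriodUnits = 0 is what 'certutil -setreg CA\CRLDeltaPeriodUnits 0'
    # and the 'Publish Delta CRLs' checkbox both set.
    param([string]$CaName = (Get-ActiveCaName))
    $caKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $props = Get-ItemProperty -Path $caKey
    [pscustomobject]@{
        CaName              = $CaName
        CRLDeltaPeriodUnits = $props.CRLDeltaPeriodUnits
        CRLDeltaPeriod      = $props.CRLDeltaPeriod
        DeltaCrlEnabled     = ($props.CRLDeltaPeriodUnits -gt 0)
    }
}

function Test-CrlAdvertisesDelta {
    # A Base CRL published while delta CRLs are enabled carries the Freshest CRL
    # extension (OID 2.5.29.46) pointing at the delta. After disabling delta CRLs
    # and publishing a new Base CRL, that extension should be gone.
    param([Parameter(Mandatory)][string]$CrlPath)
    $dump = certutil -dump $CrlPath 2>&1 | Out-String
    [bool]($dump -match '2\.5\.29\.46')
}

# Usage: the default publish location is %windir%\System32\CertSrv\CertEnroll.
Get-DeltaCrlSetting | Format-List
Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" | ForEach-Object {
    $isDeltaFile = $_.BaseName.EndsWith('+')   # delta CRL files are named "<CA>+.crl"
    [pscustomobject]@{
        File           = $_.Name
        LastWrite      = $_.LastWriteTime
        IsDeltaFile    = $isDeltaFile
        HasFreshestCrl = (Test-CrlAdvertisesDelta -CrlPath $_.FullName)
    }
} | Format-Table -AutoSize
```

After the change, expect DeltaCrlEnabled to be False and the freshly published Base CRL to show HasFreshestCrl False; an old "<CA>+.crl" file may remain on disk until it is cleaned up, but no new one should appear.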


Read Time: 3 minutes

In this blog, we are covering an error where the ADCS Service stopped working on Issuing CA. The issue was related to the HSM side as the SafeNet Key Storage provider failed to initialize properly.

Issue

ADCS Service failing to start.

Error Code

Log Name Application
Source Microsoft-Windows-CertificationAuthority
Event ID 100
Level Error

Description

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. Issuing CA Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).

This error appears with a Luna HSM; with an nCipher HSM, you will see the nCipher provider fail instead.

Steps done

  • We ran certutil -csplist to check whether the SafeNet Key Storage Provider was configured correctly.
  • If a provider fails this test, check its configuration under the registry key:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA NAME>\CSP

Solution

This issue often occurs when the CA uses an HSM and the HSM is incorrectly configured.

  • Verify that connectivity to the HSM is properly configured.
  • The HSM’s cryptographic service provider must be loaded and initialized properly (re-register and reconfigure it, followed by a reboot).


Read Time: 5 minutes

This blog discusses Cross Forest Certificate Enrollment and the steps required to do it.

What is Cross Forest Certificate Enrollment?

  • Enterprises can build a central PKI in one Active Directory Domain Services (AD DS) forest that issues certificates to domain members in other forests by using cross-forest enrollment.
  • By combining certificate templates from many forests into a single PKI that supports all forests, enterprises with current per-forest AD CS implementations can lower the number of CAs.
  • To offer enrollment services across all forests, enterprises with multi-forest settings but no PKI can implement AD CS in a single forest.

Prerequisites

  • Two-way forest trusts exist between account and resource forests.
  • One or more enterprise CAs running on Windows Server.

Steps

Publish the Root CA Information to another Forest.

  1. Log on to a domain controller in the Forest as a member of the Enterprise Admins group.
  2. Insert the USB thumb drive containing the root CA published certificate and CRL.
  3. Ensure you are in the administrative command prompt.
  4. At the command prompt, type certutil -f -dspublish "Root CA.crt" RootCA and press ENTER.
  5. At the command prompt, type PKIView.msc and press ENTER.
  6. If the pkiview message box appears, click OK to accept the error message if prompted.
  7. In the console tree, right-click Enterprise PKI, and then click Manage AD Containers.
  8. On the Certification Authorities Container tab, ensure that RootCAName appears.
  9. On the AIA Container tab, ensure that RootCAName appears. Click OK.

Publish SubCA information to new Forest Configuration Partition (Enrollment Services and Templates)

  1. Ensure the new forest has permissions/delegations configured on CN=Public Key Services,CN=Services,CN=Configuration,DC={forest root domain}
  2. From the existing forest, modify the scheduled task so that PKISync.cmd also updates the new forest (add the additional line below):
    .\PKISync.ps1 -sourceForest RESOURCE.LOCAL -targetforest account.LOCAL -type Template -cn "<certificate template common name>" >> C:\Temp\CAScripts\PKSyncCorp.txt
  3. Run the scheduled task “PKI Cross Forest Replication”.
  4. Log in to the target forest, open ADSIEDIT.msc and connect to the configuration partition: CN=Public Key Services,CN=Services,CN=Configuration,DC={forest root domain}
  5. Check Enrollment Services and verify that the PKI servers exist there.
  6. Check Certificate Templates and verify that the required certificate templates exist there.

Note: Above cmd only syncs specific templates; you may choose to sync entire containers.

Publish the SubCA Information to a New Forest. 

  1. Open an administrative command prompt.
  2. At the command prompt, type USB: and then press ENTER.
  3. At the command prompt, type CD \CACerts and press ENTER.
  4. At the command prompt, type certutil -dspublish -f <enterprise-ca-cert-filename.cer> SubCA and then press ENTER.
  5. At the command prompt, type certutil -dspublish -f <enterprise-ca-cert-filename.cer> NTAuthCA and then press ENTER.
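The ADSI Edit checks in steps 4 to 6 of the previous section, plus the NTAuthCA publication just done, can be scripted so they are repeatable after every sync. The following PowerShell is an added example, not part of the original post: it binds to the target forest’s configuration partition with [ADSI], lists the Enrollment Services and Certificate Templates containers, and confirms the NTAuthCertificates object holds at least one CA certificate. The forest name, CA names and template names are placeholders taken from the post’s own PKISync line.

```powershell
# Added example (not from the original post): script the ADSI Edit verification of
# the cross-forest publication against the target (account) forest. Run from a
# machine that can reach a domain controller of the target forest.

$TargetForest      = 'account.local'      # placeholder, from the post's PKISync line
$ExpectedCaNames   = @('Issuing-CA-1')    # placeholder: CN of each published enrollment service
$ExpectedTemplates = @('WebServerCustom') # placeholder: CN of each synced template

function Get-PkiServicesDn {
    # Resolve the configuration partition of the forest rather than hard-coding DC= parts.
    param([string]$Forest)
    $rootDse = [ADSI]"LDAP://$Forest/RootDSE"
    "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
}

function Get-ContainerChildNames {
    # Returns the CN of every child object directly under the given container.
    param([string]$Forest, [string]$ContainerDn)
    $container = [ADSI]"LDAP://$Forest/$ContainerDn"
    @($container.Children | ForEach-Object { [string]$_.cn })
}

function Test-CrossForestPublication {
    param([string]$Forest, [string[]]$CaNames, [string[]]$Templates)
    $pks = Get-PkiServicesDn -Forest $Forest
    $enrollment = Get-ContainerChildNames -Forest $Forest -ContainerDn "CN=Enrollment Services,$pks"
    $published  = Get-ContainerChildNames -Forest $Forest -ContainerDn "CN=Certificate Templates,$pks"
    # NTAuthCertificates is a single object whose cACertificate attribute holds the CA certs
    # published with 'certutil -dspublish -f <cert> NTAuthCA'.
    $ntAuth = [ADSI]"LDAP://$Forest/CN=NTAuthCertificates,$pks"
    $ntAuthCount = @($ntAuth.cACertificate).Count

    foreach ($ca in $CaNames) {
        [pscustomobject]@{ Check = "Enrollment Services: $ca"; Present = ($enrollment -contains $ca) }
    }
    foreach ($t in $Templates) {
        [pscustomobject]@{ Check = "Certificate Templates: $t"; Present = ($published -contains $t) }
    }
    [pscustomobject]@{ Check = "NTAuthCertificates entries ($ntAuthCount)"; Present = ($ntAuthCount -gt 0) }
}

Test-CrossForestPublication -Forest $TargetForest -CaNames $ExpectedCaNames -Templates $ExpectedTemplates |
    Format-Table -AutoSize
```

Any row showing Present False means the corresponding dspublish or PKISync step did not land in the target forest and should be repeated before moving on to the Cert Publishers and template permission steps.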

Add SubCA Information to the Cert Publishers group in New Forest. 

  1. Open Active Directory Users and Computers.
  2. Connect to the required domain.
  3. In the console tree, navigate to the CN=Users container.

Note: If the group is not in the default container, search for it within the domain.

  • In the details pane, double-click Cert Publishers.
  • On the General tab, ensure that the group’s scope is Domain Local.
  • Add PKI Servers from the forest as members.

Assign permissions of Forest to Certificate Templates

  1. Open Active Directory certificate authority.
  2. Find Certificate templates > Right Click > Manage
  3. Find the Certificate Templates and go to their properties
  4. Assign users/groups/computers
  5. On the General tab, ensure that the group’s scope is Domain Local.
  6. Add PKI Servers from the forest as members.

Assign permissions on CA so new Forest can enroll Certificates

  1. Open Active Directory certificate authority.
  2. Right Click CA Name > Choose Properties
  3. Navigate to Security > Add Groups of New Forest, which needs to enroll.

References

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ff955842(v=ws.10)


Read Time: 5 minutes

In this blog, we will cover a common error while Installing Active Directory Certificate Services. While configuring the setup on Server Manager, the option for SafeNet Luna Cryptographic Key Provider wasn’t available.

Issue

CA Service wasn’t working.

Error Code

Provider Name: SafeNet Key Storage Provider
SafeNet Key Storage Provider: Provider DLL failed to initialize correctly.
CertUtil: -csplist command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
CertUtil: The device that is required by this cryptographic provider is not ready for use.

Description

We weren’t getting an option for SafeNet Luna Cryptographic Key Provider while configuring ADCS for Issuing CA despite installing KSPConfig and successfully completing all the HSM setups.

Steps done

  • We ran certutil -csplist to check whether the SafeNet Key Storage Provider was configured correctly.
  • Checked that vtl verify works.
  • Tried to re-install the KSP configuration again.
  • Ran Regedit to check whether the SafeNet options are available in the registry.

Solution

This turned out to be a generic error with the SafeNet HSM configuration. To solve it, we re-configured the HSM by re-registering the account and rebooting the system, which resolved the issue in this case.

Configuring the KSP Using the GUI

You can use the KspConfig utility to configure the KSP with your partitions. The Crypto Officer must complete this procedure using Administrator privileges on the client.

You can register the following user/domain combinations with the KSP:

  • Administrator user with the domain specific to the client. Default Windows domains are in the format WIN-XXXXXXXXXXX.
  • SYSTEM user with the NT-AUTHORITY domain

The configuration tool registers a Crypto Officer password/challenge to a specific user so only that user can unlock the partition.

Steps to configure the KSP using the GUI

1. In Windows Explorer, navigate to the Luna KSP install directory and launch KspConfig as the Administrator user.

2. In the left panel, double-click Register or View Security Library. Enter the filepath to cryptoki.dll or click Browse to locate it.

<client_install_dir>\cryptoki.dll

Click Register to complete the registration.

3. In the left panel, double-click Register HSM Slots. Select the Administrator user, client domain, and an available slot to register. Enter the CO password/challenge and click Register Slot.

4. Select the SYSTEM user and NT-AUTHORITY domain and register for the slot.

5. Repeat steps 3-4 for any other available slots you want to register with the KSP.

(One common mistake is to just reconfigure it without rebooting the system).
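Both this post and the earlier NTE_PROVIDER_DLL_FAIL post start from the same check, certutil -csplist. The following PowerShell is an added example, not part of either post: it parses that output into one record per provider, flags any provider whose DLL failed to initialize (the "Provider DLL failed to initialize correctly" and "CertUtil: -csplist command FAILED" lines shown above), and then reads the CSP registry key of the active CA so you can see at once whether the provider the CA’s key lives in is the one that is broken. It assumes it runs on the CA as an administrator.

```powershell
# Added example (not from the original posts): parse 'certutil -csplist' and match
# any failing provider against the provider the CA is configured to use. Run on the
# CA in an administrative PowerShell prompt.

function Get-ProviderStatus {
    # One record per provider. A provider stays Healthy unless a failure line follows it.
    $lines = certutil -csplist 2>&1 | ForEach-Object { "$_" }
    $records = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^Provider Name:\s*(.+?)\s*$') {
            $current = [pscustomobject]@{ Name = $Matches[1]; Healthy = $true; Error = '' }
            $records += $current
        }
        elseif ($current -and $line -match 'failed to initialize|command FAILED:') {
            # Both the KSP's own message and certutil's summary line belong to the
            # provider most recently listed.
            $current.Healthy = $false
            $current.Error = ($current.Error + ' ' + $line.Trim()).Trim()
        }
    }
    $records
}

function Get-CaProvider {
    # The CSP subkey under the active CA's configuration holds the provider the CA key uses.
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca  = (Get-ItemProperty $cfg).Active
    $csp = Get-ItemProperty "$cfg\$ca\CSP"
    [pscustomobject]@{ CaName = $ca; Provider = $csp.Provider; ProviderType = $csp.ProviderType }
}

function Test-CaProviderHealth {
    # Joins the two views: is the CA's own provider present and loadable?
    $status = Get-ProviderStatus
    $ca = Get-CaProvider
    $own = $status | Where-Object { $_.Name -eq $ca.Provider }
    [pscustomobject]@{
        CaName       = $ca.CaName
        Provider     = $ca.Provider
        Listed       = [bool]$own
        Healthy      = ($own -and $own.Healthy)
        Error        = if ($own) { $own.Error } else { 'provider not listed by certutil -csplist' }
        AllProviders = $status
    }
}

# Usage
$result = Test-CaProviderHealth
$result.AllProviders | Format-Table -AutoSize
if (-not $result.Healthy) {
    Write-Warning ("CA '{0}' depends on provider '{1}': {2}" -f $result.CaName, $result.Provider, $result.Error)
} else {
    "CA '{0}' provider '{1}' loaded successfully." -f $result.CaName, $result.Provider
}
```

If the CA’s provider is unhealthy, that is the moment to re-run KspConfig (register the security library and the slots for both the Administrator and SYSTEM users) and reboot, as described above, before restarting certsvc again.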

References

https://thalesdocs.com/gphsm/luna/7/docs/network/Content/sdk/microsoft/ksp_cng.htm


Read time: 2 minutes 

This blog will discuss a known bug happening with the Luna HSM Client version, preventing users from installing NDES. 

Source: Microsoft-Windows-CertificationAuthority

Error Code: 0x6cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT).

Event ID: 34

Description

On Windows Server 2016, while building the PKI, all the CAs had been built and configured and OCSP had been deployed successfully, yet the command to restart the services from the scripts still could not be issued.

After running through the scripts that configure the CA with various certutil commands, the script reaches

net stop certsvc && net start certsvc

What the screen displays:

The Active Directory Certificate Services service is stopping. 
The Active Directory Certificate Services service was stopped successfully. 

The Active Directory Certificate Services service is starting. 
The Active Directory Certificate Services service was started successfully. 

When trying to restart the services, it reports:

WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT

Active Directory Certificate Services did not start: it could not initialize RPC for the Issuing CA and reported the endpoint as a duplicate.

As the setup times out and the installation fails, it reports either that RPC is unavailable or that the endpoint is a duplicate. This behavior is consistent across all CAs on the server and prevents NDES from being installed.

Cause

The duplicate endpoint error message is caused by the SafeNet KSP library failing to release the service before it is restarted. It was an issue with Luna client version 10.3.0, where the service restart was too fast and locked the KSP.

Solution

Since this is an issue with the Luna client version, upgrading the client resolves it. In this case, version 10.3.0 was installed, and upgrading to 10.5.0 solved the issue.


Read time: 7 Minutes

Organizations need to secure their keys and secrets, and the volume of their data is increasing exponentially, so the demand for high-level security for that data is at its peak. For most organizations, automating key lifecycle management is ideal, because the lifecycle of cryptographic keys calls for a high level of management. HSMs, or hardware security modules, are the mainstay in this scenario: a hardware security module adds additional security for sensitive data. Before diving into HSM as a Service, let’s briefly discuss what an HSM is and how it works.

What is HSM, and how does it work?

Hardware security modules (HSMs) are fortified, tamper-resistant hardware components that produce, safeguard, and manage the keys used for encrypting and decrypting data and for creating digital signatures and certificates, securing these cryptographic procedures. HSMs have been evaluated, verified, and certified against the highest security requirements, including FIPS 140-2 and Common Criteria. They are extremely difficult to breach and have tightly controlled access, which is one of the reasons they are so secure.

For constructing tamper-resistant, hardened environments for storing cryptographic keys, HSMs act as trust anchors. An HSM can serve as the ideal Root of Trust in any organization’s security infrastructure thanks to the stringent security procedures implemented inside it. They have the specialized gear to generate high-quality random keys. Multiple organizations use more than one HSM to secure their environment instead of just one. A simplified, central key management system founded on stringent internal security standards and external laws enhances security and compliance regardless of how many HSMs are deployed.

To further protect against breaches, HSMs are often kept off the organization’s computer network. An attacker would need physical access to the HSM to view the protected data.

HSM as a Service

Creating an encryption key management and maintenance plan is a top priority, especially if you want to keep your HSMs operating at peak efficiency throughout the life of each certificate. To fully realize secure techniques for data protection, this includes managing your encryption keys across private and public networks and hybrid mixes of physical and cloud-based HSM functions. Establishing uniformity across the board helps you navigate the difficulties of switching to HSM as a Service.

EC’s HSM as a Service

The HSM as a Service from Encryption Consulting offers the highest level of security for certificate management, data encryption, fraud protection, and financial and general-purpose encryption. It is globally compatible, FIPS 140-2 Level 3, and PCI HSM approved. It offers customizable, high-assurance HSM solutions (on-premises and cloud) designed and built to the highest standards. We are vendor-agnostic and provide various options, whichever is best for you to deploy. We ensure the highest availability around the world and supply our services across the globe.

Encryption Consulting’s HSM-as-a-Services are suitable for the following:

  • Customers who already have HSM deployed in place.
  • Customers who are planning for new HSM infrastructure (Designing and Deploying)

Being a vendor-agnostic organization, we leave it to the customer to implement whichever HSM they want by providing various options:

  1. Entrust nShield HSM

    nShield HSMs provide a secure solution for encryption and signing keys, creating digital signatures, encrypting data, and more. nShield as a Service gives the advantages of a cloud service deployment with the same features and capability as on-premises HSMs.

  2. Thales Luna 7 HSM

    Thales Luna Network HSMs secure your sensitive data and critical applications by storing, protecting, and managing your cryptographic keys with high-assurance, tamper-resistant, network-attached appliances offering market-leading performance.

  3. FutureX HSM

    FutureX hardware security module solutions provide robust encryption, tamper resistance, and logical security to safeguard your most sensitive data. Key lifecycle management, payment encryption, and general encryption are all handled by Futurex HSMs.

For HSM, we provide both varieties of solutions:

Dedicated HSM

Azure Dedicated HSM offers storage for cryptographic keys. Dedicated HSM meets the most demanding security requirements.

  • Organizations that require FIPS 140-2 Level 3-validated devices and total, exclusive control over the HSM appliance should choose this option.
  • Microsoft uses Thales Luna 7 HSM model A790 appliances to supply the Dedicated HSM service.
  • They are directly deployed to a client’s private IP address space.
  • Single-tenant devices.
  • Full administrative control and High Performance.
  • Azure Dedicated HSM is most suitably used in migration scenarios.

Managed HSM

Azure Managed HSM is a fully managed, highly available, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications.

  • Uses FIPS 140-2 Level 3 validated devices.
  • Your keys are safeguarded using Marvell LiquidSecurity HSM adapters while using Managed HSMs.
  • Single-tenant devices.
  • Supports importing keys from your on-premises HSMs.

Advantages of HSM as a Service

  • Tamper-evident, tamper-proof, and tamper-resistant systems that are exceptionally safe against tampering.
  • Can be implemented both on-premises and in the cloud, with scalability and versatility.
  • Maintain complete control over key material regardless of where application workloads run.
  • Leverage multiple clouds to expand cloud-based cryptography and key management.
  • With a single click, services can be scaled automatically, reducing the administration burden.
  • When necessary, enables the creation and application of rules to ensure compliance.

EC Managed HSMaaS

Encryption Consulting LLC (EC) will completely offload the HSM environment, which means EC will take care of deploying the HSM environment to lead and manage the HSM environment (cloud/ hybrid or On-Prem) of your organization. For more information, visit our website or contact us via email.

Conclusion

Hardware Security Module (HSM) is a specialized, highly trusted physical device used for all the main cryptographic activities, such as encryption, decryption, authentication, key management, key exchange, and more. EC’s HSMaaS provides a variety of options for HSM deployment as well as management. Dedicated HSM is used widely in migration scenarios, whereas Managed HSM supports importing keys from your on-prem HSMs. Advantages include security, scalability, versatility, full control, and more. Do visit our website or contact us for more information.


Encryption Consulting has assisted various organizations in implementing and deploying a new HSM environment as well as maintaining their existing environment for various use cases. Please find the Case Study table for the same below:

Case study 1
  Challenge: Lack of trust in the use of electronic documents outside the organization’s boundaries.
  Solution: Using HSMs to sign, timestamp, and encrypt the contents preserves the documents’ legitimacy and privacy.
  Benefits: Swift and simple implementation increases security without requiring any development work.

Case study 2
  Challenge: Keeping the private key safely stored within a large organization.
  Solution: Deploying an HSM provides a secure environment for the storage of the primary keys as well as their safe use.
  Benefits: Ensures the safety of private key storage while ensuring flexibility and cost-effectiveness with fast implementation.

Case study 3
  Challenge: Providing an effective cloud solution for the financial services industry.
  Solution: By deploying HSMs, organizations have been able to offer the highest level of security for the cryptographic keys used to encrypt client data.
  Benefits: Offers a productive cloud solution that has been audited and found to comply with all applicable regulatory obligations.

Case study 4
  Challenge: Creating a Public Key Infrastructure built on top-of-the-line hardware, i.e., with robust, flexible, and high-availability features.
  Solution: Deploying HSMs as the Root of Trust for robust performance, availability, and scalability.
  Benefits: Provides the highest possible standards while being on time and under budget.

Case study 5
  Challenge: Processing the new e-identity documents while shortening the processing time.
  Solution: Utilizing various layers of access control, with hardened security through the use of HSMs.
  Benefits: High performance, availability, and data throughput capabilities.


Read time: 7 minutes

An electronic signature, often known as an e-signature, is a legally recognized method of obtaining consent or approval on electronic documents or forms. It is a collection of many ways for affixing identity to documents. They are created using an electronic technique and can be as simple as a photograph of a handwritten signature or as complex as a PKI-generated digital signature certificate. E-signature has grown exponentially due to the increased need for paperless work; documents must be signed, and e-signing is a convenient, efficient, and modern alternative.

In other definitions, an E-signature can be stated as “An electronic sound, symbol, or process attached to or logically associated with a record adopted by a person with the intent to sign the record.”

Benefits of Electronic Signatures

  • The signatory is clearly identified.
  • Ensures the document’s integrity by ensuring that it has not been updated or amended after signing.
  • It ensures non-repudiation since it is credible proof of the signatory’s consent, as they cannot deny signing the document.

Types of Electronic Signatures

Electronic signatures are mainly divided into three categories. The distinction is based on electronic Identification, Authentication, and Trust Services regulation (eIDAS). Throughout the EU, this law creates the legal framework for electronic identity, signatures, seals, and documents.

  1. Simple or Basic electronic signature (SES)

    The most basic and popular form of e-signature, used widely. This signature is not cryptographically protected; the signer’s intention to sign the document is what confirms its validity. This form is simple, but also simple to forge, because there are minimal security mechanisms to verify the signer’s legitimacy.

    Use cases include Biometric Signature, Manual Signature, One-time passwords (OTP), etc.

  2. Advanced electronic signature (AES)

    This signature is substantially more secure than ordinary electronic signatures because the signer’s validity must first be verified before the signature can occur. To assure authenticity, digital certificates and public keys are created, managed, distributed, used, stored, and revoked using Public Key Infrastructure (PKI). A Certificate Authority (CA) normally certifies these signatures.

    Use cases include Biometric/Manual Signatures, Banking Card, Email OTPs, etc.

  3. Qualified Electronic Signature (QES)

    This is the highest level of e-signature available. Qualified electronic signatures meet the requirements for advanced electronic signatures and digital signatures, plus additional requirements for the equipment used to produce the signature: the signature-creation device must have been obtained from an EU-accredited Certification Authority before it is used in the signing process. Both the digital security protocol and the devices that allow for signature creation are included in QES. This increases the legitimacy and integrity of signed documents.

    Use cases include Smartcards, Electronic Identity Cards, Payment Cards, etc.

Parameters for selecting the right kind of e-signature

  • Integrity
  • Identity
  • Authentication
  • Authenticity

    Differentiation based on the level of assurance:

    Property       | SES                                                                                   | AES                                                                                  | QES
    Integrity      | No cryptographic guarantee; a change after signing is detectable only if the platform tracks it | Any change to the content after signing is detectable                                | Any change to the content after signing is detectable
    Identity       | No identity checking                                                                  | Signer identity verified by the CA before the certificate is issued (high assurance) | Signer identity verified to the highest level, face-to-face or by an equivalent method
    Authentication | Not certain that the signature can be traced back to the signer                       | Certain that the signature can be traced back to the signer                          | Certain that the signature can be traced back to the signer
    Authenticity   | Unclear whether the signature was generated solely by the signatory                   | Created under the signatory's sole control; MFA is typically used                    | Created under the signatory's sole control on a qualified device; MFA is used
    Legal effect   | Admissible as evidence, but who signed must be proven separately                      | Admissible as evidence, with the certificate as proof of the signer                  | Equivalent to a handwritten signature throughout the EU
    Hardware       | No requirement                                                                        | No specific device required (a token or HSM may be used)                             | A qualified signature creation device (QSCD) is required
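As an added illustration of the AES mechanics described above and of the Integrity and Authenticity rows in the table (this is example code written for this page, not code from the original article or from Encryption Consulting), the following Go program signs a document's SHA-256 digest with an ECDSA P-256 key and shows what a verifier can and cannot conclude. The SignedDocument envelope and the key-identifier scheme are assumptions made for the example; in a real AES deployment the public key would come from the signer's CA-issued certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedDocument is a constructed envelope for an advanced electronic
// signature: the signed content, an ECDSA signature over its SHA-256 digest,
// and an identifier of the signer's key so a verifier knows which trusted
// public key (in practice, which certificate) to check it against.
type SignedDocument struct {
	Content   []byte
	Signature []byte
	SignerKID string
}

// NewSignerKey generates the signer's P-256 key pair; under eIDAS the private
// half must stay under the signer's sole control.
func NewSignerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// KeyID is the assumed identifier scheme: hex SHA-256 of the DER-encoded public key.
func KeyID(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// Sign hashes the content and signs the digest with the signer's private key.
func Sign(priv *ecdsa.PrivateKey, content []byte) (*SignedDocument, error) {
	kid, err := KeyID(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Content: append([]byte(nil), content...), Signature: sig, SignerKID: kid}, nil
}

// Verify is the relying party's check: the signature must belong to the
// claimed signer's key (authentication, authenticity) and the content must be
// exactly what was signed (integrity).
func Verify(pub *ecdsa.PublicKey, doc *SignedDocument) error {
	kid, err := KeyID(pub)
	if err != nil {
		return err
	}
	if kid != doc.SignerKID {
		return errors.New("signature was not made with this signer's key")
	}
	digest := sha256.Sum256(doc.Content)
	if !ecdsa.VerifyASN1(pub, digest[:], doc.Signature) {
		return errors.New("content changed after signing, or signature forged")
	}
	return nil
}

func main() {
	signer, err := NewSignerKey()
	if err != nil {
		panic(err)
	}
	doc, _ := Sign(signer, []byte("I agree to the terms of contract 42.")) // constructed document
	fmt.Println("original:", Verify(&signer.PublicKey, doc))
	doc.Content[0] = 'i' // one byte changed after signing
	fmt.Println("tampered:", Verify(&signer.PublicKey, doc))
	doc.Content[0] = 'I'
	other, _ := NewSignerKey() // someone else's key cannot claim the signature
	fmt.Println("other key:", Verify(&other.PublicKey, doc))
}
```

The two failure paths are the point of the table: a single changed byte breaks integrity, and a signature can only be attributed to the holder of the matching private key. What the code cannot do is tell you who that holder is; that binding is exactly what the CA-issued certificate adds in an AES, and what the qualified certificate plus QSCD add in a QES.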

    Difference between Digital Signature and Electronic Signature

    Although the terms electronic signature and digital signature are frequently used interchangeably, they are different concepts. A digital signature is a cryptographic mechanism: a hash of the document is signed with the signer's private key and verified with the public key in a certificate that a Certification Authority (CA) has bound to the signer's identity. An electronic signature is a legal concept: any electronic data attached to a document that shows the signer's intent to sign, which may or may not be implemented with a digital signature. Digital signatures are therefore the usual building block of an AES or QES, whereas an SES may be no more than a typed name.

    Digital Signature:

    • Used to secure a document: it provides integrity, signer authentication and non-repudiation.
    • Generally backed by a CA-issued certificate and has more security features.
    • Adobe (PDF) and Microsoft (Office) documents are two common carriers of digital signatures.

    Electronic Signature:

    • Primarily used to record the signer's intent to sign a document.
    • Usually not certified by a CA and offers less security than a digital signature.
    • Verbal assent, electronic check-boxes and scanned signatures are the most common types.

    Conclusion

    E-signatures, also known as electronic signatures, are a collection of diverse methods for attaching identity and intent to documents. Electronic signatures on electronic records have been adopted by many businesses, consumers and even some government processes. Under eIDAS there are three types of e-signs: SES, AES and QES, with SES being the basic and most common form and QES the most secure. The choice between them rests on identity, integrity, authentication and authenticity. As for digital signatures versus e-signatures, a digital signature is the cryptographic mechanism that secures the document, whereas an e-signature is the broader legal concept that records the signer's intent.

    Free Downloads

    Datasheet of Encryption Consulting Services

    Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

    Download
    Encryption Services

    About the Author

    Nishiket Kumar is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.

    Read time: 7 minutes

    Personal Identity Verification (PIV) is a security standard, defined in NIST FIPS 201-2, that establishes a framework for multi-factor authentication (MFA) using a smartcard. In simple words, PIV is a multi-factor authentication solution that covers the entire identity lifecycle, from identity proofing through secure credential issuance, physical and logical access, and secure credential expiration.

    In a single line, Personal Identity Verification is an identity management framework.

    History

    In 2004 the United States federal government mandated a common identity credential for federal employees and contractors (Homeland Security Presidential Directive 12, HSPD-12). PIV was originally designed only for the US federal government but is now widely used in commercial applications, because the standard combines high-assurance identity proofing with multi-factor authentication, which helps prevent fraud and improve privacy.

    PIV Key Features

    PIV is an excellent choice for businesses that must adhere to government regulations or work in highly regulated areas.

    • Identity proofing
    • Lifecycle management
    • Advanced Use cases
    • Physical and IT system access

    Personal Identity Verification (PIV) Card

    A personal identity verification (PIV) card is a smart card issued by the United States federal government that carries the credentials needed to grant access to federal facilities and information systems at an acceptable level of assurance for all federal applications.

    A PIV card contains technologies that reader systems can use for various purposes. FIPS 201 sets precise requirements for these cards, including the cryptographic methods used to protect sensitive data and the authentication factors (PIN and biometrics) used to validate the cardholder's identity. The guidelines also specify the card's cryptographic keys (PIV Authentication, Card Authentication, Digital Signature and Key Management) together with their permitted algorithms and key sizes.

    PIV Card Features

    The PIV card protects its data and validates identity to ensure:

    1. Integrity: the data objects on the card are digitally signed by the issuer, so any alteration can be detected.
    2. Confidentiality: sensitive data such as the biometrics is readable only after the cardholder presents the PIN, and the private keys never leave the card.
    3. Authenticity: the issuer's signatures guarantee the source of the data on the card.
    4. Non-Repudiation: a signature made with the card's digital signature key cannot later be denied by the cardholder, because that key is under the cardholder's sole control.

    With the PIV card, you may be more confident that all electronic communications, data storage, and retrieval will be more secured.

    Information Stored in PIV Card

    Per NIST SP 800-73-4, a PIV Card Application must include seven mandatory interoperable data objects and two conditionally mandatory data objects. The seven mandatory objects are:

    • Card Capability Container
    • Card Holder Unique Identifier
    • X.509 Certificate for PIV Authentication
    • X.509 Certificate for Card Authentication
    • Cardholder Fingerprints
    • Cardholder Facial Image
    • Security Object

    If the cardholder had a government-issued email account at the time of credential issuance, two further data objects are also required:

    • X.509 Certificate for Digital Signature
    • X.509 Certificate for Key Management

    PIV Authentication Mechanisms

    The primary objective of the PIV Card is to verify the cardholder’s identity with a system or person in charge of regulating access to a protected resource or facility. Various combinations of one or more of the validation processes outlined below may be used to achieve this aim.

    Card Validation

    This is the procedure for ensuring that a PIV Card is genuine. Card validation mechanisms include:

    • visual inspection of the PIV Card’s tamper-proofing and tamper-resistant characteristics
    • use of cryptographic challenge-response schemes with symmetric keys and,
    • use of asymmetric authentication schemes to validate the private keys embedded within the PIV Card.

    Credential Validation

    This is the procedure for authenticating the various credentials held on the PIV Card. Credential Validation mechanisms include:

    • visual inspection of PIV Card visual elements
    • verification of certificates on the PIV Card
    • verification of signatures on the PIV biometrics
    • Checking the expiration date and revocation status of the credentials on the PIV Card.

    Cardholder Validation

    This is the procedure for confirming that the PIV Card is in the possession of the person to whom it was issued. Cardholder Validation mechanisms include:

    • presentation of a PIV Card by the cardholder
    • matching the visual characteristics of the cardholder with the photo on the PIV Card
    • matching the PIN provided with the PIN on the PIV Card and,
    • matching the live fingerprint samples provided by the cardholder with the biometric information embedded within the PIV Card.
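The three validation steps above, worked through end to end in an added Go example (written for this page; it is not from the original article and is not a real PIV card or middleware implementation). It models the PIV Authentication slot with an ECDSA key and an X.509 certificate issued by a constructed issuing CA, then has a relying party perform credential validation (chain to the trusted issuer, validity period, revocation against an in-memory stand-in for the CRL) and card validation (a fresh nonce signed on the card) after cardholder validation (PIN with an assumed three-try counter). Names such as Card, Issuer, Authenticate, the serial numbers and the PIN are all constructed for the example; visual inspection, the biometric match and verification of the signed data objects are part of real PIV validation but are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; it is used only in the constructed issuance code below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Card models the PIV Authentication slot (constructed): a key that never leaves
// the card, its certificate, and a PIN with an assumed three-try counter.
type Card struct{ key *ecdsa.PrivateKey; Cert *x509.Certificate; pin string; triesLeft int; unlocked bool }

// VerifyPIN is cardholder validation: a wrong PIN burns a try, at zero tries the
// card is blocked, and a correct PIN unlocks the key for this session.
func (c *Card) VerifyPIN(pin string) bool {
	ok := c.triesLeft > 0 && pin == c.pin
	if !ok && c.triesLeft > 0 {
		c.triesLeft--
	}
	c.unlocked = c.unlocked || ok
	return ok
}

// SignChallenge is the card's half of the asymmetric challenge-response.
func (c *Card) SignChallenge(nonce []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, fmt.Errorf("PIN not verified")
	}
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.key, h[:])
}

// Issuer is a constructed PIV issuing CA; Revoked stands in for its CRL.
type Issuer struct{ key *ecdsa.PrivateKey; Cert *x509.Certificate; Revoked map[string]bool }

func NewIssuer() *Issuer {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example PIV Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Issuer{key: key, Cert: must(x509.ParseCertificate(der)), Revoked: map[string]bool{}}
}

// IssueCard personalises a card with a PIV Authentication certificate chained to the issuer.
func (iss *Issuer) IssueCard(serial int64, holder, pin string, lifetime time.Duration) *Card {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: holder},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, iss.Cert, &key.PublicKey, iss.key))
	return &Card{key: key, Cert: must(x509.ParseCertificate(der)), pin: pin, triesLeft: 3}
}

func (iss *Issuer) Revoke(c *Card) { iss.Revoked[c.Cert.SerialNumber.String()] = true }

// Authenticate is the relying party: credential validation (chain to the trusted
// issuer, validity period at now, revocation), then card validation with a fresh nonce.
func Authenticate(trusted *Issuer, card *Card, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted.Cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := card.Cert.Verify(opts); err != nil {
		return fmt.Errorf("credential validation: %w", err)
	}
	if trusted.Revoked[card.Cert.SerialNumber.String()] {
		return fmt.Errorf("credential validation: certificate %v revoked", card.Cert.SerialNumber)
	}
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	sig, err := card.SignChallenge(nonce)
	if err != nil {
		return fmt.Errorf("card validation: %w", err)
	}
	h := sha256.Sum256(nonce)
	if pub, ok := card.Cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("card validation: challenge signature invalid")
	}
	return nil
}
```

Drive it as NewIssuer, IssueCard, VerifyPIN and then Authenticate. Authenticate fails before the PIN has been verified (the key is locked), at a time past the certificate's NotAfter, after Revoke, and for a card issued by a different Issuer, because the chain does not terminate in the trusted root; the order matters, since the reader learns nothing from a signed nonce until it has established that the certificate binding that key to a holder is trusted, current and not revoked.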

    Alternative Options

    Two additional credentials have been defined to take advantage of the infrastructure created by the Federal government’s PIV program, but neither has received significant adoption.

    PIV-I: (Personal Identity Verification – Interoperability)

    PIV-I follows the same technical specifications as PIV but is issued by non-federal organizations. It was proposed so that the US federal government had a way to handle the identities and access of non-federal (guest) users.

    • Unlike PIV, no background checks are required, which directly impacts the level of suitability for access.
    • Follows Federal Bridge cross-certification certificate policies.
    • Origin: Federal CIO Council.

    CIV: (Commercial Identity Verification)

    CIV is a different protocol based on the PIV architecture, with the main distinction being that the standards are less stringent.

    • Follows the issuing organization’s policies.
    • Trusted credentials only within the issuing organization.
    • Origin: Smart Card Alliance Access Control Council

    Conclusion

    Personal Identity Verification (PIV) is a framework used to validate identity. It was originally designed for the US federal government but is widely used today. Its key features include identity proofing and lifecycle management. The PIV card is a smart card issued by the US federal government for validation purposes; it provides confidentiality, integrity, authenticity and non-repudiation for the data it holds, which includes basic personal information, the cardholder's certificates and biometrics. Access with a PIV card is protected by three groups of authentication mechanisms: card validation, credential validation and cardholder validation. With increasing use cases, alternatives to PIV have been defined, namely PIV-I and CIV, which are yet to be widely adopted.

    References

    NIST SP 800-73-4, Interfaces for Personal Identity Verification: nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-73-4.pdf
