Have you ever lost your keys? Or misplaced them? It can be a real pain, right? We all have experienced this at some stage. Pulling rooms apart only to find them underneath the paper you were reading earlier.
Well, in Digitary CORE you no longer require keys. You can drive your organisation's requirements keyless. What’s this, you say? Before you start thinking that Digitary is moving into the motor sector, let me elaborate…
What does this mean?
It means you can digitally sign documents in Digitary CORE without possessing a physical USB cryptographic key, and without all the client-side nuisance that goes along with it. No more Java or USB key driver installations. No more Java version inconsistencies and updates breaking the signing process. All you need is a modern browser and away you go.
So why the change?
In the classic Digitary platform, document signing was carried out by downloading and running a Java applet locally, inserting a cryptographic USB key into the user's PC, and then invoking the applet to sign documents. Each document was downloaded locally to the client PC in order to be digitally signed with the signatures stored on the cryptographic key. The client PC therefore required Java and the cryptographic driver installed.
This was all very dependent on the client environment. In the good ol' days, this worked quite well. Today, however, any security flaw or vulnerability can be quickly exploited by those with malicious intent. Running Java applets in browsers has been identified as a security risk, and in 2013 the US Government, as a result of increasing security vulnerabilities identified in Java applets, went as far as recommending that users disable Java by default in their browsers – http://www.kb.cert.org/vuls/id/625617
Modern web browsers have taken this a step further. Google Chrome 42 and Microsoft Spartan, the browser which replaces the much despised IE in Windows 10, have both disabled NPAPI plugin support. As Java is an NPAPI plugin, this ultimately means that it will not be possible to run Java in these browsers, period! Chrome switched off support in September 2015. NPAPI support does not exist at all in Microsoft Spartan in Windows 10 – http://www.techrepublic.com/article/java-gets-browser-eviction-notices-from-spartan-and-chrome-42/
In addition to the above, we have found that over the last year around one third of support calls to Digitary from clients have related to issues with Java, driver software, or problems with USB keys. According to Melissa Rizzi, who leads our support team at Digitary, “Client side issues can be the most debilitating for the user – influencing their ability to sign documents – and can often be the hardest to get to the bottom of for the support team.”
Java versions, OS updates, security patches, browser versions, internal company security policies have all contributed to the office PC being a software vendor versioning minefield for the user. An update to one thing knocks out something else and so forth. This is particularly true for our customers who use their desktops to access enterprise student information systems that rely on particular versions of Java.
Aside from the complexities caused by client-side Java and USB sticks, the signing process was slow due to the restricted computing power of the USB devices. It was also rather inflexible – a USB stick had to be physically shared between users in order to sign documents.
Clearly, we needed to look at a more modern approach.
Easy Keyless Signing in Digitary CORE
With Digitary CORE, documents are still digitally signed to the same degree of security and legal validity; however, we do this without individual cryptographic USB keys that must be stored securely under lock and key at your office. Instead, keys are now generated and stored on FIPS-compliant Hardware Security Modules, or HSMs.
What is an HSM?
A Hardware Security Module (HSM) is a dedicated, server-side appliance for managing cryptographic operations and keys inside a hardened, tamper-resistant device. HSMs act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organisations in the world, including banks, government, and Internet Certification Authorities.
That sounds really secure, right? And at least you are not going to lose it. But what does this do for the signing process?
Well, to sign documents, you must pass 2-factor authentication checks. Your Digitary administrator will enable you to do this by pairing your smartphone to your Digitary CORE signing account. Once pairing is completed, you simply select the documents for signing, enter the Google MFA code on your smartphone (which changes every 30 seconds), click sign and then sit back and leave it up to Digitary’s HSM to sign your selected documents. It really is that simple. There are no client-side installations required, no local Java errors or cryptographic driver errors. Just click sign and it goes.
The Digitary server signs the documents using the key associated with your user after carrying out strict authentication checks. It all happens server side, with updates sent to your browser at intervals so you can keep track of progress, and you are free to use the web application or your PC as you wish.
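The flow described above, a 30-second code checked on the server before a server-held key signs the selected documents, can be sketched as follows. This is an added example, not Digitary's code: it assumes the smartphone code is standard RFC 6238 TOTP, and the `SigningGate` class, the clock-drift window, the replay check and the HMAC stand-in for the HSM signature are all illustrative assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds; the page says the code changes every 30 seconds

def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as used by common authenticator apps."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SigningGate:
    """Hypothetical server-side gate: check the second factor, then sign."""

    def __init__(self, totp_secret: bytes, signing_key: bytes, drift: int = 1):
        self._totp_secret = totp_secret
        self._signing_key = signing_key  # stand-in for a key held in the HSM
        self._drift = drift              # time steps of clock skew tolerated
        self._last_step = -1             # newest time step already accepted

    def _verify(self, code: str, now: int) -> bool:
        current = now // STEP
        first = max(0, current - self._drift)
        for step in range(first, current + self._drift + 1):
            if step <= self._last_step:
                continue  # this step's code was already used: refuse replay
            expected = totp(self._totp_secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_step = step
                return True
        return False

    def sign_batch(self, documents: list, code: str, now: int) -> list:
        """One valid code authorises one batch; a reused code is rejected."""
        if not self._verify(code, now):
            raise PermissionError("second factor rejected")
        # HMAC-SHA256 stands in for the HSM's signature operation.
        return [hmac.new(self._signing_key, hashlib.sha256(d).digest(),
                         hashlib.sha256).digest() for d in documents]

# Constructed sample values: the RFC 6238 test secret and a dummy signing key.
SECRET = b"12345678901234567890"
gate = SigningGate(SECRET, b"constructed-signing-key")
signatures = gate.sign_batch([b"transcript-1", b"transcript-2"],
                             totp(SECRET, 59), now=59)
print(len(signatures), "documents signed")
```

Because the gate remembers the last accepted time step, a code observed in transit cannot authorise a second batch even while it is still within its 30-second window.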
What’s more, signing happens up to 10x faster than with Digitary Classic. Even better, multiple users can use the same signing keys from different accounts, so no need to pass the USB key around campus any more.