SignOSure multi-platform file signing and encryption
  • Summary

    Industry: Financial services / capital markets

    Client: National Securities Depository Limited

    Requirement: Files containing financial data had to be uploaded in batch mode while maintaining strict data integrity and security, so digital signatures and encryption were needed. Multi-platform support was mandatory, with complete interoperability among platforms.

  • Our solution

    Feature requirements. The following specifications were drawn up for the system:

    • Batch mode and interactive file signing, with support for PKI, CRL, and multi-level certificate chains. Must also be available as a library on each supported platform, so that applications developed in future can integrate these features.
    • Must support certificates and key pairs which conform to the Indian IT Act 2000 and its amendments, so that digital signatures are honoured in Indian courts.
    • Must support MD5 and SHA1 for cryptographic hashes, DES3 and AES for encryption.
    • Must support multiple platforms; the minimal set was current versions of MS Windows and Linux.
    • Must compress before encrypting/signing
    • Must support files up to 1 GB in size
    • Must support both single-file and detached file formats. In a single-file format, the signature and the data being signed are stored in a single file. In detached format, the two are in separate files.
    • Must support the following operations: sign-only, encrypt-and-sign, verify-and-extract, decrypt
    • Output files must be ASCII-armoured to allow safe transport over email etc.

    Many of these features are available with well-tested and popular packages like GnuPG. But no package offered all these features, together with the ability to work with key pairs and certificates published by Indian Certifying Authorities.

    Design: We tested the well-known and trusted OpenSSL library and toolkit and verified that it can handle keys and certificates which conform to Indian CA standards and formats. Our solution was built on top of OpenSSL on Linux and MS Windows.

    An MS Windows application was built to provide a GUI for operating the digital signature and encryption functions. On Linux, a set of command-line programs was created which provided the same set of features. A Windows DLL was provided for integration with future applications on MS Windows, and a Java wrapper class was provided on Linux to allow future Java applications to perform all operations.

    We faced issues with OpenSSL libraries on MS Windows and had to experiment with different versions. Binary distributions of the library for MS Windows were either outdated or buggy; we had to build from source. There were bugs in some of the core operations implemented by the library; we worked around those bugs by not using those functions at all. These bugs were triggered by specific combinations of options. We chose to not use those combinations, and we built our own wrappers around the buggy functions with added code to deliver the same features without using the built-in support for those features provided by OpenSSL.

    Careful tests were done with input files of various sizes and with various combinations of operations and various combinations of options. Tests were performed on the same platform and across platforms to ensure completely identical behaviour and interoperability.

    Technologies: The code on Linux was written in two layers: shellscript and Perl for the lower layer to use OpenSSL directly, and Java for a higher layer to provide a Java API for applications. The code on MS Windows was written using Microsoft Visual Studio. Both platforms used identical versions of the underlying OpenSSL library.
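
    The sign-only and verify-and-extract operations from the feature list, in single-file and detached form, as an added shell example that is not SignOSure's own code. It assumes the `openssl cms` subcommand and `gzip`, uses SHA-256 as the digest (this example's choice; the requirement list names MD5 and SHA1), and all function names, file names and the self-signed test certificate are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not SignOSure code. Key, certificate and file names are constructed.
set -eu

make_test_identity() {   # $1 = work dir; throwaway self-signed signer for the demo
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Compress, then sign the compressed bytes. PEM output is the ASCII-armoured form.
sign_file() {            # $1 = work dir, $2 = input file, $3 = detached | single
  gzip -nc "$2" > "$2.gz"
  if [ "$3" = single ]; then   # -nodetach embeds the data in the signature file
    openssl cms -sign -binary -nodetach -md sha256 -signer "$1/cert.pem" \
      -inkey "$1/key.pem" -in "$2.gz" -outform PEM -out "$2.signed.pem"
  else                         # default: signature only, data stays in "$2.gz"
    openssl cms -sign -binary -md sha256 -signer "$1/cert.pem" \
      -inkey "$1/key.pem" -in "$2.gz" -outform PEM -out "$2.gz.sig.pem"
  fi
}

# verify-and-extract: nothing is decompressed unless the signature checks out.
verify_single() {        # $1 = work dir, $2 = signed file, $3 = extracted output
  openssl cms -verify -binary -inform PEM -in "$2" -CAfile "$1/cert.pem" \
    -out "$3.gz" 2>/dev/null || return 1
  gunzip -c "$3.gz" > "$3"
}

verify_detached() {      # $1 = work dir, $2 = data (.gz), $3 = signature, $4 = output
  openssl cms -verify -binary -inform PEM -in "$3" -content "$2" \
    -CAfile "$1/cert.pem" -out /dev/null 2>/dev/null || return 1
  gunzip -c "$2" > "$4"
}

demo() {
  d=$(mktemp -d)
  make_test_identity "$d"
  printf 'record-1,100\nrecord-2,250\n' > "$d/batch.txt"   # constructed sample data
  sign_file "$d" "$d/batch.txt" single
  sign_file "$d" "$d/batch.txt" detached
  verify_single "$d" "$d/batch.txt.signed.pem" "$d/out.single" && echo "single-file: verified"
  verify_detached "$d" "$d/batch.txt.gz" "$d/batch.txt.gz.sig.pem" "$d/out.detached" \
    && echo "detached: verified"
  printf 'x' >> "$d/batch.txt.gz"                          # simulate corruption in transit
  verify_detached "$d" "$d/batch.txt.gz" "$d/batch.txt.gz.sig.pem" "$d/out.bad" \
    || echo "detached: rejected after modification"
  rm -rf "$d"
}
demo
```

    In production the `-CAfile` argument would point at the issuing CA chain rather than the signer's own certificate, which is used as the trust anchor here only because the test identity is self-signed.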

    Deployment: We tested the libraries on the two platforms and handed them over to the customer. We packaged the Windows GUI executable in an installer and the customer distributed it to their counterparties, who downloaded and installed their copies. We installed and configured the instances on Linux servers for the customer, and provided support for interoperability issues in the first few weeks.