Horus metasign
A non-repudiable signature creating and verifying secure transactions

In a context where organisations are moving to paperless transactions, it is necessary to electronically sign documents to guarantee their integrity and to be able to bring the proof of acceptance by the signer. The signature has to be verified strictly so as to detect any possible cause for invalidity.

Atos, a European actor in IS security, provides metasign, an overall solution to create and verify electronic signatures.

Keep control of security

Electronic signatures guarantee the integrity of documents and identify the signers. Once a signer has produced a signature and the signature has been verified, the signature is secure and may no longer be repudiated.

Each signer (e.g. a user or an application) uses a signature key pair (a public key and a private key) and a public key certificate generated by a Certification Authority. Metasign can use signature certificates generated by the Atos solution metapki or by other PKI products.

For users, the signature private key and the signature certificate may be stored in a smart card or in a USB token protected by a PIN, or alternatively in a file in the PKCS#12 format. Private keys and certificates are accessible either through a PKCS#11 interface or an MSCAPI interface.

For applications, Hardware Security Modules (HSM) may be used for the same purpose.

Metasign creates and verifies electronic signatures using the following formats: CMS, CAdES, XAdES or PAdES, and in conformance with declared signature policies. Metasign supports time-stamping tokens generated by Atos metatime or by other time-stamping solutions.

Metasign supports the following functions:

• Signature creation: creation with the requested format using the signature policy and the configured cryptographic token; multiple signatures and co-signatures are supported
• Immediate verification (and augmentation): cryptographic signature verification following its creation and adding the necessary information to maintain its long-term validity with report generation
• Subsequent verification: verification by relying parties and generation of a report.

Atos, a European actor in IS security

As a European security leader, Atos has developed a unique expertise in securing information systems, delivering consultancy, integration and expertise services in trust technologies.

[Figure: signature workflow with Metasign]
1 - Document signing
• Hash of document
2 - Verification in compliance with a signature policy. Adding information:
• Time-stamp token
• Revocation information
3 - Diffusion and/or archiving
4 - Subsequent verification
Document states shown in the figure: document to sign, signed document, signed and augmented document.

Trusted partner for your Digital Journey

Metasign offer and its functionalities

Metasign-api

Metasign-api is a full set of Java programming interfaces allowing different integration scenarios:

• Java applets for web browsers
• standalone applications for personal computers
• server-based applications.

Metasign-applet

Metasign-applet is a full set of applets that can be easily configured to provide signature creation and/or signature verification functions in web-based applications.

Metasign-workstation

Metasign-workstation is a standalone application running on a PC. Users can sign multiple documents in a one-step process. The main goal of the application is to simplify the usage and the deployment of digital signatures.

Metasign-server

Metasign-server is a “web service” server that signs and verifies documents. Its administration interface is provided for configuring applications and signature policies. The server can be used to sign in the name of an entity or to sign in the name of a physical person with a centralised and secured management of signature keys.

Metasign-adp

Metasign-adp is an optional component that allows archiving of the signature on a server for later retrieval as proof elements. At the time of the signature creation, metadata are added and stored with the signature and the document. They may then be used to retrieve the information for signature verification and history.

Vericert

Vericert is an optional “web service” server component. It verifies certification paths against verification policies that can be configured in the administration interface. Verification can take place with reference to the current time or to a time in the past. Trusted Certification Authorities can be extracted from European trusted lists (TSL).

Signature formats

Metasign supports advanced electronic signatures conformant with the CMS, CAdES (CMS Advanced Electronic Signatures), XAdES (XML Advanced Electronic Signatures) and PAdES (PDF Advanced Electronic Signatures) technical specifications as defined by ETSI (European Telecommunication Standardisation Institute).

[Figure: Metasign components]
• Usage contexts: Web application (Metasign-applet), Working station (Metasign-workstation), Network application (Metasign-server)
• Common layer: Metasign-api
• Signature formats: CMS, CAdES, XAdES, PAdES
• Key storage: Software Certificate, Smart card, HSM

Standards and technical specifications

Norms and standards

• Certificate format compliance with ITU-T X.509v3, RFC 5280 and RFC 3739
• XAdES: XML Advanced Electronic Signature ETSI TS 101 903
• CAdES: CMS Advanced Electronic Signature ETSI TS 101 733
• PAdES: PDF Advanced Electronic Signature ETSI TS 102 778 including LTV format (part 4) and visual representation of the signature (part 6)
• XML signature policy ETSI TR 102 038
• RFC 3161: Time Stamp Protocol
• PKCS#11 and MSCAPI for interfacing with smart cards. Support of IAS cards and pinpad readers
• PKCS#11 for interfacing with a Hardware Security Module (HSM)
• PKCS#12 for the storage (in the file case) of the signature private key and the certificate

The metasign implementation of norms and standards is validated through frequent participation in ETSI interoperability plugtests.

Conformity

Conformance with European directive 1999/93/CE and eIDAS regulation
Conformance with French law N°2000-213 of March 13, 2000, for digital signature
EAL3+ CC certification and French RGS standard qualification (in progress)

Atos received on 25/03/2016 the ANSSI Security Visa for Common Criteria certification at level EAL 3 augmented for its products MetaSIGN-API and MetaSIGN-Applet version 3.3.5.

System requirements

Metasign works in a Java 6, Java 7 or Java 8 runtime.

Server solutions metasign-server, metasign-adp and Vericert run on Linux platforms (e.g. Red Hat or SUSE). These solutions are fully integrated and delivered with the Open Source components Apache, PostgreSQL, PHP and Tomcat.

Find out more about us
atos.net/en/products/cyber-security/digital-identities/metasign

© Atos July 2018 - All trademarks are the property of their respective owners.