Streamlining the Usage of Authorization or Digital Signature in Digital Processes
Main author: | |
---|---|
Publication date: | 2023 |
Document type: | Dissertation |
Language: | eng |
Source title: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
Full text: | http://hdl.handle.net/10400.6/14036 |
Abstract: | The so-called digital transformation process is underway, leveraged mostly by the rapid technological development, but also more recently by the COVID-19 pandemic in particular. Although, to the untrained eye, this transformation may seem to be only the transposition of procedures or documents to a corresponding digital format, the truth is that not everything that humans do manually and in a simple way can be easily transposed to digital (e.g., an election), just as there are aspects that are much better accomplished in the digital world than in the real one (e.g., a qualified digital signature). The work discussed in this dissertation explores the transposition to the digital world of very important tasks in organizations and entities today: those of authorizing or not authorizing, approving or not approving, or dispatching issues in document management systems. Integrating strict security assurances to digital processes typically comes with both computational and usability costs. The particular subject of streamlining the usage of digital authorizations is difficult to address nowadays because there is no widely adopted or agreed mechanism for them, though there is regulation and widely recognized technology for digital signatures in Europe. There is no standard format for digital authorizations, though intuition suggests that they should be formed by a message with temporal pertinence glued to a supporting document via some strong digital means such as a qualified digital signature or a message authentication code mechanism. This project looked into the landscape in terms of legislation and recommended mechanisms for authentication, digital signature and digital seals in Europe, to then step up to the proposal of a data structure for a digital authorization and later on to the proposal of the algorithms to build and verify digital authorizations. The scheme proposed herein is based on symmetric key cryptography only, aiming to minimize impact on key management and maximizing potential adoption. In the meanwhile, the possible regimes (hierarchical vs. equality) for structuring authorizations in large organizations or entities are also identified and discussed, since their differences resonate into different cryptographic primitives and technologies being later applied. Some of these primitives are also discussed in this dissertation, especially the ones used to build the algorithms of the proposed scheme. The proposed algorithms for constructing and verifying digital authorizations were validated using the ProVerif tool. The main conclusions are that there is still much ground to be covered in this context, but that it is possible to integrate secure digital authorization schemes in the short to medium term, and that efforts should be focused next in the definition of the format and mechanisms that need to be widely adopted and recognized, enabling moving from intra- to inter-entities. |
id |
RCAP_a3b90eca20dee707dd2982d5b03d9c7c |
---|---|
oai_identifier_str |
oai:ubibliorum.ubi.pt:10400.6/14036 |
network_acronym_str |
RCAP |
network_name_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository_id_str |
7160 |
author |
Raposo, Rui Miguel Monteiro |
dc.contributor.none.fl_str_mv |
Inácio, Pedro Ricardo Morais uBibliorum |
dc.subject.por.fl_str_mv |
Digital Signature; Digital Authorization; Cybersecurity; Lamport Scheme; Hash Function; Security Requirements; Digital Seal; Verification of Cryptographic Schemes; Scientific Domain/Area::Engineering and Technology::Electrical, Electronic and Computer Engineering |
publishDate |
2023 |
dc.date.none.fl_str_mv |
2023-06-19 2023-03-31 2023-06-19T00:00:00Z 2024-01-15T14:23:57Z |
dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
dc.type.driver.fl_str_mv |
info:eu-repo/semantics/masterThesis |
format |
masterThesis |
status_str |
publishedVersion |
dc.identifier.uri.fl_str_mv |
http://hdl.handle.net/10400.6/14036 TID:203460510 |
url |
http://hdl.handle.net/10400.6/14036 |
identifier_str_mv |
TID:203460510 |
dc.language.iso.fl_str_mv |
eng |
language |
eng |
dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
eu_rights_str_mv |
openAccess |
dc.format.none.fl_str_mv |
application/pdf |
dc.source.none.fl_str_mv |
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação instacron:RCAAP |
instname_str |
Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
instacron_str |
RCAAP |
institution |
RCAAP |
reponame_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
collection |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository.name.fl_str_mv |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
repository.mail.fl_str_mv |
|
_version_ |
1799136947181977600 |