PDF Signing With CloudFoxy And Smartcards – Production Notes

We have handed over the first deployment of our CloudFoxy (smart cards over RESTful API) for PDF signing and it is now in live use. Here are a few observations of mine about dependencies, performance, and delivery.

We are really happy that this integration worked out well and the customer is satisfied with our solution.

Dependencies

The biggest issue was third-party dependencies – we have got rid of a lot of these. Our card interface communicates over TCP/IP. This means:

  • no kernel drivers;
  • no dependency on operating systems;
  • no more operating system (OS) limits on devices – MS Windows, for instance, only lets you use up to 10 smart-card readers.

Instead, you can explore our example Python code and start using up to 120 smart cards with easy-to-understand client code.

There is still a dependency – where we collide with eIDAS and other trust providers, there are a lot of proprietary functions and APIs. We have isolated these into a Python TCP proxy, which does the translation.

In terms of legacy systems support – we can’t possibly cater for all we’d like. We are a self-funded start-up after all, and there are limits to what we can do. Having said that, we want to extend the system so it can work with some interesting smart-card applications: PGP, BitCoin Wallet, etc.

Performance

Figure: High-level architecture of the solution

This aspect was the biggest worry at the beginning. The client had been using software-based digital signatures and wasn’t sure how the change, mandated by regulators, would affect overall system performance, especially as one of the relevant use cases involved batch signing of hundreds of documents.

Interestingly, the performance hit is relatively small and can be completely erased by personalizing 2 or more smart cards for heavy users.

Software signing took about 2 seconds. We did several measurements with smartcards:

  1. absolute compatibility – out-of-the-box speed settings;
  2. high-compatibility – some of the speeds were increased but still providing a very high level of compatibility allowing use of a mix of smartcards;
  3. max performance advised by smart cards.

| Measurement | 1. absolute compatibility | 2. high-compatibility | 3. max performance |
| --- | --- | --- | --- |
| end-to-end signing | 3.32s | 3.09s | 2.92s |
| signing operations in the proxy | 1,050ms | 800ms | 620ms |
| signing on smart-cards (exc. PIN validate) | 460ms | 420ms | 300ms |

One can see there is a performance hit, but if you personalize two smart cards for users requiring large volumes of signatures, you may beat the software-based signatures.

Delivery

We agreed to deliver the PDF signing solution in 8 weeks and we did it. We needed that much time for hardware restocking. The software integration took about 4 calendar weeks over the summer.

Sources

For those interested in more information, please:

  1. visit our website at https://cloudfoxy.com
  2. GitLab projects and technical documentation – https://gitlab.com/cloudfoxy
  3. … have a look at our cloud certificate monitoring service KeyChest, which will integrate with CloudFoxy for secure key distribution and certificate renewal in the near future.

 


About Author

Dan Cvrcek

Co-founder of Radical Prime and Enigma Bridge. Independent consultant on security and encryption systems (incl. large banking, payment, and enterprise systems) ... and a university professor.