Abstract
The paper presents the technology curves in
developing a digital signature solution for the web
environment. The solution enables a user to perform
an electronic version of a digital signature using web
extension technologies. On the quest for data integrity
and authenticity, data is digitally signed, and a digital
signature is generated with the assistance of software
or hardware-based token on a web browser. The
technology curves identified are (1) web extensions
survivability and advancement, (2) web browsers
compatibility, and (3) digital certificates issuance.
The paper explains how these technology curves have
impacted the decision on the architecture and design
of the solution during the development and
deployment. In the final, a digital signature ecosystem
which is based on a client and server technology is
successfully released, which includes a web signature
script to simplify the digital signature as a service.
1. Introduction
In digital security, the solution for data integrity is
a hash algorithm. For data authenticity, it is a digital
signature. A user who performs digital signature,
assure that the data has integrity, the data is
authenticated and originated from a valid user. For
data security, technologies such as digital certificates,
security devices, hash, and digital signature algorithm
are integrated. Today, with the maturity of
technologies (20 years), the development of digital
signature solution should be simple and feasible.
However, based on the latest development
experiences, it revealed technical and integration
complexities. These complexities may further assert
the study of low adoption and the lack of the digital
signature application [1]. This paper explains the
issues and challenges in integrating the technologies,
with the introduction of technologies existence and
competitive survival in the digital world.
Digital certificate technology emerged as a
solution to instil trust in the internet transaction. The
purpose is to verify user identity in a web site. The
standard for issuing certificate is published in 1998 by
International Telecommunication Union –
Telecommunication (ITU-T) [2]. Security devices
such as smart cards and USB tokens, allow users to
store a certificate inside the devices. As per today, a
user has an option to purchase a certificate and a
security device, perform an application installation of
the security device and securely log in to a domain site
that deployed a certificate-based authentication
mechanism.
For web browser technology, it must provide a
connection to the security device and read the
certificate from the security device. The standard is
stated in ‘PKCS#11: Cryptographic Token Interface
Standard’ by RSA Laboratories in 1995 [3]. It is a
guide for defining a generic interface such as
application programming interface (API), for the
security device. With the standard, a Cryptographic
Service Provider (CSP) library is built for Microsoft
web browser.
A PKCS#11 library is made ready for
Mozilla web browser. These libraries provide secure
access to the private key for authentication, signing
and manage the handling of security devices context.
For saving the certificate, web browsers must provide
storage for the certificate. At present, a majority of
web browsers equipped with user’s and server’s
certificates storage. ‘Certificate Manager’ is a graphic
user interface available in the web browsers for the
import and export of the certificates. This feature is
delivered as the core security functionalities of the
web browser, to support mutual SSL (Secure Sockets
Layer) authentication.
For cryptography technology, Microsoft provides
a Crypto API (CryptoAPI) library [15] that enables
the integration of cryptography and security for
Microsoft-based application. Mozilla provides a
Network Security Services (NSS) library [14] that
responsible for all cryptography and security standard
for Mozilla-based application. For the developers, it
means, cryptographic functions that relate to signing,
which includes connecting to secure device, read and
store the certificate to the certificate manager on
Mozilla Firefox requires API from NSS library. For
other web browsers, the integration requires API from
CryptoAPI library.
Web extension is an application that resides on the
web browser. It extends functionalities of the web
browser. It is a terminology, which initially referred
to ActiveX and Netscape Plug-in technologies. The
development of web extension provides a function to
sign data on the web browser digitally. The function
calls a set of API from CryptoAPI and NSS as in
Figure 1. The development allows binding of security
devices and secures cryptographic services in the web
International Journal of Intelligent Computing Research (IJICR), Volume 10, Issue 3, September 2019 Copyright © 2019, Infonomics Society 1014
as provided in the ‘Cryptographic Token Provider’
layer. The top two layers which are ‘Web Browser’
and ‘Web Extension’ are the applications and
technologies layers for the digital signature solution.
Other layers are pre-existed with the installation of the
security device’s application, web browsers, and
Windows operating system
