Use case: Document signing services

In early March, Penneo – the digital signature platform used by Scandinavian businesses – rolled out a new feature for selected customers. The new feature allows customers to protect access to their documents stored in the Penneo managed archive using encryption keys, not controlled by Penneo, effectively separating the lock from the key.

Penneo customers who take advantage of this service will have 100% control over who has access to their documents. This means: 

  • No Penneo employees can access the customer’s documents.
  • A hacker who gets into the Penneo archive cannot access the customer’s documents.
  • Even if Penneo were required to provide access to a customer’s documents by lawful government or state agencies, the documents would only be provided in encrypted unreadable  format.

High-level architecture

When a Penneo-user wishes to access a signed and encrypted document from the archive the JavaScript application running in the browser will 1) obtain the encrypted document from the Penneo backend, and 2) obtain the cryptographic key needed to decrypt the document from Sepior KMaaS. Using these two pieces of information, the archived document can now be presented to the user in a readable format.

In this use case, authentication is done using the Danish national PKI, NemID, allowing the user to authenticate towards both Penneo and Sepior in a federated manner which provides a seamless user experience and minimizes any friction in the authentication process.
 

Key-and-Lock-Separation

Key-and-Lock-Separation

The overall architecture delivers a true Key-and-Lock-Separation environment that may be necessary for compliance in regulated sectors. Locking and unlocking in this case takes place in the browser as an integral part of the Penneo application (and implemented using an SDK from Sepior). The lock is the encryption on the document stored at Penneo, and the key is stored in the Sepior KMaaS service which is comprised of a separate high-availability and cryptographic-level security architecture.

Sepior is in the process of rolling out the Sepior KMaaS service to business in security conscious sectors all over the world. Currently it is available as a free trial, and there is a plugin for Amazon S3 available together with a demo showcasing this plugin. A Sepior customer can use the same Sepior KMaaS to manage keys for many different applications, e.g. protecting both their data with Penneo as well as data they store on Amazon S3.

About Penneo

Penneo helps companies getting their documents signed digitally - easier, faster and more secure. Once a document has been signed by the verified recipient, it’s stored for later access in a document archive managed by Penneo and hosted in the cloud. With many companies from the financial sector on the customer list, security and compliance is of the highest priority.

If you’re interested in knowing more about Penneo you can visit www.penneo.com for details.


 

 

Jakob Illeborg Pagter