


The DBsign® Data Security Suite Commercial Pricing.
The DBsign® Data Security Suite is available on the GSA Schedule.
Since 1991, Gradkell Systems, Inc. has provided the U.S. Government and industry with the highest level of security for their paperless financial systems. To help meet the growing demand for data security, Gradkell Systems now provides a software product suite enabling "drop-in" integration of Public Key security into existing applications and databases. The DBsign® Data Security Suite provides a cost-effective way to integrate public key, digital signature security into e-Business applications and legacy systems.
DBsign®...
- Saves time, saves money: application programmers make simple calls to DBsign's high-level APIs ("sign invoice"); companies and government agencies do not need to hire a crypto expert.
- Integrates into any development environment (Oracle Forms, HTML, Visual Basic, etc.).
- Works with the DoD Public-Key Infrastructure (PKI) and the Common Access Card (CAC).
- Works with Public Key Infrastructures (PKIs) from RSA, Verisign, Entrust and others.
Data Security for Relational Databases
Gradkell's DBsign® Data Security Suite is the first security product designed specifically to protect critical enterprise data stored in relational databases. DBsign's data-centric approach makes it possible to have a single, interoperable security solution that is available to all the systems and applications that rely on the integrity of critical enterprise data.
By digitally signing the data as it persists in the database, DBsign provides technical non-repudiation of database transactions. As with a paper signature, a DBsign digital signature allows the authenticity and integrity of these paperless transactions to be verified at a later time. A database transaction can be generated and digitally-signed from a browser-based HTML form, then verified by a client / server application developed in another environment (such as Visual Basic, Java, Oracle Forms, PowerBuilder, and others).

Product Modules
There are three primary components that make up the DBsign® Data Security Suite:
- DBsign® Client Integration Module
- DBsign® Crypto Adapter Module
- DBsign® Administration Tools
The DBsign® Client Integration Module makes it easy to make database applications "PKI ready". It allows an application to use Digital Signature Templates (see "Versionable Signature Templates" below) to retrieve data to be signed from the application database. It also facilitates the storage of digital signature information in the database to be used in signature verification. The DBsign Client Integration Module also manages data that are necessary for strong certificate-based authentication and keeps a thorough audit log of digital signature activity in the application.
The DBsign® Crypto Adapter Module provides the cryptographic functionality in the DBsign Client Integration Module. The Crypto Adapter allows DBsign to interoperate with a wide range of cryptographic toolkits, hardware tokens (e.g., smart cards and high-speed crypto accelerators), and PKI environments (e.g., Entrust PKI, RSA Keon, Netscape Certificate Management System, Baltimore UniCERT, etc.).
The DBsign® Administration Tools make it easy to create and manage every aspect of DBsign. The tools include a Visual Signature Template Designer and Code Generator to speed up the process of defining or modifying the way documents are digitally signed. They also include the Signature Fault Resolution tool, which allows the user to browse the log tables and to "resolve" signature verification failures. For example, if the signed data has been altered, the document's signature will not verify. This tool identifies the data item that changed and displays the values of the signed item when it was signed and when it was verified. Such a tool is necessary to determine if the data was changed illegally or if the change was valid and the document needs to be re-signed.
Key Features
Key Features of the DBsign® Data Security Suite include:
- Real-Time Signature Validation
- "Drop-in" Implementation
- Versionable Signature Templates
- Configurable Audit and Event Logging
- Signature Fault Resolution
- FIPS 140-1 Validated Cryptography
- Graphical Administration Tools
- Standards-based Implementation
- Vendor-independent Architecture
- Database Independence
- Development Environment Independence
Real-Time Signature Validation. In many business processes, transactions depend on the data integrity of other previously entered transactions. For example, processing an invoice depends on the integrity of the existing vendor and purchase order data. Through the use of digital signature technology, the DBsign Data Security Suite enables applications to verify the data integrity of previous transactions, in real time, before proceeding with the transaction currently being processed. Since DBsign is tightly integrated into the application, this verification happens automatically with no user intervention. This level of database sophistication and data security provided through real-time signature verification is not found in any other commercial data security product.
"Drop-in" Implementation. Using DBsign, digital signature technology can be added to existing applications with "drop-in" ease. DBsign does not require changes to the existing table structure: the PK digital signature fields can be added as separate tables linked to the data being signed. All signature operations can be performed in one line of code. Implementation of DBsign by software developers requires little or no digital signature or public key knowledge.
Versionable Signature Templates. Organizations change and so must their information systems. Over time, new functionality is added to systems and existing functionality is enhanced. This means that the digital signature system must be able to change with the application. For example, a new field is added to an online document and this new data element needs to be protected by the document's digital signature. This must be done in such a way that digital signatures on existing documents that did not include this field will still verify. Versionable Signature Templates shield digital signature systems from database changes and allow new types of digital signatures to be added to the system. Versionable Signature Templates are unique to Gradkell's DBsign and are a direct result of years of experience with large, paperless, database-driven systems.
Configurable Audit and Event Logging. An important feature of any security system is the ability to maintain a historical record of who did what and when. The types of actions and data that can be tracked with the DBsign Audit Logging Module are application defined, allowing the logging system to conform to the logging requirements of the application, not vice versa.
Signature Fault Resolution. The purpose of protecting RDBMS data with digital signatures is to detect when data have been changed illegally (e.g., to detect attempted fraud). Sometimes, however, the data is validly changed, but by a SQL script executed by a user or DBA. The signature still will not verify, and in order to determine if the change to the data is valid, the original data that was signed must be compared to the current data. With the Signature Fault Resolution screen, the user can easily determine which data elements changed and make a decision to re-sign the data or to report a security violation. This important security feature is an invaluable troubleshooting tool.
FIPS 140-1 Validated Cryptography. All cryptographic modules used by DBsign are compliant with FIPS 140-1 and have undergone a very strict validation in a NIST certificate validation laboratory. DBsign can also use many types of third-party cryptographic modules. DBsign is currently interoperable with all FIPS 140-1 validated cryptographic smart cards.
Graphical Administration Tools. All aspects of configuring digital signatures in online database documents are controlled through an intuitive administration framework. These tools make it easy to specify the types of documents that will be digitally signed and which data fields to include in the digital signature.
Standards-based Implementation. Public key cryptography has become the de facto standard for E-Commerce and Internet security. This is primarily due to the industry push for a detailed, comprehensive standards process. The Internet Engineering Task Force (IETF) and the American National Standards Institute (ANSI) have played very important roles in defining the data formats (X.509v3 certificates and X.509v3 CRLs) and protocols (LDAPv2, OCSP, S/MIME) used in public key environments. Many standards for encoding data are derived from the PKCS standards developed by RSA Security, Inc. Interoperability is a primary goal of DBsign and is achieved by strict adherence to industry-accepted standards. As a result, DBsign has proven to be interoperable with products from multiple PKI and cryptographic module vendors.
Vendor-independent Architecture. DBsign encapsulates the specific requirements for integrating digital signatures into database applications. Vendor independence means that underlying cryptographic hardware and software components can be provided by third-party PKI products. For example, in high-security or high-dollar environments, advanced hardware cryptographic modules (such as smart cards and PC-Cards) may be required for certain transactions. For lower-risk transactions, less expensive software cryptographic modules (such as pure software solutions) are more appropriate. Through adherence to open standards, DBsign allows applications to simultaneously use cryptographic modules from many different vendors. This allows organizations to achieve an optimal balance of security and cost.
Database Independence. DBsign uses a portable subset of the SQL language and accesses databases through generic interfaces such as ODBC and JDBC. DBsign works with ODBC-compliant database drivers, such as Oracle RDBMS (versions 7.x and 8i), DB2, Sybase ASE, Microsoft SQL Server, and Microsoft Access.
Development Environment Independence. All development environments (e.g., Visual Basic, Oracle Forms, C++, Java, Delphi, PowerBuilder, etc.) capable of calling simple shared library (DLL) routines or ActiveX controls can use DBsign. This is an important feature for environments where centralized data is accessed through multiple applications which were developed in different programming languages or on different hardware and operating system platforms.
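
The Versionable Signature Templates and Signature Fault Resolution features described above can be sketched in a few lines. This is an added example, not DBsign code or its API: the template registry, field names and record layout are hypothetical, and an HMAC with a constructed key stands in for a public-key signature so the block runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Hypothetical template registry: (document type, version) -> fields covered.
TEMPLATES = {
    ("invoice", 1): ["invoice_no", "vendor_id", "amount"],
    ("invoice", 2): ["invoice_no", "vendor_id", "amount", "currency"],
}
DEMO_KEY = b"constructed-demo-key"  # HMAC stand-in for a signer's private key


def canonical(doc_type, version, row):
    """Serialize only the template's fields, in template order."""
    fields = TEMPLATES[(doc_type, version)]
    body = [doc_type, version, [[f, row.get(f)] for f in fields]]
    return json.dumps(body, separators=(",", ":")).encode()


def sign(doc_type, version, row):
    """Return the signature record stored beside the row (separate table)."""
    fields = TEMPLATES[(doc_type, version)]
    tag = hmac.new(DEMO_KEY, canonical(doc_type, version, row), hashlib.sha256)
    return {"doc_type": doc_type, "version": version,
            "signed_values": {f: row.get(f) for f in fields},
            "sig": tag.hexdigest()}


def verify(record, row):
    """Verify with the template version recorded at signing time.

    Returns (ok, faults); each fault is (field, signed_value, current_value).
    """
    data = canonical(record["doc_type"], record["version"], row)
    expected = hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, record["sig"]):
        return True, []
    faults = [(f, was, row.get(f))
              for f, was in record["signed_values"].items() if row.get(f) != was]
    return False, faults


# Constructed sample data: a row signed under template v1, then migrated.
old_row = {"invoice_no": "INV-1", "vendor_id": 7, "amount": "100.00"}
record_v1 = sign("invoice", 1, old_row)
migrated = dict(old_row, currency="USD")        # new column added later
altered = dict(migrated, amount="900.00")       # out-of-band SQL update
```

Calling `verify(record_v1, migrated)` still succeeds because template version 1 never covered `currency`, while `verify(record_v1, altered)` fails and names `amount` with its signed and current values, which is the information a reviewer needs to choose between re-signing and reporting a violation.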
DBsign, DBsign Data Security Suite, DBsign Core Module, DBsign Client Integration Module, DBsign Audit Logging Module, DBsign Resolution Module, DBsign Administrator are registered trademarks of Gradkell. Microsoft's Crypto API, Entrust Session, Java, JDBC are trademarks of their respective companies.
