News
University of Malaya pionners the First e-Scroll with technology from Thales
December 2013 by Marc Jacob
The goal: To create a hard-to-forge and easy-to-authenticate degree certificate
Many universities around the world are faced with the growing problem of counterfeit degree certificates. People who had never attended university were buying forged degrees and presenting themselves to employers as graduates. University of Malaya decided to address this problem by pioneering a digitally signed and time stamped certificate called the e-Scroll. This e-Scroll is not only hard to forge but also can be easily verified by a prospective employer.
As University of Malaya looked for a way forward to produce degree certificates that could not be forged and that could be easily authenticated, Dr. David Asirvatham, Director of IT Centre at University of Malaya, struck on the idea of an e-Scroll: a digital degree that can be digitally signed and time stamped, allowing it to be authenticated online. The potential advantages were significant. In a world where a growing number of graduates apply for jobs online, an applicant could attach an e-Scroll certificate to an online job submission, and employers would be able to quickly and easily validate its authenticity. An e-Scroll would also provide cost savings by eliminating the need to print expensive specialized paper-based certificates. Delivery of e-Scrolls is also made easy as students can login to a portal to download their e-Scroll. Most importantly, University of Malaya could virtually eliminate the negative impact of fraudulent certificates.
The challenge was in finding the right technology to implement the solution. It would need to be easy for university officials to create the certificates the graduating classes included 7,000 students on average. It would need to allow employers to authenticate the certificates quickly. Most of all, it would need to be secured in order to foil the highly sophisticated forgers who had been making a great deal of money selling counterfeit certificates.
The solution: Thales high assurance hardware with digital signature applications from GiAT Infosys Sdn Bhd
To implement their innovative e-Scroll solution, the university chose a complete digital signature solution offered by Thales in collaboration with GiAT Infosys Sdn Bhd, a Malaysian IT provider together with their business partner, Haynik Holding Sdn Bhd. Using a special-purpose software program, the university converts each student’s particulars and credentials into an Adobe PDF e-Scroll certificate. Each approved e-Scroll is digitally signed by the university’s Registrar and Vice Chancellor using GlobalSign® Digital IDs in an automated batch signing process. Thales nShield HSMs high-assurance tamper-resistant hardware security modules provide strong protection for the digital identities of the two signatories by securely storing their private signing keys and preventing any unauthorized access. As part of the process, each e-Scroll is issued a secure time stamp against the Malaysian National Clock (located at SIRIM) by Thales Time Stamp Server. The inclusion of a protected time stamp as part of the digital signature process provides an additional layer of security indicating the exact date that the credential was issued. Paper-based certificates can be post-dated or pre-dated but not e-Scrolls.
Thales solutions provide a mechanism to assure the integrity and authenticity of almost any form of electronic document
or message, enabling you to:
• Implement secure digital signing with high-availability solutions appropriate for critical processes
• Take advantage of high performance capabilities that
can support the most demanding online applications
and transaction volumes
• Employ fine-grained security controls to enforce policies requiring separation of duties, strong authentication for administrators and quorum authorized signing operations
• Accelerate deployments with standard APIs and out-of-the-box integrations
• Utilize globally respected product level security certifications such as FIPS 140-2 to streamline auditing and compliance reporting
The challenge of digital signatures
Organizations use digital signatures today in a wide variety of
applications. As the virtual equivalent of a traditional wet ink
signature, a digital signature is intended to verify the authenticity of
messages, transactions, digital documents and software, proving that
the information originated with the signer and has not been altered.
Digital signatures offer a host of potential benefits in addition to
document security, including greater efficiencies and cost reductions
realized through the automation of manual processes.
Digital signatures, however, pose a number of challenges for
organizations. Because digital signatures and digital identities rely
on the use of public key cryptography, the protection of private
keys is critical to the integrity of the whole system. If the digital
signing process is not secured, attackers can create seemingly
legitimate signatures over forged data, compromising the system
and the organization’s reputation. Moreover, organizations that
fail to maintain adequate documentation and certification for
policies and practices can risk rejection of digital signatures in
certain jurisdictions. Finally, some digital signing processes can be
computationally intensive, slowing down business processes
and limiting their ability to scale.
