SlideShare a Scribd company logo

What's new in PDF 2.0 regarding digital signatures

Download as PPTX, PDF
Bruno Lowagie
Bruno Lowagie

These are my slides for my talk about digital signatures in PDF at W-JAX München (November 7, 2012)

Technology
1 of 64
What's new in PDF 2.0 regarding Digital Signatures Bruno Lowagie iText Software Group
Digital Signatures are gaining importance! • Electronic invoices – Going paperless! • Contracts and Agreements – Workflow! • Notarized documents – Long-Term Validation! • Official documents – Assurance of authenticity! www.itextpdf.com
Standards: PAdES — ISO-32000-2 www.itextpdf.com
iText White Paper www.itextpdf.com
iText White Paper • Chapter 1: – The concept of digital signatures • Chapter 2: – Digital signatures in the context of PDF • Chapter 3: – Best practices in signing • Chapter 4: – Architectures for digital signing • Chapter 5: – Verification and Long-Term Validation www.itextpdf.com
Goals • Integrity — we want assurance that the document hasn’t been changed somewhere in the workflow • Authenticity — we want assurance that the author of the document is who we think it is (and not somebody else) • Non-repudiation — we want assurance that the author can’t deny his authorship. www.itextpdf.com
Concept 1: Message digest • Hashing algorithm: – a cryptographic hash function to turn an arbitrary block of data into a fixed-size bit string. • Available algorithms: – MD5: Ron Rivest – SHA • SHA-1: NSA • SHA-2: NSA / NIST • NEW: SHA-3 contest winner ―Keccak‖ – RIPEMD: KULeuven www.itextpdf.com
Concept 2: Encryption • Asymmetric key algorithms – Encryption – Digital signing www.itextpdf.com
Concept 1 + Concept 2 • Producer – Provides data as-is – Provides hash encrypted using private key – Provides public key • Consumer – Creates hash from data: hash1 – Decrypts hash using public key: hash2 – If (hash1 == hash2) document OK! www.itextpdf.com
Goals met? • Integrity: – hashes are identical • Authenticity: – identity found along with public key • Non-repudiation: – if hash can be decrypted with public key, the document was signed with the corresponding private key www.itextpdf.com
iText White Paper • Chapter 1: – The concept of digital signatures • Chapter 2: – Digital signatures in the context of PDF • Chapter 3: – Best practices in signing • Chapter 4: – Architectures for digital signing • Chapter 5: – Verification and Long-Term Validation www.itextpdf.com
PDF Syntax • There are no bytes in the PDF that aren’t covered, other than the PDF signature itself. • The digital signature isn’t part of the ByteRange. • The concept ―to initial a document‖ doesn’t exist; you sign the complete document at once (not on a page per page basis). www.itextpdf.com
How to compose a signature? www.itextpdf.com
Old subfilters • adbe.x509.rsa_sha1 – Message Digest: SHA-1, SHA256, SHA384, SHA512, RIPEMD160 – Encryption: RSA – Uses PKCS#1: forbidden in PAdES • adbe.pkcs7.sha1 – Message Digest: SHA-1 – Encryption: RSA, DSA – Subfilter deprecated in ISO-32000-2 www.itextpdf.com
Detached signatures • adbe.pkcs7.detached • ETSI.CAdES.detached – SHA-1, SHA256, SHA384, SHA512, RIPEMD160 – RSA, DSA, ECDSA • Warning – SHA-1 is being phased out – Key length ≥ 2048-bit – Some combinations won’t work in old versions www.itextpdf.com
Private key & Certificates BouncyCastleProvider provider = new BouncyCastleProvider(); Security.addProvider(provider); KeyStore ks = KeyStore.getInstance("pkcs12", provider.getName()); ks.load(new FileInputStream(path), pass); String alias = (String)ks.aliases().nextElement(); PrivateKey pk = (PrivateKey) ks.getKey(alias, pass); Certificate[] chain = ks.getCertificateChain(alias); www.itextpdf.com
iText Reader & Stamper PdfReader reader = new PdfReader(src); OutputStream os = new FileOutputStream(dest); PdfStamper stamper = PdfStamper.createSignature(reader, os, '0'); www.itextpdf.com
Signature appearance PdfSignatureAppearance appearance = stamper.getSignatureAppearance(); appearance.setReason(reason); appearance.setLocation(location); appearance.setVisibleSignature( new Rectangle(36, 748, 144, 780), 1, "sig"); appearance.setCertificationLevel(certificationLevel); www.itextpdf.com
Creating the signature ExternalDigest digest = new BouncyCastleDigest(); ExternalSignature pks = new PrivateKeySignature( pk, digestAlgorithm, provider); MakeSignature.signDetached( appearance, digest, pks, chain, null, null, null, 0, subfilter); CMS/CADES Chapter 3 www.itextpdf.com
Default appearance www.itextpdf.com
Custom appearance www.itextpdf.com
Certification Level • Certification (aka author) signature— only possible for the first revision; involves modification detection and prevention (MDP). • Approval (aka recipient) signature— workflow with subsequent signers. • Usage Rights signature— involving Adobe’s private key to Reader enable a PDF (off-topic here). www.itextpdf.com
Author signature www.itextpdf.com
Approval signature www.itextpdf.com
Approval signature: broken www.itextpdf.com
Approval signature: update www.itextpdf.com
Serial signatures • A document can be signed more than once. • Parallel signatures aren’t supported. • Additional signatures sign all previous signatures. www.itextpdf.com
Workflow: Certified by Alice www.itextpdf.com
Read & Approved by Bob www.itextpdf.com
Signed by Bob www.itextpdf.com
Chuck and the MDP settings www.itextpdf.com
Read & Approved by Carol www.itextpdf.com
Signed by Carol www.itextpdf.com
Filled out and signed by Dave www.itextpdf.com
Chuck and the MDP settings www.itextpdf.com
iText White Paper • Chapter 1: – The concept of digital signatures • Chapter 2: – Digital signatures in the context of PDF • Chapter 3: – Best practices in signing • Chapter 4: – Architectures for digital signing • Chapter 5: – Verification and Long-Term Validation www.itextpdf.com
Certificate Authorities www.itextpdf.com
Self-signed certificate www.itextpdf.com
Certificate Authority www.itextpdf.com
CDS / AATL www.itextpdf.com
Certificate Revocation • What if your certificate is compromised? • CRL: Certificate Revocation List • OCSP: Online Certificate Status Protocol www.itextpdf.com
List<CrlClient> crlList = new ArrayList<CrlClient>(); • CrlClientOnline • CrlClientOffline
OcspClient ocspClient = new OcspClientBouncyCastle();
CRL versus OSCP • File Size: – OCSP: small, predictable size – CRL: depends on the CA • Performance: – CRL: can be cached – OCSP: online connection • Legal requirements www.itextpdf.com
Certificates expire 2012 2013 2014 Expiration date www.itextpdf.com
Certificates get revoked Revocation date Expiration date www.itextpdf.com
How to survive expiration? Revocation date Expiration date www.itextpdf.com
TSAClient tsa = new TSAClientBouncyCastle( tsaUrl, tsaUser, tsaPass);
iText White Paper • Chapter 1: – The concept of digital signatures • Chapter 2: – Digital signatures in the context of PDF • Chapter 3: – Best practices in signing • Chapter 4: – Architectures for digital signing • Chapter 5: – Verification and Long-Term Validation www.itextpdf.com
Client + software certificate www.itextpdf.com
Client + key on hardware www.itextpdf.com
Server + software certificate www.itextpdf.com
Server + key on hardware www.itextpdf.com
iText White Paper • Chapter 1: – The concept of digital signatures • Chapter 2: – Digital signatures in the context of PDF • Chapter 3: – Best practices in signing • Chapter 4: – Architectures for digital signing • Chapter 5: – Verification and Long-Term Validation www.itextpdf.com
Inspecting signed documents • Manually • Automated process – Checking the integrity of a signed PDF – Checking the certificate chain – Retrieving information from the signature – TODO: validate MDP settings www.itextpdf.com
What to do when... • There’s no CRL/OCSP/TS in the document? • The certificate is about to expire? • The hashing / encryption algorithm is about to be deprecated? www.itextpdf.com
Long-Term Validation (LTV) www.itextpdf.com
Long-Term Validation (LTV) www.itextpdf.com
Validation of LTV PAdES 4 section 4.3: • The ―latest‖ document timestamp should be validated at current time with validation data collected at current time. • The ―inner‖ document timestamp should be validated at previous document timestamp time with the validation present (and timestamped for the successive enveloping timestamps) in the previous DSS. • The signature and the signature timestamp should be validated at the latest innermost LTV document timestamp time using the validation data stored in the DSS and timestamped by the successive enveloping timestamps. www.itextpdf.com
What's new in PDF 2.0 regarding Digital Signatures Bruno Lowagie CEO iText Software Group
Conclusion • ISO-32000-2 (PDF 2.0) – Deprecation of old subfiltertypes – Support for new subfiltertypes – Support for CAdES signatures – Support for ECDSA encryption – MDP extended to approval signatures – LTV: Long-term validation www.itextpdf.com
Conclusion • PAdES – PAdES 1: summary of PAdES – PAdES 2: CMS (ISO-32000-1) – PAdES 3: CAdES (ISO-32000-2) – PAdES 4: LTV (ISO-32000-2) – PAdES 5: not discussed (iText Roadmap 2013) – PAdES 6: signature appearance www.itextpdf.com
Conclusion • Technology – Software certificates (PKCS#12) – HSM (PKCS#11) – USB token (PKCS#11, MSCAPI) – Smart card (PKCS#11, MSCAPI, smartcardio, ...) www.itextpdf.com
Thank you! http://itextpdf.com/book/digitalsignatures www.itextpdf.com

Recommended

PDF Digital signatures
PDF Digital signaturesPDF Digital signatures
PDF Digital signaturesBruno Lowagie
 
Digital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFDigital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFiText Group nv
 
Digital Signatures in the Cloud: A B2C Case Study
Digital Signatures in the Cloud: A B2C Case StudyDigital Signatures in the Cloud: A B2C Case Study
Digital Signatures in the Cloud: A B2C Case StudyiText Group nv
 
Analyzing RDP traffc with Bro
Analyzing RDP traffc with BroAnalyzing RDP traffc with Bro
Analyzing RDP traffc with BroJosh Liburdi
 
Crypography in c#
Crypography in c#Crypography in c#
Crypography in c#Manu Cohen-Yashar
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeDigiCert, Inc.
 
OpenID Foundation RISC WG Update - 2017-10-16
OpenID Foundation RISC WG Update - 2017-10-16OpenID Foundation RISC WG Update - 2017-10-16
OpenID Foundation RISC WG Update - 2017-10-16MikeLeszcz
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 

Recommended

PDF Digital signatures
PDF Digital signaturesPDF Digital signatures
PDF Digital signaturesBruno Lowagie
 
Digital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFDigital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFiText Group nv
 
Digital Signatures in the Cloud: A B2C Case Study
Digital Signatures in the Cloud: A B2C Case StudyDigital Signatures in the Cloud: A B2C Case Study
Digital Signatures in the Cloud: A B2C Case StudyiText Group nv
 
Analyzing RDP traffc with Bro
Analyzing RDP traffc with BroAnalyzing RDP traffc with Bro
Analyzing RDP traffc with BroJosh Liburdi
 
Crypography in c#
Crypography in c#Crypography in c#
Crypography in c#Manu Cohen-Yashar
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeDigiCert, Inc.
 
OpenID Foundation RISC WG Update - 2017-10-16
OpenID Foundation RISC WG Update - 2017-10-16OpenID Foundation RISC WG Update - 2017-10-16
OpenID Foundation RISC WG Update - 2017-10-16MikeLeszcz
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 
Final ppt ecommerce
Final ppt ecommerceFinal ppt ecommerce
Final ppt ecommercepriyanka Garg
 
PKI Industry growth in Bangladesh
PKI Industry growth in BangladeshPKI Industry growth in Bangladesh
PKI Industry growth in BangladeshBangladesh Network Operators Group
 
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...FIWARE
 
Identity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading andIdentity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading andKamal Spring
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Serviceskieranjacobsen
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flashEvan J Johnson (Not a CISSP)
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenIDPrabath Siriwardena
 
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02MikeLeszcz
 
Remote Procedure Call over DDS - London Connext DDS Conference
Remote Procedure Call over DDS - London Connext DDS Conference Remote Procedure Call over DDS - London Connext DDS Conference
Remote Procedure Call over DDS - London Connext DDS Conference Gerardo Pardo-Castellote
 
Marco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewMarco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewInformation Security Awareness Group
 
PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and ApplicationsSvetlin Nakov
 
identity-based distributed provable data possession in multi-cloud storage
identity-based distributed provable data possession in multi-cloud storageidentity-based distributed provable data possession in multi-cloud storage
identity-based distributed provable data possession in multi-cloud storageswathi78
 
OpenID - An in depth look at what it is, and how you can use it
OpenID - An in depth look at what it is, and how you can use itOpenID - An in depth look at what it is, and how you can use it
OpenID - An in depth look at what it is, and how you can use itBill Shupp
 
Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04Synacts
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim PolkInformation Security Awareness Group
 
HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016Jason Stangroome
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key InfrastructureTheo Gravity
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guideJ.D. Wade
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 

More Related Content

What's hot

FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...FIWARE
 
Identity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading andIdentity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading andKamal Spring
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Serviceskieranjacobsen
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02MikeLeszcz
 
Remote Procedure Call over DDS - London Connext DDS Conference
Remote Procedure Call over DDS - London Connext DDS Conference Remote Procedure Call over DDS - London Connext DDS Conference
Remote Procedure Call over DDS - London Connext DDS Conference Gerardo Pardo-Castellote
 
PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and ApplicationsSvetlin Nakov
 
identity-based distributed provable data possession in multi-cloud storage
identity-based distributed provable data possession in multi-cloud storageidentity-based distributed provable data possession in multi-cloud storage
identity-based distributed provable data possession in multi-cloud storageswathi78
 
OpenID - An in depth look at what it is, and how you can use it
OpenID - An in depth look at what it is, and how you can use itOpenID - An in depth look at what it is, and how you can use it
OpenID - An in depth look at what it is, and how you can use itBill Shupp
 
Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04Synacts
 
HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016Jason Stangroome
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key InfrastructureTheo Gravity
 

What's hot (20)

Final ppt ecommerce
Final ppt ecommerceFinal ppt ecommerce
Final ppt ecommerce
 
PKI Industry growth in Bangladesh
PKI Industry growth in BangladeshPKI Industry growth in Bangladesh
PKI Industry growth in Bangladesh
 
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
FIWARE Global Summit - Fast RTPS: Programming with the Default middleware for...
 
Identity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading andIdentity based proxy-oriented data uploading and
Identity based proxy-oriented data uploading and
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructure
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flash
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
 
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
 
OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02
 
Remote Procedure Call over DDS - London Connext DDS Conference
Remote Procedure Call over DDS - London Connext DDS Conference Remote Procedure Call over DDS - London Connext DDS Conference
Remote Procedure Call over DDS - London Connext DDS Conference
 
Marco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewMarco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overview
 
PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and Applications
 
identity-based distributed provable data possession in multi-cloud storage
identity-based distributed provable data possession in multi-cloud storageidentity-based distributed provable data possession in multi-cloud storage
identity-based distributed provable data possession in multi-cloud storage
 
OpenID - An in depth look at what it is, and how you can use it
OpenID - An in depth look at what it is, and how you can use itOpenID - An in depth look at what it is, and how you can use it
OpenID - An in depth look at what it is, and how you can use it
 
Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim Polk
 
HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
 

Similar to What's new in PDF 2.0 regarding digital signatures

Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guideJ.D. Wade
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 
Digital signature & eSign overview
Digital signature & eSign overviewDigital signature & eSign overview
Digital signature & eSign overviewRishi Pathak
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices WorldDiogo Mónica
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideJ.D. Wade
 
Smart Signatures—Experiments in Authentication (Stanford BPASE 2018 final)
Smart Signatures—Experiments in Authentication (Stanford BPASE 2018 final)Smart Signatures—Experiments in Authentication (Stanford BPASE 2018 final)
Smart Signatures—Experiments in Authentication (Stanford BPASE 2018 final)Christopher Allen
 
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operatorsCertificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operatorsDavid Ochel
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetJ.D. Wade
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Arnaud Le Hors
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMDiego Alberto Tamayo
 
Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm Diego Alberto Tamayo
 
Blockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBMBlockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBMDiego Alberto Tamayo
 
Blockchain and BPM - Reflections on Four Years of Research and Applications
Blockchain and BPM - Reflections on Four Years of Research and ApplicationsBlockchain and BPM - Reflections on Four Years of Research and Applications
Blockchain and BPM - Reflections on Four Years of Research and ApplicationsIngo Weber
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECCarlos Martinez Cagnazzo
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence Sam Bowne
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in CordaGuy Hochstetler
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
Network security-primer-9544
Network security-primer-9544Network security-primer-9544
Network security-primer-9544Hfz Mushtaq
 
Introduction to Blockchain and Hyperledger
Introduction to Blockchain and HyperledgerIntroduction to Blockchain and Hyperledger
Introduction to Blockchain and HyperledgerDev_Events
 

Similar to What's new in PDF 2.0 regarding digital signatures (20)

Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
Digital signature & eSign overview
Digital signature & eSign overviewDigital signature & eSign overview
Digital signature & eSign overview
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
 
Smart Signatures—Experiments in Authentication (Stanford BPASE 2018 final)
Smart Signatures—Experiments in Authentication (Stanford BPASE 2018 final)Smart Signatures—Experiments in Authentication (Stanford BPASE 2018 final)
Smart Signatures—Experiments in Authentication (Stanford BPASE 2018 final)
 
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operatorsCertificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBM
 
Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm
 
Blockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBMBlockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBM
 
Blockchain and BPM - Reflections on Four Years of Research and Applications
Blockchain and BPM - Reflections on Four Years of Research and ApplicationsBlockchain and BPM - Reflections on Four Years of Research and Applications
Blockchain and BPM - Reflections on Four Years of Research and Applications
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in Corda
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
Network security-primer-9544
Network security-primer-9544Network security-primer-9544
Network security-primer-9544
 
Introduction to Blockchain and Hyperledger
Introduction to Blockchain and HyperledgerIntroduction to Blockchain and Hyperledger
Introduction to Blockchain and Hyperledger
 

More from Bruno Lowagie

The Dark Magic of Start-Up Valuation
The Dark Magic of Start-Up ValuationThe Dark Magic of Start-Up Valuation
The Dark Magic of Start-Up ValuationBruno Lowagie
 
Open Source Survival: A Story from the Trenches
Open Source Survival: A Story from the TrenchesOpen Source Survival: A Story from the Trenches
Open Source Survival: A Story from the TrenchesBruno Lowagie
 
Entreprenerd: presenting the book
Entreprenerd: presenting the bookEntreprenerd: presenting the book
Entreprenerd: presenting the bookBruno Lowagie
 
The Secret of your Success
The Secret of your SuccessThe Secret of your Success
The Secret of your SuccessBruno Lowagie
 
Blockchain: use cases for the future
Blockchain: use cases for the futureBlockchain: use cases for the future
Blockchain: use cases for the futureBruno Lowagie
 
Blockchain Fundamentals
Blockchain FundamentalsBlockchain Fundamentals
Blockchain FundamentalsBruno Lowagie
 
Digital Signatures in PDF: how it's done
Digital Signatures in PDF: how it's doneDigital Signatures in PDF: how it's done
Digital Signatures in PDF: how it's doneBruno Lowagie
 
How can large open source projects be monetized?
How can large open source projects be monetized?How can large open source projects be monetized?
How can large open source projects be monetized?Bruno Lowagie
 
Open source: an introduction to IP and Legal
Open source: an introduction to IP and LegalOpen source: an introduction to IP and Legal
Open source: an introduction to IP and LegalBruno Lowagie
 
How can large open source projects be monetized?
How can large open source projects be monetized?How can large open source projects be monetized?
How can large open source projects be monetized?Bruno Lowagie
 
Waarom iText de Leeuw van de Export 2016 moet winnen
Waarom iText de Leeuw van de Export 2016 moet winnenWaarom iText de Leeuw van de Export 2016 moet winnen
Waarom iText de Leeuw van de Export 2016 moet winnenBruno Lowagie
 
Belgium and the US: a mutual introduction
Belgium and the US: a mutual introductionBelgium and the US: a mutual introduction
Belgium and the US: a mutual introductionBruno Lowagie
 
Four failures and one hit
Four failures and one hitFour failures and one hit
Four failures and one hitBruno Lowagie
 
Startup Legal and IP
Startup Legal and IPStartup Legal and IP
Startup Legal and IPBruno Lowagie
 
Startup Weekend Ghent
Startup Weekend GhentStartup Weekend Ghent
Startup Weekend GhentBruno Lowagie
 
Doing business in the US: Yes, You Can!
Doing business in the US: Yes, You Can!Doing business in the US: Yes, You Can!
Doing business in the US: Yes, You Can!Bruno Lowagie
 
Community Leadership Summit - Calistoga March 2013
Community Leadership Summit - Calistoga March 2013Community Leadership Summit - Calistoga March 2013
Community Leadership Summit - Calistoga March 2013Bruno Lowagie
 
Bizcamp #8: The Founder's Dilemmas, Control vs. Wealth decisions
Bizcamp #8: The Founder's Dilemmas, Control vs. Wealth decisionsBizcamp #8: The Founder's Dilemmas, Control vs. Wealth decisions
Bizcamp #8: The Founder's Dilemmas, Control vs. Wealth decisionsBruno Lowagie
 
Kruispunt Brugsepoortstraat
Kruispunt BrugsepoortstraatKruispunt Brugsepoortstraat
Kruispunt BrugsepoortstraatBruno Lowagie
 
GentM #9: Business Angels
GentM #9: Business AngelsGentM #9: Business Angels
GentM #9: Business AngelsBruno Lowagie
 

More from Bruno Lowagie (20)

The Dark Magic of Start-Up Valuation
The Dark Magic of Start-Up ValuationThe Dark Magic of Start-Up Valuation
The Dark Magic of Start-Up Valuation
 
Open Source Survival: A Story from the Trenches
Open Source Survival: A Story from the TrenchesOpen Source Survival: A Story from the Trenches
Open Source Survival: A Story from the Trenches
 
Entreprenerd: presenting the book
Entreprenerd: presenting the bookEntreprenerd: presenting the book
Entreprenerd: presenting the book
 
The Secret of your Success
The Secret of your SuccessThe Secret of your Success
The Secret of your Success
 
Blockchain: use cases for the future
Blockchain: use cases for the futureBlockchain: use cases for the future
Blockchain: use cases for the future
 
Blockchain Fundamentals
Blockchain FundamentalsBlockchain Fundamentals
Blockchain Fundamentals
 
Digital Signatures in PDF: how it's done
Digital Signatures in PDF: how it's doneDigital Signatures in PDF: how it's done
Digital Signatures in PDF: how it's done
 
How can large open source projects be monetized?
How can large open source projects be monetized?How can large open source projects be monetized?
How can large open source projects be monetized?
 
Open source: an introduction to IP and Legal
Open source: an introduction to IP and LegalOpen source: an introduction to IP and Legal
Open source: an introduction to IP and Legal
 
How can large open source projects be monetized?
How can large open source projects be monetized?How can large open source projects be monetized?
How can large open source projects be monetized?
 
Waarom iText de Leeuw van de Export 2016 moet winnen
Waarom iText de Leeuw van de Export 2016 moet winnenWaarom iText de Leeuw van de Export 2016 moet winnen
Waarom iText de Leeuw van de Export 2016 moet winnen
 
Belgium and the US: a mutual introduction
Belgium and the US: a mutual introductionBelgium and the US: a mutual introduction
Belgium and the US: a mutual introduction
 
Four failures and one hit
Four failures and one hitFour failures and one hit
Four failures and one hit
 
Startup Legal and IP
Startup Legal and IPStartup Legal and IP
Startup Legal and IP
 
Startup Weekend Ghent
Startup Weekend GhentStartup Weekend Ghent
Startup Weekend Ghent
 
Doing business in the US: Yes, You Can!
Doing business in the US: Yes, You Can!Doing business in the US: Yes, You Can!
Doing business in the US: Yes, You Can!
 
Community Leadership Summit - Calistoga March 2013
Community Leadership Summit - Calistoga March 2013Community Leadership Summit - Calistoga March 2013
Community Leadership Summit - Calistoga March 2013
 
Bizcamp #8: The Founder's Dilemmas, Control vs. Wealth decisions
Bizcamp #8: The Founder's Dilemmas, Control vs. Wealth decisionsBizcamp #8: The Founder's Dilemmas, Control vs. Wealth decisions
Bizcamp #8: The Founder's Dilemmas, Control vs. Wealth decisions
 
Kruispunt Brugsepoortstraat
Kruispunt BrugsepoortstraatKruispunt Brugsepoortstraat
Kruispunt Brugsepoortstraat
 
GentM #9: Business Angels
GentM #9: Business AngelsGentM #9: Business Angels
GentM #9: Business Angels
 

Recently uploaded

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 

Recently uploaded (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 

What's new in PDF 2.0 regarding digital signatures

  • 1. What's new in PDF 2.0 regarding Digital Signatures Bruno Lowagie iText Software Group
  • 2. Digital Signatures are gaining importance! • Electronic invoices – Going paperless! • Contracts and Agreements – Workflow! • Notarized documents – Long-Term Validation! • Official documents – Assurance of authenticity! www.itextpdf.com
  • 3. Standards: PAdES — ISO-32000-2 www.itextpdf.com
  • 4. iText White Paper www.itextpdf.com
  • 5. iText White Paper • Chapter 1: – The concept of digital signatures • Chapter 2: – Digital signatures in the context of PDF • Chapter 3: – Best practices in signing • Chapter 4: – Architectures for digital signing • Chapter 5: – Verification and Long-Term Validation www.itextpdf.com
  • 6. Goals • Integrity — we want assurance that the document hasn’t been changed somewhere in the workflow • Authenticity — we want assurance that the author of the document is who we think it is (and not somebody else) • Non-repudiation — we want assurance that the author can’t deny his authorship. www.itextpdf.com
  • 7. Concept 1: Message digest • Hashing algorithm: – a cryptographic hash function to turn an arbitrary block of data into a fixed-size bit string. • Available algorithms: – MD5: Ron Rivest – SHA • SHA-1: NSA • SHA-2: NSA / NIST • NEW: SHA-3 contest winner ―Keccak‖ – RIPEMD: KULeuven www.itextpdf.com
  • 8. Concept 2: Encryption • Asymmetric key algorithms – Encryption – Digital signing www.itextpdf.com
  • 9. Concept 1 + Concept 2 • Producer – Provides data as-is – Provides hash encrypted using private key – Provides public key • Consumer – Creates hash from data: hash1 – Decrypts hash using public key: hash2 – If (hash1 == hash2) document OK! www.itextpdf.com
  • 10. Goals met? • Integrity: – hashes are identical • Authenticity: – identity found along with public key • Non-repudiation: – if hash can be decrypted with public key, the document was signed with the corresponding private key www.itextpdf.com
  • 11. iText White Paper • Chapter 1: – The concept of digital signatures • Chapter 2: – Digital signatures in the context of PDF • Chapter 3: – Best practices in signing • Chapter 4: – Architectures for digital signing • Chapter 5: – Verification and Long-Term Validation www.itextpdf.com
  • 12. PDF Syntax • There are no bytes in the PDF that aren’t covered, other than the PDF signature itself. • The digital signature isn’t part of the ByteRange. • The concept ―to initial a document‖ doesn’t exist; you sign the complete document at once (not on a page per page basis). www.itextpdf.com
  • 13. How to compose a signature? www.itextpdf.com
  • 14. Old subfilters • adbe.x509.rsa_sha1 – Message Digest: SHA-1, SHA256, SHA384, SHA512, RIPEMD160 – Encryption: RSA – Uses PKCS#1: forbidden in PAdES • adbe.pkcs7.sha1 – Message Digest: SHA-1 – Encryption: RSA, DSA – Subfilter deprecated in ISO-32000-2 www.itextpdf.com
  • 15. Detached signatures • adbe.pkcs7.detached • ETSI.CAdES.detached – SHA-1, SHA256, SHA384, SHA512, RIPEMD160 – RSA, DSA, ECDSA • Warning – SHA-1 is being phased out – Key length ≥ 2048-bit – Some combinations won’t work in old versions www.itextpdf.com
  • 16. Private key & Certificates BouncyCastleProvider provider = new BouncyCastleProvider(); Security.addProvider(provider); KeyStore ks = KeyStore.getInstance("pkcs12", provider.getName()); ks.load(new FileInputStream(path), pass); String alias = (String)ks.aliases().nextElement(); PrivateKey pk = (PrivateKey) ks.getKey(alias, pass); Certificate[] chain = ks.getCertificateChain(alias); www.itextpdf.com
  • 17. iText Reader & Stamper PdfReader reader = new PdfReader(src); OutputStream os = new FileOutputStream(dest); PdfStamper stamper = PdfStamper.createSignature(reader, os, '0'); www.itextpdf.com
  • 18. Signature appearance PdfSignatureAppearance appearance = stamper.getSignatureAppearance(); appearance.setReason(reason); appearance.setLocation(location); appearance.setVisibleSignature( new Rectangle(36, 748, 144, 780), 1, "sig"); appearance.setCertificationLevel(certificationLevel); www.itextpdf.com
  • 19. Creating the signature ExternalDigest digest = new BouncyCastleDigest(); ExternalSignature pks = new PrivateKeySignature( pk, digestAlgorithm, provider); MakeSignature.signDetached( appearance, digest, pks, chain, null, null, null, 0, subfilter); CMS/CADES Chapter 3 www.itextpdf.com
  • 20. Default appearance www.itextpdf.com
  • 21. Custom appearance www.itextpdf.com
  • 22. Certification Level • Certification (aka author) signature— only possible for the first revision; involves modification detection and prevention (MDP). • Approval (aka recipient) signature— workflow with subsequent signers. • Usage Rights signature— involving Adobe’s private key to Reader enable a PDF (off-topic here). www.itextpdf.com
  • 23. Author signature www.itextpdf.com
  • 24. Approval signature www.itextpdf.com
  • 25. Approval signature: broken www.itextpdf.com
  • 26. Approval signature: update www.itextpdf.com
  • 27. Serial signatures • A document can be signed more than once. • Parallel signatures aren’t supported. • Additional signatures sign all previous signatures. www.itextpdf.com
  • 28. Workflow: Certified by Alice www.itextpdf.com
  • 29. Read & Approved by Bob www.itextpdf.com
  • 30. Signed by Bob www.itextpdf.com
  • 31. Chuck and the MDP settings www.itextpdf.com
  • 32. Read & Approved by Carol www.itextpdf.com
  • 33. Signed by Carol www.itextpdf.com
  • 34. Filled out and signed by Dave www.itextpdf.com
  • 35. Chuck and the MDP settings www.itextpdf.com
  • 36. iText White Paper • Chapter 1: – The concept of digital signatures • Chapter 2: – Digital signatures in the context of PDF • Chapter 3: – Best practices in signing • Chapter 4: – Architectures for digital signing • Chapter 5: – Verification and Long-Term Validation www.itextpdf.com
  • 37. Certificate Authorities www.itextpdf.com
  • 38. Self-signed certificate www.itextpdf.com
  • 39. Certificate Authority www.itextpdf.com
  • 40. CDS / AATL www.itextpdf.com
  • 41. Certificate Revocation • What if your certificate is compromised? • CRL: Certificate Revocation List • OCSP: Online Certificate Status Protocol www.itextpdf.com
  • 42. List<CrlClient> crlList = new ArrayList<CrlClient>(); • CrlClientOnline • CrlClientOffline
  • 43. OcspClient ocspClient = new OcspClientBouncyCastle();
  • 44. CRL versus OSCP • File Size: – OCSP: small, predictable size – CRL: depends on the CA • Performance: – CRL: can be cached – OCSP: online connection • Legal requirements www.itextpdf.com
  • 45. Certificates expire 2012 2013 2014 Expiration date www.itextpdf.com
  • 46. Certificates get revoked Revocation date Expiration date www.itextpdf.com
  • 47. How to survive expiration? Revocation date Expiration date www.itextpdf.com
  • 48. TSAClient tsa = new TSAClientBouncyCastle( tsaUrl, tsaUser, tsaPass);
  • 49. iText White Paper • Chapter 1: – The concept of digital signatures • Chapter 2: – Digital signatures in the context of PDF • Chapter 3: – Best practices in signing • Chapter 4: – Architectures for digital signing • Chapter 5: – Verification and Long-Term Validation www.itextpdf.com
  • 50. Client + software certificate www.itextpdf.com
  • 51. Client + key on hardware www.itextpdf.com
  • 52. Server + software certificate www.itextpdf.com
  • 53. Server + key on hardware www.itextpdf.com
  • 54. iText White Paper • Chapter 1: – The concept of digital signatures • Chapter 2: – Digital signatures in the context of PDF • Chapter 3: – Best practices in signing • Chapter 4: – Architectures for digital signing • Chapter 5: – Verification and Long-Term Validation www.itextpdf.com
  • 55. Inspecting signed documents • Manually • Automated process – Checking the integrity of a signed PDF – Checking the certificate chain – Retrieving information from the signature – TODO: validate MDP settings www.itextpdf.com
  • 56. What to do when... • There’s no CRL/OCSP/TS in the document? • The certificate is about to expire? • The hashing / encryption algorithm is about to be deprecated? www.itextpdf.com
  • 57. Long-Term Validation (LTV) www.itextpdf.com
  • 58. Long-Term Validation (LTV) www.itextpdf.com
  • 59. Validation of LTV PAdES 4 section 4.3: • The ―latest‖ document timestamp should be validated at current time with validation data collected at current time. • The ―inner‖ document timestamp should be validated at previous document timestamp time with the validation present (and timestamped for the successive enveloping timestamps) in the previous DSS. • The signature and the signature timestamp should be validated at the latest innermost LTV document timestamp time using the validation data stored in the DSS and timestamped by the successive enveloping timestamps. www.itextpdf.com
  • 60. What's new in PDF 2.0 regarding Digital Signatures Bruno Lowagie CEO iText Software Group
  • 61. Conclusion • ISO-32000-2 (PDF 2.0) – Deprecation of old subfiltertypes – Support for new subfiltertypes – Support for CAdES signatures – Support for ECDSA encryption – MDP extended to approval signatures – LTV: Long-term validation www.itextpdf.com
  • 62. Conclusion • PAdES – PAdES 1: summary of PAdES – PAdES 2: CMS (ISO-32000-1) – PAdES 3: CAdES (ISO-32000-2) – PAdES 4: LTV (ISO-32000-2) – PAdES 5: not discussed (iText Roadmap 2013) – PAdES 6: signature appearance www.itextpdf.com
  • 63. Conclusion • Technology – Software certificates (PKCS#12) – HSM (PKCS#11) – USB token (PKCS#11, MSCAPI) – Smart card (PKCS#11, MSCAPI, smartcardio, ...) www.itextpdf.com