MAX 2007 CONNECT. DISCOVER. INSPIRE. LiveCycle Digital Security and Certification Duane Nickull,  Sr. Technology Evangelis...
Abstract (Remove) <ul><li>This session will focus on the persistent rights management and document security technologies i...
Today’s Agenda – one hour <ul><li>Architecture Dive – Adobe LiveCycle ES  </li></ul><ul><ul><li>Security Architecture </li...
Old model for enterprise architecture (simple) Server  Client
Enterprise 2.0 <ul><li>Definition:  An adoption of Web 2.0 design patterns by Enterprises </li></ul><ul><li>Abstract  Mode...
LiveCycle ES Architecture
The Genesis of LiveCycle ES I want to connect these world! Distributors & Agencies Internal Processes ERP / ECM / CRM / BP...
Closing the Engagement Gap with LiveCycle Distributors & Agencies Internal Processes ERP / ECM / CRM / BPM / Accounting  C...
The Adobe technology platform architecture Service Tier Resource Tier EIS Databases Directories ECM  Repository Message Qu...
Adobe LiveCycle ES Service Components Service Tier Service Invocation Layer Service Container Registry Service Provider In...
LC ES Digital Signature Ecosystem
LiveCycle Invocation
Digital Signatures Adobe LiveCycle Document Security Server
Digital Signatures <ul><li>DSig enables recipients to verify the integrity of an electronic document. </li></ul><ul><li>In...
How it works - Signing PDF Documents
ByteRange and Signature value
The PDF Save/Hash/Update Process <ul><ul><li>Hash computed over entire PDF file </li></ul></ul><ul><ul><ul><li>byte 0 to l...
Multiple Signatures
Dsig Check list <ul><li>Public Key Infrastructure (PKI) </li></ul><ul><li>Certificate Revocation List (CRL) </li></ul><ul>...
PKI mechanisms <ul><li>Public Key Cryptography Standards (PKCS) - set of standard protocols used by PKI vendors including ...
Demo <ul><li>Adobe Acrobat </li></ul><ul><li>Custom Communications Form Sample </li></ul><ul><ul><li>Simple signing and br...
Adobe LiveCycle Digital Signatures
LiveCycle Digital Signatures <ul><li>Server used for: </li></ul><ul><ul><ul><li>Publishing &quot;certified&quot; documents...
For developers <ul><li>http://livedocs.adobe.com/ </li></ul>
Samples - retrieve Dsig field names <ul><li>import java.util.*; </li></ul><ul><li>import java.io.FileInputStream; </li></u...
Samples - retrieve Dsig field names (2) <ul><li>//Create a ServiceClientFactory instance </li></ul><ul><li>ServiceClientFa...
Samples - retrieve Dsig field names (3) <ul><li>//Obtain the name of each signature field by iterating List </li></ul><ul>...
Adobe LiveCycle Rights Management
Securing information is important  ”not optional” <ul><li>Mandatory compliance with:  </li></ul><ul><ul><li>Sarbanes-Oxley...
<ul><li>Lack  persistent  access controls to prevent information re-distribution  </li></ul><ul><li>Cannot  dynamically  c...
Adobe® LiveCycle™ Rights Management <ul><li>Controls </li></ul><ul><ul><li>Who can open a document </li></ul></ul><ul><ul>...
Adobe provides  persistent  protection for information
Adobe’s Contribution to Information Assurance <ul><li>Data is secured at the document level, throughout its lifecycle </li...
Security technologies
Secure Messaging (WS-Security)
Deployment Architecture – within enterprise
Deployment Architecture – external use
Demo !  <ul><li>LiveCycle Rights Management  </li></ul>
Orchestrating Security And demo…
Digital Signature Plug in Architecture <ul><li>Adobe Acrobat implements digital signatures using plug-ins for generic func...
Digital Signature Plug in Architecture
Q & A <ul><li>Contacts: </li></ul><ul><ul><li>Dnickull@adobe.com (Blog: http://technoracle.blogspot.com) </li></ul></ul><u...
 
Architecture Summary – LiveCycle ES <ul><li>LC ES is a true platform. </li></ul><ul><li>Core services for PDF security, ri...
Advanced Encryption Standard (AES) How it actually works
AES <ul><li>AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits.  </li></ul><ul><li>The key is e...
Building an AES Cypher – Stages 1 & 2 <ul><ul><li>Subbyte:  Non-linear substitution step where each byte is replaced with ...
Building an AES Cypher – Stage 3 <ul><ul><li>MixColumns  - four bytes of each column (state) are combined using invertible...
Building an AES Cypher – Stage 4 <ul><li>AddRoundKey  - the subkey is combined with the state. For each round, a subkey is...
Technical Notes Supplemental
Confidentiality and Encryption of Information  <ul><li>Encryption  is the process of transforming information (plaintext) ...
Other security features… <ul><li>Authentication/integrity of electronic data.  </li></ul><ul><ul><li>Parity bits or Cyclic...
Security Regulations supplementry
Compliance <ul><li>Sarbanes-Oxley Section 404 </li></ul><ul><li>Section 404 of Sarbanes-Oxley specifically calls for US-li...
Compliance <ul><li>NASD 2711 </li></ul><ul><li>The National Association of Securities Dealers Rule 2711 (NASD 2711) stipul...
Compliance <ul><li>ITAR/Export Control </li></ul><ul><li>The U.S. government’s International Traffic in Arms Regulations (...
Compliance <ul><li>California's Information Practices Act (SB 1386) </li></ul><ul><li>California's Database Security Breac...
Compliance <ul><li>SEC 17a-4 </li></ul><ul><li>SEC Rule 17a-4 (in combination with 17a-3) of the Securities Exchange Act o...
Photo assets
<ul><li>Three (long) or four (short) bullets go here to describe the image, diagram or screenshot in the pod above </li></...
<ul><li>This layout is generally used for diagrams or large photos that look awkward in a pod </li></ul>*A 10 point footno...
<ul><li>Useful for comparing four concepts side-by-side </li></ul>*A 10 point footnote can go here, if necessary Pod 1 Tit...
<ul><li>Information goes here, and one or two images can sit in the gray area on the right </li></ul>*A 10 point footnote ...
<ul><li>Useful for comparing four concepts </li></ul>*A 10 point footnote can go here, if necessary Four Quadrant Split Po...
<ul><li>Useful for comparing two concepts side-by-side with data content below </li></ul>Optional Split Pod Layout
<ul><li>Useful for comparing two concepts side-by-side with data content below </li></ul>Optional Split Pod Layout
Upcoming SlideShare
Loading in …5
×

Adobe PDF and LiveCycle ES Security

4,365 views

Published on

An overview of how electronic signature objects are generated and used within PDF documents including the overview of Aodbe LiveCycle ES's ability to programmatically work with them server side.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,365
On SlideShare
0
From Embeds
0
Number of Embeds
43
Actions
Shares
0
Downloads
115
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide
  • Adobe PDF and LiveCycle ES Security

    1. 1. MAX 2007 CONNECT. DISCOVER. INSPIRE. LiveCycle Digital Security and Certification Duane Nickull, Sr. Technology Evangelist - Adobe Systems
    2. 2. Abstract (Remove) <ul><li>This session will focus on the persistent rights management and document security technologies in the LiveCycle Enterprise Suite. The components explored will include LiveCycle Digital Signatures ES and LiveCycle Rights Management (formerly Policy Server). The thrust of the talk will focus on LiveCycle ES as a service oriented platform for delivering key interactions with remote clients but will also showcase core capabilities and delve quickly into SDK's and API's for developers. </li></ul>
    3. 3. Today’s Agenda – one hour <ul><li>Architecture Dive – Adobe LiveCycle ES </li></ul><ul><ul><li>Security Architecture </li></ul></ul><ul><li>Digital Signatures </li></ul><ul><li>LiveCycle Digital Signatures – Intro, Deployment, API’s </li></ul><ul><li>Adobe LiveCycle Rights Management – Intro, Architecture for deployment, Demo </li></ul><ul><li>Acrobat Digital Signature API Reference – Review </li></ul><ul><li>Resources: </li></ul><ul><ul><li>Adobe Developer Network </li></ul></ul><ul><ul><li>Google Groups (LiveCycle) </li></ul></ul>
    4. 4. Old model for enterprise architecture (simple) Server Client
    5. 5. Enterprise 2.0 <ul><li>Definition: An adoption of Web 2.0 design patterns by Enterprises </li></ul><ul><li>Abstract Model for connecting and integrating capabilities and users </li></ul>Patterns of interaction “ Don't treat software as an artifact, but as a process of engagement with your users. “ - Tim O’Reilly Users Services Capabilities Client Applications/Runtimes Connectivity/Reachability SOA
    6. 6. LiveCycle ES Architecture
    7. 7. The Genesis of LiveCycle ES I want to connect these world! Distributors & Agencies Internal Processes ERP / ECM / CRM / BPM / Accounting Customers & Citizens Suppliers & Contractors
    8. 8. Closing the Engagement Gap with LiveCycle Distributors & Agencies Internal Processes ERP / ECM / CRM / BPM / Accounting Customers & Citizens Suppliers & Contractors LiveCycle Scalable engagement services Document Output Electronic Forms Rich Internet Applications Enterprise Rights Management Digital Signatures “ Human-centric” BPM
    9. 9. The Adobe technology platform architecture Service Tier Resource Tier EIS Databases Directories ECM Repository Message Queues Legacy Systems Design & Development Tools Client Application Tier HTTP/S, Sockets, AMF, RTMP, SOAP, WS*, REST, … Printing & Scanning Reader Acrobat Connect Browsers Flash Player Flex AIR (Apollo) Acrobat Service Invocation Layer Service Container Registry Service Provider Interface LC Core Services 3rd Party Services Other? ? … LC Data Services Flex Builder Eclipse Notepad LiveCycle Designer WorkBench
    10. 10. Adobe LiveCycle ES Service Components Service Tier Service Invocation Layer Service Container Registry Service Provider Interface LC Core Services 3rd Party Services Forms Process Management Production Print Barcoded Forms PDF Generator Reader Extensions Common Administration, Orchestration, Security, Encryption Output Rights Management Digital Signatures Data Services
    11. 11. LC ES Digital Signature Ecosystem
    12. 12. LiveCycle Invocation
    13. 13. Digital Signatures Adobe LiveCycle Document Security Server
    14. 14. Digital Signatures <ul><li>DSig enables recipients to verify the integrity of an electronic document. </li></ul><ul><li>Integrity subject to many types of attacks. Mechanisms to combat include: </li></ul><ul><ul><li>Parity Bits or Cyclical Redundancy Checking ( CRC ) functions - works well for intentional modifications but clever hackers can circumvent. </li></ul></ul><ul><ul><li>One way hash (fixed length value) - unique fingerprint can detect if document has been altered by re-computing the hash (commonly MD5, SHA-1, SHA-256 ) </li></ul></ul><ul><ul><li>Message Authentication Codes (MAC) - prevent hacker from intercepting, modifying and attaching new hash. Symmetric key is connected to the MAC then hashed ( HMAC ). Without the key, attacker cannot forge new message. </li></ul></ul>
    15. 15. How it works - Signing PDF Documents
    16. 16. ByteRange and Signature value
    17. 17. The PDF Save/Hash/Update Process <ul><ul><li>Hash computed over entire PDF file </li></ul></ul><ul><ul><ul><li>byte 0 to last, excluding signature </li></ul></ul></ul><ul><ul><li>Signature placed in PDF: </li></ul></ul><ul><ul><ul><li>PDF -> disk worst case space left for sig value. </li></ul></ul></ul><ul><ul><ul><li>Once sig value is known (offsets in file), ByteRange array overwritten with absolutes. NOTE: byte offsets MUST NOT change, extra bytes overwritten with spaces. </li></ul></ul></ul><ul><ul><ul><li>Hash of entire file computed using SHA-1. </li></ul></ul></ul><ul><ul><ul><li>Hash encrypted with signer’s private key </li></ul></ul></ul><ul><ul><ul><li>PKCS#7 signature object generated. </li></ul></ul></ul><ul><ul><ul><li>Signature object placed in file on disk, overwrites placeholder value. Space not used for the signature object is overwritten with spaces. </li></ul></ul></ul><ul><ul><ul><li>PDF re-loaded in Acrobat. Ensures in-memory and disk versions match. </li></ul></ul></ul>
    18. 18. Multiple Signatures
    19. 19. Dsig Check list <ul><li>Public Key Infrastructure (PKI) </li></ul><ul><li>Certificate Revocation List (CRL) </li></ul><ul><li>Online Certificate Status Protocol (OCSP) </li></ul>
    20. 20. PKI mechanisms <ul><li>Public Key Cryptography Standards (PKCS) - set of standard protocols used by PKI vendors including RSA encryption, cryptographic syntax for S/MIME, extended certificate syntax and more. </li></ul><ul><li>Registration Authority (RA) - background checks of people, PDP authentication. </li></ul><ul><li>Certificate Repositories;, Key update, backup, recover, history; Cross-certification and Time stamping. </li></ul>
    21. 21. Demo <ul><li>Adobe Acrobat </li></ul><ul><li>Custom Communications Form Sample </li></ul><ul><ul><li>Simple signing and break signature value. </li></ul></ul>
    22. 22. Adobe LiveCycle Digital Signatures
    23. 23. LiveCycle Digital Signatures <ul><li>Server used for: </li></ul><ul><ul><ul><li>Publishing &quot;certified&quot; documents that can prove the authenticity and integrity of the document. </li></ul></ul></ul><ul><ul><ul><li>Control the changes that are permitted in documents as they flow through a business process with a certification signature. </li></ul></ul></ul><ul><ul><ul><li>Digitally sign documents before they are archived to improve compliance metrics. </li></ul></ul></ul><ul><ul><ul><li>Automate the signature validation process for PDF documents. </li></ul></ul></ul><ul><ul><ul><li>Leverage existing investments in public key infrastructure (PKI) protocols. </li></ul></ul></ul>
    24. 24. For developers <ul><li>http://livedocs.adobe.com/ </li></ul>
    25. 25. Samples - retrieve Dsig field names <ul><li>import java.util.*; </li></ul><ul><li>import java.io.FileInputStream; </li></ul><ul><li>import com.adobe.livecycle.signatures.client.*; </li></ul><ul><li>import com.adobe.livecycle.signatures.client.types.*; </li></ul><ul><li>import com.adobe.idp.Document; </li></ul><ul><li>import com.adobe.idp.dsc.clientsdk.ServiceClientFactory; </li></ul><ul><li>public class GetSignatureFields { </li></ul><ul><li>public static void main(String[] args) { </li></ul><ul><li>try { </li></ul><ul><li>//Set connection properties required to invoke LiveCycle ES Properties connectionProps = new Properties(); </li></ul><ul><li>connectionProps.setProperty(&quot;DSC_DEFAULT_EJB_ENDPOINT&quot;, &quot;jnp://localhost:1099&quot;); </li></ul><ul><li>connectionProps.setProperty(&quot;DSC_TRANSPORT_PROTOCOL&quot;,&quot;EJB&quot;); </li></ul><ul><li>connectionProps.setProperty(&quot;DSC_SERVER_TYPE&quot;, &quot;JBoss&quot;); </li></ul><ul><li>connectionProps.setProperty(&quot;DSC_CREDENTIAL_USERNAME&quot;, &quot;administrator&quot;); </li></ul><ul><li>connectionProps.setProperty(&quot;DSC_CREDENTIAL_PASSWORD&quot;, &quot;password&quot;); </li></ul>
    26. 26. Samples - retrieve Dsig field names (2) <ul><li>//Create a ServiceClientFactory instance </li></ul><ul><li>ServiceClientFactory myFactory </li></ul><ul><li>ServiceClientFactory.createInstance(connectionProps); </li></ul><ul><li>//Create a SignatureServiceClient object </li></ul><ul><li>SignatureServiceClient signClient = new SignatureServiceClient(myFactory); </li></ul><ul><li>//Specify a PDF document that contains signature fields </li></ul><ul><li>FileInputStream fileInputStream = new FileInputStream(&quot;C:dobeoan.pdf&quot;); </li></ul><ul><li>Document inDoc = new Document (fileInputStream); </li></ul><ul><li>//Retrieve the name of the document’s signature fields </li></ul><ul><li>List fieldNames = signClient.getSignatureFieldList(inDoc); </li></ul>
    27. 27. Samples - retrieve Dsig field names (3) <ul><li>//Obtain the name of each signature field by iterating List </li></ul><ul><li>Iterator iter = fieldNames.iterator(); </li></ul><ul><li>int i = 0 ; </li></ul><ul><li>String fieldName=&quot;&quot;; </li></ul><ul><li>while (iter.hasNext()) { </li></ul><ul><li>PDFSignatureField signatureField = (PDFSignatureField)iter.next(); </li></ul><ul><li>fieldName = signatureField.getName(); </li></ul><ul><li>System.out.println(&quot;The name of the signature field is &quot; +fieldName); </li></ul><ul><li>i++; </li></ul><ul><li> } </li></ul><ul><li>}catch (Exception ee) { </li></ul><ul><li> ee.printStackTrace(); </li></ul><ul><li>} </li></ul>
    28. 28. Adobe LiveCycle Rights Management
    29. 29. Securing information is important ”not optional” <ul><li>Mandatory compliance with: </li></ul><ul><ul><li>Sarbanes-Oxley (Section 404) (USA) </li></ul></ul><ul><ul><li>NASD 2711 (USA) </li></ul></ul><ul><ul><li>BS1779 – (UK) </li></ul></ul><ul><ul><li>ITAR Export Control </li></ul></ul><ul><ul><li>Directive 95/46/EC of the European Parliament </li></ul></ul><ul><ul><li>California's Information Practices Act (SB 1386) </li></ul></ul><ul><ul><li>SEC Rule 17a-4 </li></ul></ul><ul><ul><li>HIPAA </li></ul></ul><ul><ul><li>Personal Information Protection and Electronic Documents Act (Canada) </li></ul></ul><ul><li>Protect corporate image / brand trust </li></ul><ul><ul><li>Employee turnover increases risk; mobile workstations, theft of laptops etc. </li></ul></ul><ul><ul><li>Prevent Phishing (customer relations ruined) </li></ul></ul><ul><li>Mitigate the risk of espionage </li></ul><ul><ul><li>Removes the temptation and mitigates accidental disclosure. </li></ul></ul>
    30. 30. <ul><li>Lack persistent access controls to prevent information re-distribution </li></ul><ul><li>Cannot dynamically change rights/access after distribution </li></ul>Shortcomings of Current Information Assurance Approaches Author Secure Pipe Approach Access Control Approach File System Recipient Unauthorized Users
    31. 31. Adobe® LiveCycle™ Rights Management <ul><li>Controls </li></ul><ul><ul><li>Who can open a document </li></ul></ul><ul><ul><li>What they can do with it </li></ul></ul><ul><ul><li>Expiration/revocation </li></ul></ul><ul><ul><li>Version control </li></ul></ul><ul><ul><li>Auditing </li></ul></ul><ul><li>Works with Adobe Acrobat, Microsoft Office and CATIA </li></ul>
    32. 32. Adobe provides persistent protection for information
    33. 33. Adobe’s Contribution to Information Assurance <ul><li>Data is secured at the document level, throughout its lifecycle </li></ul><ul><li>Document authenticity/integrity can be verified at any time </li></ul><ul><li>Only the intended recipients can view protected documents </li></ul><ul><li>A chain of custody is maintained for all documents via an audit trail </li></ul><ul><li>Protected documents are easily shared across organizations </li></ul>
    34. 34. Security technologies
    35. 35. Secure Messaging (WS-Security)
    36. 36. Deployment Architecture – within enterprise
    37. 37. Deployment Architecture – external use
    38. 38. Demo ! <ul><li>LiveCycle Rights Management </li></ul>
    39. 39. Orchestrating Security And demo…
    40. 40. Digital Signature Plug in Architecture <ul><li>Adobe Acrobat implements digital signatures using plug-ins for generic functions common to all digital signatures. </li></ul><ul><li>Support for specific kinds of signatures (signing methods): </li></ul><ul><ul><li>Public-private key (PPK) </li></ul></ul><ul><ul><li>Handwriting </li></ul></ul><ul><ul><li>Biometrics (retinal scans, fingerprints) </li></ul></ul><ul><ul><li>… </li></ul></ul><ul><li>Development Kit (SDK): </li></ul><ul><li>http://partners.adobe.com/asn/developer/acrosdk/main.html </li></ul>
    41. 41. Digital Signature Plug in Architecture
    42. 42. Q & A <ul><li>Contacts: </li></ul><ul><ul><li>Dnickull@adobe.com (Blog: http://technoracle.blogspot.com) </li></ul></ul><ul><li>References: </li></ul><ul><ul><li>LiveCycle Developer Centre: http://www.adobe.com/devnet/livecycle/ </li></ul></ul><ul><ul><li>Google Groups - LiveCycle Developers Group </li></ul></ul>
    43. 44. Architecture Summary – LiveCycle ES <ul><li>LC ES is a true platform. </li></ul><ul><li>Core services for PDF security, rights management, generation and various core libraries. </li></ul><ul><li>Service invocation layer calls underlying capabilities and APIs. </li></ul><ul><li>Operations exposed by Invocation later for the PDF Encryption Service may be called locally or remotely. </li></ul><ul><li>Remote callers can use: </li></ul><ul><ul><li>Watch Folder </li></ul></ul><ul><ul><li>Web Services </li></ul></ul><ul><ul><li>EJB’s </li></ul></ul><ul><ul><li>Other… </li></ul></ul><ul><li>PDF Encryption Service exposed via a Developer SDK used for integration with Third Party Applications. </li></ul>
    44. 45. Advanced Encryption Standard (AES) How it actually works
    45. 46. AES <ul><li>AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits. </li></ul><ul><li>The key is expanded using Rijndael's key schedule. </li></ul><ul><li>Most of AES calculations are done in a special finite field. </li></ul><ul><li>Operates on a 4×4 array of bytes (the State ) </li></ul><ul><li>For encryption, each round of AES (except the last round) consists of four stages: </li></ul><ul><ul><li>SubBytes, ShiftRows, MixColumns and AddRoundKey </li></ul></ul><ul><li>The final round omits the MixColumns stage. </li></ul>
    46. 47. Building an AES Cypher – Stages 1 & 2 <ul><ul><li>Subbyte: Non-linear substitution step where each byte is replaced with another according to a lookup table. </li></ul></ul><ul><ul><li>ShiftRows — a transposition step where each row of the state is shifted cyclically a certain number of steps. </li></ul></ul>
    47. 48. Building an AES Cypher – Stage 3 <ul><ul><li>MixColumns - four bytes of each column (state) are combined using invertible linear transformation. Each column is treated as a polynomial over GF ( 28 ) and is then multiplied modulo x 4 + 1 with a fixed polynomial c ( x ) = 3 x 3 + x 2 + x + 2. </li></ul></ul>
    48. 49. Building an AES Cypher – Stage 4 <ul><li>AddRoundKey - the subkey is combined with the state. For each round, a subkey is derived from the main key using the key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR. </li></ul>
    49. 50. Technical Notes Supplemental
    50. 51. Confidentiality and Encryption of Information <ul><li>Encryption is the process of transforming information (plaintext) into an incomprehensible form (ciphertext). Encryption is an effective technique for managing document access. </li></ul><ul><li>Decryption is the reverse process that transforms ciphertext back to the original plaintext. </li></ul><ul><li>Cryptography refers to the two processes of encryption and decryption and its implementation is referred to as a cryptosystem . </li></ul><ul><li>Keys are used for encryption and decryption. </li></ul><ul><ul><li>Symmetric Keys – Adobe uses 128 bit AES keys for documents. </li></ul></ul><ul><ul><li>Asymmetric Keys – Adobe uses RSA (512-, 1024-, and 2048-bit) elsewhere </li></ul></ul><ul><ul><li>Adobe also offers a hybrid approach for encryption. </li></ul></ul>
    51. 52. Other security features… <ul><li>Authentication/integrity of electronic data. </li></ul><ul><ul><li>Parity bits or Cyclical Redundancy Checking (CRC) functions —CRC functions work well for unintentional modifications, such as wire interference, but they can be circumvented by a clever attacker. </li></ul></ul><ul><ul><li>One-way hash —creates hash value or message digest for a message of any length. Adobe has adopted the SHA-1 and SHA-256 algorithms because of their wide acceptance as a security standard. </li></ul></ul><ul><ul><li>Message Authentication Codes (MAC) —prevents an attacker from obtaining the original message, modifying it, and attaching a new hash. In this case, a symmetric key is connected to the MAC and then hashed (HMAC). Without the key, an attacker cannot forge a new message. Adobe uses HMACs where appropriate. </li></ul></ul>
    52. 53. Security Regulations supplementry
    53. 54. Compliance <ul><li>Sarbanes-Oxley Section 404 </li></ul><ul><li>Section 404 of Sarbanes-Oxley specifically calls for US-listed companies to establish and maintain the necessary internal control mechanisms to ensure the financial reporting process complies with the law. In order to comply with section 404 of Sarbanes-Oxley, companies must implement internal controls that: </li></ul><ul><ul><li>Expire access to spreadsheets with errors </li></ul></ul><ul><ul><li>Protect data from access and modification by unauthorized users </li></ul></ul><ul><ul><li>Track actions on data as it crosses application and organizational boundaries </li></ul></ul><ul><ul><li>http://www.sec.gov/rules/final/33-8238.htm </li></ul></ul>
    54. 55. Compliance <ul><li>NASD 2711 </li></ul><ul><li>The National Association of Securities Dealers Rule 2711 (NASD 2711) stipulates that investment banking be run separately from research and trading to ensure trust in the public markets. And while organizations may attempt to prohibit communication between these groups, email and other technologies serve as a conduit of improper communication. It may also be in the interest of the bank to allow an analyst to “cross the wall” for a particular engagement. However, it is necessary to ensure that information obtained during that engagement stays on the appropriate side of the wall.   </li></ul><ul><li>In order to comply with NASD 2711, financial organizations must: </li></ul><ul><ul><li>Identify and protect regulated data wherever it is stored, transmitted or processed </li></ul></ul><ul><ul><li>Prevent unauthorized data access and usage </li></ul></ul><ul><ul><li>Ensure that end-users cannot arbitrarily remove protection </li></ul></ul><ul><ul><li>Provide evidentiary-quality audit trails that prove data is protected </li></ul></ul><ul><li>http://www.nasd.com/web/idcplg?IdcService=SS_GET_PAGE&nodeId=653 </li></ul>
    55. 56. Compliance <ul><li>ITAR/Export Control </li></ul><ul><li>The U.S. government’s International Traffic in Arms Regulations (ITAR) govern the dissemination of a broad array of information. Among other requirements, they prohibit disclosing or transferring regulated technical data to a foreign person, whether in the United States or abroad. Companies that export products—particularly in the high-tech, aviation, and military sectors—must put in place mechanisms that prevent violations of U.S. export laws. These regulations hold companies accountable for the acts of anyone that accesses technical data. Penalties for export violations can be severe—$1M and 10 years in prison per violation, prohibitions against future exports by the company, and the loss of government contracts.   </li></ul><ul><li>The Department of State’s Directorate of Defense Trade Controls has guidelines that suggest: </li></ul><ul><ul><li>Export controlled documents should be “tagged” to identify their status </li></ul></ul><ul><ul><li>Establishing a procedure to combat illegal transfers </li></ul></ul><ul><ul><li>Regular audits to ensure integrity of program </li></ul></ul><ul><ul><li>Procedures to investigate any potential diversions </li></ul></ul><ul><ul><li>https://www.pmdtc.org/docs/itar/itar_part_125.pdf </li></ul></ul>
    56. 57. Compliance <ul><li>California's Information Practices Act (SB 1386) </li></ul><ul><li>California's Database Security Breach Notification Act ( SB 1386 ) and General Security Standard for Businesses (AB 1950) require companies and government agencies that store personal information on California residents to implement safety procedures that safeguard data and disclose any breach of security to the individuals affected.  Personal information includes an individual's first name or first initial and last name in combination with any one or more of the following data elements: </li></ul><ul><ul><li>Social security number, driver’s license number or California identification card number </li></ul></ul><ul><ul><li>Account number, credit or debit card number, in combination with any required security code, access code or password that permits access to an account </li></ul></ul><ul><ul><li>Medical information </li></ul></ul><ul><li>Companies that fail to implement information security procedures and/or disclose security breaches face potential liability from class action suits and irreversible brand damage.  Furthermore, Congressional legislation is under consideration to set a national standard similar to California's for protecting personal information.  </li></ul><ul><li>http://searchcio.techtarget.com/originalContent/0,289142,sid19_gci941077,00.html </li></ul>
    57. 58. Compliance <ul><li>SEC 17a-4 </li></ul><ul><li>SEC Rule 17a-4 (in combination with 17a-3) of the Securities Exchange Act of 1934 requires broker-dealers to create and preserve in an easily accessible manner, a comprehensive record of each securities transaction and their securities business in general.  These preserved records are used by the SEC to monitor compliance with applicable securities laws including antifraud provisions and financial responsibility standards. </li></ul><ul><li>  </li></ul><ul><li>To ensure compliance with SEC Rule 17a-4, broker-dealers must: </li></ul><ul><ul><li>Maintain and retain certain records for the required retention period </li></ul></ul><ul><ul><li>Store the records in a manner that prevents them from being overwritten, erased or otherwise altered </li></ul></ul><ul><ul><li>Have in place a system to show the audit trail of each record and provide verification that the records were not altered </li></ul></ul>
    58. 59. Photo assets
    59. 60. <ul><li>Three (long) or four (short) bullets go here to describe the image, diagram or screenshot in the pod above </li></ul>*A 10 point footnote can go here, if necessary 50-50 Split Pod Layout
    60. 61. <ul><li>This layout is generally used for diagrams or large photos that look awkward in a pod </li></ul>*A 10 point footnote can go here, if necessary No Pod Layout
    61. 62. <ul><li>Useful for comparing four concepts side-by-side </li></ul>*A 10 point footnote can go here, if necessary Pod 1 Title Pod 2 Title Pod 3 Title Pod 4 Title 4 Column Split Pod Layout
    62. 63. <ul><li>Information goes here, and one or two images can sit in the gray area on the right </li></ul>*A 10 point footnote can go here, if necessary Pod-On-Right Layout
    63. 64. <ul><li>Useful for comparing four concepts </li></ul>*A 10 point footnote can go here, if necessary Four Quadrant Split Pod Layout
    64. 65. <ul><li>Useful for comparing two concepts side-by-side with data content below </li></ul>Optional Split Pod Layout
    65. 66. <ul><li>Useful for comparing two concepts side-by-side with data content below </li></ul>Optional Split Pod Layout

    ×