More Related Content

Similar to Digital Signatures: how it's done in PDF(20)


Digital Signatures: how it's done in PDF

  1. Digital Signatures How it’s done in PDF
  2. iText, an open source PDF library Java C#
  3. Shareholders: -Ingeborg Willaert (50%) -Bruno Lowagie (50%) iText Group NV °2008 Belgium IP, TM, Development Marketing iText Software BVBA °2011 Belgium Sales EMEA/Asia iText Software Corp. °2009 USA (CA/MA) Sales Americas/Oceania Board of Directors: -Peter Camps (chairman) -Ingeborg Willaert -Bruno Lowagie Advisory Board: -Andrew Binstock -Mark de Visser -Bernard Slede iTextGroup Benelux: 10th place Belgium: 3rd place
  4. Agenda •Why do we need digital signatures? •Basic concepts… •… applied to PDF •Architectures: server-side vs. client-side •Digital signatures and document workflow •Long term validation
  5. Introduction Why do we need digital signatures?
  6. Integrity I paid a forged invoice and lost 30K€!
  7. Authenticity Why am I, Emperor Constantine I, in this picture? I never transferred authority to the Pope!
  8. Non-repudiation I didn’t do it!
  9. Three goals •Integrity —we want assurance that the document hasn’t been changed somewhere in the workflow •Authenticity —we want assurance that the author of the document is who we think it is (and not somebody else) •Non-repudiation —we want assurance that the author can’t deny his authorship.
  10. Part 1 Basic concepts…
  11. Concept 1: Hashing •Hashing algorithm: •a cryptographic hash function to turn an arbitrary block of data into a fixed-size bit string. •Available algorithms: •MD5: Ron Rivest •SHA: •SHA-1: NSA (Being phased out!) •SHA-2: NSA / NIST •NEW: SHA-3 contest winner “Keccak” •RIPEMD: KULeuven
  12. Concept 1: Integrity check using hash Document Generate Hash AF1B4C...D34E Secure Server / Website Retrieve Hash AF1B4C...D34E Compare!
  13. Concept 2: encryption •Assymetric key algorithms •Encryption •Digital signing
  14. Some name dropping •Public Key Cryptography Standards •PKCS#1: RSA Cryptography Standard (Rivest, Shamir, Adleman) •PKCS#7: Cryptographic Message Standard (CMS) •PKCS#11: Cryptographic Token Interface •PKCS#12: PersonalInformation Exchange SyntaxStandard •PKCS#13: Elliptic Curve Cryptography Standard (ECDSA) •Federal Information Processing Standards (FIPS) •DSA: Digital Signature Algorithm (DSA) •European Telecommunications Standards Institute (ETSI) •CMS Advanced Electronic Signatures (CAdES)
  15. Concept 1 + Concept 2 •Producer •Provides data as-is •Provides hash encrypted using private key •Provides public key •Consumer •Creates hash from data: hash1 •Decrypts hash using public key: hash2 •If (hash1== hash2) document OK!
  16. Goals met? •Integrity: •hashes are identical •Authenticity: •identity found along with public key •Non-repudiation: •if hash can be decrypted with public key, the document was signed with the corresponding private key
  17. Differences between EU and US •In the US, we make a distinction: •Electronic signatures don’t necessarily involve PKI •Digital signatures when a PKI infrastructure is involved •In Europe, we speak of electronic signatures •As a synonymfor digital signatures •All laws and regulations take this wording •There’s no sharp distinction between electronic and digital signatures (which leads to confusion) •I always speak of digital signatures
  18. Part 2 … applied to PDF
  19. Standards •ISO •ISO-32000-1 (2008) based on PDF 1.7 (2006) •ISO-32000-2 will define PDF 2.0 (2016) •ETSI: TS 102 778 (2009 -2010) •PAdES1: Overview •PAdES2: Basic –CMS based (ISO-32000-1) •PAdES3: Enhanced –CAdESbased (ISO-32000-2) •PAdES4: LTV –Long Term Validation •PAdES5: XAdESbased (XML content) •PAdES6: Visual representation guidelines •ETSI: TS 103 172 (2011 -2013) •PAdESBaseline Profile
  20. Signatures in PDF •There are no bytes in the PDF that aren’t covered, other than the PDF signature itself. (*) •The digital signature isn’t part of the ByteRange. •The concept “to initial a document” doesn’t exist; you sign the complete document at once, not on a page per page basis. (*)
  21. Some PDF terminology •Signature field: •Visualisation (onewidget annotation) •Extra info about signature (Lock, SV) •/V refers to the signature dictionary •Signing: •Creating an /APfor the widget annotation •Creating a signature dictionary for /V
  22. What’s inside the signature? %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DIGITAL SIGNATURE •Signed Message Digest •Certificatechain •Revocation information •Timestamp ISO-32000-2: At minimum the PKCS#7 object shall include the signer’s X.509 signing certificate. This certificate shall be used to verify the signature value in /Contents. Best practices (“should” also have): •Full certificate chain •Revocation information (CRL / OCSP) •Timestamp
  23. Part 3 Architectures: Server-side vs. client-side signing
  24. Server-side signing <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Signed Message Digest Application Device SERVER
  25. Use cases server-side signing •Company signature •Invoices •Contracts •… •Signing services in the Cloud •Docusign •Echosign •… •Security management responsibilities!
  26. Client-side signing <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Signed Message Digest Application Device CLIENT
  27. Use cases client-side signing •Desktop applications •Adobe Acrobat Pro •Adobe Reader (only for Reader-enabled documents) •Home made, e.g. using iText •In a web context •The PDF software runs on the client, e.g. using Java Web Start •Access to the token or smart card through •MSCAPI •PKCS#11 •Custom smart card library •Security •User has smart card and PIN or USB token and passphrase
  28. Deferred signing Signed Message Digest App Device CLIENT <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Application SERVER
  29. Use cases deferred signing •Signing on an iPad / Tablet •App on the device has low footprint •Easy to link to integrate into a document management system •Disadvantage •You need to trust the server that the hash you receive is actually the hash of the document you want to sign •Common Criteria •a framework in which computer system users can specifytheir security functionaland assurancerequirements (SFRs and SARs respectively) through the use of Protection Profiles (PPs), vendors can then implementand/or make claims about the security attributes of their products, and testing laboratories can evaluatethe products to determine if they actually meet the claims.
  30. Part 4 Digital signatures and document workflow
  31. Digital signatures: types •Certification (aka author) signature •only possible for the first revision (*) •involves modification detection permissions: •No changes allowed •Form filling and signing allowed •Form filling, signing and commenting allowed •Approval (aka recipient) signature •workflow with subsequent signers •New in PDF 2.0: modification detection permissions •Usage Rights signature •involving Adobe’s private key to Reader enable a PDF
  32. Other possible icons •Signer’s identity is unknown •Document has been altered or corrupted
  33. Serial signatures %PDF-1.x %Originaldocument % Additional content 1 ... ... %%EOF DIGITAL SIGNATURE 1 ... %%EOF DIGITAL SIGNATURE 2 % Additional content 2 ... ... %%EOF DIGITAL SIGNATURE 3 Rev1 Rev2 Rev3 A PDF document can be signed more than once, but parallel signatures aren’t supported, only serial signatures: additional signatures sign all previous signatures.
  34. Certified by Alice
  35. Read and approved by Bob
  36. Signed by Bob
  37. Bob’s signature invalidated by Chuck
  38. Read, approved and signed by Carol
  39. Read, approved, and signed by Dave
  40. Signature and lock broken by Chuck
  41. Part 5 Long-term validation
  42. Certificates expire Expiration date 2012 2013 2014
  43. Certificates get revoked Expiration date Revocation date 2012 2013 2014
  44. How to survive revocation / expiration? 2012 2013 2014 Expiration date Revocation date
  45. Timestamps
  46. What to do when: •There’s no CRL/OCSP/TS in the document? •The certificate is about to expire in one of your documents? •The hashing / encryption algorithm is about to be deprecated?
  47. Document Security Store %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DIGITAL SIGNATURE •Signed Message Digest •Certificate %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DIGITAL SIGNATURE •Signed Message Digest •Certificate
  48. Document-level timestamp %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 ETSI.RFC3161 DIGITAL SIGNATURE •Signed Message Digest •Certificate DIGITAL SIGNATURE •Signed Message Digest •Certificate
  49. Repeat as soon as needed %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 DSS for TS1 DOCUMENT TIMESTAMP TS2 DIGITAL SIGNATURE •Signed Message Digest •Certificate DIGITAL SIGNATURE •Signed Message Digest •Certificate
  50. Q & A EMEAKerkstraat 1089050 GentbruggeBELGIUME: T: +32 92 98 02 31F: +32 92 70 33 75 Americas, Oceania1 Broadway, 14th floorCambridge, MA 02142USA E: sales.isc@itextpdf.comT: +1 617 982 2646 F: +1 617 982 2647 iText HQAdolf Baeyensstraat 1219040 Sint-AmandsbergBELGIUM Asia71 Ayer Rajah Crescent #05-04139951SINGAPOREE: sales.isa@itextpdf,com T: tel: +65 31 58 39 47