SlideShare a Scribd company logo

Digital Signatures: how it's done in PDF

iText Group nv
iText Group nv

These are the slides that were be presented at a GlobalSign customer event in Leuven on September 16, 2014. In my talk, I explained why digital signatures are important. I introduced the audience to the basic concepts used when signing documents and showed how these concepts are used in the context of PDF. Furthermore, I discussed different architectures to implement a digital signature solution, as well as how digital signatures can be used in a workflow and how we can create digital signatures for the long term.

Technology
1 of 50
Download to read offline
Digital Signatures How it’s done in PDF
iText, an open source PDF library Java C#
Shareholders: -Ingeborg Willaert (50%) -Bruno Lowagie (50%) iText Group NV °2008 Belgium IP, TM, Development Marketing iText Software BVBA °2011 Belgium Sales EMEA/Asia iText Software Corp. °2009 USA (CA/MA) Sales Americas/Oceania Board of Directors: -Peter Camps (chairman) -Ingeborg Willaert -Bruno Lowagie Advisory Board: -Andrew Binstock -Mark de Visser -Bernard Slede iTextGroup Benelux: 10th place Belgium: 3rd place
Agenda •Why do we need digital signatures? •Basic concepts… •… applied to PDF •Architectures: server-side vs. client-side •Digital signatures and document workflow •Long term validation
Introduction Why do we need digital signatures?
Integrity I paid a forged invoice and lost 30K€!
Authenticity Why am I, Emperor Constantine I, in this picture? I never transferred authority to the Pope!
Non-repudiation I didn’t do it!
Three goals •Integrity —we want assurance that the document hasn’t been changed somewhere in the workflow •Authenticity —we want assurance that the author of the document is who we think it is (and not somebody else) •Non-repudiation —we want assurance that the author can’t deny his authorship.
Part 1 Basic concepts…
Concept 1: Hashing •Hashing algorithm: •a cryptographic hash function to turn an arbitrary block of data into a fixed-size bit string. •Available algorithms: •MD5: Ron Rivest •SHA: •SHA-1: NSA (Being phased out!) •SHA-2: NSA / NIST •NEW: SHA-3 contest winner “Keccak” •RIPEMD: KULeuven
Concept 1: Integrity check using hash Document Generate Hash AF1B4C...D34E Secure Server / Website Retrieve Hash AF1B4C...D34E Compare!
Concept 2: encryption •Assymetric key algorithms •Encryption •Digital signing
Some name dropping •Public Key Cryptography Standards •PKCS#1: RSA Cryptography Standard (Rivest, Shamir, Adleman) •PKCS#7: Cryptographic Message Standard (CMS) •PKCS#11: Cryptographic Token Interface •PKCS#12: PersonalInformation Exchange SyntaxStandard •PKCS#13: Elliptic Curve Cryptography Standard (ECDSA) •Federal Information Processing Standards (FIPS) •DSA: Digital Signature Algorithm (DSA) •European Telecommunications Standards Institute (ETSI) •CMS Advanced Electronic Signatures (CAdES)
Concept 1 + Concept 2 •Producer •Provides data as-is •Provides hash encrypted using private key •Provides public key •Consumer •Creates hash from data: hash1 •Decrypts hash using public key: hash2 •If (hash1== hash2) document OK!
Goals met? •Integrity: •hashes are identical •Authenticity: •identity found along with public key •Non-repudiation: •if hash can be decrypted with public key, the document was signed with the corresponding private key
Differences between EU and US •In the US, we make a distinction: •Electronic signatures don’t necessarily involve PKI •Digital signatures when a PKI infrastructure is involved •In Europe, we speak of electronic signatures •As a synonymfor digital signatures •All laws and regulations take this wording •There’s no sharp distinction between electronic and digital signatures (which leads to confusion) •I always speak of digital signatures
Part 2 … applied to PDF
Standards •ISO •ISO-32000-1 (2008) based on PDF 1.7 (2006) •ISO-32000-2 will define PDF 2.0 (2016) •ETSI: TS 102 778 (2009 -2010) •PAdES1: Overview •PAdES2: Basic –CMS based (ISO-32000-1) •PAdES3: Enhanced –CAdESbased (ISO-32000-2) •PAdES4: LTV –Long Term Validation •PAdES5: XAdESbased (XML content) •PAdES6: Visual representation guidelines •ETSI: TS 103 172 (2011 -2013) •PAdESBaseline Profile
Signatures in PDF •There are no bytes in the PDF that aren’t covered, other than the PDF signature itself. (*) •The digital signature isn’t part of the ByteRange. •The concept “to initial a document” doesn’t exist; you sign the complete document at once, not on a page per page basis. (*)
Some PDF terminology •Signature field: •Visualisation (onewidget annotation) •Extra info about signature (Lock, SV) •/V refers to the signature dictionary •Signing: •Creating an /APfor the widget annotation •Creating a signature dictionary for /V
What’s inside the signature? %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DIGITAL SIGNATURE •Signed Message Digest •Certificatechain •Revocation information •Timestamp ISO-32000-2: At minimum the PKCS#7 object shall include the signer’s X.509 signing certificate. This certificate shall be used to verify the signature value in /Contents. Best practices (“should” also have): •Full certificate chain •Revocation information (CRL / OCSP) •Timestamp
Part 3 Architectures: Server-side vs. client-side signing
Server-side signing <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Signed Message Digest Application Device SERVER
Use cases server-side signing •Company signature •Invoices •Contracts •… •Signing services in the Cloud •Docusign •Echosign •… •Security management responsibilities!
Client-side signing <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Signed Message Digest Application Device CLIENT
Use cases client-side signing •Desktop applications •Adobe Acrobat Pro •Adobe Reader (only for Reader-enabled documents) •Home made, e.g. using iText •In a web context •The PDF software runs on the client, e.g. using Java Web Start •Access to the token or smart card through •MSCAPI •PKCS#11 •Custom smart card library •Security •User has smart card and PIN or USB token and passphrase
Deferred signing Signed Message Digest App Device CLIENT <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Application SERVER
Use cases deferred signing •Signing on an iPad / Tablet •App on the device has low footprint •Easy to link to integrate into a document management system •Disadvantage •You need to trust the server that the hash you receive is actually the hash of the document you want to sign •Common Criteria •a framework in which computer system users can specifytheir security functionaland assurancerequirements (SFRs and SARs respectively) through the use of Protection Profiles (PPs), vendors can then implementand/or make claims about the security attributes of their products, and testing laboratories can evaluatethe products to determine if they actually meet the claims.
Part 4 Digital signatures and document workflow
Digital signatures: types •Certification (aka author) signature •only possible for the first revision (*) •involves modification detection permissions: •No changes allowed •Form filling and signing allowed •Form filling, signing and commenting allowed •Approval (aka recipient) signature •workflow with subsequent signers •New in PDF 2.0: modification detection permissions •Usage Rights signature •involving Adobe’s private key to Reader enable a PDF
Other possible icons •Signer’s identity is unknown •Document has been altered or corrupted
Serial signatures %PDF-1.x %Originaldocument % Additional content 1 ... ... %%EOF DIGITAL SIGNATURE 1 ... %%EOF DIGITAL SIGNATURE 2 % Additional content 2 ... ... %%EOF DIGITAL SIGNATURE 3 Rev1 Rev2 Rev3 A PDF document can be signed more than once, but parallel signatures aren’t supported, only serial signatures: additional signatures sign all previous signatures.
Certified by Alice
Read and approved by Bob
Signed by Bob
Bob’s signature invalidated by Chuck
Read, approved and signed by Carol
Read, approved, and signed by Dave
Signature and lock broken by Chuck
Part 5 Long-term validation
Certificates expire Expiration date 2012 2013 2014
Certificates get revoked Expiration date Revocation date 2012 2013 2014
How to survive revocation / expiration? 2012 2013 2014 Expiration date Revocation date
Timestamps
What to do when: •There’s no CRL/OCSP/TS in the document? •The certificate is about to expire in one of your documents? •The hashing / encryption algorithm is about to be deprecated?
Document Security Store %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DIGITAL SIGNATURE •Signed Message Digest •Certificate %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DIGITAL SIGNATURE •Signed Message Digest •Certificate
Document-level timestamp %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 ETSI.RFC3161 DIGITAL SIGNATURE •Signed Message Digest •Certificate DIGITAL SIGNATURE •Signed Message Digest •Certificate
Repeat as soon as needed %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 DSS for TS1 DOCUMENT TIMESTAMP TS2 DIGITAL SIGNATURE •Signed Message Digest •Certificate DIGITAL SIGNATURE •Signed Message Digest •Certificate
Q & A EMEAKerkstraat 1089050 GentbruggeBELGIUME: sales.isb@itextpdf.com T: +32 92 98 02 31F: +32 92 70 33 75 Americas, Oceania1 Broadway, 14th floorCambridge, MA 02142USA E: sales.isc@itextpdf.comT: +1 617 982 2646 F: +1 617 982 2647 iText HQAdolf Baeyensstraat 1219040 Sint-AmandsbergBELGIUM Asia71 Ayer Rajah Crescent #05-04139951SINGAPOREE: sales.isa@itextpdf,com T: tel: +65 31 58 39 47 http://itextpdf.com

Recommended

Digital Signatures in PDF: how it's done
Digital Signatures in PDF: how it's doneDigital Signatures in PDF: how it's done
Digital Signatures in PDF: how it's doneBruno Lowagie
 
Digital signature
Digital signatureDigital signature
Digital signatureCHESStest{perfect Kadhu}
 
SRS document for Hotel Management System
SRS document for Hotel Management SystemSRS document for Hotel Management System
SRS document for Hotel Management SystemCharitha Gamage
 
secure socket layer
secure socket layersecure socket layer
secure socket layerAmar Shah
 
Digital signatures
Digital signaturesDigital signatures
Digital signaturesIshwar Dayal
 
Matrimonial Website
Matrimonial WebsiteMatrimonial Website
Matrimonial Websitencct
 
Online movie ticket booking
Online movie ticket bookingOnline movie ticket booking
Online movie ticket bookingmrinnovater007
 
Online movie ticket booking system
Online movie ticket booking systemOnline movie ticket booking system
Online movie ticket booking systemSikandar Pandit
 

Recommended

Digital Signatures in PDF: how it's done
Digital Signatures in PDF: how it's doneDigital Signatures in PDF: how it's done
Digital Signatures in PDF: how it's doneBruno Lowagie
 
Digital signature
Digital signatureDigital signature
Digital signatureCHESStest{perfect Kadhu}
 
SRS document for Hotel Management System
SRS document for Hotel Management SystemSRS document for Hotel Management System
SRS document for Hotel Management SystemCharitha Gamage
 
secure socket layer
secure socket layersecure socket layer
secure socket layerAmar Shah
 
Digital signatures
Digital signaturesDigital signatures
Digital signaturesIshwar Dayal
 
Matrimonial Website
Matrimonial WebsiteMatrimonial Website
Matrimonial Websitencct
 
Online movie ticket booking
Online movie ticket bookingOnline movie ticket booking
Online movie ticket bookingmrinnovater007
 
Online movie ticket booking system
Online movie ticket booking systemOnline movie ticket booking system
Online movie ticket booking systemSikandar Pandit
 
Digital Signatures
Digital SignaturesDigital Signatures
Digital SignaturesEhtisham Ali
 
Banking Management System Project
Banking Management System ProjectBanking Management System Project
Banking Management System ProjectChaudhry Sajid
 
E-commerce documentation
E-commerce documentationE-commerce documentation
E-commerce documentationSohel Parvez
 
Salesforce Flows Architecture Best Practices
Salesforce Flows Architecture Best PracticesSalesforce Flows Architecture Best Practices
Salesforce Flows Architecture Best Practicespanayaofficial
 
Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12
Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12
Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12MysoreMuleSoftMeetup
 
Bank management system
Bank management systemBank management system
Bank management systemsumanadas37
 
College admission system
College admission system College admission system
College admission system Sourabh Upadhyay
 
cryptography
cryptographycryptography
cryptographyAbhijeet Singh
 
Encryption And Decryption
Encryption And DecryptionEncryption And Decryption
Encryption And DecryptionNA
 
Digital signature(Cryptography)
Digital signature(Cryptography)Digital signature(Cryptography)
Digital signature(Cryptography)Soham Kansodaria
 
Software Requirements Specification for restaurant management system
Software Requirements Specification for restaurant management systemSoftware Requirements Specification for restaurant management system
Software Requirements Specification for restaurant management systemSM. Aurnob
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithmstrilokchandra prakash
 
E commerce development methodology
E commerce development methodologyE commerce development methodology
E commerce development methodologyVardhanMishara
 
HDFC banking system SRS Document
HDFC banking system SRS DocumentHDFC banking system SRS Document
HDFC banking system SRS DocumentNavjeetKajal
 
SRS For Online Store
SRS For Online StoreSRS For Online Store
SRS For Online StoreAhsan Rizwan
 
SRS on Online Blood Bank Managment system...
SRS on Online Blood Bank Managment system... SRS on Online Blood Bank Managment system...
SRS on Online Blood Bank Managment system... GCWUF
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
AES KEY EXPANSION .pptx
AES KEY EXPANSION .pptxAES KEY EXPANSION .pptx
AES KEY EXPANSION .pptxAhmudulHassan
 
Digital signature
Digital signatureDigital signature
Digital signature9799907840kd
 
Salesforce Trailhead - what is it?
Salesforce Trailhead - what is it?Salesforce Trailhead - what is it?
Salesforce Trailhead - what is it?Roy Gilad
 
Digital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFDigital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFiText Group nv
 
PDF made easy with iText 7
PDF made easy with iText 7PDF made easy with iText 7
PDF made easy with iText 7iText Group nv
 

More Related Content

What's hot

Digital Signatures
Digital SignaturesDigital Signatures
Digital SignaturesEhtisham Ali
 
Banking Management System Project
Banking Management System ProjectBanking Management System Project
Banking Management System ProjectChaudhry Sajid
 
E-commerce documentation
E-commerce documentationE-commerce documentation
E-commerce documentationSohel Parvez
 
Salesforce Flows Architecture Best Practices
Salesforce Flows Architecture Best PracticesSalesforce Flows Architecture Best Practices
Salesforce Flows Architecture Best Practicespanayaofficial
 
Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12
Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12
Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12MysoreMuleSoftMeetup
 
Bank management system
Bank management systemBank management system
Bank management systemsumanadas37
 
Encryption And Decryption
Encryption And DecryptionEncryption And Decryption
Encryption And DecryptionNA
 
Digital signature(Cryptography)
Digital signature(Cryptography)Digital signature(Cryptography)
Digital signature(Cryptography)Soham Kansodaria
 
Software Requirements Specification for restaurant management system
Software Requirements Specification for restaurant management systemSoftware Requirements Specification for restaurant management system
Software Requirements Specification for restaurant management systemSM. Aurnob
 
E commerce development methodology
E commerce development methodologyE commerce development methodology
E commerce development methodologyVardhanMishara
 
HDFC banking system SRS Document
HDFC banking system SRS DocumentHDFC banking system SRS Document
HDFC banking system SRS DocumentNavjeetKajal
 
SRS For Online Store
SRS For Online StoreSRS For Online Store
SRS For Online StoreAhsan Rizwan
 
SRS on Online Blood Bank Managment system...
SRS on Online Blood Bank Managment system... SRS on Online Blood Bank Managment system...
SRS on Online Blood Bank Managment system... GCWUF
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
AES KEY EXPANSION .pptx
AES KEY EXPANSION .pptxAES KEY EXPANSION .pptx
AES KEY EXPANSION .pptxAhmudulHassan
 
Salesforce Trailhead - what is it?
Salesforce Trailhead - what is it?Salesforce Trailhead - what is it?
Salesforce Trailhead - what is it?Roy Gilad
 

What's hot (20)

Digital Signatures
Digital SignaturesDigital Signatures
Digital Signatures
 
Banking Management System Project
Banking Management System ProjectBanking Management System Project
Banking Management System Project
 
E-commerce documentation
E-commerce documentationE-commerce documentation
E-commerce documentation
 
Salesforce Flows Architecture Best Practices
Salesforce Flows Architecture Best PracticesSalesforce Flows Architecture Best Practices
Salesforce Flows Architecture Best Practices
 
Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12
Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12
Salesforce Integration with MuleSoft | MuleSoft Mysore Meetup #12
 
Bank management system
Bank management systemBank management system
Bank management system
 
College admission system
College admission system College admission system
College admission system
 
cryptography
cryptographycryptography
cryptography
 
Encryption And Decryption
Encryption And DecryptionEncryption And Decryption
Encryption And Decryption
 
Digital signature(Cryptography)
Digital signature(Cryptography)Digital signature(Cryptography)
Digital signature(Cryptography)
 
Software Requirements Specification for restaurant management system
Software Requirements Specification for restaurant management systemSoftware Requirements Specification for restaurant management system
Software Requirements Specification for restaurant management system
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithms
 
E commerce development methodology
E commerce development methodologyE commerce development methodology
E commerce development methodology
 
HDFC banking system SRS Document
HDFC banking system SRS DocumentHDFC banking system SRS Document
HDFC banking system SRS Document
 
SRS For Online Store
SRS For Online StoreSRS For Online Store
SRS For Online Store
 
SRS on Online Blood Bank Managment system...
SRS on Online Blood Bank Managment system... SRS on Online Blood Bank Managment system...
SRS on Online Blood Bank Managment system...
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
AES KEY EXPANSION .pptx
AES KEY EXPANSION .pptxAES KEY EXPANSION .pptx
AES KEY EXPANSION .pptx
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Salesforce Trailhead - what is it?
Salesforce Trailhead - what is it?Salesforce Trailhead - what is it?
Salesforce Trailhead - what is it?
 

Viewers also liked

Digital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFDigital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFiText Group nv
 
PDF made easy with iText 7
PDF made easy with iText 7PDF made easy with iText 7
PDF made easy with iText 7iText Group nv
 
PAdES signatures in iText and the road ahead
PAdES signatures in iText and the road aheadPAdES signatures in iText and the road ahead
PAdES signatures in iText and the road aheadiText Group nv
 
The importance of standards
The importance of standardsThe importance of standards
The importance of standardsiText Group nv
 
iText Summit 2014: Keynote talk
iText Summit 2014: Keynote talkiText Summit 2014: Keynote talk
iText Summit 2014: Keynote talkiText Group nv
 
Intellectual property and licensing
Intellectual property and licensingIntellectual property and licensing
Intellectual property and licensingiText Group nv
 
FIT Seminar Singapore presentation
FIT Seminar Singapore presentationFIT Seminar Singapore presentation
FIT Seminar Singapore presentationiText Group nv
 
Monetizing open-source projects
Monetizing open-source projectsMonetizing open-source projects
Monetizing open-source projectsiText Group nv
 
Tech Startup Day 2015: 4 failures and 1 hit
Tech Startup Day 2015: 4 failures and 1 hitTech Startup Day 2015: 4 failures and 1 hit
Tech Startup Day 2015: 4 failures and 1 hitiText Group nv
 
Présentation de mon PFE
Présentation de mon PFEPrésentation de mon PFE
Présentation de mon PFENadir Haouari
 
présentation soutenance PFE.ppt
présentation soutenance PFE.pptprésentation soutenance PFE.ppt
présentation soutenance PFE.pptMohamed Ben Bouzid
 

Viewers also liked (13)

Digital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFDigital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDF
 
PDF made easy with iText 7
PDF made easy with iText 7PDF made easy with iText 7
PDF made easy with iText 7
 
PAdES signatures in iText and the road ahead
PAdES signatures in iText and the road aheadPAdES signatures in iText and the road ahead
PAdES signatures in iText and the road ahead
 
The importance of standards
The importance of standardsThe importance of standards
The importance of standards
 
iText Summit 2014: Keynote talk
iText Summit 2014: Keynote talkiText Summit 2014: Keynote talk
iText Summit 2014: Keynote talk
 
Intellectual property and licensing
Intellectual property and licensingIntellectual property and licensing
Intellectual property and licensing
 
Oops, I broke my API
Oops, I broke my APIOops, I broke my API
Oops, I broke my API
 
FIT Seminar Singapore presentation
FIT Seminar Singapore presentationFIT Seminar Singapore presentation
FIT Seminar Singapore presentation
 
Monetizing open-source projects
Monetizing open-source projectsMonetizing open-source projects
Monetizing open-source projects
 
ZUGFeRD: an overview
ZUGFeRD: an overviewZUGFeRD: an overview
ZUGFeRD: an overview
 
Tech Startup Day 2015: 4 failures and 1 hit
Tech Startup Day 2015: 4 failures and 1 hitTech Startup Day 2015: 4 failures and 1 hit
Tech Startup Day 2015: 4 failures and 1 hit
 
Présentation de mon PFE
Présentation de mon PFEPrésentation de mon PFE
Présentation de mon PFE
 
présentation soutenance PFE.ppt
présentation soutenance PFE.pptprésentation soutenance PFE.ppt
présentation soutenance PFE.ppt
 

Similar to Digital Signatures: how it's done in PDF

What's new in PDF 2.0 regarding digital signatures
What's new in PDF 2.0 regarding digital signaturesWhat's new in PDF 2.0 regarding digital signatures
What's new in PDF 2.0 regarding digital signaturesBruno Lowagie
 
Digital Signatures in the Cloud: A B2C Case Study
Digital Signatures in the Cloud: A B2C Case StudyDigital Signatures in the Cloud: A B2C Case Study
Digital Signatures in the Cloud: A B2C Case StudyiText Group nv
 
Digital Signatures solution by ComsignTrust
Digital Signatures solution by ComsignTrustDigital Signatures solution by ComsignTrust
Digital Signatures solution by ComsignTrustZeev Shetach
 
Lessons Learned from Building Enterprise APIs (Gustaf Nyman)
Lessons Learned from Building Enterprise APIs (Gustaf Nyman)Lessons Learned from Building Enterprise APIs (Gustaf Nyman)
Lessons Learned from Building Enterprise APIs (Gustaf Nyman)Nordic APIs
 
ETDA Conference - Digital signatures: how it's done in PDF
ETDA Conference - Digital signatures: how it's done in PDFETDA Conference - Digital signatures: how it's done in PDF
ETDA Conference - Digital signatures: how it's done in PDFiText Group nv
 
Utilizing PKI to Reduce Risk & Cost
Utilizing PKI to Reduce Risk & CostUtilizing PKI to Reduce Risk & Cost
Utilizing PKI to Reduce Risk & CostChin Wan Lim
 
Securing .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsSecuring .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsNETUserGroupBern
 
The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)Channy Yun
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Securityguest2a5a03
 
Thawte Code Signing Certificate Feature and Benefits
Thawte Code Signing Certificate Feature and BenefitsThawte Code Signing Certificate Feature and Benefits
Thawte Code Signing Certificate Feature and BenefitsCodeSigningStore
 
Implementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentImplementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentPerficient, Inc.
 
#Morecrypto 1.8 - with introduction to TLS
#Morecrypto 1.8 - with introduction to TLS#Morecrypto 1.8 - with introduction to TLS
#Morecrypto 1.8 - with introduction to TLSOlle E Johansson
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guideJ.D. Wade
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECCarlos Martinez Cagnazzo
 
Network security-primer-9544
Network security-primer-9544Network security-primer-9544
Network security-primer-9544Hfz Mushtaq
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET CoreNETUserGroupBern
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)Fatih Ozavci
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 

Similar to Digital Signatures: how it's done in PDF (20)

What's new in PDF 2.0 regarding digital signatures
What's new in PDF 2.0 regarding digital signaturesWhat's new in PDF 2.0 regarding digital signatures
What's new in PDF 2.0 regarding digital signatures
 
Digital Signatures in the Cloud: A B2C Case Study
Digital Signatures in the Cloud: A B2C Case StudyDigital Signatures in the Cloud: A B2C Case Study
Digital Signatures in the Cloud: A B2C Case Study
 
Digital Signatures solution by ComsignTrust
Digital Signatures solution by ComsignTrustDigital Signatures solution by ComsignTrust
Digital Signatures solution by ComsignTrust
 
Lessons Learned from Building Enterprise APIs (Gustaf Nyman)
Lessons Learned from Building Enterprise APIs (Gustaf Nyman)Lessons Learned from Building Enterprise APIs (Gustaf Nyman)
Lessons Learned from Building Enterprise APIs (Gustaf Nyman)
 
ETDA Conference - Digital signatures: how it's done in PDF
ETDA Conference - Digital signatures: how it's done in PDFETDA Conference - Digital signatures: how it's done in PDF
ETDA Conference - Digital signatures: how it's done in PDF
 
Utilizing PKI to Reduce Risk & Cost
Utilizing PKI to Reduce Risk & CostUtilizing PKI to Reduce Risk & Cost
Utilizing PKI to Reduce Risk & Cost
 
Securing .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsSecuring .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applications
 
The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)
 
SHA_and_DS.pdf
SHA_and_DS.pdfSHA_and_DS.pdf
SHA_and_DS.pdf
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Security
 
Thawte Code Signing Certificate Feature and Benefits
Thawte Code Signing Certificate Feature and BenefitsThawte Code Signing Certificate Feature and Benefits
Thawte Code Signing Certificate Feature and Benefits
 
Implementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentImplementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated Environment
 
#Morecrypto 1.8 - with introduction to TLS
#Morecrypto 1.8 - with introduction to TLS#Morecrypto 1.8 - with introduction to TLS
#Morecrypto 1.8 - with introduction to TLS
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
Network security-primer-9544
Network security-primer-9544Network security-primer-9544
Network security-primer-9544
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 

More from iText Group nv

The effects of the GDPR
The effects of the GDPRThe effects of the GDPR
The effects of the GDPRiText Group nv
 
Build your own_photobooth
Build your own_photoboothBuild your own_photobooth
Build your own_photoboothiText Group nv
 
Start-ups: the tortoise and the hare
Start-ups: the tortoise and the hareStart-ups: the tortoise and the hare
Start-ups: the tortoise and the hareiText Group nv
 
IANAL: what developers should know about IP and Legal
IANAL: what developers should know about IP and LegalIANAL: what developers should know about IP and Legal
IANAL: what developers should know about IP and LegaliText Group nv
 
PDF is dead. Long live PDF... with Java!
PDF is dead. Long live PDF... with Java!PDF is dead. Long live PDF... with Java!
PDF is dead. Long live PDF... with Java!iText Group nv
 
iText Summit 2014: Talk: iText throughout the document life cycle
iText Summit 2014: Talk: iText throughout the document life cycleiText Summit 2014: Talk: iText throughout the document life cycle
iText Summit 2014: Talk: iText throughout the document life cycleiText Group nv
 
iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at...
iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at...iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at...
iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at...iText Group nv
 
The XML Forms Architecture
The XML Forms ArchitectureThe XML Forms Architecture
The XML Forms ArchitectureiText Group nv
 
Damn, the new generation kids are getting iPads in Highschool!
Damn, the new generation kids are getting iPads in Highschool!Damn, the new generation kids are getting iPads in Highschool!
Damn, the new generation kids are getting iPads in Highschool!iText Group nv
 
Best practices in Certifying and Signing PDFs
Best practices in Certifying and Signing PDFsBest practices in Certifying and Signing PDFs
Best practices in Certifying and Signing PDFsiText Group nv
 
Choosing the iText Solution that is right for you: Community or Commercial ed...
Choosing the iText Solution that is right for you: Community or Commercial ed...Choosing the iText Solution that is right for you: Community or Commercial ed...
Choosing the iText Solution that is right for you: Community or Commercial ed...iText Group nv
 

More from iText Group nv (11)

The effects of the GDPR
The effects of the GDPRThe effects of the GDPR
The effects of the GDPR
 
Build your own_photobooth
Build your own_photoboothBuild your own_photobooth
Build your own_photobooth
 
Start-ups: the tortoise and the hare
Start-ups: the tortoise and the hareStart-ups: the tortoise and the hare
Start-ups: the tortoise and the hare
 
IANAL: what developers should know about IP and Legal
IANAL: what developers should know about IP and LegalIANAL: what developers should know about IP and Legal
IANAL: what developers should know about IP and Legal
 
PDF is dead. Long live PDF... with Java!
PDF is dead. Long live PDF... with Java!PDF is dead. Long live PDF... with Java!
PDF is dead. Long live PDF... with Java!
 
iText Summit 2014: Talk: iText throughout the document life cycle
iText Summit 2014: Talk: iText throughout the document life cycleiText Summit 2014: Talk: iText throughout the document life cycle
iText Summit 2014: Talk: iText throughout the document life cycle
 
iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at...
iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at...iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at...
iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at...
 
The XML Forms Architecture
The XML Forms ArchitectureThe XML Forms Architecture
The XML Forms Architecture
 
Damn, the new generation kids are getting iPads in Highschool!
Damn, the new generation kids are getting iPads in Highschool!Damn, the new generation kids are getting iPads in Highschool!
Damn, the new generation kids are getting iPads in Highschool!
 
Best practices in Certifying and Signing PDFs
Best practices in Certifying and Signing PDFsBest practices in Certifying and Signing PDFs
Best practices in Certifying and Signing PDFs
 
Choosing the iText Solution that is right for you: Community or Commercial ed...
Choosing the iText Solution that is right for you: Community or Commercial ed...Choosing the iText Solution that is right for you: Community or Commercial ed...
Choosing the iText Solution that is right for you: Community or Commercial ed...
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Digital Signatures: how it's done in PDF

  • 1. Digital Signatures How it’s done in PDF
  • 2. iText, an open source PDF library Java C#
  • 3. Shareholders: -Ingeborg Willaert (50%) -Bruno Lowagie (50%) iText Group NV °2008 Belgium IP, TM, Development Marketing iText Software BVBA °2011 Belgium Sales EMEA/Asia iText Software Corp. °2009 USA (CA/MA) Sales Americas/Oceania Board of Directors: -Peter Camps (chairman) -Ingeborg Willaert -Bruno Lowagie Advisory Board: -Andrew Binstock -Mark de Visser -Bernard Slede iTextGroup Benelux: 10th place Belgium: 3rd place
  • 4. Agenda •Why do we need digital signatures? •Basic concepts… •… applied to PDF •Architectures: server-side vs. client-side •Digital signatures and document workflow •Long term validation
  • 5. Introduction Why do we need digital signatures?
  • 6. Integrity I paid a forged invoice and lost 30K€!
  • 7. Authenticity Why am I, Emperor Constantine I, in this picture? I never transferred authority to the Pope!
  • 9. Three goals •Integrity —we want assurance that the document hasn’t been changed somewhere in the workflow •Authenticity —we want assurance that the author of the document is who we think it is (and not somebody else) •Non-repudiation —we want assurance that the author can’t deny his authorship.
  • 10. Part 1 Basic concepts…
  • 11. Concept 1: Hashing •Hashing algorithm: •a cryptographic hash function to turn an arbitrary block of data into a fixed-size bit string. •Available algorithms: •MD5: Ron Rivest •SHA: •SHA-1: NSA (Being phased out!) •SHA-2: NSA / NIST •NEW: SHA-3 contest winner “Keccak” •RIPEMD: KULeuven
  • 12. Concept 1: Integrity check using hash Document Generate Hash AF1B4C...D34E Secure Server / Website Retrieve Hash AF1B4C...D34E Compare!
  • 13. Concept 2: encryption •Assymetric key algorithms •Encryption •Digital signing
  • 14. Some name dropping •Public Key Cryptography Standards •PKCS#1: RSA Cryptography Standard (Rivest, Shamir, Adleman) •PKCS#7: Cryptographic Message Standard (CMS) •PKCS#11: Cryptographic Token Interface •PKCS#12: PersonalInformation Exchange SyntaxStandard •PKCS#13: Elliptic Curve Cryptography Standard (ECDSA) •Federal Information Processing Standards (FIPS) •DSA: Digital Signature Algorithm (DSA) •European Telecommunications Standards Institute (ETSI) •CMS Advanced Electronic Signatures (CAdES)
  • 15. Concept 1 + Concept 2 •Producer •Provides data as-is •Provides hash encrypted using private key •Provides public key •Consumer •Creates hash from data: hash1 •Decrypts hash using public key: hash2 •If (hash1== hash2) document OK!
  • 16. Goals met? •Integrity: •hashes are identical •Authenticity: •identity found along with public key •Non-repudiation: •if hash can be decrypted with public key, the document was signed with the corresponding private key
  • 17. Differences between EU and US •In the US, we make a distinction: •Electronic signatures don’t necessarily involve PKI •Digital signatures when a PKI infrastructure is involved •In Europe, we speak of electronic signatures •As a synonymfor digital signatures •All laws and regulations take this wording •There’s no sharp distinction between electronic and digital signatures (which leads to confusion) •I always speak of digital signatures
  • 18. Part 2 … applied to PDF
  • 19. Standards •ISO •ISO-32000-1 (2008) based on PDF 1.7 (2006) •ISO-32000-2 will define PDF 2.0 (2016) •ETSI: TS 102 778 (2009 -2010) •PAdES1: Overview •PAdES2: Basic –CMS based (ISO-32000-1) •PAdES3: Enhanced –CAdESbased (ISO-32000-2) •PAdES4: LTV –Long Term Validation •PAdES5: XAdESbased (XML content) •PAdES6: Visual representation guidelines •ETSI: TS 103 172 (2011 -2013) •PAdESBaseline Profile
  • 20. Signatures in PDF •There are no bytes in the PDF that aren’t covered, other than the PDF signature itself. (*) •The digital signature isn’t part of the ByteRange. •The concept “to initial a document” doesn’t exist; you sign the complete document at once, not on a page per page basis. (*)
  • 21. Some PDF terminology •Signature field: •Visualisation (onewidget annotation) •Extra info about signature (Lock, SV) •/V refers to the signature dictionary •Signing: •Creating an /APfor the widget annotation •Creating a signature dictionary for /V
  • 22. What’s inside the signature? %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DIGITAL SIGNATURE •Signed Message Digest •Certificatechain •Revocation information •Timestamp ISO-32000-2: At minimum the PKCS#7 object shall include the signer’s X.509 signing certificate. This certificate shall be used to verify the signature value in /Contents. Best practices (“should” also have): •Full certificate chain •Revocation information (CRL / OCSP) •Timestamp
  • 23. Part 3 Architectures: Server-side vs. client-side signing
  • 24. Server-side signing <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Signed Message Digest Application Device SERVER
  • 25. Use cases server-side signing •Company signature •Invoices •Contracts •… •Signing services in the Cloud •Docusign •Echosign •… •Security management responsibilities!
  • 26. Client-side signing <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Signed Message Digest Application Device CLIENT
  • 27. Use cases client-side signing •Desktop applications •Adobe Acrobat Pro •Adobe Reader (only for Reader-enabled documents) •Home made, e.g. using iText •In a web context •The PDF software runs on the client, e.g. using Java Web Start •Access to the token or smart card through •MSCAPI •PKCS#11 •Custom smart card library •Security •User has smart card and PIN or USB token and passphrase
  • 28. Deferred signing Signed Message Digest App Device CLIENT <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Application SERVER
  • 29. Use cases deferred signing •Signing on an iPad / Tablet •App on the device has low footprint •Easy to link to integrate into a document management system •Disadvantage •You need to trust the server that the hash you receive is actually the hash of the document you want to sign •Common Criteria •a framework in which computer system users can specifytheir security functionaland assurancerequirements (SFRs and SARs respectively) through the use of Protection Profiles (PPs), vendors can then implementand/or make claims about the security attributes of their products, and testing laboratories can evaluatethe products to determine if they actually meet the claims.
  • 30. Part 4 Digital signatures and document workflow
  • 31. Digital signatures: types •Certification (aka author) signature •only possible for the first revision (*) •involves modification detection permissions: •No changes allowed •Form filling and signing allowed •Form filling, signing and commenting allowed •Approval (aka recipient) signature •workflow with subsequent signers •New in PDF 2.0: modification detection permissions •Usage Rights signature •involving Adobe’s private key to Reader enable a PDF
  • 32. Other possible icons •Signer’s identity is unknown •Document has been altered or corrupted
  • 33. Serial signatures %PDF-1.x %Originaldocument % Additional content 1 ... ... %%EOF DIGITAL SIGNATURE 1 ... %%EOF DIGITAL SIGNATURE 2 % Additional content 2 ... ... %%EOF DIGITAL SIGNATURE 3 Rev1 Rev2 Rev3 A PDF document can be signed more than once, but parallel signatures aren’t supported, only serial signatures: additional signatures sign all previous signatures.
  • 38. Read, approved and signed by Carol
  • 39. Read, approved, and signed by Dave
  • 40. Signature and lock broken by Chuck
  • 41. Part 5 Long-term validation
  • 42. Certificates expire Expiration date 2012 2013 2014
  • 43. Certificates get revoked Expiration date Revocation date 2012 2013 2014
  • 44. How to survive revocation / expiration? 2012 2013 2014 Expiration date Revocation date
  • 46. What to do when: •There’s no CRL/OCSP/TS in the document? •The certificate is about to expire in one of your documents? •The hashing / encryption algorithm is about to be deprecated?
  • 47. Document Security Store %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DIGITAL SIGNATURE •Signed Message Digest •Certificate %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DIGITAL SIGNATURE •Signed Message Digest •Certificate
  • 48. Document-level timestamp %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 ETSI.RFC3161 DIGITAL SIGNATURE •Signed Message Digest •Certificate DIGITAL SIGNATURE •Signed Message Digest •Certificate
  • 49. Repeat as soon as needed %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE •VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 DSS for TS1 DOCUMENT TIMESTAMP TS2 DIGITAL SIGNATURE •Signed Message Digest •Certificate DIGITAL SIGNATURE •Signed Message Digest •Certificate
  • 50. Q & A EMEAKerkstraat 1089050 GentbruggeBELGIUME: sales.isb@itextpdf.com T: +32 92 98 02 31F: +32 92 70 33 75 Americas, Oceania1 Broadway, 14th floorCambridge, MA 02142USA E: sales.isc@itextpdf.comT: +1 617 982 2646 F: +1 617 982 2647 iText HQAdolf Baeyensstraat 1219040 Sint-AmandsbergBELGIUM Asia71 Ayer Rajah Crescent #05-04139951SINGAPOREE: sales.isa@itextpdf,com T: tel: +65 31 58 39 47 http://itextpdf.com