Digital Signatures: how it's done in PDF

iText Group nv
iText Group nviText Group nv
© 2015, iText Group NV, iText Software Corp., iText Software BVBA© 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital Signatures: How It’s Done in PDF Zetes eaZySign event (Kasteel van Ruisbroek: April 2, 2015)
© 2015, iText Group NV, iText Software Corp., iText Software BVBA© 2015, iText Group NV, iText Software Corp., iText Software BVBA Agenda • Why do we need digital signatures? • Basic concepts… • … applied to PDF • Architectures: server-side vs. client-side • Digital signatures and document workflow • Long term validation
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF3 Why do we need digital signatures? Integrity Authenticity Non-repudiation
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Integrity Digital signatures: How It's Done in PDF4 I paid a forged invoice and lost 30K€ !
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Authenticity Digital signatures: How It's Done in PDF5 Why am I, Emperor Constantine I, in this picture? I never transferred authority to the Pope!
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Non-repudiation Digital signatures: How It's Done in PDF6 I didn’t do it!
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Three goals Integrity — we want assurance that the document hasn’t been changed somewhere in the workflow. Authenticity — we want assurance that the author of the document is who we think it is (and not somebody else). Non-repudiation — we want assurance that the author can’t deny his authorship. Digital signatures: How It's Done in PDF7
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF8 Basic Concepts… Hashing algorithms Encryption algorithms Digital signatures
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Concept 1: Hashing Hashing algorithm a cryptographic hash function to turn an arbitrary block of data into a fixed-size bit string. Available algorithms MD5: Ron Rivest (deprecated) SHA: SHA-1: NSA (phased out!) SHA-2: NSA / NIST SHA-3: Keccak (made in Belgium!) RIPEMD: KULeuven Digital signatures: How It's Done in PDF9
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Concept 1: Integrity check using hash Digital signatures: How It's Done in PDF10 Document Generate Hash AF1B4C...D34E Secure Server / Website Retrieve Hash AF1B4C...D34E Compare!
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Concept 2: Encryption Assymetric key algorithms Encryption Digital signing Digital signatures: How It's Done in PDF11
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Concept 2: Some name dropping Public Key Cryptography Standards PKCS#1: RSA Cryptography Standard (Rivest, Shamir, Adleman) PKCS#7: Cryptographic Message Standard (CMS) PKCS#11: Cryptographic Token Interface PKCS#12: Personal Information Exchange Syntax Standard PKCS#13: Elliptic Curve Cryptography Standard (ECDSA) Federal Information Processing Standards (FIPS) DSA: Digital Signature Algorithm (DSA) European Telecommunications Standards Institute (ETSI) CMS Advanced Electronic Signatures (CAdES) Digital signatures: How It's Done in PDF12
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Concept 1 + Concept 2 Producer Provides data as-is: [A] Provides hash of data, encrypted using private key: [B] Provides public key Consumer Creates hash from data [A]: hash1 Decrypts hash [B] using public key: hash2 If (hash1 == hash2) document OK! Digital signatures: How It's Done in PDF13
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Goals met? Integrity Hashes are identical Authenticity Identity is stored in public key A time-stamp can be added Non-repudiation If hash can be decrypted with public key, the document was signed with the corresponding private key Digital signatures: How It's Done in PDF14
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Differences between EU and US In the US, we make a distinction Electronic signatures don’t necessarily involve PKI Digital signatures when a PKI infrastructure is involved In Europe, we speak of electronic signatures As a synonym for digital signatures All laws and regulations take this wording There’s no sharp distinction between electronic and digital signatures (which leads to confusion) I always speak of digital signatures Digital signatures: How It's Done in PDF15
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF16 … Applied to PDF ISO 32000-1 ETSI TS 102 778 (PAdES) ISO 32000-2
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Standards ISO ISO-32000-1 (2008) based on PDF 1.7 (2006) ISO-32000-2 will define PDF 2.0 (2016) ETSI: TS 102 778 (2009 - 2010) PAdES 1: Overview PAdES 2: Basic – CMS based (ISO-32000-1) PAdES 3: Enhanced – CAdES based (ISO-32000-2) PAdES 4: LTV – Long Term Validation PAdES 5: XAdES based (XML content) PAdES 6: Visual representation guidelines ETSI: TS 103 172 (2011 - 2013) PAdES Baseline Profile Digital signatures: How It's Done in PDF17
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Signatures in PDF There are no bytes in the PDF that aren’t covered, other than the PDF signature itself. (*) The digital signature isn’t part of the ByteRange. The concept “to initial a document” doesn’t exist; you sign the complete document at once, not on a page per page basis. (*) Digital signatures: How It's Done in PDF18
© 2015, iText Group NV, iText Software Corp., iText Software BVBA What’s inside a signature? Digital signatures: How It's Done in PDF19 ISO-32000: At minimum the PKCS#7 object shall include the signer’s X.509 signing certificate. This certificate shall be used to verify the signature value in /Contents. Best practices (“should” also have): • Full certificate chain • Revocation information (CRL / OCSP) • Timestamp %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DIGITAL SIGNATURE • Signed Message Digest • Certificate chain • Revocation information • Timestamp
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF20 Architectures Server-side signing Client-side signing Deferred signing
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Server-side signing Digital signatures: How It's Done in PDF21 <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Signed Message Digest Application DeviceSERVER
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Use cases server-side signing Company signature Invoices Contracts … Signing services in the Cloud Docusign Echosign … Security management responsibilities! Digital signatures: How It's Done in PDF22
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Client-side signing Digital signatures: How It's Done in PDF23 <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Signed Message Digest ApplicationDevice CLIENT
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Use cases client-side signing Desktop applications Adobe Acrobat Pro Adobe Reaer (for Reader-enabled documents) Home-made, e.g. using iText In a web context The PDF software runs on the client, e.g. using Java Web Start Access to the token or smart card through MSCAPI PKCS#11 Custom smart card library Security User has smart card and PIN or USB token and passphrase Digital signatures: How It's Done in PDF24
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Deferred signing Digital signatures: How It's Done in PDF25 Signed Message Digest AppDevice CLIENT <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Application SERVER
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Use cases deferred signing Signing on an iPad/Tablet App on the device has a low footprint Easy to integrate into a document management system Disadvantage You need to trust the server that the hash you receive is actually the hash of the document you want to sign Common Criteria A framework in which computer system users can specify their security functional and assurance requirements (SFRs and SARs respectively) through the use of Protection Profiles (PPs), vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. Digital signatures: How It's Done in PDF26
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF27 Digital signatures and workflow Author signatures Recipient signatures Locking fields / documents
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Serial signatures 28 %PDF-1.x % Original document % Additional content 1 ... ... %%EOF DIGITAL SIGNATURE 1 ... %%EOF DIGITAL SIGNATURE 2 % Additional content 2 ... ... %%EOF DIGITAL SIGNATURE 3 Rev1 Rev2 Rev3 A PDF document can be signed more than once, but parallel signatures aren’t supported, only serial signatures: additional signatures sign all previous signatures. Digital signatures: How It's Done in PDF
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: types Certification (aka author) signature Only possible for the first revision Involves modification detection permissions: No changes allowed Form filling and signing allowed Form filling, signing and commenting allowed Approval (aka recipient) signature Workflow with subsequent signers New in PDF 2.0: modification detection permissions Digital signatures: How It's Done in PDF29
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Other possible icons Signer’s identity is unknown Document has been altered or corrupted Digital signatures: How It's Done in PDF30
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Certified by Alice Digital signatures: How It's Done in PDF31
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Read, approved and signed by Bob Digital signatures: How It's Done in PDF32
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Bob’s signature invalidated by Chuck Digital signatures: How It's Done in PDF33
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Read, approved and signed by Carol Digital signatures: How It's Done in PDF34
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Read, approved and signed by Dave Digital signatures: How It's Done in PDF35
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Signature and lock broken by Chuck Digital signatures: How It's Done in PDF36
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF37 Long-term validation Revocation Timestamps LTV
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Certificates expire Digital signatures: How It's Done in PDF38 Expiration date 2013 2014 2015
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Certificates get revoked Digital signatures: How It's Done in PDF39 Expiration dateRevocation date 2013 2014 2015
© 2015, iText Group NV, iText Software Corp., iText Software BVBA How to survive revocation / expiration? Digital signatures: How It's Done in PDF40 Expiration dateRevocation date
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Timestamps Digital signatures: How It's Done in PDF41
© 2015, iText Group NV, iText Software Corp., iText Software BVBA What to do when: There’s no CRL/OCSP/TS in the document? The certificate is about to expire in one of your documents? The hashing/encryption algorithm is about to be deprecated? Digital signatures: How It's Done in PDF42
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Document Security Store (DSS) Digital signatures: How It's Done in PDF43 %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DIGITAL SIGNATURE • Signed Message Digest • Certificate %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE • VRI, Certs, OCSPs, CRLs DIGITAL SIGNATURE • Signed Message Digest • Certificate
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Document-level timestamp Digital signatures: How It's Done in PDF44 %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE • VRI, Certs, OCSPs, CRLs %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE • VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 ETSI.RFC3161 DIGITAL SIGNATURE • Signed Message Digest • Certificate DIGITAL SIGNATURE • Signed Message Digest • Certificate
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF45 %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE • VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE • VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 DSS for TS1 DOCUMENT TIMESTAMP TS2 DIGITAL SIGNATURE • Signed Message Digest • Certificate DIGITAL SIGNATURE • Signed Message Digest • Certificate
© 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF46 Questions? itextpdf.com SG: sales.isa@itextpdf.com +65 31 58 39 47 BE: sales.isb@itextpdf.com +32 92 98 02 31 US: sales.isc@itextpdf.com +1 617 982 646
1 of 46

Digital Signatures: how it's done in PDF

Download to read offline
Technology

Talk about digital signatures, more specifically about how digital signatures are implemented in PDF.

iText Group nv
iText Group nviText Group nv

Recommended

What makes a successful SSI strategy? by
What makes a successful SSI strategy?What makes a successful SSI strategy?
What makes a successful SSI strategy?Evernym
409 views40 slides
Google Developer Student Club Avantika University Info Session by
Google Developer Student Club Avantika University Info SessionGoogle Developer Student Club Avantika University Info Session
Google Developer Student Club Avantika University Info SessionAKSHATPATEL48
313 views27 slides
Electronic voting machine using RFID by
Electronic voting machine using RFIDElectronic voting machine using RFID
Electronic voting machine using RFIDBharath Chapala
6.9K views18 slides
Contrato Compromisso Divisao Amigavel by
Contrato Compromisso Divisao AmigavelContrato Compromisso Divisao Amigavel
Contrato Compromisso Divisao AmigavelRodolfo Rodrigo Acosta
15.4K views1 slide
How to use Goautodial by
How to use GoautodialHow to use Goautodial
How to use GoautodialSachin Kumar
5.9K views35 slides
Application of QR Codes in Academic Libraries: With Special Reference to Cent... by
Application of QR Codes in Academic Libraries: With Special Reference to Cent...Application of QR Codes in Academic Libraries: With Special Reference to Cent...
Application of QR Codes in Academic Libraries: With Special Reference to Cent...Jishnu Mandal
920 views21 slides

More Related Content

Similar to Digital Signatures: how it's done in PDF

ETDA Conference - Digital signatures: how it's done in PDF by
ETDA Conference - Digital signatures: how it's done in PDFETDA Conference - Digital signatures: how it's done in PDF
ETDA Conference - Digital signatures: how it's done in PDFiText Group nv
1K views69 slides
Digital Signatures in PDF: how it's done by
Digital Signatures in PDF: how it's doneDigital Signatures in PDF: how it's done
Digital Signatures in PDF: how it's doneBruno Lowagie
1.1K views52 slides
ECM & Digital Signature by
ECM & Digital SignatureECM & Digital Signature
ECM & Digital SignatureLeonardo da Silva
2.2K views18 slides
ZUGFeRD: an overview by
ZUGFeRD: an overviewZUGFeRD: an overview
ZUGFeRD: an overviewiText Group nv
34.8K views25 slides
Digital Signatures in the Cloud: A B2C Case Study by
Digital Signatures in the Cloud: A B2C Case StudyDigital Signatures in the Cloud: A B2C Case Study
Digital Signatures in the Cloud: A B2C Case StudyiText Group nv
3.8K views33 slides
Digital Signatures: how it's done in PDF by
Digital Signatures: how it's done in PDFDigital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDFiText Group nv
6.1K views50 slides

Similar to Digital Signatures: how it's done in PDF(20)

ETDA Conference - Digital signatures: how it's done in PDF by iText Group nv
ETDA Conference - Digital signatures: how it's done in PDFETDA Conference - Digital signatures: how it's done in PDF
ETDA Conference - Digital signatures: how it's done in PDF
iText Group nv1K views
Digital Signatures in PDF: how it's done by Bruno Lowagie
Digital Signatures in PDF: how it's doneDigital Signatures in PDF: how it's done
Digital Signatures in PDF: how it's done
Bruno Lowagie1.1K views
ECM & Digital Signature by Leonardo da Silva
ECM & Digital SignatureECM & Digital Signature
ECM & Digital Signature
Leonardo da Silva2.2K views
ZUGFeRD: an overview by iText Group nv
ZUGFeRD: an overviewZUGFeRD: an overview
ZUGFeRD: an overview
iText Group nv34.8K views
Digital Signatures in the Cloud: A B2C Case Study by iText Group nv
Digital Signatures in the Cloud: A B2C Case StudyDigital Signatures in the Cloud: A B2C Case Study
Digital Signatures in the Cloud: A B2C Case Study
iText Group nv3.8K views
Digital Signatures: how it's done in PDF by iText Group nv
Digital Signatures: how it's done in PDFDigital Signatures: how it's done in PDF
Digital Signatures: how it's done in PDF
iText Group nv6.1K views
Voip security by Shethwala Ridhvesh
Voip securityVoip security
Voip security
Shethwala Ridhvesh789 views
How do you secure an electronic signature? by XeniT Solutions nv
How do you secure an electronic signature?How do you secure an electronic signature?
How do you secure an electronic signature?
XeniT Solutions nv44 views
1.31.17 Asignet Technology FAQ & Vendor Assurance Summary by Jason Koenigsberg,MBA
1.31.17 Asignet Technology FAQ & Vendor Assurance Summary1.31.17 Asignet Technology FAQ & Vendor Assurance Summary
1.31.17 Asignet Technology FAQ & Vendor Assurance Summary
Jason Koenigsberg,MBA185 views
Digital leadership event ipt und swisscom 28.10.2015 by Noemi Haag
Digital leadership event ipt und swisscom 28.10.2015Digital leadership event ipt und swisscom 28.10.2015
Digital leadership event ipt und swisscom 28.10.2015
Noemi Haag400 views
IOTprotocols and overview (SSI) by Dania Rashid
IOTprotocols and overview (SSI)IOTprotocols and overview (SSI)
IOTprotocols and overview (SSI)
Dania Rashid606 views
Xybermotive introduction (en) 092014 by Hans-Chr. Brockmann
Xybermotive introduction (en) 092014Xybermotive introduction (en) 092014
Xybermotive introduction (en) 092014
Hans-Chr. Brockmann3.1K views
V3.1.Ds Generic Presentation Pptshow [Autosaved] by Robert Grawet
V3.1.Ds Generic Presentation Pptshow [Autosaved]V3.1.Ds Generic Presentation Pptshow [Autosaved]
V3.1.Ds Generic Presentation Pptshow [Autosaved]
Robert Grawet591 views
Embed trust in your software & data by Strategic Business & IT Services
Embed trust in your software & dataEmbed trust in your software & data
Embed trust in your software & data
Strategic Business & IT Services93 views
Serial RS232 to Keyboard wedge software by topomax
Serial RS232 to Keyboard wedge softwareSerial RS232 to Keyboard wedge software
Serial RS232 to Keyboard wedge software
topomax847 views
Digital signatur by Ruwandi Madhunamali
Digital signaturDigital signatur
Digital signatur
Ruwandi Madhunamali97 views
Easy Invoice Solution Package by hromzykowski
Easy Invoice Solution PackageEasy Invoice Solution Package
Easy Invoice Solution Package
hromzykowski688 views
Digital Signatures solution by ComsignTrust by Zeev Shetach
Digital Signatures solution by ComsignTrustDigital Signatures solution by ComsignTrust
Digital Signatures solution by ComsignTrust
Zeev Shetach1.2K views
WSO2 ITALIA SMART TALK #4 - Telefonica Use Case by Profesia Srl, Lynx Group
WSO2 ITALIA SMART TALK #4 - Telefonica Use CaseWSO2 ITALIA SMART TALK #4 - Telefonica Use Case
WSO2 ITALIA SMART TALK #4 - Telefonica Use Case
Profesia Srl, Lynx Group12 views
A Brief Note On Peer Communication And The Client Server... by Miles Priar
A Brief Note On Peer Communication And The Client Server...A Brief Note On Peer Communication And The Client Server...
A Brief Note On Peer Communication And The Client Server...
Miles Priar2 views

More from iText Group nv

The effects of the GDPR by
The effects of the GDPRThe effects of the GDPR
The effects of the GDPRiText Group nv
1.2K views35 slides
Build your own_photobooth by
Build your own_photoboothBuild your own_photobooth
Build your own_photoboothiText Group nv
468 views14 slides
FIT Seminar Singapore presentation by
FIT Seminar Singapore presentationFIT Seminar Singapore presentation
FIT Seminar Singapore presentationiText Group nv
814 views20 slides
Tech Startup Day 2015: 4 failures and 1 hit by
Tech Startup Day 2015: 4 failures and 1 hitTech Startup Day 2015: 4 failures and 1 hit
Tech Startup Day 2015: 4 failures and 1 hitiText Group nv
453 views15 slides
Intellectual property and licensing by
Intellectual property and licensingIntellectual property and licensing
Intellectual property and licensingiText Group nv
1K views44 slides
Monetizing open-source projects by
Monetizing open-source projectsMonetizing open-source projects
Monetizing open-source projectsiText Group nv
937 views41 slides

More from iText Group nv(20)

The effects of the GDPR by iText Group nv
The effects of the GDPRThe effects of the GDPR
The effects of the GDPR
iText Group nv1.2K views
Build your own_photobooth by iText Group nv
Build your own_photoboothBuild your own_photobooth
Build your own_photobooth
iText Group nv468 views
FIT Seminar Singapore presentation by iText Group nv
FIT Seminar Singapore presentationFIT Seminar Singapore presentation
FIT Seminar Singapore presentation
iText Group nv814 views
Tech Startup Day 2015: 4 failures and 1 hit by iText Group nv
Tech Startup Day 2015: 4 failures and 1 hitTech Startup Day 2015: 4 failures and 1 hit
Tech Startup Day 2015: 4 failures and 1 hit
iText Group nv453 views
Intellectual property and licensing by iText Group nv
Intellectual property and licensingIntellectual property and licensing
Intellectual property and licensing
iText Group nv1K views
Monetizing open-source projects by iText Group nv
Monetizing open-source projectsMonetizing open-source projects
Monetizing open-source projects
iText Group nv937 views
Oops, I broke my API by iText Group nv
Oops, I broke my APIOops, I broke my API
Oops, I broke my API
iText Group nv2.3K views
PDF made easy with iText 7 by iText Group nv
PDF made easy with iText 7PDF made easy with iText 7
PDF made easy with iText 7
iText Group nv5.4K views
Start-ups: the tortoise and the hare by iText Group nv
Start-ups: the tortoise and the hareStart-ups: the tortoise and the hare
Start-ups: the tortoise and the hare
iText Group nv582 views
IANAL: what developers should know about IP and Legal by iText Group nv
IANAL: what developers should know about IP and LegalIANAL: what developers should know about IP and Legal
IANAL: what developers should know about IP and Legal
iText Group nv3.5K views
PDF is dead. Long live PDF... with Java! by iText Group nv
PDF is dead. Long live PDF... with Java!PDF is dead. Long live PDF... with Java!
PDF is dead. Long live PDF... with Java!
iText Group nv2.3K views
iText Summit 2014: Talk: iText throughout the document life cycle by iText Group nv
iText Summit 2014: Talk: iText throughout the document life cycleiText Summit 2014: Talk: iText throughout the document life cycle
iText Summit 2014: Talk: iText throughout the document life cycle
iText Group nv829 views
iText Summit 2014: Keynote talk by iText Group nv
iText Summit 2014: Keynote talkiText Summit 2014: Keynote talk
iText Summit 2014: Keynote talk
iText Group nv1.4K views
iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at... by iText Group nv
iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at...iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at...
iText Summit 2014: Talk: eGriffie and JustX, introducing digital documents at...
iText Group nv818 views
The XML Forms Architecture by iText Group nv
The XML Forms ArchitectureThe XML Forms Architecture
The XML Forms Architecture
iText Group nv1.9K views
Damn, the new generation kids are getting iPads in Highschool! by iText Group nv
Damn, the new generation kids are getting iPads in Highschool!Damn, the new generation kids are getting iPads in Highschool!
Damn, the new generation kids are getting iPads in Highschool!
iText Group nv938 views
PAdES signatures in iText and the road ahead by iText Group nv
PAdES signatures in iText and the road aheadPAdES signatures in iText and the road ahead
PAdES signatures in iText and the road ahead
iText Group nv5.3K views
Best practices in Certifying and Signing PDFs by iText Group nv
Best practices in Certifying and Signing PDFsBest practices in Certifying and Signing PDFs
Best practices in Certifying and Signing PDFs
iText Group nv1.4K views
Choosing the iText Solution that is right for you: Community or Commercial ed... by iText Group nv
Choosing the iText Solution that is right for you: Community or Commercial ed...Choosing the iText Solution that is right for you: Community or Commercial ed...
Choosing the iText Solution that is right for you: Community or Commercial ed...
iText Group nv944 views
The importance of standards by iText Group nv
The importance of standardsThe importance of standards
The importance of standards
iText Group nv1.2K views

Recently uploaded

Business Analyst Series 2023 - Week 4 Session 7 by
Business Analyst Series 2023 - Week 4 Session 7Business Analyst Series 2023 - Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7DianaGray10
146 views31 slides
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... by
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...The Digital Insurer
91 views52 slides
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De... by
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...Moses Kemibaro
35 views38 slides
Business Analyst Series 2023 - Week 4 Session 8 by
Business Analyst Series 2023 - Week 4 Session 8Business Analyst Series 2023 - Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8DianaGray10
145 views13 slides
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue by
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueShapeBlue
137 views13 slides
"Running students' code in isolation. The hard way", Yurii Holiuk by
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk Fwdays
36 views34 slides

Recently uploaded(20)

Business Analyst Series 2023 - Week 4 Session 7 by DianaGray10
Business Analyst Series 2023 - Week 4 Session 7Business Analyst Series 2023 - Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7
DianaGray10146 views
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... by The Digital Insurer
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
The Digital Insurer91 views
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De... by Moses Kemibaro
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Moses Kemibaro35 views
Business Analyst Series 2023 - Week 4 Session 8 by DianaGray10
Business Analyst Series 2023 - Week 4 Session 8Business Analyst Series 2023 - Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8
DianaGray10145 views
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue by ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
ShapeBlue137 views
"Running students' code in isolation. The hard way", Yurii Holiuk by Fwdays
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk
Fwdays36 views
"Node.js Development in 2024: trends and tools", Nikita Galkin by Fwdays
"Node.js Development in 2024: trends and tools", Nikita Galkin "Node.js Development in 2024: trends and tools", Nikita Galkin
"Node.js Development in 2024: trends and tools", Nikita Galkin
Fwdays33 views
MVP and prioritization.pdf by rahuldharwal141
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdf
rahuldharwal14139 views
Optimizing Communication to Optimize Human Behavior - LCBM by Yaman Kumar
Optimizing Communication to Optimize Human Behavior - LCBMOptimizing Communication to Optimize Human Behavior - LCBM
Optimizing Communication to Optimize Human Behavior - LCBM
Yaman Kumar38 views
Digital Personal Data Protection (DPDP) Practical Approach For CISOs by Priyanka Aash
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash162 views
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue by ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlueElevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
ShapeBlue224 views
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti... by ShapeBlue
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
ShapeBlue141 views
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And... by ShapeBlue
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
ShapeBlue108 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue208 views
"Package management in monorepos", Zoltan Kochan by Fwdays
"Package management in monorepos", Zoltan Kochan"Package management in monorepos", Zoltan Kochan
"Package management in monorepos", Zoltan Kochan
Fwdays34 views
"Surviving highload with Node.js", Andrii Shumada by Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays58 views
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P... by ShapeBlue
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
ShapeBlue196 views
Evaluation of Quality of Experience of ABR Schemes in Gaming Stream by Alpen-Adria-Universität
Evaluation of Quality of Experience of ABR Schemes in Gaming StreamEvaluation of Quality of Experience of ABR Schemes in Gaming Stream
Evaluation of Quality of Experience of ABR Schemes in Gaming Stream
Alpen-Adria-Universität38 views
CryptoBotsAI by chandureddyvadala199
CryptoBotsAICryptoBotsAI
CryptoBotsAI
chandureddyvadala19942 views
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... by ShapeBlue
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
ShapeBlue171 views

Digital Signatures: how it's done in PDF

  • 1. © 2015, iText Group NV, iText Software Corp., iText Software BVBA© 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital Signatures: How It’s Done in PDF Zetes eaZySign event (Kasteel van Ruisbroek: April 2, 2015)
  • 2. © 2015, iText Group NV, iText Software Corp., iText Software BVBA© 2015, iText Group NV, iText Software Corp., iText Software BVBA Agenda • Why do we need digital signatures? • Basic concepts… • … applied to PDF • Architectures: server-side vs. client-side • Digital signatures and document workflow • Long term validation
  • 3. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF3 Why do we need digital signatures? Integrity Authenticity Non-repudiation
  • 4. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Integrity Digital signatures: How It's Done in PDF4 I paid a forged invoice and lost 30K€ !
  • 5. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Authenticity Digital signatures: How It's Done in PDF5 Why am I, Emperor Constantine I, in this picture? I never transferred authority to the Pope!
  • 6. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Non-repudiation Digital signatures: How It's Done in PDF6 I didn’t do it!
  • 7. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Three goals Integrity — we want assurance that the document hasn’t been changed somewhere in the workflow. Authenticity — we want assurance that the author of the document is who we think it is (and not somebody else). Non-repudiation — we want assurance that the author can’t deny his authorship. Digital signatures: How It's Done in PDF7
  • 8. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF8 Basic Concepts… Hashing algorithms Encryption algorithms Digital signatures
  • 9. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Concept 1: Hashing Hashing algorithm a cryptographic hash function to turn an arbitrary block of data into a fixed-size bit string. Available algorithms MD5: Ron Rivest (deprecated) SHA: SHA-1: NSA (phased out!) SHA-2: NSA / NIST SHA-3: Keccak (made in Belgium!) RIPEMD: KULeuven Digital signatures: How It's Done in PDF9
  • 10. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Concept 1: Integrity check using hash Digital signatures: How It's Done in PDF10 Document Generate Hash AF1B4C...D34E Secure Server / Website Retrieve Hash AF1B4C...D34E Compare!
  • 11. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Concept 2: Encryption Assymetric key algorithms Encryption Digital signing Digital signatures: How It's Done in PDF11
  • 12. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Concept 2: Some name dropping Public Key Cryptography Standards PKCS#1: RSA Cryptography Standard (Rivest, Shamir, Adleman) PKCS#7: Cryptographic Message Standard (CMS) PKCS#11: Cryptographic Token Interface PKCS#12: Personal Information Exchange Syntax Standard PKCS#13: Elliptic Curve Cryptography Standard (ECDSA) Federal Information Processing Standards (FIPS) DSA: Digital Signature Algorithm (DSA) European Telecommunications Standards Institute (ETSI) CMS Advanced Electronic Signatures (CAdES) Digital signatures: How It's Done in PDF12
  • 13. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Concept 1 + Concept 2 Producer Provides data as-is: [A] Provides hash of data, encrypted using private key: [B] Provides public key Consumer Creates hash from data [A]: hash1 Decrypts hash [B] using public key: hash2 If (hash1 == hash2) document OK! Digital signatures: How It's Done in PDF13
  • 14. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Goals met? Integrity Hashes are identical Authenticity Identity is stored in public key A time-stamp can be added Non-repudiation If hash can be decrypted with public key, the document was signed with the corresponding private key Digital signatures: How It's Done in PDF14
  • 15. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Differences between EU and US In the US, we make a distinction Electronic signatures don’t necessarily involve PKI Digital signatures when a PKI infrastructure is involved In Europe, we speak of electronic signatures As a synonym for digital signatures All laws and regulations take this wording There’s no sharp distinction between electronic and digital signatures (which leads to confusion) I always speak of digital signatures Digital signatures: How It's Done in PDF15
  • 16. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF16 … Applied to PDF ISO 32000-1 ETSI TS 102 778 (PAdES) ISO 32000-2
  • 17. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Standards ISO ISO-32000-1 (2008) based on PDF 1.7 (2006) ISO-32000-2 will define PDF 2.0 (2016) ETSI: TS 102 778 (2009 - 2010) PAdES 1: Overview PAdES 2: Basic – CMS based (ISO-32000-1) PAdES 3: Enhanced – CAdES based (ISO-32000-2) PAdES 4: LTV – Long Term Validation PAdES 5: XAdES based (XML content) PAdES 6: Visual representation guidelines ETSI: TS 103 172 (2011 - 2013) PAdES Baseline Profile Digital signatures: How It's Done in PDF17
  • 18. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Signatures in PDF There are no bytes in the PDF that aren’t covered, other than the PDF signature itself. (*) The digital signature isn’t part of the ByteRange. The concept “to initial a document” doesn’t exist; you sign the complete document at once, not on a page per page basis. (*) Digital signatures: How It's Done in PDF18
  • 19. © 2015, iText Group NV, iText Software Corp., iText Software BVBA What’s inside a signature? Digital signatures: How It's Done in PDF19 ISO-32000: At minimum the PKCS#7 object shall include the signer’s X.509 signing certificate. This certificate shall be used to verify the signature value in /Contents. Best practices (“should” also have): • Full certificate chain • Revocation information (CRL / OCSP) • Timestamp %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DIGITAL SIGNATURE • Signed Message Digest • Certificate chain • Revocation information • Timestamp
  • 20. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF20 Architectures Server-side signing Client-side signing Deferred signing
  • 21. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Server-side signing Digital signatures: How It's Done in PDF21 <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Signed Message Digest Application DeviceSERVER
  • 22. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Use cases server-side signing Company signature Invoices Contracts … Signing services in the Cloud Docusign Echosign … Security management responsibilities! Digital signatures: How It's Done in PDF22
  • 23. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Client-side signing Digital signatures: How It's Done in PDF23 <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Signed Message Digest ApplicationDevice CLIENT
  • 24. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Use cases client-side signing Desktop applications Adobe Acrobat Pro Adobe Reaer (for Reader-enabled documents) Home-made, e.g. using iText In a web context The PDF software runs on the client, e.g. using Java Web Start Access to the token or smart card through MSCAPI PKCS#11 Custom smart card library Security User has smart card and PIN or USB token and passphrase Digital signatures: How It's Done in PDF24
  • 25. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Deferred signing Digital signatures: How It's Done in PDF25 Signed Message Digest AppDevice CLIENT <</Type/Sig/ /Contents < %PDF-1.x ... ... %%EOF >>> Application SERVER
  • 26. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Use cases deferred signing Signing on an iPad/Tablet App on the device has a low footprint Easy to integrate into a document management system Disadvantage You need to trust the server that the hash you receive is actually the hash of the document you want to sign Common Criteria A framework in which computer system users can specify their security functional and assurance requirements (SFRs and SARs respectively) through the use of Protection Profiles (PPs), vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. Digital signatures: How It's Done in PDF26
  • 27. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF27 Digital signatures and workflow Author signatures Recipient signatures Locking fields / documents
  • 28. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Serial signatures 28 %PDF-1.x % Original document % Additional content 1 ... ... %%EOF DIGITAL SIGNATURE 1 ... %%EOF DIGITAL SIGNATURE 2 % Additional content 2 ... ... %%EOF DIGITAL SIGNATURE 3 Rev1 Rev2 Rev3 A PDF document can be signed more than once, but parallel signatures aren’t supported, only serial signatures: additional signatures sign all previous signatures. Digital signatures: How It's Done in PDF
  • 29. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: types Certification (aka author) signature Only possible for the first revision Involves modification detection permissions: No changes allowed Form filling and signing allowed Form filling, signing and commenting allowed Approval (aka recipient) signature Workflow with subsequent signers New in PDF 2.0: modification detection permissions Digital signatures: How It's Done in PDF29
  • 30. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Other possible icons Signer’s identity is unknown Document has been altered or corrupted Digital signatures: How It's Done in PDF30
  • 31. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Certified by Alice Digital signatures: How It's Done in PDF31
  • 32. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Read, approved and signed by Bob Digital signatures: How It's Done in PDF32
  • 33. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Bob’s signature invalidated by Chuck Digital signatures: How It's Done in PDF33
  • 34. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Read, approved and signed by Carol Digital signatures: How It's Done in PDF34
  • 35. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Read, approved and signed by Dave Digital signatures: How It's Done in PDF35
  • 36. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Signature and lock broken by Chuck Digital signatures: How It's Done in PDF36
  • 37. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF37 Long-term validation Revocation Timestamps LTV
  • 38. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Certificates expire Digital signatures: How It's Done in PDF38 Expiration date 2013 2014 2015
  • 39. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Certificates get revoked Digital signatures: How It's Done in PDF39 Expiration dateRevocation date 2013 2014 2015
  • 40. © 2015, iText Group NV, iText Software Corp., iText Software BVBA How to survive revocation / expiration? Digital signatures: How It's Done in PDF40 Expiration dateRevocation date
  • 41. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Timestamps Digital signatures: How It's Done in PDF41
  • 42. © 2015, iText Group NV, iText Software Corp., iText Software BVBA What to do when: There’s no CRL/OCSP/TS in the document? The certificate is about to expire in one of your documents? The hashing/encryption algorithm is about to be deprecated? Digital signatures: How It's Done in PDF42
  • 43. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Document Security Store (DSS) Digital signatures: How It's Done in PDF43 %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DIGITAL SIGNATURE • Signed Message Digest • Certificate %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE • VRI, Certs, OCSPs, CRLs DIGITAL SIGNATURE • Signed Message Digest • Certificate
  • 44. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Document-level timestamp Digital signatures: How It's Done in PDF44 %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE • VRI, Certs, OCSPs, CRLs %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE • VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 ETSI.RFC3161 DIGITAL SIGNATURE • Signed Message Digest • Certificate DIGITAL SIGNATURE • Signed Message Digest • Certificate
  • 45. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF45 %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE • VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 %PDF-1.x ... /ByteRange ... /Contents< >... %%EOF DSS for DIGITAL SIGNATURE • VRI, Certs, OCSPs, CRLs DOCUMENT TIMESTAMP TS1 DSS for TS1 DOCUMENT TIMESTAMP TS2 DIGITAL SIGNATURE • Signed Message Digest • Certificate DIGITAL SIGNATURE • Signed Message Digest • Certificate
  • 46. © 2015, iText Group NV, iText Software Corp., iText Software BVBA Digital signatures: How It's Done in PDF46 Questions? itextpdf.com SG: sales.isa@itextpdf.com +65 31 58 39 47 BE: sales.isb@itextpdf.com +32 92 98 02 31 US: sales.isc@itextpdf.com +1 617 982 646