what's new in pdf 2.0 regarding digital signatures
TRANSCRIPT
What's new in PDF 2.0regarding Digital Signatures
Bruno LowagieiText Software Group
www.itextpdf.com
Digital Signatures are gaining importance!
• Electronic invoices– Going paperless!
• Contracts and Agreements– Workflow!
• Notarized documents– Long-Term Validation!
• Official documents– Assurance of authenticity!
www.itextpdf.com
Standards: PAdES — ISO-32000-2
www.itextpdf.com
iText White Paper
www.itextpdf.com
iText White Paper• Chapter 1:
– The concept of digital signatures• Chapter 2:
– Digital signatures in the context of PDF• Chapter 3:
– Best practices in signing• Chapter 4:
– Architectures for digital signing• Chapter 5:
– Verification and Long-Term Validation
www.itextpdf.com
Goals• Integrity — we want assurance that the
document hasn’t been changed somewhere in the workflow
• Authenticity — we want assurance that the author of the document is who we think it is (and not somebody else)
• Non-repudiation — we want assurance that the author can’t deny his authorship.
www.itextpdf.com
Concept 1: Message digest• Hashing algorithm:
– a cryptographic hash function to turn an arbitrary block of data into a fixed-size bit string.
• Available algorithms:– MD5: Ron Rivest– SHA
• SHA-1: NSA• SHA-2: NSA / NIST• NEW: SHA-3 contest winner “Keccak”
– RIPEMD: KULeuven
www.itextpdf.com
Concept 2: Encryption• Asymmetric key algorithms
– Encryption
– Digital signing
www.itextpdf.com
Concept 1 + Concept 2• Producer
– Provides data as-is– Provides hash encrypted using private key– Provides public key
• Consumer– Creates hash from data: hash1– Decrypts hash using public key: hash2– If (hash1 == hash2) document OK!
www.itextpdf.com
Goals met?• Integrity:
– hashes are identical• Authenticity:
– identity found along with public key• Non-repudiation:
– if hash can be decrypted with public key, the document was signed with the corresponding private key
www.itextpdf.com
iText White Paper• Chapter 1:
– The concept of digital signatures• Chapter 2:
– Digital signatures in the context of PDF• Chapter 3:
– Best practices in signing• Chapter 4:
– Architectures for digital signing• Chapter 5:
– Verification and Long-Term Validation
www.itextpdf.com
PDF Syntax• There are no bytes in
the PDF that aren’t covered, other than the PDF signature itself.
• The digital signature isn’t part of the ByteRange.
• The concept “to initial a document” doesn’t exist; you sign the complete document at once (not on a page per page basis).
www.itextpdf.com
How to compose a signature?
www.itextpdf.com
Old subfilters• adbe.x509.rsa_sha1
– Message Digest: SHA-1, SHA256, SHA384, SHA512, RIPEMD160
– Encryption: RSA– Uses PKCS#1: forbidden in PAdES
• adbe.pkcs7.sha1 – Message Digest: SHA-1– Encryption: RSA, DSA– Subfilter deprecated in ISO-32000-2
www.itextpdf.com
Detached signatures• adbe.pkcs7.detached • ETSI.CAdES.detached
– SHA-1, SHA256, SHA384, SHA512, RIPEMD160
– RSA, DSA, ECDSA• Warning
– SHA-1 is being phased out– Key length ≥ 2048-bit– Some combinations won’t work in old versions
www.itextpdf.com
Private key & CertificatesBouncyCastleProvider provider = new BouncyCastleProvider();Security.addProvider(provider);KeyStore ks = KeyStore.getInstance("pkcs12", provider.getName());ks.load(new FileInputStream(path), pass);String alias = (String)ks.aliases().nextElement();PrivateKey pk = (PrivateKey) ks.getKey(alias, pass);Certificate[] chain = ks.getCertificateChain(alias);
www.itextpdf.com
iText Reader & StamperPdfReader reader = new PdfReader(src);OutputStream os = new FileOutputStream(dest);PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0');
www.itextpdf.com
Signature appearancePdfSignatureAppearance appearance = stamper.getSignatureAppearance();appearance.setReason(reason);appearance.setLocation(location);appearance.setVisibleSignature( new Rectangle(36, 748, 144, 780), 1, "sig");appearance.setCertificationLevel(certificationLevel);
www.itextpdf.com
Creating the signatureExternalDigest digest = new BouncyCastleDigest();ExternalSignature pks = new PrivateKeySignature( pk, digestAlgorithm, provider); MakeSignature.signDetached( appearance, digest, pks, chain, null, null, null, 0, subfilter);
CMS/CADES
Chapter 3
www.itextpdf.com
Default appearance
www.itextpdf.com
Custom appearance
www.itextpdf.com
Certification Level• Certification (aka author) signature— only
possible for the first revision; involves modification detection and prevention (MDP).
• Approval (aka recipient) signature— workflow with subsequent signers.
• Usage Rights signature— involving Adobe’s private key to Reader enable a PDF (off-topic here).
www.itextpdf.com
Author signature
www.itextpdf.com
Approval signature
www.itextpdf.com
Approval signature: broken
www.itextpdf.com
Approval signature: update
www.itextpdf.com
Serial signatures• A document can be
signed more than once.
• Parallel signatures aren’t supported.
• Additional signatures sign all previous signatures.
www.itextpdf.com
Workflow: Certified by Alice
www.itextpdf.com
Read & Approved by Bob
www.itextpdf.com
Signed by Bob
www.itextpdf.com
Chuck and the MDP settings
www.itextpdf.com
Read & Approved by Carol
www.itextpdf.com
Signed by Carol
www.itextpdf.com
Filled out and signed by Dave
www.itextpdf.com
Chuck and the MDP settings
www.itextpdf.com
iText White Paper• Chapter 1:
– The concept of digital signatures• Chapter 2:
– Digital signatures in the context of PDF• Chapter 3:
– Best practices in signing• Chapter 4:
– Architectures for digital signing• Chapter 5:
– Verification and Long-Term Validation
www.itextpdf.com
Certificate Authorities
www.itextpdf.com
Self-signed certificate
www.itextpdf.com
Certificate Authority
www.itextpdf.com
CDS / AATL
www.itextpdf.com
Certificate Revocation• What if your certificate is compromised?
• CRL: Certificate Revocation List• OCSP: Online Certificate Status Protocol
List<CrlClient> crlList = new ArrayList<CrlClient>();
• CrlClientOnline• CrlClientOffline
OcspClient ocspClient =new OcspClientBouncyCastle();
www.itextpdf.com
CRL versus OSCP• File Size:
– OCSP: small, predictable size– CRL: depends on the CA
• Performance:– CRL: can be cached– OCSP: online connection
• Legal requirements
www.itextpdf.com
Certificates expire
2012 2013 2014
Expiration date
www.itextpdf.com
Certificates get revoked
2012 2013 2014
Expiration dateRevocation date
www.itextpdf.com
How to survive expiration?
2012 2013 2014
Expiration dateRevocation date
TSAClient tsa = new TSAClientBouncyCastle( tsaUrl, tsaUser, tsaPass);
www.itextpdf.com
iText White Paper• Chapter 1:
– The concept of digital signatures• Chapter 2:
– Digital signatures in the context of PDF• Chapter 3:
– Best practices in signing• Chapter 4:
– Architectures for digital signing• Chapter 5:
– Verification and Long-Term Validation
www.itextpdf.com
Client + software certificate
www.itextpdf.com
Client + key on hardware
www.itextpdf.com
Server + software certificate
www.itextpdf.com
Server + key on hardware
www.itextpdf.com
iText White Paper• Chapter 1:
– The concept of digital signatures• Chapter 2:
– Digital signatures in the context of PDF• Chapter 3:
– Best practices in signing• Chapter 4:
– Architectures for digital signing• Chapter 5:
– Verification and Long-Term Validation
www.itextpdf.com
Inspecting signed documents• Manually• Automated process
– Checking the integrity of a signed PDF– Checking the certificate chain– Retrieving information from the signature– TODO: validate MDP settings
www.itextpdf.com
What to do when...• There’s no CRL/OCSP/TS in the
document?• The certificate is about to expire?• The hashing / encryption algorithm is
about to be deprecated?
www.itextpdf.com
Long-Term Validation (LTV)
www.itextpdf.com
Long-Term Validation (LTV)
www.itextpdf.com
Validation of LTVPAdES 4 section 4.3:• The “latest” document timestamp should be validated at current
time with validation data collected at current time.• The “inner” document timestamp should be validated at
previous document timestamp time with the validation present (and timestamped for the successive enveloping timestamps) in the previous DSS.
• The signature and the signature timestamp should be validated at the latest innermost LTV document timestamp time using the validation data stored in the DSS and timestamped by the successive enveloping timestamps.
What's new in PDF 2.0regarding Digital Signatures
Bruno LowagieCEOiText Software Group
www.itextpdf.com
Conclusion• ISO-32000-2 (PDF 2.0)
– Deprecation of old subfiltertypes– Support for new subfiltertypes– Support for CAdES signatures– Support for ECDSA encryption– MDP extended to approval signatures– LTV: Long-term validation
www.itextpdf.com
Conclusion• PAdES
– PAdES 1: summary of PAdES– PAdES 2: CMS (ISO-32000-1)– PAdES 3: CAdES (ISO-32000-2)– PAdES 4: LTV (ISO-32000-2)– PAdES 5: not discussed (iText Roadmap 2013)– PAdES 6: signature appearance
www.itextpdf.com
Conclusion• Technology
– Software certificates (PKCS#12)– HSM (PKCS#11)– USB token (PKCS#11, MSCAPI)– Smart card (PKCS#11, MSCAPI, smartcardio, ...)
www.itextpdf.com
Thank you!http://itextpdf.com/book/digitalsignatures