![Page 1: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/1.jpg)
What's new in PDF 2.0regarding Digital Signatures
Bruno LowagieiText Software Group
![Page 2: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/2.jpg)
www.itextpdf.com
Digital Signatures are gaining importance!
• Electronic invoices– Going paperless!
• Contracts and Agreements– Workflow!
• Notarized documents– Long-Term Validation!
• Official documents– Assurance of authenticity!
![Page 3: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/3.jpg)
www.itextpdf.com
Standards: PAdES — ISO-32000-2
![Page 4: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/4.jpg)
www.itextpdf.com
iText White Paper
![Page 5: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/5.jpg)
www.itextpdf.com
iText White Paper• Chapter 1:
– The concept of digital signatures• Chapter 2:
– Digital signatures in the context of PDF• Chapter 3:
– Best practices in signing• Chapter 4:
– Architectures for digital signing• Chapter 5:
– Verification and Long-Term Validation
![Page 6: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/6.jpg)
www.itextpdf.com
Goals• Integrity — we want assurance that the
document hasn’t been changed somewhere in the workflow
• Authenticity — we want assurance that the author of the document is who we think it is (and not somebody else)
• Non-repudiation — we want assurance that the author can’t deny his authorship.
![Page 7: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/7.jpg)
www.itextpdf.com
Concept 1: Message digest• Hashing algorithm:
– a cryptographic hash function to turn an arbitrary block of data into a fixed-size bit string.
• Available algorithms:– MD5: Ron Rivest– SHA
• SHA-1: NSA• SHA-2: NSA / NIST• NEW: SHA-3 contest winner “Keccak”
– RIPEMD: KULeuven
![Page 8: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/8.jpg)
www.itextpdf.com
Concept 2: Encryption• Asymmetric key algorithms
– Encryption
– Digital signing
![Page 9: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/9.jpg)
www.itextpdf.com
Concept 1 + Concept 2• Producer
– Provides data as-is– Provides hash encrypted using private key– Provides public key
• Consumer– Creates hash from data: hash1– Decrypts hash using public key: hash2– If (hash1 == hash2) document OK!
![Page 10: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/10.jpg)
www.itextpdf.com
Goals met?• Integrity:
– hashes are identical• Authenticity:
– identity found along with public key• Non-repudiation:
– if hash can be decrypted with public key, the document was signed with the corresponding private key
![Page 11: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/11.jpg)
www.itextpdf.com
iText White Paper• Chapter 1:
– The concept of digital signatures• Chapter 2:
– Digital signatures in the context of PDF• Chapter 3:
– Best practices in signing• Chapter 4:
– Architectures for digital signing• Chapter 5:
– Verification and Long-Term Validation
![Page 12: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/12.jpg)
www.itextpdf.com
PDF Syntax• There are no bytes in
the PDF that aren’t covered, other than the PDF signature itself.
• The digital signature isn’t part of the ByteRange.
• The concept “to initial a document” doesn’t exist; you sign the complete document at once (not on a page per page basis).
![Page 13: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/13.jpg)
www.itextpdf.com
How to compose a signature?
![Page 14: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/14.jpg)
www.itextpdf.com
Old subfilters• adbe.x509.rsa_sha1
– Message Digest: SHA-1, SHA256, SHA384, SHA512, RIPEMD160
– Encryption: RSA– Uses PKCS#1: forbidden in PAdES
• adbe.pkcs7.sha1 – Message Digest: SHA-1– Encryption: RSA, DSA– Subfilter deprecated in ISO-32000-2
![Page 15: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/15.jpg)
www.itextpdf.com
Detached signatures• adbe.pkcs7.detached • ETSI.CAdES.detached
– SHA-1, SHA256, SHA384, SHA512, RIPEMD160
– RSA, DSA, ECDSA• Warning
– SHA-1 is being phased out– Key length ≥ 2048-bit– Some combinations won’t work in old versions
![Page 16: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/16.jpg)
www.itextpdf.com
Private key & CertificatesBouncyCastleProvider provider = new BouncyCastleProvider();Security.addProvider(provider);KeyStore ks = KeyStore.getInstance("pkcs12", provider.getName());ks.load(new FileInputStream(path), pass);String alias = (String)ks.aliases().nextElement();PrivateKey pk = (PrivateKey) ks.getKey(alias, pass);Certificate[] chain = ks.getCertificateChain(alias);
![Page 17: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/17.jpg)
www.itextpdf.com
iText Reader & StamperPdfReader reader = new PdfReader(src);OutputStream os = new FileOutputStream(dest);PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0');
![Page 18: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/18.jpg)
www.itextpdf.com
Signature appearancePdfSignatureAppearance appearance = stamper.getSignatureAppearance();appearance.setReason(reason);appearance.setLocation(location);appearance.setVisibleSignature( new Rectangle(36, 748, 144, 780), 1, "sig");appearance.setCertificationLevel(certificationLevel);
![Page 19: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/19.jpg)
www.itextpdf.com
Creating the signatureExternalDigest digest = new BouncyCastleDigest();ExternalSignature pks = new PrivateKeySignature( pk, digestAlgorithm, provider); MakeSignature.signDetached( appearance, digest, pks, chain, null, null, null, 0, subfilter);
CMS/CADES
Chapter 3
![Page 20: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/20.jpg)
www.itextpdf.com
Default appearance
![Page 21: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/21.jpg)
www.itextpdf.com
Custom appearance
![Page 22: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/22.jpg)
www.itextpdf.com
Certification Level• Certification (aka author) signature— only
possible for the first revision; involves modification detection and prevention (MDP).
• Approval (aka recipient) signature— workflow with subsequent signers.
• Usage Rights signature— involving Adobe’s private key to Reader enable a PDF (off-topic here).
![Page 23: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/23.jpg)
www.itextpdf.com
Author signature
![Page 24: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/24.jpg)
www.itextpdf.com
Approval signature
![Page 25: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/25.jpg)
www.itextpdf.com
Approval signature: broken
![Page 26: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/26.jpg)
www.itextpdf.com
Approval signature: update
![Page 27: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/27.jpg)
www.itextpdf.com
Serial signatures• A document can be
signed more than once.
• Parallel signatures aren’t supported.
• Additional signatures sign all previous signatures.
![Page 28: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/28.jpg)
www.itextpdf.com
Workflow: Certified by Alice
![Page 29: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/29.jpg)
www.itextpdf.com
Read & Approved by Bob
![Page 30: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/30.jpg)
www.itextpdf.com
Signed by Bob
![Page 31: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/31.jpg)
www.itextpdf.com
Chuck and the MDP settings
![Page 32: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/32.jpg)
www.itextpdf.com
Read & Approved by Carol
![Page 33: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/33.jpg)
www.itextpdf.com
Signed by Carol
![Page 34: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/34.jpg)
www.itextpdf.com
Filled out and signed by Dave
![Page 35: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/35.jpg)
www.itextpdf.com
Chuck and the MDP settings
![Page 36: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/36.jpg)
www.itextpdf.com
iText White Paper• Chapter 1:
– The concept of digital signatures• Chapter 2:
– Digital signatures in the context of PDF• Chapter 3:
– Best practices in signing• Chapter 4:
– Architectures for digital signing• Chapter 5:
– Verification and Long-Term Validation
![Page 37: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/37.jpg)
www.itextpdf.com
Certificate Authorities
![Page 38: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/38.jpg)
www.itextpdf.com
Self-signed certificate
![Page 39: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/39.jpg)
www.itextpdf.com
Certificate Authority
![Page 40: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/40.jpg)
www.itextpdf.com
CDS / AATL
![Page 41: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/41.jpg)
www.itextpdf.com
Certificate Revocation• What if your certificate is compromised?
• CRL: Certificate Revocation List• OCSP: Online Certificate Status Protocol
![Page 42: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/42.jpg)
List<CrlClient> crlList = new ArrayList<CrlClient>();
• CrlClientOnline• CrlClientOffline
![Page 43: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/43.jpg)
OcspClient ocspClient =new OcspClientBouncyCastle();
![Page 44: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/44.jpg)
www.itextpdf.com
CRL versus OSCP• File Size:
– OCSP: small, predictable size– CRL: depends on the CA
• Performance:– CRL: can be cached– OCSP: online connection
• Legal requirements
![Page 45: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/45.jpg)
www.itextpdf.com
Certificates expire
2012 2013 2014
Expiration date
![Page 46: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/46.jpg)
www.itextpdf.com
Certificates get revoked
2012 2013 2014
Expiration dateRevocation date
![Page 47: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/47.jpg)
www.itextpdf.com
How to survive expiration?
2012 2013 2014
Expiration dateRevocation date
![Page 48: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/48.jpg)
TSAClient tsa = new TSAClientBouncyCastle( tsaUrl, tsaUser, tsaPass);
![Page 49: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/49.jpg)
www.itextpdf.com
iText White Paper• Chapter 1:
– The concept of digital signatures• Chapter 2:
– Digital signatures in the context of PDF• Chapter 3:
– Best practices in signing• Chapter 4:
– Architectures for digital signing• Chapter 5:
– Verification and Long-Term Validation
![Page 50: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/50.jpg)
www.itextpdf.com
Client + software certificate
![Page 51: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/51.jpg)
www.itextpdf.com
Client + key on hardware
![Page 52: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/52.jpg)
www.itextpdf.com
Server + software certificate
![Page 53: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/53.jpg)
www.itextpdf.com
Server + key on hardware
![Page 54: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/54.jpg)
www.itextpdf.com
iText White Paper• Chapter 1:
– The concept of digital signatures• Chapter 2:
– Digital signatures in the context of PDF• Chapter 3:
– Best practices in signing• Chapter 4:
– Architectures for digital signing• Chapter 5:
– Verification and Long-Term Validation
![Page 55: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/55.jpg)
www.itextpdf.com
Inspecting signed documents• Manually• Automated process
– Checking the integrity of a signed PDF– Checking the certificate chain– Retrieving information from the signature– TODO: validate MDP settings
![Page 56: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/56.jpg)
www.itextpdf.com
What to do when...• There’s no CRL/OCSP/TS in the
document?• The certificate is about to expire?• The hashing / encryption algorithm is
about to be deprecated?
![Page 57: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/57.jpg)
www.itextpdf.com
Long-Term Validation (LTV)
![Page 58: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/58.jpg)
www.itextpdf.com
Long-Term Validation (LTV)
![Page 59: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/59.jpg)
www.itextpdf.com
Validation of LTVPAdES 4 section 4.3:• The “latest” document timestamp should be validated at current
time with validation data collected at current time.• The “inner” document timestamp should be validated at
previous document timestamp time with the validation present (and timestamped for the successive enveloping timestamps) in the previous DSS.
• The signature and the signature timestamp should be validated at the latest innermost LTV document timestamp time using the validation data stored in the DSS and timestamped by the successive enveloping timestamps.
![Page 60: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/60.jpg)
What's new in PDF 2.0regarding Digital Signatures
Bruno LowagieCEOiText Software Group
![Page 61: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/61.jpg)
www.itextpdf.com
Conclusion• ISO-32000-2 (PDF 2.0)
– Deprecation of old subfiltertypes– Support for new subfiltertypes– Support for CAdES signatures– Support for ECDSA encryption– MDP extended to approval signatures– LTV: Long-term validation
![Page 62: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/62.jpg)
www.itextpdf.com
Conclusion• PAdES
– PAdES 1: summary of PAdES– PAdES 2: CMS (ISO-32000-1)– PAdES 3: CAdES (ISO-32000-2)– PAdES 4: LTV (ISO-32000-2)– PAdES 5: not discussed (iText Roadmap 2013)– PAdES 6: signature appearance
![Page 63: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/63.jpg)
www.itextpdf.com
Conclusion• Technology
– Software certificates (PKCS#12)– HSM (PKCS#11)– USB token (PKCS#11, MSCAPI)– Smart card (PKCS#11, MSCAPI, smartcardio, ...)
![Page 64: What's new in PDF 2.0 regarding digital signatures](https://reader035.vdocuments.us/reader035/viewer/2022062523/543979d88d7f7246668b597d/html5/thumbnails/64.jpg)
www.itextpdf.com
Thank you!http://itextpdf.com/book/digitalsignatures