My problem is this: I must digitally sign, with a token bound in an external card (PIN required), a large number of pdf files every day.
I wrote a macro to convert word files into pdf at once; now I wonder if I can insert in the same routine some other lines to accomplish the further task of digitally signing each pdf file created.
Since you are talking of word documents, I assume, you are using it on Windows. Some of the smartcard or USB Token drivers, on Windows OS (as far as I know), has feature to save or remember user PIN. Enabling that feature would prevent asking for PIN for every cryptographic operation.
If driver does not have such feature, then you may have to study and use CSP (Crypto Service Provider on Windows) of the device if available or use direct PKCS#11 API to achieve the operation by providing PIN programmatically, but these things requires sufficient expertise and understanding of PKI.
For bulk signing of pdf there are lot of free and paid softwares available which provides you lot of automated features. You may consider going for once instead of re-inventing the wheel. My Co. CISPL also provides Signer.Digital range of solutions for achieving the task.
Related
I want to replicate the core functionality of an e-signature software such as DocuSign, HelloSign or SignRequest.
Everything is clear to me, but I have a hard time understanding how does the software works itself. How does it render the boxes over the PDF, how does it place the signature over the PDF when I am done writing, how does that JS signature create a PDF on the server side?
How does these types of software work?
There is an abundance of technologies & tools available to develop such e-signature software. Let's take one example which is somewhat similar to the software you mentioned. The use-case to build such software can be realised using the front-end and back-end (server-side) technologies.
On the Client-side, you can use front end frameworks like Angular and React to develop an interface for the end-users using which they can upload the documents to the server-side. You can create signature block layouts and display them alongside the document.
Users can drop those blocks on specific locations and send the request for signing to the recipients. During the signing process, user details will be populated into the signature block and sent to the server for performing the signing process.
On the server side, the responsibility would be to take the appropriate information from the request and print/add those signature blocks to the document at the appropriate positions. On the server side, you need some library to process the documents for adding the signature blocks and signing the documents. If you're using java alongside the spring framework you can use pdfbox for doing such operations.
On server side the responisbility would be to take the appropriate information from the request and print/add those signature blocks to the document at the appropriate positions. On server side you needs some library to process the documents for adding the signature blocks and signing the documents. If you're using java alongside spring framework you can use pdfbox for doing such operations.
How does it render the boxes over the PDF, how does it place the
signature over the PDF when I am done writing, how does that JS
signature create a PDF on the server side?
The contract between client and server for the signature blocks could be a JSON object having the information about the coordinates where the request creator drops those blocks for recipients for signing. On the server side, you can manipulate the document to add those signature blocks at the mentioned coordinates in the request.
I am now motivated to explore a coding language so that I can make the best solution possible.
But I am not sure of the capabilities of all coding langugages, so I am asking for advice.
I want to automate some of the daily processes I do at the office. There is an external database on the internet that we use. We access it with a smart card and secured http.
In short, these are the actions that I do each time I restart the browser or a session ends:
Open a Secured HTTP. /....jsp
After being promted I choose an installed certificate
A smart card is called and I enter a PIN. /charismatics smart security interface/
The page asks me to log in with a username and password.
I open the desired link.
I extract the data from the opened webpage manually.
Is it possible to have all these action automated by code?
THANK YOU FOR ANY SUPPORT
If you get a PIN screen from the charismatics smart card security interface instead of from the operating system then it it may be very hard to automate this. Your program is unlikely to get access to the PIN popup Window.
If you get the PIN prompt from a CSP (as you mentioned in the comments) then it may be possible to automate the PIN login. The PIN is normally used to set up the SSL/TLS connection, so having it open in the browser won't help you much, unless you program the browser itself.
If you are bound to CSP's it may be best to keep to C#/.NET. There are of course bindings for other runtimes, but it is better to have as much control as possible.
You may want to take a look at topics such as parsing HTML, because that's something you certainly need to do. Life becomes a lot harder if the web-pages are filled in using JavaScript, so you may check for that first.
Now if you want to manually choose a link you may want to render the page in your own application and handle the download yourself.
This is certainly not a task I would recommend when starting off on an unknown programming language. I would find this a tricky task - there are a lot of ifs left with this description.
I need my native iPad application to store its data (say .DOC documents downloaded via HTTPS) in an encrypted form. Those .DOC files are to be opened in 3rd party apps on the iPad.
I need to know whether there is a way that data of both my application and those of 3rd party apps can be encrypted? Meaning that my .DOC file will never be stored in unencrypted form on the device. (motivation here being that my app downloads documents with sensitive information and I want those documents to be read on the iPad, but with the layer of disk-encryption protection.)
I was reading through Advanced App Tricks # apple.com, section "Protecting Data Using On-Disk Encryption", but was unable to find any relevant information.
First, let's get the hardware encryption aspect out of the way:
iOS supports hardware encrpytion of everything on the disk. It's encrypted with a key that has nothing to do with your device pass code. This feature is there to allow quick wiping of the device's data (by overwriting the device encryption key). It doesn't really protect your data from being retrieved by a skilled interloper who can get your device, however; a jailbreak will get around this.
Per-file encryption via the Data Protection API: iOS can be told that certain files are to be encrypted by setting a flag on them. They are then encrypted using the device pass code (if one has been set). Note: if the user hasn't set a passcode, this extra protection isn't applied! Therefore, technically, this protection is out of your control, unless your users work at an organisation that enforces passcode lock policies (using iPhone Configuration Utility or similar).
Encryption using CommonCrypto: you can use encryption APIs such as this to manually do your own encryption/decryption. Note that if you don't know what you're doing it's easily to abuse such APIs and end up with not very secure encryption. However, there are some wrappers such as RNCryptor which make it much harder to abuse these APIs.
Protecting files used by third party apps: Can you clarify how your app will share files with third party apps please?
More info:
http://support.apple.com/kb/HT4175
http://www.ilounge.com/index.php/articles/comments/ios-encryption-and-data-protection/
http://developer.apple.com/library/ios/#documentation/security/Conceptual/cryptoservices/Introduction/Introduction.html#//apple_ref/doc/uid/TP40011172-CH1-SW1
https://github.com/rnapier/RNCryptor
Update
On using UIDocumentInteractionController:
Once you've handed off your document to another app using this method, the data is out of your hands and the third party app can do what it likes with it. If you're happy with that, and your main concern is just having the document stored on your device in a protected way, then there are a couple of possibilities:
Rely on Data Protection API to protect the document on-disk (user has to set a passcode and you need to tell iOS that the particular file is to be protected for this to work)
Using the NSURLProtocol trick mentioned here to decrypt an encrypted file on disk on-the-fly
I have a Java EE app that needs to implement e-signing of PDF Files. The user needs to be able to click a link that will generate a PDF File based on data in the database and see the PDF in their browser. The use then needs to be able to "sign" the document using their private key stored on their smart card (which is plugged into a smart card reader on the PC that they're using). Users are using Windows 7 and JRE 1.6
I was hoping to use iText for the PDF generation, but it is unclear what solution I would use on the client-side for pulling information in from from the smart card and then for applying that information to sign the PDF and show the PDF as being signed (either showing the user's signature or updating the doc to say that it has been signed).
Has anyone done this before and has a solution?
It does not help reading a certificate from the smartcard, as you
need the private key.
You should not (and most often can not) read the private key from the smartcard
(that's the reason for using a smartcard)
To access the smartcard you need to interface one of the native
API's like plain PC/SC, PKCS#11 or CSP.
To do this from the browser you need either an ActiveX or an Applet.
Building this from scratch is very ambitious
Some critical information is:
- what reader
- what smartcard
- what browser
- what os
to select or develop a solution
We have a commercial product built using applet technology that does exactly what you requested (take a PDF, interface to the smartcard, sign the hash, insert the signature in any form supported by PDF, post the signed PDF). If you are interested, i will provide a contact.
Use PDF Studio. I had an issue with my CAC reader config.cfg file but after I deleted the "slot = 1" line it worked like a champ. My file now looks like this:
name = SunPKCS11
library = /usr/lib64/libcackey.so
For further info visit:
https://www.qoppa.com/pdfstudio/
Sorry I couldn't find the best heading for this question. Following is my requirement.
I a working on a project which deals which large amount of money transactions to different account. The system automatically transfers money to accounts of A,B, C etc etc,, But before this is done Some one from A,B or C should approve(electronically) the amount to be transferred.
What do you think is the best way of doing it? I want the system to send a file (PDF of something) which is digitally signed (?) and the authorised person from A,B and C should check and confirm that the amount is correct.
Since the amount is high I must make sure the file sent out by the system is not tampered and at the same time I also want to make sure the file (reply) sent by A,B or C is also not tampered . What is the best way to achieve it? Any ideas?
Digital Signatures is what you are looking for. Adobe PDF (since you mentioned pdf) allows you to sign the pdf in the free Adobe Reader version and verification is also done automatically, as soon as you open the pdf document.
The difference between DigSig and (H)MACs as posted by Noldorin is, that MACs use symmetric encryption, where you require a secure channel to exchange the key, whereas in a PKI environment that secure channel is not required.
It depends how you want to distribute your keys.
You'll want to look into MACs (Message Authentication Codes). There are a number of libraries out there for various languages that implement common algorithms such as HMAC.
EDIT: See also DSA (http://en.wikipedia.org/wiki/Digital_Signature_Algorithm), which is a popular algorithm for digital signatures, and is fully implemented in the standard .NET framework (System.Cryptography namespace).
My first reaction would be Digital Signatures - but they have a fatal flaw: they are digital data that could be compromised by a careless user.
If that is a concern you can go for the process that South African banks use, a one-time password. This password is transferred to them via a means that is not involved in the transaction (in South Africa this is by SMS, which I strongly recommend). We first type in a username and password, and then get the OTP via SMS which we then need to type in for any transactions that lead to money leaving our accounts.
Strong forms of security (in increasing effectiveness) include (I am no expert, but I do know a few):
Knowledge (A password)
Possession (A cell-phone SIM card that can receive SMSes, or a USB thumbdrive with a certificate)
Location (A computer with a hardware-based certificate management system, CellID)
Time (OTP expires, transaction must occur at specific time)
Identity (A fingerprint reader - effectively a password - but insanely long)
Uniqueness (A fibre-optic cable encoded in the polarization of the photons)
From what I know if you have any three of those you can be comfortable with your security. Adding more increases security exponentially, but also increases the inconvenience factor. The banks use Knowledge, Possession and Time in South Africa - and phishing really doesn't work against South African banks.
Hope this helped you out a little.
To digitally sign a file, you can use any of Microsoft's partners. Arx for example provide you with a tool called CoSign which you can use for free (or at least their trial version). This will allow you to add electronic signatures to most available formats (word, pdf, xml etc').