First of all, a bit of background - the actual questions are at the bottom.
I'm currently working on a web-based app (sort of SaaS) which allows users to send forms to their own customers.
These forms are simple, small contracts for small jobs where their customers say "Yeah sure, I'll do this and here's my confirmation".
The sort of thing that is being "signed" does not require a fully qualified digital signature and an electronic signature will suffice.
While, in this case, a simple checkbox saying "Yeah, I'll do this" would legally be sufficient, I'm keen to implement it with a signature pad. To be honest, it's just for the factor of being seemingly more binding and, well, "neat".
The current workflow looks like this:
User's customer opens web-form (the party being asked to sign is the only person in the universe to know the direct link)
Ticks a few boxes and enters text
Clicks "Sign" which opens an HTML5 signature pad (mobile) or a simple input (PC) to type their name
Clicks "Accept"
A PDF is generated for download and stored on the server (along with timestamp, IP, and a couple of other bits of information)
As you can see, the agreement in its entirety constitutes a simple electronic signature - even without the bells and whistles.
What I would like to do
As with any simple electronic signature, it's easy for any party to say that a document may have been tampered with.
So what I did is properly sign the PDF according to the specifications (using tcpdf): that entailed first generating the PDF and then adding the signature to the /Sig dictionary, then generating a digest across all byte-ranges (excluding the signature), linking it up with a .crt file and voilá: the document is signed with the lovely benefit of the signature becoming invalid if even a single byte is changed.
Now to the questions:
Is it possible to benefit from the "tamper-validation" without using a certificate? Like I say, these are not supposed to be digital signatures but rather simple, electronic signatures. Still, I'd like to benefit from any post-signature changes being highlighted.
Alternatively, I could also simply use a proper certificate for the signing process. But this certificate would be mine rather than my users' or even my users' customers'. In that sense, would it do more harm than good? I.e. the certificate belongs to the wrong party and therefore becomes meaningless; I, rather than the signatory vouches; "The document was changed and re-signed after I signed"; etc.
Is it possible to benefit from the "tamper-validation" without using a certificate? Like I say, these are not supposed to be digital signatures but rather simple, electronic signatures. Still, I'd like to benefit from any post-signature changes being highlighted.
No, at least as long as you want to do this in an interoperable way.
You can of course invent your own security system, create a PDF viewer or at least plugins for the commonly used PDF viewers to support your system, and roll these programs out to your users.
But if you want existing Adobe Reader as-is to verify the signature, you've got to go the X509 PKI way.
Alternatively, I could also simply use a proper certificate for the signing process. But this certificate would be mine rather than my users' or even my users' customers'. In that sense, would it do more harm than good? I.e. the certificate belongs to the wrong party and therefore becomes meaningless; I, rather than the signatory vouches; "The document was changed and re-signed after I signed"; etc.
When using your own certificate for signing, don't forget to properly fill the reason field so it indicates that your signature is applied as a counter signature to guarantee validatability.
With that in place I don't see your signature doing any harm.
The question is how much good it does, though.
Obviously the user still can claim that he signed something different... because he did! He signed the web form, not the PDF. Thus, you might have to provide proof that the PDF reflects exactly what the web form showed anyways, that the user signed something equivalent.
If you want actual non-repudiation by the user, you need to make him sign personally in a manner that is commonly accepted to not allow tampering. In other words, your user needs to apply proper digital signatures himself. Everything else is open to claims of forgery.
You can use trusted time-stamp (defined in RFC3161) instead of signature created by the customer or by your server. Time-stamp protects document integrity and proves that your document existed before a particular time. Technically speaking it is a digital signature created by a trusted 3rd party.
Related
I've read the I-TEXT digital signature e-text, and also previous posts answered by MKL (who seems to be the authority along with Bruno on this topic).
essentially I have an Azure app service that gets the digital sig (base 64) and certificate chain from the company's signing API. The company's signing API returns a signature in Base64 along with a certificate chain.
I just want the to insert a signature object/container into the pdf so it will show in the signature panel when an end user opens up the pdf. I prefer to use deferred signing.
I've shifted from chapter 4's "clientseversigning example" to instead Deferred Signing in MKL's "How to create a PDF signature without knowing the signer certificate early".
The Company API returns a "plain" signature, that I am pretty sure, and also returns a chain of 3 string certificates.
I should note I do have the root and sub certs in advance (2 .cer files) but I am not using them in "prepping" the pdf for hashing right now since the deferred signing example doesn't make use of them obviously. For the container construction code (after getting the response from the Company API), I use the 3 certs chain returned from the company API, but I also tried it with the 2 .cer files, to no avail.
The only difference between my code and the one in the example is instead of byte[] certificateBytes = THE_RETRIEVED_CERTIFICATE_BYTES; X509Certificate x509Certificate = new X509CertificateParser().ReadCertificate(certificateBytes); I build 3 x509Certificates (one for each string in the chain returned from the Company API.
Sadly things wont work, I get these errors in Acrobat: Signature is invalid, There are errors in the formatting or information contained in this signature, signature's identity has not yet been verified, signing time is from the clock on the signer's computer...also if I click Certificate details just below of this error in Acrobat it is blank. This was pretty much the errors I was getting when trying the "clientserversigning example"
I am trying really hard and wondering what it could be... should I try modifying the estimated size from 12000 and bump it up? or the errors I am getting in Acrobat, maybe they are hinting the certificate chain from the Company API is not being picked up by the signing deferral container construction code ... I am struggling but any tips would be so greatly appreciated
Evan
Just to clarify, I am following chapter 4's clientserversigningexample but I am getting the following once my pdf is recreated with the signature from the company API
Its saying 1) there are errors in the formatting of information
2) signer's identity has not been verified
3) signing time is from the clock on the signer's computer
now as far as "prepping" the pdf before hashing it to send for signing...I don't see anything in the ClientSigning example that specifically preps it, can I assume the IText library is prepping it under the hood?
In your question and in your comments to it you appear to be in particular interested in
whether or not one can use a signature API that returns the certificates only together with the signature, and
when to to deferred signing.
Can You Use a Signature API That Provides the User Certificate Only After Signing
To answer this one first has to clarify what kind of signatures the signature API in question creates, plain signature values (e.g. PKCS#1 RSA signatures) or full-fledged CMS signature containers.
If it creates full-fledged CMS signature containers, you can create signatures following arbitrary signature profiles as long as the signature containers follow the requirements for them (which they often do). They only restriction you have is that you cannot have information from the signer certificate in the signature visualization because that visualization is defined in the signed data of the PDF.
If it only creates plain signature values, the best you can do is create and embed simple CMS containers that don't contain pointers to the signer certificate in the signed attributes (if they have any signed attributes as all to start with). Many signature policies of interest do require such pointers, but at least Adobe Reader accepts signatures without.
If you are in this situation and want to try creating signatures with such simple signature containers, you may want to use the code from this answer, section "How to create a PDF signature without knowing the signer certificate early".
When to Use Deferred Signing
The difference between deferred signing and other iText signing calls is not that deferred signing requires less information (compared to ExternalContainer signing).
In contrast to the other iText signing methods, signDeferred re-uses the outermost existing, filled signature field of the PDF to sign and merely replaces the signature container therein.
The method name is derived from the most common use case it’s used for:
In a first step a signature field is (probably first created and then) filled using signExternalContainer with an IExternalSignatureContainer implementation that calculates the document hash to be signed but does not return the final CMS container yet, merely some (usually) empty array. The generated PDF with a filled signature field (albeit without the final signature container) is then temporarily stored (in the file system or a database).
In a second step a signature container for the determined document hash is requested and (probably asynchronously) awaited.
In a final step signDeferred is used to inject the retrieved signature container into the PDF prepared in the first step.
This deferred signing process usually is preferred in setups in which the second step, the signature container creation and retrieval, can take longer than one wants to keep the resources blocked which are required for the document in signing. This includes in particular signatures generated by remote servers or clients, especially if that signing process awaits some third party clearance or activation.
I'm planning on using an online contract form where customers will agree to certain terms and conditions and sign with an electronic signature (using the mouse to spell their name). I'm wondering if this type of signature should be encrypted or if this information doesn't really need the extra layer of protection. Ideally I think having the extra layer of protection would be a good choice, but I'm a little strapped on cash.
You can get certificate for free from Let’s Encrypt. Its better than nothing.
I am currently working on a project that deals with sensitivity customer data, and we are being recommended to use Digital Signatures as appose to Electronic Signatures due to its new scale and the sensitive nature of the customers' data.
I personally don't know what the legal issues are with Digital Signatures, but I know that sometimes a Certificate Authority are needed?
This program is being written in C# visual studios if that matters, but I don't really know where to start with this process. I know it works like a public and private key encryption , a Public Key Infrastructure, but I have been informed that you must "buy" a certification from a Certificate authority. You could also create your own?
I was also informed that I need to make sure this would also allow documents created by our program to be legally binding in the USA. That certain laws and procedures are different in different countries so I need to make sure these are in order before I even start coding.
I'm sorry if this sounds more like a legal question then a coding question. My searches aren't helping and I can't start coding until I know what I can and can't do.
SSL encrypts the data channel. It can be broken by the NSA and perhaps others but it is considered quite hard to do so.
I certainly think it is a reasonable and appropriate level of data security for many uses, but that is merely my personal opinion.
Digital Signatures do not encrypt your data. Digital signatures sign your data, assuring you and the recipients that the data was not changed en route, and giving you confidence that you know who signed the data.
You can use a digital certificate purchased from a certificate authority to sign data. Or you can create a self-signed key for your organization and then use subordinate signer keys. We have many many customers who do this.
Documents signed with digital signatures are legally binding everywhere in the world. In some jurisdictions, for some purposes, you need a qualified digital signature. That means that the certificate was issued to the signer by a recognized national certificate authority.
I suggest that you are a ways from coding--you need to better understand your business requirements first.
With digital signatures, protecting the security of the signers' private keys is extremely important. These days, centralized hardware-hardened appliances are often used.
Here are some APIs which make it easy to digitally sign documents and data while managing the keys via an appliance.
Disclosure: I work for CoSign.
Context
My overall goal is to make a set of PDFs available, in such a way that users can be assured of the provenance of the documents (i.e., they came from the origin that they are expected to come from). I'm thinking about doing this by digitally signing the PDFs on the server. These signatures won't be in risk of expiring, because the server can just reissue new signed PDFs when the certificate is updated. Using SSL to serve the documents wouldn't be enough, because the files can be passed on to third parties, who don't want/need to access the server.
Problem
The expiration issue arises because some of these PDFs will already have one or more digital signatures (e.g., created for legal purposes). My question is, if the server signs the PDFs, will it also be ensuring the continued validity of the previous signatures, even after they expire, as long as the latest signature is valid?
I'm asking more on the theoretical side, although I plan to implement what I describe using iText, so any pointers on how to use it for my purpose are also welcome.
No, in a PDF all signatures should be validated independently. If you open a PDF with multiple signatures In Adbobe Reader all signatures are validated and you are going to get a warning message if one of the signature validations fails.
If you want to prevent against signature validation issues (for instance a validation failure due to signing certificate expiration) you should look at the PAdES standard (PDF Advanced Electronic Signature) Part #4 (PAdES-LTV Profile - PAdES Long Term Validation). This section of the standard deals with maintaining a proof of the validation across time in order to be able to revalidate the signatures in the future.
I don't know iText very much but it seems that PAdES-LTV is supported since I found this code sample : How to apply verification according to PAdES-LTV
Immagine a web application that lets you digitally sign (with personal digital certificates pkcs12 released by trusted CAs) and timestamp PDF documents with a Java applet or Active X. This must obviously happen on the machine of the user because the private key of the certificate is stored locally.
So once the PDF is signed and timestamped it is uploaded on the server.
Does the uploaded file have the same features of the one created locally? Does it have sense to talk about "the original version of the file"?
I'm a bit confused on this.
Correction:
i mean digitally sign a document with the private key of a personal digital certificate (should be pkcs7, pkcs12) to ensure that it has really been signed by someone and not someone else.
If by "the original version of the file" you mean that you intend to "freeze" the document so that nobody can ever make changes to it again - that is neither possible nor the purpose of a digital signature. Anyone could simply "cut out" the a signature embedded within a document, nobody would notice.
Protecting a document from subsequent modification involves some kind of DRM mechanism. For example, "watermarking" involving steganography is used to protect photos so that noone should be able to claim ownership of a photo, even after having modified it. But the technology is not very advanced yet, most algorithms can be easily broken.
This implies that the notion of "the original version of the file" in let's say a legal dispute is something that the involved parties have to agree upon in consent. There's no way to prove origin without either consent or a trusted third party that will attest the integrity of a document, e.g. if they have an independent copy of the document.
Apart from that, uploading a file should not change its contents. The file will have the exact same properties than the local one including the signature that was added on the client side.
The signature will only attest authenticity and integrity of the document. If it is vital for your application to be able to tell that the signed document received is actually the one that was expected, then I'd advise you to do the following:
Create the PDF on the server
Create a hash of the document (same algorithm that will be used by the signature applet)
Send the PDF to the client
Let the client sign it and send it back
Compare the client's hash with the one previously computed on the server
Validate the signature
Validating the signature will ensure integrity and authenticity, comparing the hashes will guarantee you that the signed document you received on the server is indeed a signed version of the original document previously created.
Concerning timestamps using local clocks: they're worthless, it's very easy to cheat. What you actually should use there is RFC 3161-compliant cryptographically secured timestamps, issued by a trusted third party. Currently that's the only reliable way to include the notion of time in PDF signatures. There's also built-in support for this in Adobe Reader for example. As these services are generally not available for free, it would make sense to add such a timestamp on the server after receiving the signed document. They are added as an unsigned attribute to the CMS (Adobe still speaks of PKCS7) signature, so it won't break the signature and can safely be added after signature creation.
Okay, let's try to answer your question (as I understand it).
You have some software which uses some private key (and a clock) to add a signature to a file.
This signature is depending on the contents of the file, and thus makes sure that the signer knew (or could have known) the contents of the file at the time it signed it. (There are some ways to have "blind signatures", but I assume this is not the case here.)
Uploading the signed file anywhere does not change anything here.
About the timestamp: The key holder can put in any timestamp it wants - so this only helps if you want to prove knowledge of the document at some point in time against the key holder, not if you are the key holder and want to prove that you signed at some point in time and not earlier or later. (Also, are you sure his clock is not skewed?)
About whether this is legally relevant, you will have to ask your lawyer. It might depend on
the jurisdiction in which the signature happened, and the one in which you want the signed document to be valid
whether the owner of the key had a chance to actually read the document before signing
whether the owner of the key had actually a choice of signing or not.
If you use some applet or ActiveX control in the user's browser, I would not be totally sure that the last two points really hold.