Chapter 17. Using Digital Signatures and Security

Did you know that you can digitally sign a PDF document using Adobe Reader? The PDF document requires some special preparation, but once it's prepared with Adobe LiveCycle Reader Extensions, you have the ability to add a digital signature to a document.

In Adobe Reader you can view PDF documents that are signed electronically by other users and you can create your own personal digital signature. In addition, you can export a public certificate from a Digital ID that you create. A PDF author can use your exported public certificate to encrypt files in such a way that the file can only be opened with the password you used when you created your Digital ID.

There are two parts to using Digital IDs. The Private part of an ID is used for creating a Digital ID and decrypting files. The Public part is used for verifying digital signatures and encrypting files. If you don't have a PDF opened in Reader that has been enabled with usage rights using the Adobe LiveCycle Reader Extensions Server (ARES), you can only create a Digital ID, decrypt a document, and verify signatures. You need to open a document with usage rights enabled using ARES to electronically sign documents.

Creating Digital Signatures

Digital IDs are used to electronically sign PDF documents. Although you can create a Digital ID in Adobe Reader, to digitally sign a document, you need to use a PDF file prepared with special usage rights from authors using Adobe LiveCycle Reader Extensions. When you create a Digital ID, there are two parts to the ID, as explained earlier in this chapter.

When you create a Digital ID, the signature appearance is a façade that hides a unique “fingerprint” customized with encryption to prevent someone from duplicating your signature.

When you electronically sign a document or open documents signed by other users, you need to confirm the authenticity of the PDF document, and validate the signatures against a public certificate. You might think of a public certificate as being like a driver's license or identification card carrying your signature. When you write a check, a retail clerk looks at your license or ID card and compares that signature to the one on your signed check. Anyone can view your identification, but only you are legally authorized to sign a document. In Adobe Reader, when you create a Digital ID, you have a means of exporting your public certificate and sharing it with other users who can then electronically compare your certificate to documents you digitally sign. In addition, you can collect public certificates from other users when you want to authenticate their signatures. Collecting public certificates from other users is referred to as building a list of trusted identities.

Adobe Reader lets you create Digital IDs, export public certificates, and build a list of trusted identities by acquiring public certificates from other users.

Creating a Personal Digital ID

The first order of business when working with Digital IDs is to create your own personal Digital ID. You may or may not use the ID to sign documents, depending on the kind of files you work with. However, creating a Digital ID is important if you want to share a public certificate with other users. When a PDF author has your public certificate, the author can encrypt a PDF document specifically for you using your certificate. No special requirements are needed to create a Digital ID, to share your public certificate, or to open files encrypted with your certificate.

When you create a Digital ID, you have the option of creating a signature appearance. Appearances are only an option—they're not required when using Digital IDs. If you create an appearance, the appearance is shown on a document each time you sign it. You can use a scanned image of your analog signature, an icon or logo, a photo, or any kind of PDF document for an appearance. You can create multiple appearances and choose which appearance you want to use when signing a document. You can create an appearance either before or after you create a Digital ID.

Creating an appearance

You can create Digital IDs with or without a custom appearance. If you want to use an analog signature as part of your signature appearance, you need to scan your signature and save the file as a PDF document. If you use Adobe Photoshop or Adobe Photoshop Elements, you can save to a PDF file from either application. If you choose not to use a graphic image as part of your signature appearance, you can choose from different options Adobe Reader provides for appearances.

To create an appearance for your Digital ID:

  1. Press Ctrl/Command+K to open the Preferences dialog.

  2. Click Security in the left pane, and the right pane changes (Figure 17.1).

    Figure 17.1. Click Security in the Preferences dialog to open the Digital Signatures preferences pane.

    Note

    Among other settings you need to specify are the Identity preferences. If you have not filled in the Identity preferences as discussed in earlier chapters, click Identity in the Preferences dialog and fill in the text boxes in the right pane.

  3. The right pane in the Preferences dialog offers appearance settings choices. Click the New button to create a new Digital ID appearance. The Configure Signature Appearance dialog opens (Figure 17.2).

    Figure 17.2. Click New to create a new appearance.

  4. Type a title for your appearance in the Title text box. The text can be any text you want to use to describe the appearance.

  5. The Configure Text section by default enables all text options for the signature appearance. You can choose which text items you want to include by checking the boxes on or off. In the Preview box, you see the text as it will appear on your signature.

  6. If you have a graphic image you want to use for your appearance, click the Imported graphic radio button, and then select File.

  7. The Select Picture dialog opens. Click the Browse button, and the Open dialog appears. Navigate your hard drive to find the PDF file you want to use as an appearance, select the file in the Open dialog, and click Select.

    Note

    Imported graphics can be included with or without the text appearances.

    Tip

    Macintosh users can create a PDF document from any authoring program. Select File > Print. In the Print dialog select Output Options. Click Save as File and select PDF as the format. Click Print and the file is saved as a PDF document.

  8. You are returned to the Select Picture dialog, and the preview box shows you an image preview for the selected image (Figure 17.3). Click OK, and you are returned to the Configure Signature Appearance dialog.

    Figure 17.3. The preview box in the Select Picture dialog displays the selected PDF file to be used for your appearance.

  9. Click OK in the Configure Signature Appearance dialog, and you are returned to the Security preferences. The name you used for the Title appears in the Appearance window.

    Tip

    If you frequently sign documents for different purposes and want to use different appearances when signing documents of various types, you can add additional appearances. Click the New button in the Digital Signatures preferences to add another appearance. Be certain to provide different descriptive titles for each new appearance you create.

  10. Click the Advanced Preferences button and the Digital Signatures Advanced Preferences dialog opens (Figure 17.4). The three tabs in the dialog offer options for signature verification, for security methods to use, and for Windows integration (for Windows users).

    Figure 17.4. Click Advanced Preferences to open the Digital Signatures Advanced Preferences dialog.

  11. To learn more information about the options in the Digital Signatures Advanced Preferences dialog, click the Help button. The Adobe Reader Help document opens and takes you to the page where definitions for setting options in Advanced Preferences are explained.

Creating a Digital ID

Before you can sign a document or work with public certificates, you need to create your personal Digital ID. This ID can use any of the appearance settings you create in the Security preferences dialog or you can choose not to use a custom appearance.

To create a Digital ID:

  1. Select Document > Security Settings. The Security Settings dialog opens (Figure 17.5).

    Figure 17.5. Select Document > Security Settings to open the Security Settings dialog.

    Note

    You can create a Digital ID without having a document open.

  2. Click Add ID. The Add Digital ID window opens (Figure 17.6). You can choose from three options: finding an existing ID, creating a new Self-Signed ID, and using a third-party ID.

    Figure 17.6. Click the Create a Self-Signed Digital ID radio button to create a new ID.

  3. Select Create a Self-Signed Digital ID.

  4. Click Next. An informational window informs you that you are about to create a Self-Signed Digital ID. Read the information and click Next to choose how to store your ID (Figure 17.7).

    Figure 17.7. This pane offers options for how to store your ID.

  5. In Windows, you have two options for how to store your ID. You can choose to use the ID exclusively with Adobe Reader by selecting the first radio button, or you can select Windows Certificate Store so that other Windows applications can use the ID. On the Macintosh, you have a single selection: the New PKCS#12 Digital ID file option. On the Macintosh, click Next. In Windows, select the option you prefer and click Next.

  6. The next pane shows you identifying information derived from your Identity preferences. If the Identity preferences are not filled in, the text boxes are empty. Fill in the identifying information for any empty fields (Figure 17.8).

    Figure 17.8. Fill in any empty text boxes to complete the identifying information.

  7. Click Next, and the last pane in the Add Digital ID window opens (Figure 17.9). You must enter a password of at least 6 characters in the Password text box. Type the same text in the Confirm Password text box.

    Figure 17.9. Add a password and type the same password in the Confirm Password text box.

  8. Click Finish and your Digital ID is created. You are returned to the Security Settings dialog.

Sharing Your Digital ID Certificate

Once you create a Digital ID, you can export a public certificate. Your private ID should not be shared with others. This is the portion of your digital ID that's protected by your password. From the Security Settings dialog, you can export a public certificate that can be distributed to other users. PDF authors can use your public certificate to encrypt files according to your personal identity, and also to authenticate your signature.

To export a public certificate:

  1. If the Security Settings dialog is not open, select Document > Security Settings.

  2. The Security Settings dialog opens.

  3. At the top of the dialog (Figure 17.11), you see the Digital ID created in the last series of steps. Click the ID in the list to select it.

    Figure 17.11. Select the Digital ID you want to use for the certificate export.

  4. Click Export Certificate at the top of the Security Settings dialog.

  5. The Data Exchange File – Export Options dialog opens (Figure 17.12). You have two options for exporting your certificate. If you want to email the certificate to another user, select Email the data to someone. If you want to save the certificate to your hard drive, select Save the data to a file. Choose the option you want to use and click Next.

    Figure 17.12. Choose to either email the certificate or save it to a file.

    Tip

    If you periodically send your certificate to different users, save the certificate as a file. In your email program, attach the file to an email message when you want to send the certificate to another user.

  6. If you select Email the data to someone, the Compose Email dialog opens (Figure 17.13). Add the recipient's address in the To text box and click Email. The message window alerts the recipient that a data file is attached to the mail, and instructions are added to your email message. When you click Email, your default email program launches and the message and file attachment are added to a new message window.

    Figure 17.13. Add your recipient's address, and click Next to email the certificate to that user.

Building a List of Trusted Identities

Public certificates are exchanged freely among users and will not compromise your private ID. You can collect certificates from other users and send your certificate to members of your workgroup and anyone you choose. Certificates you collect can be used to create a list of trusted identities you can then use to verify digital signatures. And PDF authors can use your certificate to encrypt PDF documents for your use.

Note

Use the public certificate JohnSmith.fdf file, which you can download from www.peachpit.com/adobereader7.

To build a list of trusted identities:

  1. Select Document > Trusted Identities. The Manage Trusted Identities dialog opens (Figure 17.14).

    Figure 17.14. Select Document > Trusted Identities to open the Manage Trusted Identities dialog.

    Note

    You can build a list of trusted identities without opening a file in Adobe Reader.

  2. Click Add Contacts. The Choose Contacts to Import dialog opens.

  3. Click Browse, and the Locate Certificate File dialog opens. Navigate your hard drive to locate public certificates you've received from others. For this step, use the JohnSmith.fdf file you downloaded. Be certain the file is selected and click Open.

  4. Continue adding as many certificates as needed by clicking the Browse button. You return to the Choose Contacts to Import dialog after opening each certificate. All added certificates are listed in a window. In this example, a single certificate is added (Figure 17.15).

    Figure 17.15. All added certificates are listed in the Choose Contacts to Import dialog.

    Note

    Selecting Search will initiate a search, via a preconfigured path through your directories, to locate public certificates you can place in your trusted identities list. For example, a system administrator can configure your search to look in your company's LDAP server to locate certificates from other employees if you need to verify their digital signatures.

  5. When you're finished collecting certificates, click the Import button and you are returned to the Manage Trusted Identities dialog. All the new contacts are added in the list window (Figure 17.16).

    Figure 17.16. All added contacts are listed in the Manage Trusted Identities dialog.

  6. Click Close. Your trusted identities are ready to use for validating signatures.

Signing a Document

You can sign PDF files only when those files are assigned usage rights with the Adobe LiveCycle Reader Extensions software. Adobe LiveCycle Reader Extensions is a server-based utility that allows organizations to extend the functionality of PDF documents within Adobe Reader. Among the usage rights that can be applied to PDF files is the ability to digitally sign PDF documents and save form data from within Adobe Reader.

Note

To learn more about Adobe LiveCycle Reader Extensions, visit www.adobe.com/products/server/readerextensions/main.html.

Note

Use the REeSupportForm.pdf document you can download from www.peachpit.com/adobereader7 for all steps in this chapter. This PDF document is provided courtesy of Adobe Systems and was prepared using Adobe LiveCycle Reader Extensions. Many thanks to Charles Myers and Lori DeFurio of Adobe Systems for adding usage rights to this document.

To digitally sign a PDF file:

  1. Open the REeSupportForm.pdf file you downloaded.

  2. Notice that the Sign tool is available in the Adobe Reader Toolbar Well (Figure 17.17).

    Figure 17.17. PDF documents enabled with usage rights provide a tool and menu commands for signing documents.

  3. Select Document > Digital Signatures > Sign this Document. Note: If you don't see this submenu, the document you're working with doesn't have the usage rights for adding a digital signature.

  4. You will receive a warning dialog if the document is not certified. Click OK. A second dialog informs you that Reader has scrolled to the digital signature field on the form and highlighted the field for you. Move the cursor and click the signature field. A dialog informs you that you are about to sign a document. Click OK to dismiss the dialog. The next dialog appearing is the Apply Digital Signature dialog (Figure 17.18).

    Figure 17.18. Click the cursor in a digital signature field to open the Apply Digital Signature dialog box.

  5. Select your Digital ID in the Apply Digital Signature dialog and click OK. The Apply Signature to Document dialog opens (Figure 17.19).

    Figure 17.19. After selecting your ID and clicking OK in the Apply Digital Signature dialog, the Apply Signature to Document dialog opens.

  6. Click Show Options in the Apply Digital Signature dialog. The dialog expands to reveal more options and the button name changes to Hide Options.

  7. Type your password in the Confirm Password text box.

  8. Open the Reason for Signing Document pull-down menu. Make a selection that describes why you are signing the document.

  9. From the Signature Appearance pull-down menu, select an appearance option you configured in the Security preferences. All the appearances you create appear in the pull-down menu.

  10. Click Sign and Save As. This saves a copy of the file without overwriting the original.

Validating Digital Signatures

Digital signatures are meaningless unless you can validate a signature and verify its authenticity. When you receive PDF files that carry certification or a digital signature, you can verify the signature using the public certificate from the signing party.

Note

Use the eCertify.pdf file you can download from www.peachpit.com/adobereader7. In addition, you need to add the file JohnSmith.fdf to your trusted identities as described in the “Building a List of Trusted Identities” section earlier in this chapter.

To verify a digital signature:

  1. Be certain the JohnSmith.fdf file is added to your trusted identities. If it is not, follow the steps in the section “Building a List of Trusted Identities” earlier in this chapter.

  2. Click the Open tool and open the eCertify.pdf file. This document is a certified document.

  3. When you open a certified document, a dialog like the one shown in Figure 17.20 opens informing you that the validity of the document is not confirmed unless you've added the certificate from the signing party to your trusted identities. Click Close and the dialog box disappears.

    Figure 17.20. Review the Document Status dialog information and click Close.

  4. The certified document is shown in the Document pane. The digital signature on the document appears with a question mark (Figure 17.21). When you see a signature with a question mark, you know immediately that the signature is not validated.

    Figure 17.21. Signatures not validated appear with a question mark.

    Note

    If you want to examine the certificate of the PDF author who signed the document, click the Signature Properties button in the Document Status dialog.

  5. Although the PDF author's certificate has been added to your trusted identities list, no settings are enabled for trusting the certificate. You need to inform Adobe Reader what kinds of signatures by this author you want to trust. To edit the trust settings, select Document > Trusted Identities.

  6. The Manage Trusted Identities dialog opens. Select the name for John Smith and click Details.

  7. The Edit Contact dialog opens (Figure 17.22).

    Figure 17.22. Select an identity name and click Details in the Manage Trusted Identities dialog to open the Edit Contact dialog.

  8. Select the contact name.

  9. Click Edit Trust.

  10. The Import Contact Settings dialog opens (Figure 17.23). On the Trust Settings tab, check the boxes for Signatures and as a trusted root and Certified documents.

    Figure 17.23. Check the boxes for Signatures and as a trusted root and Certified documents and click OK.

  11. Click OK. Then click OK in the Edit Contact dialog and click Close in the Manage Trusted Identities dialog. The signature still appears with a question mark indicating that you have not yet validated the document.

  12. Click the Signatures tab to open the Signatures pane.

  13. Open the Options pull-down menu and select Validate All Signatures in Document (Figure 17.24).

    Figure 17.24. Select Validate All Signatures in Document from the Options menu in the Signatures pane.

    Note

    You can also validate signatures by selecting Document > Digital Signatures > Validate All Signatures in Document, or hover over the signature field, open a context menu, and select Validate Signature.

  14. The signature is validated and the Signature icon changes from a question mark to a Certified Document icon (Figure 17.25).

    Figure 17.25. The Signature icon changes when the signature is validated.

Encryption Using Certificates

PDF authors can encrypt documents with selective permissions and distribute the files to a number of different Adobe Reader users. Using a user's public certificate, authors can encrypt a PDF document with password protection that allows only the intended party to view the file and denies all other users access to the document. PDF authors can protect the file against unauthorized access and prevent other users from accessing the document and any file attachments contained in the document.

To open files that have been encrypted with public certificates:

  1. Open a file that has been encrypted using your public certificate. If you don't have such a file, contact a PDF author who can encrypt a document for you. You need to create your personal Digital ID and send the PDF author your public certificate. The PDF author then adds your certificate to his or her list of trusted identities, and, when preparing the PDF file for your use, and using your public certificate, selects permissions options that are saved with the file.

  2. Click the Open tool in Adobe Reader and select a PDF document encrypted using your public certificate.

  3. The first thing that opens is a dialog prompting you for your password (Figure 17.26). Type the password you used when you created your Digital ID and click OK.

    Figure 17.26. Type the same password you used when you created your Digital ID.

    Note

    Passwords are case-sensitive. Be certain to type your password using the same letter case as when you first created your Digital ID.

  4. If you type your password correctly, the document opens. PDF authors can assign different permissions to the file. Files can be protected against editing and printing. To determine what permissions are assigned to encrypted files, press Ctrl/Command+D to open the Document Properties dialog.

  5. Click the Security tab. In the Document Restrictions Summary, you can review the permissions assigned to the document. In Figure 17.27, notice that printing the PDF document and filling in form fields are not allowed.

    Figure 17.27. Click the Security tab in the Document Properties dialog to review a restrictions summary.

  6. Click OK in the Document Properties to return to the file in the Document pane.
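
The private and public parts of a Digital ID that this chapter handles through Reader's dialogs (creating a self-signed ID, exporting the certificate, validating a signature, and opening a file encrypted to a certificate) can be seen working in a few lines of code. This is an added example, not code from the book or from Adobe; it assumes the third-party Python cryptography package, all function names and sample values are hypothetical, and it shows the key operations only, not the PDF signature or encryption formats.

```python
# Added illustration of the private/public split behind a self-signed Digital ID.
# Assumes the third-party "cryptography" package; every name here is hypothetical.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def create_digital_id(common_name, password):
    """Self-signed certificate plus private key, stored as password-protected PKCS#12."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer and subject are the same
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        common_name.encode(), key, cert, None,
        serialization.BestAvailableEncryption(password))


def export_certificate(p12, password):
    """Return only the public certificate (PEM): the part that is safe to share."""
    _key, cert, _cas = pkcs12.load_key_and_certificates(p12, password)
    return cert.public_bytes(serialization.Encoding.PEM)


def fingerprint(cert_pem):
    """SHA-256 fingerprint to compare with the owner before trusting the certificate."""
    return x509.load_pem_x509_certificate(cert_pem).fingerprint(hashes.SHA256()).hex()


def sign(p12, password, document):
    """Signing needs the password, because the password unlocks the private key."""
    key, _cert, _cas = pkcs12.load_key_and_certificates(p12, password)
    return key.sign(document, padding.PKCS1v15(), hashes.SHA256())


def verify(cert_pem, document, signature):
    """Verification needs only the signer's public certificate."""
    public_key = x509.load_pem_x509_certificate(cert_pem).public_key()
    try:
        public_key.verify(signature, document, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def encrypt_for(cert_pem, secret):
    """Anyone holding the certificate can encrypt a short secret for its owner."""
    return x509.load_pem_x509_certificate(cert_pem).public_key().encrypt(secret, OAEP)


def decrypt(p12, password, ciphertext):
    """Only the holder of the private key (and its password) can decrypt."""
    key, _cert, _cas = pkcs12.load_key_and_certificates(p12, password)
    return key.decrypt(ciphertext, OAEP)


if __name__ == "__main__":
    pw = b"example-password"  # constructed sample value
    digital_id = create_digital_id("Constructed Signer", pw)
    cert = export_certificate(digital_id, pw)
    form = b"constructed form data"
    sig = sign(digital_id, pw, form)
    print("fingerprint:", fingerprint(cert))
    print("original verifies:", verify(cert, form, sig))
    print("tampered verifies:", verify(cert, form + b"!", sig))
    print("decrypted:", decrypt(digital_id, pw, encrypt_for(cert, b"file key")))
```

Because a self-signed certificate is vouched for by nobody but its creator, comparing the fingerprint with the owner over a separate channel is what gives the trust settings their meaning.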
