Fax Invoice Digital Signature with airSlate SignNow

Digital signature commercial invoice

hello everyone and welcome to today's webinar digital signatures my name is scaring people and I'm working the marketing team here at architects and I'm excited to be your host of today's webinar I'm pleased to introduce Michael domain to you he's going to speak to you today he's our research engineer and also our digital signatures enthusiast and he's going to show you how digital signing works in PDFs and how itix technology enables digital signing for some reason my slides seems we have it okay before I hand over to Mike to Michael just a few practical items today's webinar will be available on the moms everyone will receive an email after the webinar with a link to the recording and you'll also be able to access it from our website our text PDF dot-com as well as our YouTube channel if you have questions for Michael during the webinar feel free to send them through the questions tab and the GoToWebinar panel we'll be answering questions at the end of the webinar and if you don't get to your question because of lack of time then we can guarantee that we will get back to you afterwards now ITEX has always been at the forefront of digital signatures in PDF by supporting pattice and by being one of the first to support signatures and the latest PDF 2.0 release our mature and easy to use API has been thoroughly tested by the industry and has proven to be a success as it's been used throughout several use cases such as company signatures desktop applications integrations into document management systems and more Michael will now present you how digital signing works in PDFs and he will introduce a variety of use cases and different types of industries Michael the floor is yours let me change this yeah you should be able to present now okay thank you carrying Fred introduction so hi everyone before we enter into digital signatures I'm more than happy to introduce I texted you I texted an international software company that has specialized in a GPL and commercial software more specifically PDF libraries and solutions we're headquartered in Belgium but we have offices in the u.s. and South Korea and Singapore our products and solutions are used for various purposes invoices credit card statements boarding passes patient documentation certificates regular PDF documents and many more so with that overview out of the way let's dive into signatures before we get into the technical know-how of how PDF works with signatures let's first define what the signature tries to achieve there's a few goals that we need to explain and a few concepts technical concepts that we need to know before we can start about talking about introducing em into PDF so one of the first goals that we try to achieve EF signatures are is integrity so I've put here a screenshot or at least a picture of a newspaper clipping and this guy Eddie he was renovating his house and every month or bimonthly he would get a bill an invoice from his contractor and being a good man that he is he paid it without checking it but one of his invoices was a forge invoice bank account number was changed on the statements and Eddie just took the statement and went to his bank and he lost thirty thousand euros all because he had no way of checking whether or not the document was forged and that's what integrity is all about you want to make sure that your document has not been changed from its inception or from when it's been signed and you need a way to do that and Eddie unfortunately did not have such a way the second concept that we want to get at least the goal that we want to get his authenticity back in the day Emperor Constantine the first was being depicted on murals and takis trees all over Europe as having transferred his authority to the Pope this was a widely believed historian history fact but that was never really true not until recently it was found out that the letter sent by Constantine to the Pope was actually a forgery as well and because constant the Pope had no way of checking whether or not Constantine actually transferred this Authority it was assumed to be so so we want to make sure that the author is who we think he is the Pope has a way of checking whether or not the author of the letter of transfer of power was actually the Emperor itself himself instead of somebody else the third goal that we want to achieve is non-repudiation in this picture here you can see Bart Simpson he drew his name and what concrete and he says that he didn't do it clearly he did do it but he's trying to deny his authorship and that's what non-repudiation is all about we want to make sure that authors cannot deny having signed the documents for instance if I have a legally binding contract that somebody and at the end of a certain period of time and have to pay them 25k they want to have to guarantee that I cannot deny having signed the document ever so and that's what we try to do with non repudiation and we have a few tools to our disposal to try and achieve those goals and that's what we're going to discuss in the next few in the next section so before we do that a small recap so we have integrity making sure the document has not been changed either by malicious intent or by corruption in the download we have authenticity that we want to know who the author is and that we can be sure that he is who we think he is and non-repudiation that we want to make sure that he did yeah but the author of the signature cannot deny his authorship that he cannot refute having ever signed the document so excuse me going into the basic concepts these are a few technical mathematical concepts that we try to bail out try to explain to you and these will be used to try and achieve there were three goals which we'll explain later how we will combine these concepts so the first concept that I want to introduce to you is hashing hashing out it is a mathematical critter graphic function in which you can turn any kind of input into a fixed-size output meaning that if you input a file of 1 kilobytes it will output the same length the same size of output as a file of 10 gigabytes for instance important to know is that the hashing algorithm should be deterministic that means that every time you run the function the output should be the same regardless of the time that you run it the system the environment that I run it on every time we run the same algorithm on the same input data it should have the same output data another interesting fact about these algorithms is that even as well a small variation in the input like if you have an input string of ABC and if you change that to a BD the way that these algorithms are designed the output should be completely different so that's it should be hard to find neighboring collisions you should not be able to deduce the input based on the output there are a few available algorithms some of you might have already been been in contact with a few of those of these like md5 is a very well-known one it's also very old one it's been deprecated it's been cracked since it feels like the dawn of time and then try is the more well-known one the more recent one sha-1 has also been correct recently um I want to say 2017 but my memory is a bit hazy but shrah 2 is the bigger family and the more recent used family of shia algorithms amongst which sha-256 and 512 which some of you might know already so how can we apply this concept to be one of the goals that we discussed earlier so um as mentioned the algorithms the hashing algorithms are deterministic so take a document that is being offered on the server you want to make sure that this document has not been altered or corrupted during the download what you can do is you can download the document and if the server provides you at the hash you can generate the hash on your local machine as well so assuming that the server gave you an md5 hash what you will do is on your own machine you will pull an md5 hash from the document and you will compare that against the hash that the server provides you if they are the same then the document has not been changed and you can assume and trust the file that you download and that's how we will make sure the integrity of the document is still the same the second one it has to deal with public and private key pairs they are a pair so you have a public and a private key in a single pair in Belgium where I'm from every citizen has at least two pairs and we are issued a digital ID card by the government and on that card there is a chip it used to be sure that this chip contains two private key pairs I haven't read up on the latest standard but I think it's still the same then their use is already described in their name so there's a public key and a private key the private key is your key and should not be distributed to anyone ever if that happens then your key has been compromised to use a technical term and the public key you can distribute that to whoever you want just put it online somewhere people will find these two keys are linked to each other using mathematical magic what one key can encrypt the other can decrypt you cannot decrypt this the if you encrypt something with the public key you cannot decrypt it at about the same value key you need it's um it's linked private key so from this we can derive two concepts so we have encryption let's say I want to send a private message to get him so what I will do is I will take cuttings public key and I will encrypt my message that will give me a locked message indicated by the locked paper on the top half of the image here and only her private we can open this no other private key no other public key can decrypt this message meaning that I can send messages that are her caring size only if we reverse the process we can deduce authorship from this let's say I want to send out a message and I want to make sure that everybody knows that the message came from me then I will use my private key to digitally sign it and that will give us a locked message as well this message can then be decrypted or validated by my corresponding public key because you can decrypt it or validate it with my public key you know that my private key encrypted the message meaning that only I could have sent out that message and that's two ways that we will use public and private keys to the Deus authorship but before we do so we still need to do the third concept of certificate authorities it's quite easy to make your own keys everybody can Google a tutorial online and then find out how to use self-signed certificates to create to create our own self-signed keys what we introduced here is a third party a certificate authority it's a trusted party that just hangs out keys to their customers our government the Belgian government is a trusted party they are a certificate authority another example is Global sign they that's a company and you can buy private public key pairs from them and what what happened here is if you find a scientist with my public key then you can go and ask the certificate authority is this key valid and thus really belong to Michael and they will say yes or they will say no and then depending from that you will trust the documentary ones so these are organized hierarchically in a tree-like structure adobe is a CA for instance every time document is signed and opened in Adobe Reader or Acrobat and your key is part of the three here then your document is automatically that because it's part of this structure here that gives you the green checkmark in the user interface from Adobe so um if we want to combine these concepts so assuming that I'm the producer I create a PDF document then I will provide the data as is I will give this data in the form of a PDF file I will also hash that data the PDF file using an hashing element and I will encrypt that using my private key I will also embed my public key and these three is what I will deliver to the consumer consumer will then take the document it will create a hash using the same hashing algorithm and it will decrypt my encrypted hash using my public key that I provided and so the consumer has two hashes if they are the same hash then the document has not been changed and the integrity has been warranted now if my key was provided by a certificate authority then you would be able to go to the certificate authority and then just ask whether or not I am who I claim to be and there we have proven the artisan authenticity and the non repudiation is also included so are the goals met sure so the document still has its its integrity meaning the hashes are identical authenticity is also proven because my identity is stored in my public key which the CA provides and you can always validate that against the CA and non-repudiation has also been proven because my public key can decrypt the hash meaning that only my private key can was the one that that encrypted it and because it was provided by the CA my identity is also linked to my private key so now that we've met our three goals let's see how PDF does it so um this is an abstract view of a PDF file the blue parts are what are the document and the pink or reddish part is the signature itself so as you can see everything but signature is included in the so-called bite range this bite range is what is going to be the document hash everything in blue is going to be hashed in by a certain algorithm and then signed by my private key this signed hash is then inserted into the pinkie or the red part and that document is then provided to the consumer as you can see here there is no way of making only signing one page you cannot sign page for page the specification is quite clear on that both in 1.7 2.0 and others you should sign everything except for the hash itself of course because that's not known at the time of signing so you cannot sign page webpage let's zoom in a bit on the pink part so at minimum there both parts should be embedded into the signature so what's that that's the hash another word for that is message digest and the signing certificates ISO 32000 - which is the item number for PDF 2.0 and others which is a european standard they describe that you should add more the best practices as described by those is that you should I mean that also the change certificates meaning the parent certificates and the root certificate from the CA you should also include replication information that is information whether or not the certificate the key is valid at the time of signing or validation and the timestamp the timestamp will that's that's a very basic date/time object that's been signed by trusted party as well let's include them document to make sure that the document and the signature were valid at the time of signing so PDF does not know the concept of parallel signing unfortunately but it does know the concept of incremental updates you can add multiple revisions to the documents and you can use revisions to add multiple signatures for instance revision 2 will sign everything that's also in the first rotation meaning also the first signature and same goes to three what signature to and one so if you change something in the second revision if you add a word or you remove a word I mean second revision then the signature for revision two and three will be broken because the hash will be different thing back to the hashing algorithm explanation that I gave earlier just the slightest variation and input will give a very very different outputs meaning that the hash will be broken so these are two signature types we have a certification signature that's also known as the author of signature that's the first signature of the document and then there's approval signatures this has changed a bit of PDF 2.0 but their uses are still and big lines same the same as in 1.7 so now we have a very quick workflow so we have a document that need to be signed by four people and Alice already scientists so the document is then sent to Bob who needs to sign document as well and he enters read and approved by Bob excuse me so Bob read and approved the document he signed it with his private key and everything is fine and dandy but then chuck comes along and Chuck changes the wording that Bob added so he wrote down changed by Chuck and as you can see in the left-hand panel and indicated by the ribbon up top the signature has been broken there's a Red Cross the panel says there have been changes made to this document the signature is invalid and there's a very first indication that something is invalid this is also something that you can test by code using ITEX but luckily we found Bob's version again and Carol already signed it she also read and approved and then the document gets sent to Dave Dave also signs and approves and everything is swell again until Chuck comes back and he changes the text up Carol wrote as you can see in the center change by Chuck on the left hand side you can now see that every subsequent revision the one by dave has all been broken that's the concept of the serial signatures that I explained earlier so you can easily see where a certain document has been altered so revision one and two still valid and proper so we have a quick overview of some signing architectures so on the server side what you usually have is a very specific device called an HSM hardware security module so the application will call this device to sign hashes this device is a high speed high-volume very secure module that is inserted into your server rack or hosted by a CA like global sign for instance we have a very similar setup on the client side if you ever sign something Adobe this is how I don't even do it and the devices there are very specific as well so you have an ID card reader I have a USB token that you can use that the application will talk to you and then get a signed hash back from an insert into the PDF file deferred signing is something that I also referred to as signing in two steps so what you do is the first application on the right-hand side will prepare the documents and then in a later step either instantly or sometime later those will send the hash over and then declines or some kind of device will sign that hash and put it back into the PDF file some use cases for this is that you might not know not know when you have internet connection when you have to sign so you can prepare a document upfront and when you go to a client or something and they do have internet you can still sign offline and lastly I wanted to give you one use case so CP Trust is one of our customers and partners and they have an application called smart certificate where you where they try to combat skill fraud online so what I have is they have a system set up that signs and issues degrees and certificates diplomas and you can easily verify them to their database and to their certificates so they have a template designer in which you can easily design a template of a diploma so John Doe is gonna diploma for the Business School of the world for the world it's signed by the beam and by the President and then you can issue these to your clients and to your students so Malina for instance has has not been granted a certificate yet but Bruno has and so has come me so it's a very easy way to do this and this is all done through signatures and blockchain technology by the way they have integration to LinkedIn for instance where you can see okay Bruno he has been awarded or granted two certificates and those are verified by CP trust so he's been awarded something by MIT and by license if he trusts itself Oh it integrates very well all feel free to check this out so I think we still have five minutes left for questions Karine so yeah thank you for the explanation already so far we indeed have received a few questions perhaps the first one does I text support goddess yeah so that's an easy one but maybe I should give a bit more background information so pas des is the PDF advanced electronic signatures it's a standard by by Etsy which is European standards Organization for telecommunications and technology and it's a super set of rules built on top of PDF 1.7 they define extra rules that you should follow in order to be compliant its signatures it we support most of it so far this exists consists out of six parts the sixth part is how you should design your signatures visually so that's not something that we support we are customers that's the software customers to do but the first five parts we do support out of the box and also others has mostly absorbed into PDF 2.0 and given that I text already had supported us but also support in also support and 2.2 2.0 for a high tech 7.0 we do supported us both in five and most definitely in seven okay thanks for this explanation another question we still have some time someone's asking whether CRL OCSP information is included in the certificates so can you explain a explain the deviations yes sure so Cyril and OCSP those are two methods of checking whether or not a document certificates excuse me has been revoked so assuming that you lose your key for instance or you use your your identity card get stolen or you leave a company where you had signing rights then you need to be able to revoke that key otherwise somebody else could be signing with your key and that's not that's not allowed and there's two ways of doing that so there's a CL and an OCR or CSP or CSP isn't easy were easy one to explain so that's where you just basically ask a question to the CA hey is this key still valid they very simply put they tell you yes or no and then you can embed that into the signature it's not embedded in the certificate if I recall correctly that you embed that at least in the envelope of the signature and this URL is a list of revoked certificates so it's the response is a bit bigger size wise and you can embed that as well that's a list that's freely available on any CAS website so you can download that cache that for a few minutes and then put it in your PDF file okay thanks for answering that question have another one someone is asking what are the main differences between IX 5 and 7 when it concerns signatures so I briefly touched this earlier so I text 7 supports PDF 2.0 2.0 has absorbed others and some other guidelines have been edited so the main difference is there are PDF 2.0 compliance and better API support from us because we did redesigned the API from 5 to 7 okay okay perhaps one more question what happens on a signed PDF after this certificate expires Michael yeah that's a good question so of course the time dimension of the signature is very important so there's a few there's this one thing that you can do to change that to combat that so what happens is if your signature if your certificate expires tomorrow and you open the document the day after tomorrow the signature will appear as being invalid because your certificate is not valid anymore it's expired its revoked it cannot be trusted anymore so what you can do is and this European standards does have a few provisions for that so other support for handles about that it's long term validation and simply put because I could give a presentation on that as well it it works with time stamps so you add a timestamp to documents you add all the relocation information to the document and the time stamp basically ties down the certificate to a certain point in time you say ok at this point in time everything was valid and then you log down the document basically what happens is the time stamp also has a certificate attached to it so that will also expire in 10 20 years or 20 is too much about 5 to 10 years then you will also have to re-sign document for that information you have to make sure that that information was also valid at the time of signing so but a support for does have a few requirements to combat that ok I see we received a lot of questions but we're running out of time so propose Michael that we answer all the questions individually with individual people right after the webinar so okay so then I would say thank you very much everyone for attending Michael thank you for the explanation thank you forever and everyone if we haven't been able to answer your question you will receive an answer from Michael to your question shortly thank you very much again or attending