Archive for June, 2007

Arcot Announces Two Factor Authentication in Flash Player and Apollo/AIR

Arcot, a member of Adobe’s security partner community, just announced their Flash-based two-factor browser authentication solution as well as support of Adobe Integrated Runtime (which was also announced today as available in beta, and formerly codenamed Apollo). Arcot’s “software smartcard” solution provides greatly improved simplicity and security for consumer logins to online applications.

Usernames and passwords alone have reached the end of their useful life for protecting valuable online transactions because they are often reused by consumers across sites, easily guessed, and subject to phishing. While today’s web browsers provide PKI authentication using SSLv3 client authentication, there is not a consistent or friendly user experience across browsers and operating systems to provision and utilize the necessary PKI credential. That’s why you often hear PKI = Painful Key Infrastructure instead of Public Key Infrastructure.

Arcot has developed seamless provisioning and use of PKI credentials in the form of an ArcotID. While the user logs in with their existing username/password, a SWF in the browser provides PKI authentication behind the scenes using a locally stored ArcotID credential.

The ArcotID Flash client is part of WebFort, Arcot’s two-factor authentication system for large enterprises in financial services, healthcare and other industries facing increasing regulatory pressure to protect and verify end-users’ identities, such as that arising from the Federal Financial Institutions Examination Council (FFIEC) and the Health Insurance Portability and Accountability Act (HIPAA).

How to enable FIPS mode in Acrobat and Reader 8.1

The FIPS 140 standard is applicable to all U.S. Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106.

Version 8.1 of Adobe Acrobat and Adobe Reader on Windows provides a FIPS mode that restricts data protection to FIPS 140-2 approved algorithms (RSA/AES/SHA) using the embedded RSA BSAFE Crypto-C 2.1 encryption module.

Note the following restrictions in FIPS mode:

* You can use public key certificates or Adobe LiveCycle Rights Management to secure the document, but you cannot use password encryption to protect the document. You can still open and view documents that are protected with non-FIPS compliant algorithms, but you cannot save any changes to the document using password security.

* In FIPS mode, you cannot create self-signed certificates as local PKCS#12 files.

To Configure FIPS mode on your Windows PC

Create a new DWORD value named bFIPSMode under the registry key:
HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\8.0\AVGeneral
Set the DWORD value to 1 to enable FIPS mode.
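
For scripted deployment, the same setting can be applied and verified idempotently. The PowerShell below is an added example, not Adobe's own tooling; the key path and value name are the ones given above, while the function names are hypothetical. Because the key lives under HKEY_CURRENT_USER, it must run in the context of each user who needs FIPS mode.

```powershell
# Added example: enable and verify the Acrobat 8.1 FIPS-mode registry value
# for the current user. Function names are hypothetical.
$KeyPath   = 'HKCU:\SOFTWARE\Adobe\Adobe Acrobat\8.0\AVGeneral'
$ValueName = 'bFIPSMode'

function Get-AcrobatFipsState {
    # Returns 'Enabled', 'Disabled', 'Missing' or 'WrongType'.
    if (-not (Test-Path -Path $KeyPath)) { return 'Missing' }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) { return 'Missing' }
    # A string or binary value named bFIPSMode is not the DWORD the page asks for.
    if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return 'WrongType'
    }
    if ($key.GetValue($ValueName) -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-AcrobatFipsMode {
    $before = Get-AcrobatFipsState
    if ($before -eq 'Enabled') { return $before }   # nothing to change

    # Create the key only when it is absent, so existing AVGeneral values are kept.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force replaces an existing value, including one stored with the wrong type.
    New-ItemProperty -Path $KeyPath -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Re-read from the registry instead of assuming the write succeeded.
    return Get-AcrobatFipsState
}

$before = Get-AcrobatFipsState
$after  = Enable-AcrobatFipsMode
Write-Output "bFIPSMode before: $before; after: $after"

# Non-zero exit code lets a deployment tool flag hosts where the setting did not stick.
if ($after -ne 'Enabled') { exit 1 }
```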

For information on deploying customized versions of Acrobat and Reader in your organization, read Solutions for IT professionals

Acrobat and Reader 8.1 – Now Available

Adobe Acrobat 8.1 and Adobe Reader 8.1 are now available for download. In Acrobat, check the Adobe Updater (Help menu -> Check for Updates) to look for the update. You can also directly download Adobe Reader 8.1.

A partial listing of what’s new in 8.1:
* Microsoft Windows Vista™ and Office 2007 support

* Installing on 64-bit versions of Windows XP and Vista

* Easily extract documents from a package. Search and print the current or selected document, or all documents within the package.

* Read and organize eBooks and other publications with Adobe® Digital Editions (a separate product). When you first click the Digital Editions menu item, you can download and install the Adobe Digital Editions software. After installation, choose Digital Editions to go directly to your Adobe Digital Editions bookshelf.

* Acrobat 8.1 provides a FIPS mode to restrict data protection to Federal Information Processing Standard (FIPS) 140-2 approved algorithms using the RSA BSAFE Crypto-C 2.1 encryption module. This article has more information on enabling FIPS mode.

The following knowledgebase articles describe the 8.1 update in more detail:
401730: Adobe Acrobat 8.1 Update
401732: Adobe Reader 8.1 Update

PTC and Adobe Expand Relationship to Offer Enhanced IP Protection

PTC and Adobe Systems today announced an agreement for integrating Adobe LiveCycle Rights Management ES with PTC Pro/ENGINEER. Together, Adobe LiveCycle Rights Management ES and Pro/ENGINEER will provide product development organizations with robust digital rights management (DRM) capabilities that apply persistent document security and management to native Pro/ENGINEER models, as well as specification sheets and supporting design documents (in PDF, DOC and XLS format), inside and outside the firewall.

Product development organizations began employing globalization strategies to outsource manufacturing in an effort to reduce production costs in the 1970s. The outsourcing of manufacturing can be considered the starting point for global product development (GPD), a trend that has continued to evolve over the past 30 years and now includes outsourcing and offshoring of core design and development work. The integration of LiveCycle Rights Management ES and Pro/ENGINEER will help protect intellectual property in global product development environments. Users will be able to effectively manage document policies with capabilities for controlling access, auditing, expiration and revocation of models and documents even after they have been distributed. This level of security helps to ensure that only intended recipients can open a protected file inside and outside the firewall and that files can be made to expire on a specific date, or if necessary revoked immediately.

Ultimately, the integration of LiveCycle Rights Management ES with Pro/ENGINEER will help improve collaboration with supply chains, outsourcing partners, and teams across dispersed locations. Global businesses will have the ability to access lower cost specialty-skilled labor pools and develop products in a continuous 24/7 timeframe.

The integration is expected to be available from PTC with the next production release of Pro/ENGINEER.

Adobe Unveils LiveCycle Enterprise Suite

Adobe Systems today introduced Adobe LiveCycle Enterprise Suite (ES), an integrated family of software for more securely automating processes that help businesses and governments engage with customers, citizens, employees, partners, and suppliers.

With LiveCycle ES, organizations can deliver applications that are easier to interact with. This enables companies to better communicate with people who may be frustrated with, or confused by on-line procedures, and are likely to abandon transactions, resorting to higher cost avenues such as in-person visits or phone assistance. By transforming processes such as account enrollment, claims processing or guided self service into engaging applications, businesses and governments can improve customer service, decrease costly cycle times, and manage information faster, more accurately, and more securely.

LiveCycle ES includes scalable solution components to build, manage and optimize business critical processes. Information assurance capabilities are provided by LiveCycle Rights Management ES and LiveCycle Digital Signatures ES.

Click below for more information on:
* New features in LiveCycle Rights Management ES
* New features in LiveCycle Digital Signatures ES
* Adobe LiveCycle ES Platform Support

What’s new in Adobe LiveCycle Rights Management ES

Adobe LiveCycle Rights Management ES (formerly Adobe LiveCycle Policy Server) provides added assurances that the sensitive information you manage and distribute is exposed only to the people you intended. You specify how people can use protected documents to restrict accidental or intentional forwarding to unauthorized recipients. The protections are persistently applied to a document, independent of subsequent storage and transport – inside and outside your organization.

Using Rights Management ES, you can protect PDF as well as native Microsoft Word, Microsoft Excel, and CATIA documents by using confidentiality policies. A policy is a collection of information that includes document confidentiality settings and a list of authorized users. The confidentiality settings you specify in a policy determine how a recipient can use documents to which you apply the policy. Because PDF documents can contain any type of information, such as text, audio, and video files, you can use Rights Management ES to more safely distribute any information that is saved in a PDF document.

You can use policies to do these tasks:
● Specify who can open policy-protected documents. Recipients can belong to your organization or can be external to your organization. You can also specify different confidentiality options on the same policy for different users.

● Specify the document confidentiality settings. You can restrict access to various permissions, including the ability to print and copy text, make changes, and add signatures and comments to a document. Administrators can also specify some additional confidentiality options, including the ability of a recipient to view a document offline and the ability of the user who applies the policy to revoke the document access rights or switch the policy.

● After distributing a policy-protected document, you can monitor and revoke access to the document, switch the policy, and change the access and confidentiality settings. Users can change confidentiality settings in policies they create. Administrators can change any organizational or user-created policy.

New Features in LiveCycle Rights Management ES

● Introduces policy sets to help administrators manage document policies. Policy set coordinators can organize and share policies that have a common business purpose into workgroup policy sets. Policy sets let administrators control and administer multiple policies simultaneously.

● Delivers scalability and performance improvements including enhanced directory synchronization performance as part of LiveCycle Foundation.

● Provides two-factor authentication using PKI and smartcards with Adobe Reader 8.0.

● Enhances external authorization, enabling another system to determine a user’s access to a document or file. For example, your organization may have a Content Management System (CMS) in which all of your documents are stored. Your CMS already has Access Control Lists (ACLs). The external authorization feature enables Rights Management ES to use the ACLs specified in your CMS, eliminating the need to keep ACLs in sync with Rights Management ES policies.

● Supports the ability to initiate a process in response to a particular audit event, for example, a request to print a document.

● Provides extensible audit events, which enable implementors of client applications to define application-specific audit events and load these new event definitions onto the LiveCycle ES server.

● Implements server-side packaging features such as applying policies or removing policies as part of the Rights Management service instead of using a separate component that was needed in the previous version.

● Supports role-based administration for segregation of duties. Administrative tasks are now divided into different roles. For example, one administrator may be able to administer policies, but not server configurations. Another administrator may only be able to view the audit logs and other server configuration settings.

● Supports server side encryption packaging in FIPS mode: You can enable the Federal Information Processing Standards (FIPS) option restricting data protection to FIPS 140-2 approved algorithms using the RSA BSAFE Crypto-J 3.5.2 encryption module with FIPS 140-2 validation certificate #590.

What’s new in Adobe LiveCycle Digital Signatures ES

Adobe LiveCycle Digital Signatures ES (formerly Adobe LiveCycle Document Security) lets you use digital signatures to preserve the integrity and authenticity of a document as it is transferred among users within and beyond the firewall, when it is downloaded offline, and when it is submitted back to your organization.

With Digital Signatures ES, you can automate the process of bulk certifying and signing documents, as well as validating signatures in documents that are submitted back to your organization.

Key features
Digital Signatures ES can apply security features to any PDF document whether it is generated by other Adobe server products, on a desktop by Acrobat, or even by a third-party solution. Because PDF documents can contain any type of information, such as text, audio, and video files, you can use Digital Signatures ES to secure any type of information that is saved in a PDF document.

Digital Signatures ES can apply the appropriate security features through automated business processes or programmatically through the API:

Certification and Approval signatures: Specify digital signing of documents so that recipients can validate the authenticity and integrity of the content. Digital signatures can be applied individually or in batches by using digital certificates from third-party vendors. With digital signatures applied, documents maintain authenticity even when archived.

Signature validation: Specify signature validation so that your organization can verify the authenticity of returned documents it receives. When digitally signed documents are received, Digital Signatures ES can open the document and validate it based on its signature status.

How Digital Signatures ES secures a document
In a typical Digital Signatures ES process, a developer creates an application that retrieves a PDF document from a specified repository, applies a digital signature by using a credential (private key) in a specified keystore (including HSMs), encrypts the document with a password, and sends the document to several specified recipients by email. In another example, a custom application created by using the Java API may get a series of documents, apply a digital signature to all of them, and distribute them online through the web to a number of specified locations.

This new LiveCycle Digital Signatures ES release offers many new features, including:

Signing operation: The signing operation lets you control several aspects of digital signatures used in a document. When designing a PDF document, you can define the following items:
● The appearance of the digital signature when it displays on the document
● The signature algorithm used for signing
● The properties set in signature profiles used while signing
● Embedded revocation checks in the signature field property.

Signature field creation: Digital Signatures ES supports seed values through the Signature APIs that are defined in the PDF 1.7 specification. You can create these using LiveCycle Designer 8.0 or 8.1.

Signature validation: Digital Signatures ES supports several new signature validation features:
● Validation of XML digital signatures
● Configuration of revocation check failover from OCSP to CRL, and CRL to OCSP
● Enhanced Signatures Status information that can be used when developing business processes
● RFC3280-compliant validation, and support for specifying path validation options at runtime
● Per invocation control of the verification time and revocation check styles which are used for revocation checks (rather than a global setting).

TrustStore configuration: Digital Signatures ES now uses the TrustStore repository as the database in which security data is stored. Trust chains are dynamically added to the TrustStore repository without requiring a restart of the server.

New API functionality: The following new APIs enable granular control over signature processing:
ClearSignature(), ClearSignatureField, RemoveSignatureField. The Signing Profile can also be controlled using the API (seed values). You can also use the API to specify a policy OID for each trust anchor.

Added standards compliancy: Digital Signatures ES now supports the following standards:
● XML digital signature standards (http://www.w3.org/TR/xmldsig-core)
● SHA-2 family of hash algorithms
● RFC3280 certificates and certificate revocation lists

Support for FIPS mode: You can enable the Federal Information Processing Standards (FIPS) option restricting data protection to FIPS 140-2 approved algorithms using the RSA BSAFE Crypto-J 3.5.2 encryption module with FIPS 140-2 validation certificate #590.

Configure service attributes in a web-based interface: You can configure Signature service attributes in the Archive Administration area of the LiveCycle Administration Console. For example, you can set up watched folders and endpoints for service invocation, configure remote APIs and parameters for processing.

Adobe LiveCycle ES platform support

Adobe LiveCycle Rights Management ES (formerly Adobe LiveCycle Policy Server) and Adobe LiveCycle Digital Signatures ES (formerly Adobe LiveCycle Document Security) support additional platform combinations and updated application server versions:

Operating Systems: Microsoft Windows Server 2003, Red Hat Enterprise Linux AS or ES 4.0, SUSE Linux Enterprise Server 9.0, IBM AIX 5L 5.3, Solaris 9 & 10

Application Servers: Red Hat JBoss Application Server 4.0.3 SP1, BEA WebLogic 9.2, IBM WebSphere 6.1.0.5

Databases: MySQL 5.0, IBM DB2 8.2 & 8.1 FP7, Oracle 9i & 10g, Microsoft SQL Server 2005

Directories: Sun ONE 5.1 & 5.2, Microsoft Active Directory 2000 & 2003, Novell eDirectory 8.7, IBM Tivoli Directory Server 6.0

Adobe at IP Protection Summit

Adobe Systems will be discussing information assurance solutions at the Tal Global & Pro-Tec Data IP Protection Summit “Demystifying Trade Secret Protection Strategies”, to be held at Sun Microsystems in Santa Clara on June 13. This event provides an opportunity to network with peers, executives and other information protection professionals on topics essential for staying up to date on:

– Legal and regulatory obligations to protect trade secrets
– Identifying and classifying your company’s crown jewels
– Risk assessment and mitigation strategies
– Forensic investigation of trade secret loss
– Motivating, enabling and enforcing information protection
– An overview of enabling technologies, including digital rights management and content monitoring and filtering
– Practical case studies to apply lessons learned

More information is available here.