http://www.nsa.gov/ia/_files/vtechrep/I73_025R_2011.pdf
Redaction of PDF Files Using Adobe Acrobat Professional X
Enterprise Applications Division of the Systems and Network Analysis Center (SNAC)
Information Assurance Directorate, National Security Agency

But you still have questions:  Is it legal?  Can I use these technologies internationally?  In which sectors can I leverage these technologies?  Who else is using electronic signatures, and what benefits are they seeing in the real-world?

The E-Signatures 2011: Electronic Signatures and Records Conference will provide the answers!  Organized by the Electronic Signatures and Records Association (ESRA) and scheduled to be held in Washington, DC on November 9th and 10th, the conference brings together a number of government, industry, vendor, and customer speakers to cover topics including:

• IRS eSignature Programs and Initiatives
• International Adoption and Cross Jurisdiction Issues for eSignatures
• Enabling eSignatures and eRecords for eFiling and eTitling with Motor Vehicle Registration Offices
• eSignature Case Studies
• …and more!

As a result, key among the new features in Adobe Reader 10.1 for Mobile is support for accessing files secured by Adobe LiveCycle Rights Management. LiveCycle Rights Management protects sensitive documents by encrypting them with industry-standard AES encryption and enabling central management of their access permissions. Protections persist even when documents are accidentally distributed via email, the cloud, or saved on a lost mobile device.

Whether you’re working in private industry and reviewing confidential information like price lists on your Android tablet, or you’re a government employee and are viewing sensitive information via your mobile phone, Adobe Reader 10.1 for mobile and LiveCycle Rights Management allow you to securely access these documents. No longer are you stuck on your laptop or desktop simply to review materials!

Here’s a screenshot from an Apple iPad showing a user logging into a Rights Management-protected PDF.  (Click the picture to the right to see a larger version.)

To learn more about how our Rights Management product works check out: http://www.adobe.com/go/rm.

Some answers to frequently asked questions during our preview release testing of Reader 10.1 for Mobile are answered here.

Be sure to download Adobe Reader 10.1 for Mobile today!

In this specific instance, Adobe Acrobat and Reader X have been certified by JITC for their compliance with the DoD’s application requirements for Public Key Enabled services, e.g digital signatures.  The testing included intensive, comprehensive evaluations of Acrobat and Reader’s capabilities in:

• Certificate operations
• Signature and certificate status validation
• Path processing and validation
• Configuration and documentation

Adobe is proud to note that we have consistently been certified for JITC compliance in every version of Adobe Acrobat and Reader back to version 7 back in 2006.

Click here for a link to the official JITC list of software and solutions that have been tested for Public Key Enabled compliance.

With this latest action, new digital signatures created with certificates from these certificate families will no longer show as valid in Acrobat and Reader, regardless of version.  This is due to the fact that Acrobat and Reader check if certificates associated with the signing credential are revoked at signing and at document open.

Note that this will not necessarily invalidate existing documents, if you are opening them with Acrobat or Reader 9.1+.  This is due to the fact that these versions of the product check the validity of the signature at the signing time by default, not at the current time–assuming that the signature includes validation information from when it was signed.  For example, a PDF signed one year ago will still show as valid and trusted, whereas one created next Friday will show as invalid.

The action by the Dutch government also means that Adobe will not need to take any action regarding the Staat der Nederlanden roots in the Adobe Approved Trust List.

To be sure your copy of Adobe Reader or Acrobat will get the update, you can force a download of the AATL.  Go to Preferences->Trust Manager->Automatic Updates and click the Update Now button.  Also, be sure the “Load trusted root certificates from an Adobe server” option is checked.

A future product update of Adobe Reader and Acrobat version 9.x will enable dynamic updates of the AATL. In the meantime, users of Adobe Reader and Acrobat 9 can manually remove the DigiNotar Qualified CA using instructions provided in the blog post.

Also note that the Dutch government has published a document regarding the impact of the removal on signed PDFs.  That document (in Dutch and English) can be found at the links below:

Dutch version:

http://www.logius.nl/actueel/item/titel/verwijdering-diginotar-uit-adobe-reader/

English version:

http://www.logius.nl/english/news-message/titel/removal-of-diginotar-from-adobe-reader/

This posting is provided “AS IS” with no warranties and confers no rights.

Last week, many of the major browser vendors removed DigiNotar certificates from their list of trusted certificates, and in turn, the Dutch government renounced trust in DigiNotar and took over certificate operations at the company.

What Does This Mean for Adobe Customers?

The DigiNotar Qualified CA root certificate is part of the Adobe Approved Trust List (AATL) program, which we have mentioned in this space on multiple occasions.  The AATL is designed to make it easier for authors to create digitally signed PDF files that are trusted automatically by Adobe Reader and Acrobat versions 9 and above, and includes many certificates from around the world.

While Adobe is not aware of any evidence at this time of rogue certificates being issued directly from the DigiNotar Qualified CA root in particular, an official report by Dutch security consultancy Fox-IT stated that there was evidence of the hacker having access to this CA, thus possibly compromising its security.  (The rogue certificates known today are SSL certificates originating from the DigiNotar Public CA.)

Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List. This update will be published next Tuesday, September 13, 2011 for Adobe Reader and Acrobat X. We have delayed the removal of this certificate until next Tuesday at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change.

The latest releases of Adobe Reader and Acrobat X (version 10.x) include a trust list that Adobe can dynamically manage without requiring a product update/patch.  A future product update of Adobe Reader and Acrobat version 9.x will also enable dynamic updates of the AATL.  In the meantime, users of Adobe Reader and Acrobat 9 and X can manually remove the DigiNotar Qualified CA using one of several methods described below.

With all of the enhancements in Adobe Reader and Acrobat X, including new features and security capabilities, Adobe recommends customers migrate to these latest releases–especially for the free Adobe Reader.

To be sure your copy of Adobe Reader or Acrobat will get the update, you can force a download of the AATL.  Go to Preferences->Trust Manager->Automatic Updates and click the Update Now button.  Also, be sure the “Load trusted root certificates from an Adobe server” option is checked.

We are also in discussions with the Dutch government about the status of the DigiNotar intermediate certificates under the “Staat der Nederlanden” roots, which are included in the AATL.  We will continue to update you on the latest developments regarding these other certificates via this “Security Matters” blog and the Adobe Product Security Incident Response Team (PSIRT) blog.

Finally, Adobe will be proactively implementing a number of changes to the policies, terms and Technical Requirements for our AATL program in light of the DigiNotar breach and will communicate these changes within the next few weeks.

How to Remove the DigiNotar Qualified CA Certificate

If you would like to remove the DigiNotar Qualified CA certificate manually from Adobe Reader and/or Acrobat, versions 9 or X, we describe below two ways to do so.  Note that if you are operating a version of Adobe Reader and/or Acrobat prior to version 9, you do not need to take any action. Also, if you are an enterprise operating Adobe Reader and/or Acrobat, you should consult the Acrobat security and administration documentation located  here for information about removing this certificate.

Method One – Security Settings File

1) Download this ZIP file, and extract the RemoveDigiNotar.acrobatsecuritysettings file inside it.

2) Open Adobe Reader and/or Acrobat.

3) In Adobe Reader/Acrobat 9, open the Advanced menu (Document menu in Reader)->Security->Import Security Settings. In Adobe Reader/Acrobat X, open the Edit Menu->Protection->Import Security Settings.

4) Browse to the file you just downloaded, select it, and click Open.

5) Click Import.

6) If the certificate was found on your machine, it will be removed.

Method Two – Manual Removal – Adobe Reader 9

1)   Open Adobe Reader.

2)   Open the Document Menu and choose Manage Trusted Identities.

3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4)   Select the DigiNotar Qualified CA.

5)   Click Delete, and then confirm the deletion by clicking OK.

Method Two – Manual Removal – Adobe Acrobat 9

1)   Open Adobe Acrobat.

2)   Open the Advanced Menu and choose Manage Trusted Identities.

3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4)   Select the DigiNotar Qualified CA.

5)   Click Delete, and then confirm the deletion by clicking OK.

Method Two – Manual Removal – Adobe Reader X (Win/Mac) and Acrobat X (Mac)

1)   Open Adobe Reader or Acrobat.

2)   Open the Edit Menu->Protection->Manage Trusted Identities.

3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4)   Select the DigiNotar Qualified CA.

5)   Click Delete, and then confirm the deletion by clicking OK.

Method Two – Manual Removal – Adobe  Acrobat X (Win)

1)   Open Adobe Reader or Acrobat.

2)   Open the View Menu->Tools->Sign & Certify.  In the right-hand sidebar, click on More Sign & Certify->Manage Trusted Identities.

3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4)   Select the DigiNotar Qualified CA.

5)   Click Delete, and then confirm the deletion by clicking OK.

This posting is provided “AS IS” with no warranties and confers no rights.

Another advantage of using the built in encryption of PDF is that it can be persistently integrated in the file – and not enveloped.  This means that anywhere the file goes, independent of storage and transport, it stays protected.  Common alternatives like PGP, ZIP, and S/MIME use enveloping encryption around content that gets discarded when the envelope is open – leaving the content unprotected, subject to accidental or malicious redistribution.

There are three main ways to encrypt a PDF file:

1. Password encryption
2. Public Key Infrastructure (PKI) encryption
3. Rights Management

Password encryption relies on a shared password between the publisher and all the recipients.  The publisher selects a phrase like “No1Kn0w$” to encrypt the document, and the recipient uses the same to decrypt it.  To mitigate brute force attacks as well as simple guessing of common passwords – be sure to use long complex passwords with multiple upper, lower, number, and symbol combinations.  Remember to be creative, like song lyrics, poetry, and other long phrases as source material.

PKI encryption can provide greater protection by using additional cryptography and digital certificates.  Each recipient has a keypair (up to RSA4096), and publishes their public key certificate.  While encrypting, the publisher’s computer randomly generates a symmetric key(up to AES256), and encrypts that key to each recipient’s asymmetric public key to include in the document with the symmetric key encrypted content.  In return, the recipient computer uses their own private key to decrypt the symmetric key, and then decrypt the document.  When the private key is stored on a token, e.g. USB, CAC, PIV, eID – it can provide two factor security – requiring the token, and any PIN codes to unlock the token.

Rights Management was developed to provide integration into enterprise authentication (AuthN) and authorization (AuthZ) infrastructure without requiring PKI.  A Rights Management server ties into LDAP, Active Directory (AD), or other user databases to identify the ecosystem of users sharing a document.  Rights Management can also use those same directories to read in groups of users.  An administrator can create a rights management “policy” which is an easily reusable way to protect documents in a certain way.  The policy can define which users or groups can open the document, what they can do with the document, and track what they have done with the document.  These can be internal or external users – whether employees, partners, or consumers.  The publisher then selects the policy to protect a document.  The recipient opens the document and the Acrobat/Reader client will call back to the server to authenticate them, then determine whether they are authorized to open the document.  In addition to username/password types of authentication, the server can also support Kerberos single sign on (SSO),PKI authentication (which is different than PKI encryption above), OTP, and other custom methods.  With Rights Management you can also expire, revoke, version control, watermark, and audit document usage, too.  Rights Management is great for communities of users that have existing authentication and authorization systems in place – whether it’s secure information sharing, or electronic statements to consumers.  In addition to PDF, Rights Management can also apply to native Office and CAD documents, too.  Stay tuned for news on rights management capabilities being available on smartphone and tablet devices in Fall’11, too!

For all three encryption methods, it is also possible to restrict printing, clipboard, and modification after a protected document is opened.

Applying these encryption capabilities can be done ad-hoc on the desktop with Acrobat, as well as part of automated structured workflows on a server, too.

Cintas provides specialized services—among them uniform delivery, document management, and cleanroom resources—around the world for clients in a variety of markets.  Their trucks and personnel are recognizable the world over…and by the end of 2011, all Cintas sales representatives will be able to collect customer signatures directly on a tablet computer, eliminating the paper from their workflows and making the company both more efficient and more ecologically sustainable.

According to Brian Daniel, Director IT, at Cintas:

SOFTPRO is an excellent partner for us for two reasons. First, they understood our needs and worked closely with us to deploy and support our implementation. We knew we could count on them. Second, their solution is both robust and easy to implement. We are deploying a combination of technologies and SOFTPRO brings them all together.  Both our sales team and customers have been quite pleased with this roll-out.

SOFTPRO’s software integrates directly with Reader and LiveCycle ES, and allows Cintas to not only produce easy to use PDF forms with LiveCycle ES, but also easily electronically sign them in Reader.

Read the press release here, and for more on SOFTPRO, visit their website here.