Aloaha Sign! (English Version)




All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including photocopying, recording, taping, or information storage and retrieval systems - without the written permission of the publisher.

Products that are referred to in this document may be either trademarks and/or registered trademarks of the respective owners. The publisher and the author make no claim to these trademarks.

While every precaution has been taken in the preparation of this document, the publisher and the author assume no responsibility for errors or omissions, or for damages resulting from the use of information contained in this document or from the use of programs and source code that may accompany it. In no event shall the publisher and the author be liable for any loss of profit or any other commercial damage caused or alleged to have been caused directly or indirectly by this document.

Printed: December 2009

Table of Contents

1. Introduction
2. Installation
3. Usage
   3.1 Open Files
   3.2 Save as
   3.3 Print
   3.4 View
   3.5 Sign Documents
   3.6 Digitally Sign / Signature check
       3.6.1 Digitally Sign
       3.6.2 Signature check
   3.7 Card Reader
   3.8 Certificate check
   3.9 Aloaha Bulk Validator
4. FAQ

1. Introduction

Aloaha Sign! was developed to view digitally signed files and to check digital signatures. In addition, files of any kind can be signed.

Signature types which can be checked:
- PKCS7
- XMLDSIG
- PDF
- P7M / SMIME

Files can be signed in the following formats:
- PKCS7
- XMLDSIG
- PDF (if Aloaha Signator is installed on your system)
- P7M / SMIME

Digital signatures can be used with native smartcard support.

Other Aloaha products:
- Aloaha PDF Suite: Creates your PDF files. This suite may be the PDF software with the most functions in the market. Supports PDF signature, mass signing and native signing smartcards.
- Aloaha PDF Saver: Fill your data into PDF forms, save it to the PDF file and open it later for correction.
- Aloaha Crypto Service Provider: Use your smartcards for signing and authentication in standard office applications such as MS Outlook, Adobe Acrobat or Internet Explorer.

2. Installation

Installation requirements:
- Windows 2000/3/8
- Windows XP (Service Pack 3 suggested but not required)
- Windows Vista
- Windows 7

To install Aloaha Sign!, start the installation file (aloaha_sign_setup.exe). After the installation language is chosen, the following dialogue opens.

Setup asks for the installation folder before it begins to install the product. To use a different folder, click the Browse button and select the folder you want to install to.

Note: It is suggested to install all Aloaha products in the same directory.

When setup has installed the application successfully, click the Finish button.

3. Usage

To launch Aloaha Sign!, select the program Aloaha Sign! in the Windows start menu: Start > All Programs > Aloaha > Aloaha Sign!

The following options are now available:
- Files
- View
- Sign
- Card Reader

3.1 Open Files

If you want to open an encrypted document, your digital ID must be correctly installed. If necessary, contact the author of the document. If no digital ID is available on your system, the document cannot be opened.

3.2 Save as

To save a signed PDF file, select "Save as" and choose the target directory.

3.3 Print

Print: If you choose "Print", the document is sent directly to the installed printer.

Print on different printers: For this printing option, all printers installed on the system are available. The default printer can be selected like any other.

3.4 View

The View menu offers the following ways to display documents:
- View Original: the document is opened in the application it was created with. If the original document was created in MS Word, it is opened for viewing in MS Word.
- View Source: the source of the respective document is shown.
- View ASCII: the document is shown in ASCII format.

3.5 Sign Documents

With Aloaha Sign! you can sign documents. The following signature formats are available:
- D2D Signature
- P7M Signature
- XML Signature
- PKCS7 Signature
- PDF Signature

More information can be found in the section "Digitally Sign / Signature check".

3.6 Digitally Sign / Signature check

Signing PDF files electronically

With Aloaha Sign! you can sign files digitally. Electronic signatures are supported in accordance with the signature law (SigG) of the Federal Republic of Germany. Legally valid electronic invoices can be created. Invoices that are transmitted by fax or e-mail and/or are offered for download from the Internet (e.g., as a PDF document) and carry no "certified electronic signature" are not invoices for the purposes of section 14, paragraph 3 of the sales tax law.

Digital Signature

For the purposes of the law, a digital signature is a seal on digital data that is generated with a private signature key and that, with the help of the accompanying public key, which is provided with a signature key certificate of a certification authority, reveals the owner of the signature key and the integrity of the data (SigG).

The digital signature was developed with the aim of providing a signature method equivalent to the handwritten signature, with which data can be signed electronically. The main problem in the transmission of electronic data is that it can be manipulated. This problem can only be eliminated by an electronic signature, because unnoticed manipulation of the data is then no longer possible. The requirement is that the electronic signature, like a handwritten signature, is inseparably connected with the respective document. It can be seen by everybody, but can only be changed by the signer. The signer can be identified, and the signature makes every manipulation, such as later additions or changed text passages, immediately recognizable. The certificate check proves that the signature was not faked and that the certificate owner is real. Apart from the owner's name, no personal data is revealed.

Legal regulations

Definitions of the different kinds of digital signature are found in the signature law (SigG) and in the signature ordinance (SigV). They set out the requirements for electronic signatures and define Certification Service Providers (ZDA). A distinction is made between simple, advanced and certified digital signatures. Every signature type stands for a certain quality level. The higher the level of the signature, the more weight it carries in legal relations and the greater its functionality. Only certified signatures meet the same requirements for electronic data that the handwritten signature meets for data in paper form. They are admitted in court as evidence.

The cryptographic algorithms admitted for certified electronic signatures are approved and published by the Federal Network Agency. At www.bundesnetzagentur.de you will find a list of all accredited Certification Service Providers (trust centres). The products admitted for a certified electronic signature are also listed there.

The requirements for a certified signature are met when the signature:
- is associated exclusively with the signatory
- allows unequivocal identification of the signatory
- is created with means that only the signatory controls
- makes every later change to the signed data evident
- is based on a certified certificate

A certified certificate can only be issued by an accredited Certification Service Provider. Particularly strict requirements apply to the security of key creation and to the organisation of the trust centre. In Germany, compliance of the trust centre with the legal requirements is also monitored by the Federal Network Agency.

Public Key procedures

Digital signatures are based on asymmetric cryptosystems and use a key pair consisting of a private (confidential) and a public (not confidential) signature key. Data that was encoded with one key can only be opened again with the other.

The private key is used for signing. The key is on the chip of the card and cannot be read out. The data to be processed is loaded onto the chip, encrypted or decrypted there, and transmitted back to the computer. To use the private key, the right PIN is required, which provides additional security. The signature can only come from the card owner, because only the owner is in possession of both the card and the PIN.

The public key is integrated into a certificate and is available to everyone. It can also be retrieved from directory services via LDAP or HTTP, and it can of course also be sent by e-mail. To guarantee that the certificate, and therefore the key, was not faked, every certificate is signed by its publisher. It is therefore checked whether the certificate was published by a trustworthy authority.

When the signature is checked, the receiver uses the public key. The encrypted hash value of the publisher is decrypted and compared to the hash value of the document. If both values agree, the document was not modified.

When a file is signed, a hash value is formed, which is comparable to a fingerprint. Two different documents can never have the same hash value. The hash value is encrypted using the RSA procedure with a key length of at least 1024 bits (depending on the card used). The encryption of the hash value takes place on the card, whose chip processor can process only small data volumes. This ensures that the private key does not leave the card. The encoded hash value is sent back to the computer and is embedded in the document to be signed.

Before the document can be signed, the private key must be released with the right PIN (Personal Identification Number).
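The signing flow described above, as an added example that is not part of the Aloaha manual or product: the computer hashes the file, only the hash goes to a PIN-protected card object, and the receiver checks the result with the public key. The Card class, the function names, the choice of SHA-256 with PKCS #1 v1.5 encoding, and the constructed toy key are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed toy key built from two Mersenne primes (1128-bit modulus).
# Never use such primes for a real key; a real key is generated on the card.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8            # modulus length in bytes

# DER-encoded DigestInfo prefix for SHA-256 (PKCS #1 v1.5).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_digest(digest):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || hash, K bytes long."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


class Card:
    """Hypothetical stand-in for the signature card: the key stays inside."""

    def __init__(self, pin, d):
        self._pin, self._d, self._unlocked = pin, d, False

    def verify_pin(self, pin):
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._unlocked

    def sign_digest(self, digest):
        if not self._unlocked:
            raise PermissionError("private key not released: PIN required")
        if len(digest) != 32:
            raise ValueError("expected a 32-byte SHA-256 digest")
        em = int.from_bytes(encode_digest(digest), "big")
        return pow(em, self._d, N).to_bytes(K, "big")


def sign(document, card, pin):
    """Host side: hash on the computer, send only the hash to the card."""
    if not card.verify_pin(pin):
        raise PermissionError("wrong PIN")
    return card.sign_digest(hashlib.sha256(document).digest())


def verify(document, signature, n=N, e=E):
    """Receiver side: recover the encoded hash with the public key, compare."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(K, "big")
    expected = encode_digest(hashlib.sha256(document).digest())
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    doc = b"Invoice 0001: 100.00 EUR"        # constructed sample document
    sig = sign(doc, Card("1234", D), "1234")
    print("original verifies:", verify(doc, sig))
    print("edited copy verifies:", verify(doc.replace(b"100", b"900"), sig))
```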

3.6.1 Digitally Sign

This software was developed to check and display digital signatures. In addition, any file can be signed digitally. Signing of files is supported in the following formats:
- PKCS7
- XMLDSIG
- PDF (only if the Aloaha Signator / PDF Suite is installed on the system)
- P7M / SMIME

Sign: With Aloaha Sign! you can sign documents. The following signature formats are available:
- D2D Signature
- P7M Signature
- XML Signature
- PKCS#7 Signature
- PDF Signature

Signature process: If you want to sign an opened document, you are first asked for the location where the document should be saved after it has been signed. After you have selected the location and set the filename, a window with "Certificate Properties" opens.

Confirm the certificate by clicking the field with the green check mark. You are now requested to enter the PIN associated with the certificate. Enter the PIN and confirm the input. After the signature process, the document can be found at the location you selected.

Note: Embedded files are also signed.

3.6.2 Signature check

Checking of digital signatures is supported for:
- PKCS7
- XMLDSIG
- PDF
- P7M / SMIME

To be able to use Aloaha Sign! to its full extent, it makes sense to also install the Aloaha PDF Suite or the Aloaha Signator.

If you want to check a signature or open a document that was created with another application, right-click the file in Windows Explorer and open it with Aloaha Sign!. You are then asked whether you want to open or save the file. After the file has been imported, the Aloaha PDF Editor shows the file.

Note: If the file is not encrypted/signed, the document is opened in the application in which it was created, even though you selected the command "Open" in Aloaha Sign!. For encrypted / signed PDF documents, the Aloaha PDF Editor is used. Here another window opens. Before that, a window opens that shows the properties associated with the certificate, such as validity, issuer, etc.

If signed documents are edited afterwards, the signature loses its validity.

3.7 Card Reader

The menu item Card Reader shows whether a reader is connected to the system, and which one. Right-click the Card Reader's icon to get information about the signature card in use.

3.8 Certificate check

This item provides information about the particular certificate:
- Aloaha Certification Authority: information about the currently used certificate
- Demo User / TestCert: the card currently in the Card Reader
- Get Report: displays the report about the signature check and the currently used signature setting

3.9 Aloaha Bulk Validator

The Aloaha PDF Signature Bulk Validator is a commercial add-on to the popular Aloaha Sign!. It is delivered as a simple .exe file which can be started with some parameters to bulk validate PDF signatures. Validated PDF documents are sorted into subdirectories.

To validate a complete directory of PDF documents, just start AloSiVal.exe <Directory>. It is IMPORTANT that <Directory> ends with a backslash! For example:

AloSiVal.exe C:\PDF\

Validated documents are sorted into subdirectories under \ValidatedPDF\. This subdirectory can be configured in HKEY_LOCAL_MACHINE\SOFTWARE\Aloaha\Validator\TargetDir.

Suspicious PDF documents are sorted into the subdirectory suspicious. Such documents have been edited AFTER having been signed.

For every status of a signature, a bitmask representing the signature quality is created and used as the directory name. In HKEY_LOCAL_MACHINE\SOFTWARE\Aloaha\Validator it is possible to give those directories a clear text name.

Possible Bitmask Values

IS NOT TIME VALID = &H1
    This certificate or one of the certificates in the certificate chain is not time valid.
IS NOT TIME NESTED = &H2
    Certificates in the chain are not properly time nested.
IS REVOKED = &H4
    Trust for this certificate or one of the certificates in the certificate chain has been revoked.
NOT SIGNATURE VALID = &H8
    The certificate or one of the certificates in the certificate chain does not have a valid signature.
NOT VALID FOR USAGE = &H10
    The certificate or certificate chain is not valid for its proposed usage.
IS UNTRUSTED ROOT = &H20
    The certificate or certificate chain is based on an untrusted root.
REVOCATION STATUS UNKNOWN = &H40
    The revocation status of the certificate or one of the certificates in the certificate chain is unknown.
IS CYCLIC = &H80
    One of the certificates in the chain was issued by a certification authority that the original certificate had certified.
INVALID EXTENSION = &H100
    One of the certificates has an extension that is not valid.
INVALID POLICY CONSTRAINTS = &H200
    The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.
INVALID BASIC CONSTRAINTS = &H400
    The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.
INVALID NAME CONSTRAINTS = &H800
    The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.
HAS NOT SUPPORTED NAME CONSTRAINT = &H1000
    The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields. The minimum and maximum fields are not supported. Thus minimum must always be zero and maximum must always be absent. Only UPN is supported for an Other Name. The following alternative name choices are not supported:
    - X400 Address
    - EDI Party Name
    - Registered Id
HAS NOT DEFINED NAME CONSTRAINT = &H2000
    The certificate or one of the certificates in the certificate chain has a name constraints extension, and a name constraint is missing for one of the name choices in the end certificate.
HAS NOT PERMITTED NAME CONSTRAINT = &H4000
    The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.
HAS EXCLUDED NAME CONSTRAINT = &H8000
    The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.
IS OFFLINE REVOCATION = &H1000000
    The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
NO ISSUANCE CHAIN POLICY = &H2000000
    The end certificate does not have any resultant issuance policies, and one of the issuing CA certificates has a policy constraints extension requiring it.
IS PARTIAL CHAIN = &H10000
    The certificate chain is not complete.
CTL IS NOT TIME VALID = &H20000
    A CTL used to create this chain was not time valid.
CTL IS NOT SIGNATURE VALID = &H40000
    A CTL used to create this chain did not have a valid signature.
CTL IS NOT VALID FOR USAGE = &H80000
    A CTL used to create this chain is not valid for this usage.

Every possible value can be mapped to a clear text name in HKEY_LOCAL_MACHINE\SOFTWARE\Aloaha\Validator.
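A triage helper for the bitmask-named subdirectories described above, as an added example that is not part of the Aloaha manual or product. The flag values are the ones listed in this section; the accepted name formats (&H.., 0x.. or plain decimal), the triage categories and the sample names are assumptions of this example.

```python
import re

# Flag values copied from the "Possible Bitmask Values" list above.
FLAGS = {
    0x1: "IS NOT TIME VALID",
    0x2: "IS NOT TIME NESTED",
    0x4: "IS REVOKED",
    0x8: "NOT SIGNATURE VALID",
    0x10: "NOT VALID FOR USAGE",
    0x20: "IS UNTRUSTED ROOT",
    0x40: "REVOCATION STATUS UNKNOWN",
    0x80: "IS CYCLIC",
    0x100: "INVALID EXTENSION",
    0x200: "INVALID POLICY CONSTRAINTS",
    0x400: "INVALID BASIC CONSTRAINTS",
    0x800: "INVALID NAME CONSTRAINTS",
    0x1000: "HAS NOT SUPPORTED NAME CONSTRAINT",
    0x2000: "HAS NOT DEFINED NAME CONSTRAINT",
    0x4000: "HAS NOT PERMITTED NAME CONSTRAINT",
    0x8000: "HAS EXCLUDED NAME CONSTRAINT",
    0x10000: "IS PARTIAL CHAIN",
    0x20000: "CTL IS NOT TIME VALID",
    0x40000: "CTL IS NOT SIGNATURE VALID",
    0x80000: "CTL IS NOT VALID FOR USAGE",
    0x1000000: "IS OFFLINE REVOCATION",
    0x2000000: "NO ISSUANCE CHAIN POLICY",
}
KNOWN = sum(FLAGS)                      # all documented bits OR-ed together
# Assumed triage policy: these two bits mean revocation could not be
# checked, not that the chain itself failed.
SOFT = 0x40 | 0x1000000

# Assumed name formats: "&H28", "0x28" (hex) or "40" (decimal).
_MASK = re.compile(r"(?:&h|0x)([0-9a-f]+)|([0-9]+)")


def parse_mask(name):
    """Return the integer mask for a directory name, or None if it is not one."""
    m = _MASK.fullmatch(name.strip().lower())
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2), 10)


def decode(mask):
    """Split a mask into documented flag names and leftover undocumented bits."""
    names = [label for bit, label in sorted(FLAGS.items()) if mask & bit]
    return names, mask & ~KNOWN


def triage(mask):
    """Assumed categories for sorting the validator's output directories."""
    if mask & ~KNOWN:
        return "unknown-bits"           # not in the list above: inspect by hand
    if mask == 0:
        return "no-flags"
    if mask & ~SOFT == 0:
        return "revocation-unverified"
    return "chain-error"


def report(dir_names):
    """Map each mask-named directory to (category, flag names); skip the rest."""
    out = {}
    for name in dir_names:
        mask = parse_mask(name)
        if mask is not None:            # e.g. "suspicious" is not a mask
            out[name] = (triage(mask), decode(mask)[0])
    return out


# Constructed sample of subdirectory names under \ValidatedPDF\
SAMPLE = ["0", "64", "&H28", "suspicious", "0x1000040", "&H4000000"]

if __name__ == "__main__":
    for name, (category, flags) in report(SAMPLE).items():
        print(f"{name:>10}  {category:<22} {', '.join(flags) or '-'}")
```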

4. FAQ

Can I use Aloaha Sign! to apply a digital signature to PDF documents?
You need one of the Aloaha PDF products to apply digital signatures to PDF documents. Aloaha Sign! is designed to sign NON PDF documents.

Do I need a CSP to be able to sign a file?
Aloaha's innovative technology supports a broad range of smartcards natively. That means that no CSP is required for such smartcards!

Which type of signatures can I create with Sign!?
Sign! is able to create p7m, PKCS#7 and XMLDSIG signatures.

What is a p7m file?
A p7m file is a digitally signed electronic envelope containing the original file. P7M is also called S/MIME.

What is a PKCS7 file?
A PKCS7 file contains the digital signature and the signing certificate. Unlike S/MIME, it does NOT contain the original data.

What is xmldsig?
When signing an XML file, it is possible to place the signature directly inside the XML itself. This is called xmldsig.

How can I validate p7m and p7s signatures?
Just right-click on them and choose validate!
