3-Heights™ PDF Security – encryption, decryption, signature creation & verification

The 3-Heights™ PDF Security component offers comprehensive functionality in two independent yet combinable areas: Electronic signatures and encryption.

Sign

Add and validate PDF/A-conform signatures

Safeguard

Protect PDF documents against unauthorized access

Annotation

Manage document revisions and include read-only annotations

Get a 30-days-free-trial

Request a tailored quote

Test online

Digitally signing of PDF/A documents via HSM at Swiss Mobiliar Insurance

The decision to use 3-Heights™ PDF Security was based on the functional range of the product, the ability to integrate it into the Mobiliar’s applications and IT infrastructure, and additionally the extremely promising functional and performance tests.

Encryption of care reports at MEDICPROOF with 3‑Heights™ PDF Security component

The 3-Heights™ PDF Security solution is a tremendous help in ensuring the necessary data security. A stable data interface is also essential to achieving this. The performance meets our expectations, and the flexibility of the solution sets 3-Heights™ PDF Security apart from other solutions on the market.

further sucessful use cases

Product illustration 3-Heights™ PDF Security

PDF security - features

Apply simple, advanced, and qualified electronic signatures

PDF/A conform signatures
Support European Signature Norms
Signature types
- Document signatures to "digitally sign" documents
- Modification detection & prevention (MDP) signatures to "certify" documents
- Document time-stamp signatures to "time-stamp" documents
Apply PAdES-B-LTA (long term availability and integrity of validation material) and PAdES-LTV (Long Term Validation) signatures
- Embedded trust chain, time-stamp and revocation information (OCSP, CRL)
- Enlarge the longevity of existing signatures
- Add signature validation material to the document security store (DSS)
Add an optional visual appearance of the signature (page, size, color, position, text, background image, etc.)
Cache OCSP, CRL, and other data for mass signing
Various types of cryptographic providers
- Windows certificate store
- Hardware such as hardware security module (HSM), smart cards, and USB tokens
- Online signature services
  - QuoVadis sealsign
  - Swisscom All-in Signing Service
  - GlobalSign Digital Signing Service
- Custom signature handler plugin interface
Mass signing of documents (API)
Multiple Signatures

Extract digital signatures

Validate digital signatures
Remove digital signatures
Extract signed version (revision) of document

Encrypt and decrypt PDF documents

Set document restrictions, including:
- Print document
- Modify document content
- Extract or copy content
- Add comments
- Fill in form fields
- Content extraction for accessibility
- Assemble documents
- Print in high resolution
Set crypt and stream filters
Set encryption strength
Set owner and user password

Stamping

Stamp text, images, or vector graphics
Add hyperlinks
PDF/A conform stamps
Modify existing stamps
Stamping of signed documents preserves existing signatures

Set document metadata

Optimize for the web (linearize)

Read input from and write output document to file, memory, or stream

Conformance

Standards:
- ISO 32000-1 (PDF 1.7)
- ISO 32000-2 (PDF 2.0)
- ISO 19005‑1 (PDF/A‑1)
- ISO 19005‑2 (PDF/A‑2)
- ISO 19005‑3 (PDF/A‑3)
PAdES (ETSI EN 319 142) signature levels B-B, B-T, B-LT, B-LTA, CMS
Legacy PAdES baseline signature (ETSI TS 103 172) B-Level and T-Level
Legacy PAdES (ETSI TS 102 778) Part2 (PAdES Basic), Part3 (PAdES-BES), and Part4 (PAdES-LTV, Long Term Validation)
Long term signature profiles for PAdES (ISO 14533-3)
Cryptographic Suites (ETSI TS 119 312)

Supported formats

Input formats

PDF 1.0 to 1.7
PDF 2.0
PDF/A-1, PDF/A-2, PDF/A-3

Output formats

PDF 1.0 to 1.7
PDF 2.0
PDF/A-1, PDF/A-2, PDF/A-3

“We are very happy with the tools and services provided by PDF Tools AG. Furthermore, we thank the support team for helping us speeding up the resolution of exceptional issues.”

Ankur Saxena, Development Director,
LULU Software

Areas of use - advanced PDF security

Document archiving

Documents are signed prior to archiving; this increases conformance with audit requirements, for instance. A hardware security module can be used to handle large numbers of documents. Verification enables the authenticity and integrity of signed documents to be checked prior to archiving.

Incoming mail

Verification of incoming signed PDF documents to ensure they have not been modified during transmission and were transmitted by an authenticated sender.

Outgoing mail

The component can encrypt and apply an electronic signature to PDF documents before they are sent, thus enabling the recipient to verify authenticity and integrity.

Software manufacturers/OEM

The 3‑Heights™ PDF Security component is quickly integrated in solutions without any need for extensive learning and programming.

Other areas of use

Add encryption and/or digital signatures for PDF files to applications (client, server, web)
Centralized signature service with HSM for mass signatures in input/output management
Workflow support systems (author, review, release, etc.)
Client solutions (signature application software)
e‑books

Checklist how to create electronic signatures

Preparation steps
for example:

Identify whether an advanced or a qualified signature is required
Acquire a corresponding certificate from a CA
Setup and configure the certificate’s cryptographic provider
Identify regulatory requirements regarding the content and life cycle of the signature
Optional: Acquire access to a trusted time server (TSA)
Optional: Ensure your input documents conform to the PDF/A standard

Application of the signature
for example:

Apply the signature by providing the following information:

The cryptographic provider where the certificate is located
Values for the selection of the signing certificate
Optional: Time-stamp service URL
Optional: Time-stamp service credentials
Optional: Add validation information
Optional: Visual appearance of the signature on a page of the document

Sign a PDF using DigiCert-QuoVadis sealsign

Add a digital signature to a PDF document. Use the DigiCert-QuoVadis sealsign service to create the signature. Set different mandatory properties such as the account ID, the password to access the account, the client ID and the PIN code to activate the signing key.

More samples...

C# sample:

// Create secure object
using (Secure secure = new Secure())
{
    // Open input file
    if (!secure.Open(inputPath, ""))
        throw new Exception(String.Format("Input file {0} cannot be opened. " + 
            "{1} (ErrorCode: 0x{2:x}).", inputPath, secure.ErrorMessage, secure.ErrorCode));

    // Required: unique name of the accountspecified on the server.
    secure.SetSessionPropertyString("Identity", "Rigora");
    // Required: identifies the signature specifications by a unique name.
    secure.SetSessionPropertyString("Profile", "Default");
    // Required: password which secures the access to the account.
    secure.SetSessionPropertyString("secret", "NeE=EKEd33FeCk70");
    // Required: helps to separate access and to create better statistics.
    secure.SetSessionPropertyString("clientId", "3949-4929-3179-2818");
    // Required: activates the signing key.
    secure.SetSessionPropertyString("pin", "123456");
    // Optional: default value "SHA-256"
    secure.SetSessionPropertyString("MessageDigestAlgorithm", "SHA-256");

    // Begin session using DigiCert-QuoVadis Sealsign (demo version)
    if (!secure.BeginSession(@"https://services.sealsignportal.com/sealsign/ws/BrokerClient"))
        throw new Exception(String.Format("Unable to establish connection to DigiCert-QuoVadis Sealsign. " +
            "{0} (ErrorCode: 0x{1:x}).", secure.ErrorMessage, secure.ErrorCode));

    // Add signature
    using (Signature signature = new Signature())
    {
        // Required, name of the signer
        signature.Name = "Rigora";
        secure.AddSignature(signature);
    }

    // Sign document
    if (!secure.SaveAs(outputPath, "", "", PDFPermission.ePermNoEncryption, 0, "", ""))
        throw new Exception(String.Format("Unable to sign document {0}. {1} (ErrorCode: 0x{2:x}).", 
            outputPath, secure.ErrorMessage, secure.ErrorCode));

    // Cleanup
    secure.Close();
    secure.EndSession();
}

C# sample:

Java sample:

// Create secure object
secure = new Secure();

// Open input file 
if (!secure.open(inputPath, ""))
    throw new IOException(String.format("Input file %s cannot be opened. %s (ErrorCode: 0x%08x).",
            inputPath, secure.getErrorMessage(), secure.getErrorCode()));

// Required: unique name of the account specified on the server.
secure.setSessionPropertyString("Identity", "Rigora");
// Required: identifies the signature specifications by a unique name.
secure.setSessionPropertyString("Profile", "Default");
// Required: password which secures the access to the account.
secure.setSessionPropertyString("secret", "NeE=EKEd33FeCk70");
// Required: helps to separate access and to create better statistics.
secure.setSessionPropertyString("clientId", "3949-4929-3179-2818");
// Required: activates the signing key.
secure.setSessionPropertyString("pin", "123456");
// Optional: default value "SHA-256"
secure.setSessionPropertyString("MessageDigestAlgorithm", "SHA-256");

// Begin session using DigiCert-QuoVadis Sealsign (demo version)
if (!secure.beginSession("https://services.sealsignportal.com/sealsign/ws/BrokerClient"))
    throw new IOException(String.format("Unable to establish connection to DigiCert-QuoVadis Sealsign. " + 
            "%s (ErrorCode: 0x%08x).", secure.getErrorMessage(), secure.getErrorCode()));

// Add signature
signature = new Signature();

// Required, name of the signer
signature.setName("Rigora");
secure.addSignature(signature);

// Sign document
if (!secure.saveAs(outputPath, "", "", NativeLibrary.PERMISSION.ePermNoEncryption, 0, "", ""))
    throw new IOException(String.format("Unable to sign document %s. %s (ErrorCode: 0x%08x).", 
            outputPath, secure.getErrorMessage(), secure.getErrorCode()));

// Cleanup
secure.close();
secure.endSession();

Java sample:

C sample:

// Create secure object
pSecure = PdfSecureCreateObject();

// Open input file
if (!PdfSecureOpen(pSecure, szInputPath, _T("")))
{
    _tprintf(_T("Input file %s cannot be opened. %s (ErrorCode: 0x%08x).\n"), szInputPath, PdfSecureGetErrorMessage(pSecure), PdfSecureGetErrorCode(pSecure));
    iReturnValue = 1;
    goto cleanup;
}

// Required: unique name of the accountspecified on the server.
PdfSecureSetSessionPropertyString(pSecure, _T("Identity"), _T("Rigora"));
// Required: identifies the signature specifications by a unique name.
PdfSecureSetSessionPropertyString(pSecure, _T("Profile"), _T("Default"));
// Required: password which secures the access to the account.
PdfSecureSetSessionPropertyString(pSecure, _T("secret"), _T("NeE=EKEd33FeCk70"));
// Required: helps to separate access and to create better statistics.
PdfSecureSetSessionPropertyString(pSecure, _T("clientId"), _T("3949-4929-3179-2818"));
// Required: activates the signing key.
PdfSecureSetSessionPropertyString(pSecure, _T("pin"), _T("123456"));
// Optional: default value "SHA-256"
PdfSecureSetSessionPropertyString(pSecure, _T("MessageDigestAlgorithm"), _T("SHA-256"));

// Begin session using DigiCert-QuoVadis Sealsign (demo version)
if (!PdfSecureBeginSession(pSecure, _T("https://services.sealsignportal.com/sealsign/ws/BrokerClient")))
{
    _tprintf(_T("Unable to connect to DigiCert-QuoVadis Sealsign. %s (ErrorCode: 0x%08x).\n"), PdfSecureGetErrorMessage(pSecure), PdfSecureGetErrorCode(pSecure));
    iReturnValue = 1;
    goto cleanup;
}

// Create signature object
pSignature = PdfSignatureCreateObject();

// Add signature
// Required, name of the signer
PdfSignatureSetName(pSignature, _T("Rigora"));
PdfSecureAddSignature(pSecure, pSignature);

// Sign document
if (!PdfSecureSaveAs(pSecure, szOutputPath, _T(""), _T(""), ePermNoEncryption, 0, _T(""), _T("")))
{
    _tprintf(_T("Unable to sign document %s. %s (ErrorCode: 0x%08x).\n"), szOutputPath, PdfSecureGetErrorMessage(pSecure), PdfSecureGetErrorCode(pSecure));
    iReturnValue = 1;
    goto cleanup;
}

// Cleanup
PdfSecureClose(pSecure);
PdfSecureEndSession(pSecure);

C sample:

Functionality graphic 3-Heights™ PDF Security

Electronic signatures

Applying an electronic signature guarantees the authenticity and integrity of documents, both of which are important requirements in electronic data exchange. Depending on the characteristics of the signature and the country it is used in, an electronic signature can be equivalent to signing a document by hand. Electronic signatures offer advantages with regard to the speed, security and automation of business correspondence.

The 3-Heights™ PDF Security component is able to apply various types of electronic signature (simple, advanced and qualified). The component’s benefits include PDF/A conformity, embedding information on the validity of certificates (OCSP, CRL), time stamps and compatibility with signature hardware (HSM) for mass signature applications. The component can verify existing signatures by checking their integrity.

Encryption

PDF documents used in professional circumstances contain important information that needs to be protected against unauthorized access and unintentional alteration. This is achieved by protecting PDF documents through encryption and user permission flags.

Difference between an electronic signature and a digital signature

The term “digital signature” is used in legal contexts; its meaning is comparable with the expression “signed by hand”.

An “electronic signature”, on the other hand, refers to the technical implementation of a signature.

Furthermore, how these terms are interpreted differs between various countries.

Signature types

There are various signature types:

Document signature: Any user can apply a signature to a document
Author’s signature (MDP): Only the document’s author is permitted to sign the document
Qualified signature: A signature that is guaranteed through the use of hardware such as a USB key or smart card. The German identity card is an example of a qualified signature.
Document Time-stamp signature: A time-stamp signature provides evidence, that the document existed at a specific time. Furthermore, the time-stamp proves the document’s integrity, i.e. that the document has not been modified.

Advantages of digital signatures in comparison to manual signatures

Time-saving

Processes in which large numbers of documents need to be signed or where the signees are in different locations can take days to complete. Digital signatures can drastically reduce this time span.

Security

Unlike a manual signature, a digital signature has more than just legal implications. It offers the additional option to programmatically verify the authenticity and integrity of a document and the time at which it was signed.

Requirements and legislation

Certain processes have specific requirements concerning the exchange of documents. In some countries (e. g. Germany and Switzerland) applying a qualified electronic signature is equivalent to signing a document by hand.

Further information about PDF security, encrpytion and digital signature

White paper: Digital signatures from the cloud - Basics and Applications
PDF expert blog: Using blockchains as an alternative to PKIs for digital signatures
PDF expert blog: Digital signatures in PDF/A
PDF expert blog: Utiltiy to simplify the import of certificates and private keys into a PKS#11 cryptographic token (HSM)
PDF expert blog: PAdES - PDF Advanced Electronic Signature
Security Glossary: Explanation of terms and expressions that are used within PDF Security

Protect your PDF documents