3-Heights™ PDF Security – encryption, decryption, signature creation & verification

The 3-Heights™ PDF Security component offers comprehensive functionality in two independent yet combinable areas: Electronic signatures and encryption.

Sign

Add and validate PDF/A-conformant signatures

Safeguard

Protect PDF documents against unauthorized access

Annotation

Manage document revisions and include read-only annotations

Digital signing of PDF/A documents via HSM at Swiss Mobiliar Insurance

The decision to use 3-Heights™ PDF Security was based on the functional range of the product, the ability to integrate it into the Mobiliar’s applications and IT infrastructure, and additionally the extremely promising functional and performance tests. 

Encryption of care reports at MEDICPROOF with 3‑Heights™ PDF Security component

The 3-Heights™ PDF Security solution is a tremendous help in ensuring the necessary data security. A stable data interface is also essential to achieving this. The performance meets our expectations, and the flexibility of the solution sets 3-Heights™ PDF Security apart from other solutions on the market.

Product illustration 3-Heights™ PDF Security

PDF security - features

Apply simple, advanced, and qualified electronic signatures

  • PDF/A-conformant signatures
  • Support for European signature standards
  • Signature types
    • Document signatures to "digitally sign" documents
    • Modification detection & prevention (MDP) signatures to "certify" documents
    • Document time-stamp signatures to "time-stamp" documents
  • Apply PAdES-B-LTA (long term availability and integrity of validation material) and PAdES-LTV (Long Term Validation) signatures
    • Embedded trust chain, time-stamp and revocation information (OCSP, CRL)
    • Enlarge the longevity of existing signatures
    • Add signature validation material to the document security store (DSS)
  • Add an optional visual appearance of the signature (page, size, color, position, text, background image, etc.)
  • Cache OCSP, CRL, and other data for mass signing
  • Various types of cryptographic providers
    • Windows certificate store
    • Hardware such as hardware security module (HSM), smart cards, and USB tokens
    • Online signature services
      • QuoVadis sealsign
      • Swisscom All-in Signing Service
      • GlobalSign Digital Signing Service
    • Custom signature handler plugin interface
  • Mass signing of documents (API)
  • Multiple Signatures

Extract digital signatures

  • Validate digital signatures
  • Remove digital signatures
  • Extract signed version (revision) of document
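Validating a signature and extracting the signed revision both rest on the signature's /ByteRange: it names the two byte ranges the signature covers, and the only gap between them may be the hex /Contents string holding the signature value itself. Anything appended after the second range is a later incremental update (a new revision), and a ByteRange that leaves other bytes uncovered must be rejected. The following is an added Python example, not code from the 3-Heights PDF Security SDK; the PDF it builds is a constructed minimal sample with a placeholder /Contents, so it checks coverage and computes the signed digest, while the CMS signature verification a real validator performs on top is assumed to happen separately.

```python
"""Check which bytes of a PDF a signature's /ByteRange covers and extract the
signed revision. Added example, not code from the 3-Heights PDF Security SDK.
The PDF below is a constructed minimal sample whose /Contents is a placeholder,
so only coverage and the signed digest are checked, not the CMS signature."""
import hashlib
import re
from dataclasses import dataclass

_BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


@dataclass
class Coverage:
    digest: str             # SHA-256 over the two covered ranges
    signed_revision: bytes  # the file exactly as it was when signed
    trailing_bytes: int     # bytes appended after signing (incremental updates)


def check_signature_coverage(pdf: bytes) -> Coverage:
    """Validate the /ByteRange of the first signature and hash what it covers."""
    m = _BYTE_RANGE_RE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    a, b, c, d = (int(x) for x in m.groups())
    # Range 1 starts at byte 0; range 2 must end at or before the end of file.
    if a != 0 or a + b > c or c + d > len(pdf):
        raise ValueError("ByteRange is inconsistent with the file length")
    # The only uncovered bytes may be the hex /Contents string itself. A verifier
    # that skips this check would accept a ByteRange that hides other content.
    hole = pdf[a + b:c]
    if re.fullmatch(rb"<[0-9A-Fa-f]*>", hole) is None:
        raise ValueError("ByteRange leaves bytes other than /Contents uncovered")
    signed = pdf[a:a + b] + pdf[c:c + d]
    return Coverage(digest=hashlib.sha256(signed).hexdigest(),
                    signed_revision=pdf[:c + d],
                    trailing_bytes=len(pdf) - (c + d))


def build_sample_pdf(hole_extra: bytes = b"") -> bytes:
    """Constructed minimal PDF with one signature dictionary (placeholder /Contents).
    hole_extra inserts bytes between /Contents and range 2, which must be rejected."""
    contents_hex = b"00" * 16
    head = (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Count 0 /Kids [] >>\nendobj\n"
            b"3 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached\n"
            b"   /ByteRange ")
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    fmt = b"[0 %010d %010d %010d]"          # fixed width keeps the offsets stable
    contents_start = len(head) + len(fmt % (0, 0, 0)) + len(b" /Contents ")
    range2_start = contents_start + len(b"<") + len(contents_hex) + len(b">") + len(hole_extra)
    byte_range = fmt % (contents_start, range2_start, len(tail))
    return head + byte_range + b" /Contents <" + contents_hex + b">" + hole_extra + tail


# Constructed incremental update, as a viewer would append when adding an annotation.
INCREMENTAL_UPDATE = (b"4 0 obj\n<< /Type /Annot /Subtype /Text /Contents (added later) >>\nendobj\n"
                      b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    original = build_sample_pdf()
    base = check_signature_coverage(original)
    print("signed digest:", base.digest)
    # Bytes appended after signing lie outside the ByteRange: the signature still
    # verifies over the signed revision, which can be extracted and compared.
    later = check_signature_coverage(original + INCREMENTAL_UPDATE)
    print("trailing bytes:", later.trailing_bytes,
          "signed revision intact:", later.signed_revision == original)
    # A change inside the covered ranges alters the digest the signature was made over.
    tampered = original.replace(b"/Count 0", b"/Count 9")
    print("tampered digest differs:", check_signature_coverage(tampered).digest != base.digest)
    # A ByteRange that leaves extra bytes uncovered is rejected outright.
    try:
        check_signature_coverage(build_sample_pdf(hole_extra=b"% hidden %"))
    except ValueError as exc:
        print("rejected:", exc)
```

The example inspects only the first /ByteRange it finds; a document with several signatures has one per signature, each covering the revision that existed when it was applied, so the same check is repeated per signature. Trailing bytes are not by themselves a problem (a document time-stamp or the DSS added for PAdES-LTV is such an update); what matters is that a validator reports the signed revision separately from later changes.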

Encrypt and decrypt PDF documents

  • Set document restrictions, including:
    • Print document
    • Modify document content
    • Extract or copy content
    • Add comments
    • Fill in form fields
    • Content extraction for accessibility
    • Assemble documents
    • Print in high resolution
  • Set crypt and stream filters
  • Set encryption strength
  • Set owner and user password
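The restrictions listed above correspond one-to-one to the bit flags of the /P entry in a PDF's standard-security encryption dictionary (ISO 32000-1, Table 22). The following added Python example, which is not the 3-Heights API (the SDK's PDFPermission values are its own), encodes a set of allowed operations into a /P value and decodes a /P value back into the restrictions a conforming reader applies, checking the reserved bits on the way.

```python
"""Encode and decode the /P permission value of a PDF standard-security
encryption dictionary (ISO 32000-1, Table 22). Added example, not the 3-Heights
PDF Security API; the SDK's PDFPermission flags cover the same restrictions."""

# Bit numbers are 1-based as in the standard; bit n has the value 1 << (n - 1).
PERMISSION_BITS = {
    "print": 3,              # print the document (possibly degraded)
    "modify": 4,             # modify document content
    "copy": 5,               # extract or copy text and graphics
    "annotate": 6,           # add comments and fill in form fields
    "fill_forms": 9,         # fill in existing form fields
    "accessibility": 10,     # content extraction for accessibility
    "assemble": 11,          # insert, rotate or delete pages, bookmarks, thumbnails
    "print_high_res": 12,    # print in high resolution
}
# Reserved bits: 1-2 shall be 0; 7-8 and 13-32 shall be 1.
_RESERVED_ONES = sum(1 << (n - 1) for n in (7, 8, *range(13, 33)))
_RESERVED_ZEROS = sum(1 << (n - 1) for n in (1, 2))
_MASK32 = 0xFFFFFFFF


def encode_permissions(allowed: set[str]) -> int:
    """Build /P from the set of allowed operations; everything else is denied."""
    unknown = set(allowed) - PERMISSION_BITS.keys()
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    value = _RESERVED_ONES
    for name in allowed:
        value |= 1 << (PERMISSION_BITS[name] - 1)
    # /P is stored as a signed 32-bit integer, so a set bit 32 makes it negative.
    return value - (1 << 32) if value & (1 << 31) else value


def decode_permissions(p: int) -> tuple[set[str], bool]:
    """Return (allowed operations, reserved bits well-formed) for a /P value."""
    value = p & _MASK32                      # two's complement -> unsigned
    well_formed = (value & _RESERVED_ONES) == _RESERVED_ONES and not (value & _RESERVED_ZEROS)
    allowed = {name for name, bit in PERMISSION_BITS.items() if value & (1 << (bit - 1))}
    return allowed, well_formed


def denied_operations(p: int) -> set[str]:
    """The restrictions a conforming reader applies for this /P value."""
    allowed, _ = decode_permissions(p)
    return set(PERMISSION_BITS) - allowed


if __name__ == "__main__":
    view_and_print = encode_permissions({"print", "print_high_res", "accessibility"})
    print("/P for print and accessibility only:", view_and_print)
    print("denied:", sorted(denied_operations(view_and_print)))
    print("no permissions at all:", encode_permissions(set()))
    # -1 is common in the wild; it grants everything but violates the reserved bits.
    print("/P = -1 decodes as:", decode_permissions(-1))
```

Two caveats a practitioner should keep in mind: /P is enforced by conforming readers, not by the encryption itself, so anyone holding the owner password (or a non-conforming tool) can lift the restrictions; only the user password, i.e. encryption of the content, keeps the document from being read at all. And readers tolerate ill-formed reserved bits (a /P of -1 grants everything), so the well-formed flag is a quality signal rather than a security property.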

Stamping

  • Stamp text, images, or vector graphics
  • Add hyperlinks
  • PDF/A-conformant stamps
  • Modify existing stamps
  • Stamping of signed documents preserves existing signatures

Set document metadata

Optimize for the web (linearize)

Read input from and write output document to file, memory, or stream

Conformance

  • Standards:
    • ISO 32000-1 (PDF 1.7)
    • ISO 32000-2 (PDF 2.0)
    • ISO 19005‑1 (PDF/A‑1)
    • ISO 19005‑2 (PDF/A‑2)
    • ISO 19005‑3 (PDF/A‑3)
  • PAdES (ETSI EN 319 142) signature levels B-B, B-T, B-LT, B-LTA, CMS
  • Legacy PAdES baseline signature (ETSI TS 103 172) B-Level and T-Level
  • Legacy PAdES (ETSI TS 102 778) Part 2 (PAdES Basic), Part 3 (PAdES-BES), and Part 4 (PAdES-LTV, Long Term Validation)
  • Long term signature profiles for PAdES (ISO 14533-3)
  • Cryptographic Suites (ETSI TS 119 312)

Supported formats

Input formats

  • PDF 1.0 to 1.7
  • PDF 2.0
  • PDF/A-1, PDF/A-2, PDF/A-3

Output formats

  • PDF 1.0 to 1.7
  • PDF 2.0
  • PDF/A-1, PDF/A-2, PDF/A-3

    Areas of use - advanced PDF security

    Document archiving

    Documents are signed prior to archiving; this increases conformance with audit requirements, for instance. A hardware security module can be used to handle large numbers of documents. Verification enables the authenticity and integrity of signed documents to be checked prior to archiving.

    Incoming mail

    Verification of incoming signed PDF documents to ensure they have not been modified during transmission and were transmitted by an authenticated sender.

    Outgoing mail

    The component can encrypt and apply an electronic signature to PDF documents before they are sent, thus enabling the recipient to verify authenticity and integrity.

    Software manufacturers/OEM

    The 3‑Heights™ PDF Security component is quickly integrated into solutions without any need for extensive learning and programming.

    Other areas of use

    • Add encryption and/or digital signatures for PDF files to applications (client, server, web)
    • Centralized signature service with HSM for mass signatures in input/output management
    • Workflow support systems (author, review, release, etc.)
    • Client solutions (signature application software)
    • e‑books

    Checklist: how to create electronic signatures

    Preparation steps, for example:

    • Identify whether an advanced or a qualified signature is required
    • Acquire a corresponding certificate from a CA
    • Setup and configure the certificate’s cryptographic provider
    • Identify regulatory requirements regarding the content and life cycle of the signature
    • Optional: Acquire access to a trusted time server (TSA)
    • Optional: Ensure your input documents conform to the PDF/A standard

    Application of the signature, for example:

    Apply the signature by providing the following information:

    • The cryptographic provider where the certificate is located
    • Values for the selection of the signing certificate
    • Optional: Time-stamp service URL
    • Optional: Time-stamp service credentials
    • Optional: Add validation information
    • Optional: Visual appearance of the signature on a page of the document

    Sign a PDF using DigiCert-QuoVadis sealsign

    Add a digital signature to a PDF document. Use the DigiCert-QuoVadis sealsign service to create the signature. Set different mandatory properties such as the account ID, the password to access the account, the client ID and the PIN code to activate the signing key.

    C# sample:
    // Create secure object
    using (Secure secure = new Secure())
    {
        // Open input file
        if (!secure.Open(inputPath, ""))
            throw new Exception(String.Format("Input file {0} cannot be opened. " + 
                "{1} (ErrorCode: 0x{2:x}).", inputPath, secure.ErrorMessage, secure.ErrorCode));
    
        // Required: unique name of the account specified on the server.
        secure.SetSessionPropertyString("Identity", "Rigora");
        // Required: identifies the signature specifications by a unique name.
        secure.SetSessionPropertyString("Profile", "Default");
        // Required: password which secures the access to the account.
        secure.SetSessionPropertyString("secret", "NeE=EKEd33FeCk70");
        // Required: helps to separate access and to create better statistics.
        secure.SetSessionPropertyString("clientId", "3949-4929-3179-2818");
        // Required: activates the signing key.
        secure.SetSessionPropertyString("pin", "123456");
        // Optional: default value "SHA-256"
        secure.SetSessionPropertyString("MessageDigestAlgorithm", "SHA-256");
    
        // Begin session using DigiCert-QuoVadis Sealsign (demo version)
        if (!secure.BeginSession(@"https://services.sealsignportal.com/sealsign/ws/BrokerClient"))
            throw new Exception(String.Format("Unable to establish connection to DigiCert-QuoVadis Sealsign. " +
                "{0} (ErrorCode: 0x{1:x}).", secure.ErrorMessage, secure.ErrorCode));
    
        // Add signature
        using (Signature signature = new Signature())
        {
            // Required, name of the signer
            signature.Name = "Rigora";
            secure.AddSignature(signature);
        }
    
        // Sign document
        if (!secure.SaveAs(outputPath, "", "", PDFPermission.ePermNoEncryption, 0, "", ""))
            throw new Exception(String.Format("Unable to sign document {0}. {1} (ErrorCode: 0x{2:x}).", 
                outputPath, secure.ErrorMessage, secure.ErrorCode));
    
        // Cleanup
        secure.Close();
        secure.EndSession();
    }
    
    Java sample:
    // Create secure object
    Secure secure = new Secure();
    
    // Open input file 
    if (!secure.open(inputPath, ""))
        throw new IOException(String.format("Input file %s cannot be opened. %s (ErrorCode: 0x%08x).",
                inputPath, secure.getErrorMessage(), secure.getErrorCode()));
    
    // Required: unique name of the account specified on the server.
    secure.setSessionPropertyString("Identity", "Rigora");
    // Required: identifies the signature specifications by a unique name.
    secure.setSessionPropertyString("Profile", "Default");
    // Required: password which secures the access to the account.
    secure.setSessionPropertyString("secret", "NeE=EKEd33FeCk70");
    // Required: helps to separate access and to create better statistics.
    secure.setSessionPropertyString("clientId", "3949-4929-3179-2818");
    // Required: activates the signing key.
    secure.setSessionPropertyString("pin", "123456");
    // Optional: default value "SHA-256"
    secure.setSessionPropertyString("MessageDigestAlgorithm", "SHA-256");
    
    // Begin session using DigiCert-QuoVadis Sealsign (demo version)
    if (!secure.beginSession("https://services.sealsignportal.com/sealsign/ws/BrokerClient"))
        throw new IOException(String.format("Unable to establish connection to DigiCert-QuoVadis Sealsign. " + 
                "%s (ErrorCode: 0x%08x).", secure.getErrorMessage(), secure.getErrorCode()));
    
    // Add signature
    Signature signature = new Signature();
    
    // Required, name of the signer
    signature.setName("Rigora");
    secure.addSignature(signature);
    
    // Sign document
    if (!secure.saveAs(outputPath, "", "", NativeLibrary.PERMISSION.ePermNoEncryption, 0, "", ""))
        throw new IOException(String.format("Unable to sign document %s. %s (ErrorCode: 0x%08x).", 
                outputPath, secure.getErrorMessage(), secure.getErrorCode()));
    
    // Cleanup
    secure.close();
    secure.endSession();
    
    C sample:
    // Create secure object
    pSecure = PdfSecureCreateObject();
    
    // Open input file
    if (!PdfSecureOpen(pSecure, szInputPath, _T("")))
    {
        _tprintf(_T("Input file %s cannot be opened. %s (ErrorCode: 0x%08x).\n"), szInputPath, PdfSecureGetErrorMessage(pSecure), PdfSecureGetErrorCode(pSecure));
        iReturnValue = 1;
        goto cleanup;
    }
    
    // Required: unique name of the account specified on the server.
    PdfSecureSetSessionPropertyString(pSecure, _T("Identity"), _T("Rigora"));
    // Required: identifies the signature specifications by a unique name.
    PdfSecureSetSessionPropertyString(pSecure, _T("Profile"), _T("Default"));
    // Required: password which secures the access to the account.
    PdfSecureSetSessionPropertyString(pSecure, _T("secret"), _T("NeE=EKEd33FeCk70"));
    // Required: helps to separate access and to create better statistics.
    PdfSecureSetSessionPropertyString(pSecure, _T("clientId"), _T("3949-4929-3179-2818"));
    // Required: activates the signing key.
    PdfSecureSetSessionPropertyString(pSecure, _T("pin"), _T("123456"));
    // Optional: default value "SHA-256"
    PdfSecureSetSessionPropertyString(pSecure, _T("MessageDigestAlgorithm"), _T("SHA-256"));
    
    // Begin session using DigiCert-QuoVadis Sealsign (demo version)
    if (!PdfSecureBeginSession(pSecure, _T("https://services.sealsignportal.com/sealsign/ws/BrokerClient")))
    {
        _tprintf(_T("Unable to connect to DigiCert-QuoVadis Sealsign. %s (ErrorCode: 0x%08x).\n"), PdfSecureGetErrorMessage(pSecure), PdfSecureGetErrorCode(pSecure));
        iReturnValue = 1;
        goto cleanup;
    }
    
    // Create signature object
    pSignature = PdfSignatureCreateObject();
    
    // Add signature
    // Required, name of the signer
    PdfSignatureSetName(pSignature, _T("Rigora"));
    PdfSecureAddSignature(pSecure, pSignature);
    
    // Sign document
    if (!PdfSecureSaveAs(pSecure, szOutputPath, _T(""), _T(""), ePermNoEncryption, 0, _T(""), _T("")))
    {
        _tprintf(_T("Unable to sign document %s. %s (ErrorCode: 0x%08x).\n"), szOutputPath, PdfSecureGetErrorMessage(pSecure), PdfSecureGetErrorCode(pSecure));
        iReturnValue = 1;
        goto cleanup;
    }
    
    // Cleanup (target of the goto statements above)
    cleanup:
    PdfSecureClose(pSecure);
    PdfSecureEndSession(pSecure);
    
    Functionality graphic 3-Heights™ PDF Security

    Electronic signatures

    Applying an electronic signature guarantees the authenticity and integrity of documents, both of which are important requirements in electronic data exchange. Depending on the characteristics of the signature and the country it is used in, an electronic signature can be equivalent to signing a document by hand. Electronic signatures offer advantages with regard to the speed, security and automation of business correspondence.

    The 3-Heights™ PDF Security component is able to apply various types of electronic signature (simple, advanced and qualified). The component’s benefits include PDF/A conformity, embedding information on the validity of certificates (OCSP, CRL), time stamps and compatibility with signature hardware (HSM) for mass signature applications. The component can verify existing signatures by checking their integrity.

    Encryption

    PDF documents used in professional circumstances contain important information that needs to be protected against unauthorized access and unintentional alteration. This is achieved by protecting PDF documents through encryption and user permission flags.

    Difference between an electronic signature and a digital signature

    The term “digital signature” is used in legal contexts; its meaning is comparable with the expression “signed by hand”.

    An “electronic signature”, on the other hand, refers to the technical implementation of a signature.

    Furthermore, how these terms are interpreted differs between various countries.

    Signature types

    There are various signature types:

    • Document signature: Any user can apply a signature to a document
    • Author’s signature (MDP): Only the document’s author is permitted to sign the document
    • Qualified signature: A signature that is guaranteed through the use of hardware such as a USB key or smart card. The German identity card is an example of a qualified signature.
    • Document time-stamp signature: A time-stamp signature provides evidence that the document existed at a specific time. Furthermore, the time-stamp proves the document’s integrity, i.e. that the document has not been modified since.

    Advantages of digital signatures in comparison to manual signatures

    Time-saving

    Processes in which large numbers of documents need to be signed or where the signees are in different locations can take days to complete. Digital signatures can drastically reduce this time span.

    Security

    Unlike a manual signature, a digital signature has more than just legal implications. It offers the additional option to programmatically verify the authenticity and integrity of a document and the time at which it was signed.

    Requirements and legislation

    Certain processes have specific requirements concerning the exchange of documents. In some countries (e.g. Germany and Switzerland), applying a qualified electronic signature is equivalent to signing a document by hand.