Introduction
Overview
SecurSign is a server-based application which encrypts, digitally signs and verifies digital signatures on PDF documents. Digital signatures placed by SecurSign are compatible with the Adobe® Acrobat® Digital Signature Mechanism and can be verified using Adobe Acrobat or Adobe Reader.
SecurSign is designed to run in real time with other processes in an unattended environment to handle high-volume and on-demand production needs. SecurSign can also run in batch mode to encrypt, digitally sign or verify large collections of PDF documents.
NEW in SecurSign 5!
- PDF/A Support ~ Sign PDF/A documents without losing PDF/A compliance!
- Signature Validation ~ detects tampering!
- 2048-Bit Key Lengths ~ the latest standard for Digital Certificates!
- OpenType Fonts ~ Place signature text using any OpenType font!
Digital Signature and Verification Features
- Digitally Sign using visible or invisible digital signatures
- X.509v3 Digital Certificates from any Certificate Authority
- Add Signature Fields to any PDF page
- Multiple Digital Signatures can be applied sequentially
- Custom Graphics including watermarks, logos and handwritten signatures
- Verification to detect file modification or tampering since it was signed
- Linearization to optimize signed PDF documents with Fast Web View for faster viewing on a network
- No additional software is required – use any digital-signature aware PDF viewer to view or verify signatures
Encryption Features
- Advanced Encryption Standard (AES) encryption algorithm with 128-bit or 256-bit key lengths
- RC4 encryption algorithm with 40-bit or 128-bit key length for compatibility with older PDF viewers
- Secure envelopes; encrypt PDF and non-PDF attachments, leaving the “envelope” PDF unencrypted
- Set User Passwords to control who may view, print, or modify a document
- Set Owner Passwords to control who may change security settings
- Set Document Permissions to control viewing, printing, copying, assembly and accessibility.
Technical Features
- X.509v3 Digital Certificates
- PKCS#12 Personal Information Exchange Syntax Standard
- SHA-1 Message Digests
- RC4 Stream Ciphers
Encryption
SecurSign can encrypt using either the Advanced Encryption Standard (AES) encryption algorithm or, for compatibility with older PDF viewers, the RC4 encryption algorithm.
The Advanced Encryption Standard (AES) encryption algorithm supports 128-bit or 256-bit key lengths.
The RC4 encryption algorithm supports 40-bit or 128-bit key lengths.
The following security features are available at the 40-bit encryption level:
- Do not allow printing
- Do not allow modifying the document
- Do not allow selecting text and graphics
- Do not allow adding or changing notes and form fields
At the 128-bit encryption level, these additional security features are available:
- Do not allow filling-in or signing of form fields
- Do not allow accessibility
- Do not allow document assembly
- Do not allow high-resolution printing
Using AES encryption, these additional security features are available:
- Encrypt attachments only
At all encryption levels, two types of passwords can be assigned to your documents:
- User password: required to open a document
- Owner password: required to change permissions and passwords
An Owner password should always be assigned to prevent other users from changing your security settings. If a document is already encrypted and has an Owner password, only a person who knows the password can re-encrypt the document with different security options.
Digital Signatures
A digital signature serves two purposes: it identifies the signer of a document and it guarantees the document’s integrity. SecurSign is compatible with the Adobe Acrobat Digital Signature Mechanism. It uses the Adobe Raw Signature Format to create digital signatures on PDF files using standard X.509 digital certificates available from commercial certificate authorities. While Adobe Acrobat and Adobe Reader can be used to verify signatures applied with SecurSign, these products are not required to apply digital signatures. You can apply two types of digital signatures with SecurSign:
- Invisible signature (also called blind signature) — The signature is not displayed in the document. It is only viewable in the document’s Signatures pane (as shown in the figure below).
- Visible signature (also called signature with appearances) — The signature is displayed in the document. It can be placed in an existing form field (it doesn’t have to be a signature field) or in a new signature field that you create using SecurSign. The new field can be positioned anywhere on the page. A visible signature contains two parts: a seal and signature text. The signature in the figure below uses the default seal supplied with SecurSign, but it can be replaced with any image in PDF format. Here’s an example:
A handwritten signature is used for a custom seal in the signature shown in the figure below. Note that the signature text is above the seal, rather than to the right of it, as in the previous example.
Sequence of Operations
Encrypting a signed file corrupts the signatures in the file, so it’s important to use SecurSign in the correct sequence, as follows:
- Encrypt
- Sign
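A scripted workflow can enforce this order by refusing to run the encryption step on a file that already carries a signature. The following is an added example, not part of the original guide or Appligent's code: the function names and the SECURSIGN variable are hypothetical, the /ByteRange check is a heuristic for spotting a signature dictionary, and the secursign options are the ones shown elsewhere in this guide.

```shell
#!/bin/sh
# Added example, not Appligent code. Function names and the SECURSIGN
# variable are hypothetical; the secursign options are those used in this guide.
SECURSIGN="${SECURSIGN:-./secursign}"   # assumption: path to the binary

# Heuristic: a signed PDF contains a signature dictionary with a /ByteRange
# entry. -a makes grep scan the binary file as text.
pdf_is_signed() {
    grep -a -q '/ByteRange' "$1"
}

# encrypt_unsigned OWNERPASS INPUT OUTPUT
# Returns 2 if INPUT is missing, 3 if INPUT is already signed, 4 if OUTPUT
# would overwrite INPUT, otherwise the exit status of secursign.
encrypt_unsigned() {
    ownerpass=$1; src=$2; dst=$3
    [ -f "$src" ] || { echo "missing input: $src" >&2; return 2; }
    if pdf_is_signed "$src"; then
        echo "already signed, not encrypting: $src" >&2
        return 3
    fi
    [ "$src" != "$dst" ] || { echo "output equals input: $src" >&2; return 4; }
    # Same option set as the guide's short example (-noprint restriction).
    "$SECURSIGN" -encrypt -ownerpass "$ownerpass" -noprint -o "$dst" "$src"
}

# Constructed sample fragments (not real documents) for trying the check.
make_samples() {
    printf '%%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n' > "$1/unsigned.pdf"
    printf '%%PDF-1.4\n5 0 obj<</Type/Sig/ByteRange[0 9 20 9]>>endobj\n' > "$1/signed.pdf"
}
```

A return code of 3 means the file must be routed back to the start of the workflow (encrypt the unsigned original, then sign) rather than encrypted as it is.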
Building SecurSign into a Workflow
As a server-based command-line driven application, SecurSign can be easily incorporated into scripts that you build to add security to already processed documents. Appligent sells a suite of products for modifying and customizing PDF documents, of which SecurSign would be the final step before document delivery. The additional products include:
- AppendPDF Pro — Append several PDF documents or pages of documents together to produce one complete document. Add a cover page and a table of contents, as well as text or JPEG image stamps, to any of the pages.
- FDFMerge — Merge PDF forms together with FDF or XFDF data files to create a completed form. With FDFMerge’s form-flattening feature, form fields can be removed, making the output document more portable and less easily modified.
- StampPDF Batch — Add text, PDF, JPEG or TIFF images to PDF documents as headers or footers, watermarks, etc., which can include page numbers, date/time, file names, and more. Stamps can be in any RGB color, Adobe PostScript Type 1 font, point size, and position. They can be overlaid or underlaid text, outline text, invisible text and/or multi-line.
More information on these and other Appligent products is available on our Server Software information page.
About the Examples in This Guide
Many of the example commands in this manual reference files that are available to you in the samples subdirectory where SecurSign was installed. You can use these files to try the commands yourself by substituting your information for the option specifications in the examples.
Understanding a typical example command
The following illustrates a typical example command from this guide. Like all of the example commands, it is run from the directory that contains the SecurSign application. Note that the Windows path specification format is used (backward slashes).
$ secursign -p -encrypt -ownerpass Pa55w0rd -userpass paSsWoRd -nomodify -noassembly -nonotes -nofill -nohighres -nocopy -o pathname\secured128.pdf pathname\securitysample1.pdf
The secursign command is required at the beginning of the command line. Following it are command-line options, which begin with a dash. Some options are followed by values; others are not. The -o option, for example, requires an output file name (secured128.pdf in this example). An input file is required at the end of the command. We recommend full path names for all files.
Trying the example command in Windows
In Windows, the default installation directory is C:\Appligent\SecurSign\, and the default samples subdirectory is C:\Appligent\SecurSign\samples\. If you accepted the installation defaults, then you would submit the command from C:\Appligent\SecurSign\ and expand the pathnames in the command as follows. The path for the secured128.pdf file assumes that you want to direct your output to the samples subdirectory.
> secursign -p -encrypt -ownerpass Pa55w0rd -userpass paSsWoRd -nomodify -noassembly -nonotes -nofill -nohighres -nocopy -o C:\Appligent\SecurSign\samples\secured128.pdf C:\Appligent\SecurSign\samples\securitysample1.pdf
Trying the example command in UNIX or Macintosh
In UNIX and Macintosh systems, the SecurSign directories are wherever you install them. If you installed SecurSign in /apps/secursign/ and the sample files in /apps/secursign/samples/, then you would submit the command from /apps/secursign/ and expand the pathnames in the command as follows. The path for the secured128.pdf file assumes that you want to direct your output to the samples subdirectory.
$ ./secursign -p -encrypt -ownerpass Pa55w0rd -userpass paSsWoRd -nomodify -noassembly -nonotes -nofill -nohighres -nocopy -o /apps/secursign/samples/secured128.pdf /apps/secursign/samples/securitysample1.pdf
Getting help with the command-line
If you are new to entering commands in a terminal window, or just need a refresher, read Command Line Introduction before trying the example commands in this manual.
Typographic Conventions Used in this Guide
The following typographic conventions are used in this guide:
- Courier Font is used for commands, command options, and output to mimic the appearance of the screen:
the -encrypt option
- The dollar sign character ($) is used to represent the command prompt:
$ secursign -encrypt -ownerpass Pa55w0rd -noprint -o outfile.pdf samplefile.pdf
- Square brackets in a command indicate that the enclosed information may optionally be included but is not required. In the following example, [inPDFFile2…] indicates that additional input files may be included with the command, but are not required.
$ secursign -encrypt -ownerpass Pa55w0rd -noprint -o outDIR inPDFFile1 [inPDFFile2...]
In This Guide
The remainder of this guide contains the following chapters:
- General Options describes the general options available in SecurSign.
- Applying Standard Security describes how to apply standard Adobe Acrobat security to the output file.
- Digital Signature Options provides an introduction to digital signatures and describes their SecurSign options in detail.
- Applying Digital Signatures explains how to obtain your own PKCS#12 certificate and apply digital signatures to documents.
- Verifying Digital Signatures explains how to verify digital signatures in desktop applications.
- SecurSign Unattended contains guidelines and examples for using SecurSign as part of a public document-server solution.
- Command Line Introduction provides a brief introduction to using command-line software on Windows and Mac OS X operating systems.
- Troubleshooting provides a quick problem list to check if you are getting errors with the software.
- Support tells you how to contact Appligent in case you have any problems working with SecurSign.
Credits and Trademark Information
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).