0 Replies Latest reply on Jun 3, 2016 7:24 AM by Andrea Valle

    [SOLVED] Why does my smart card / USB token generate a SHA1-based instead of SHA256-based digital signature?

    Andrea Valle Adobe Employee

      The new Adobe Acrobat DC and Acrobat Reader DC update, version 2015.016.20045, which we have just released, solves a case affecting some signature devices (smart cards and USB tokens) in which a digital signature generated in Acrobat is downgraded to the SHA1 hashing algorithm instead of SHA256, as required by several regulations due to SHA1 deprecation.


      In previous versions of Adobe Acrobat, although the hashing algorithm has been set to SHA256 by default since version 9.1 (back in 2009), some signature devices, when used under Microsoft Windows Vista and later with CSP-type drivers, ignore SHA256, and the signature is carried out with the deprecated SHA1 algorithm.


      The reason for this downgrade is that only smart card drivers compliant with the Microsoft CNG architecture offer the ability to expose "SHA-2" class hashing functions, including the SHA256 algorithm. If the adopted CSP driver does not conform to CNG, then the request to calculate a SHA256 hash fails. In these cases, in order to prevent complete failure of the digital signature, earlier versions of Acrobat downgraded to SHA1 to allow the user to complete the signature.


      With the 20045 update, if the driver is not able to perform the calculation with the required hashing algorithm, Acrobat DC will calculate it by means of internal cryptographic functions, thus definitively solving this undesired behavior.


      Hope that all those impacted will appreciate that!



      Andrea Valle

      Adobe Systems
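
To check whether an existing signature was affected by the downgrade described in the post above, the following added example (not part of the original post and not Adobe code) reads the digest algorithms declared in a CMS SignedData blob. It assumes the blob has already been hex-decoded from the PDF signature's /Contents entry; the two sample blobs are constructed skeletons, and all function names are hypothetical.

```python
DIGEST_OIDS = {
    "1.3.14.3.2.26": "SHA1",
    "2.16.840.1.101.3.4.2.1": "SHA256",
    "2.16.840.1.101.3.4.2.2": "SHA384",
    "2.16.840.1.101.3.4.2.3": "SHA512",
}
# Constructed samples: ContentInfo skeletons holding only version + digestAlgorithms.
SAMPLE_SHA1 = bytes.fromhex(
    "301f06092a864886f70d010702a0123010020101310b300906052b0e03021a0500")
SAMPLE_SHA256 = bytes.fromhex(
    "302306092a864886f70d010702a0163014020101310f300d06096086480165030402010500")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's value into its (tag, value) members."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    head = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(a) for a in (*head, *arcs[1:]))

def signed_data_digests(der):
    """Names of the algorithms listed in SignedData.digestAlgorithms."""
    _, content_info, _ = read_tlv(der, 0)  # zero padding after the element is ignored
    (_, ctype), (ctag, wrapped) = children(content_info)[:2]
    if decode_oid(ctype) != "1.2.840.113549.1.7.2" or ctag != 0xA0:
        raise ValueError("not a CMS SignedData ContentInfo")
    _, signed_data, _ = read_tlv(wrapped, 0)
    digest_set = children(signed_data)[1][1]  # [0] version, [1] digestAlgorithms
    oids = [decode_oid(children(alg)[0][1]) for _, alg in children(digest_set)]
    return [DIGEST_OIDS.get(o, o) for o in oids]
```

A result of `["SHA1"]` on a document signed with SHA256 configured indicates the downgrade; unknown algorithms are returned as their dotted OID.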