12 Replies Latest reply: Jul 28, 2011 12:54 AM by GuidoPPP111

    SHA256 with Win7?

    mh@epa-connect

      Hi

       

      When I use Acrobat 9.4.3 with the Win7 Crypt-API, I can only sign with SHA1 (fallback from SHA256).

      The problem is ... SHA1 is not permitted by German signature law.

      So I have to attach the cert directly with nexus' personal.dll in Acrobat -> now I get signatures with SHA256.

       

      Is there a way to enable SHA256 in the Win7 crypt API?

       

      MH

        • 1. Re: SHA256 with Win7?
          Steven.Madwin Adobe Employee

          Hi MH,

           

          It's not Windows, as Win 7 most certainly supports SHA-256. It sounds to me like you might be using a third-party CSP that is causing the fallback to SHA-1. If you are using a smart card it could be the CSP software that your card supplier provided. If so, you need to check with the CSP provider to see if they have updated software.

           

          Steve

          • 2. Re: SHA256 with Win7?
            GuidoPPP111

            Hi.

            It happens also to me.

            With the same Acrobat (9.4.4) version, the same smart card and smart card driver (Bit4id),

            installing the software on Windows XP Professional, Acrobat uses SHA256,

            while installing all the software on Windows 7 Professional, Acrobat uses SHA1.

            And the rule for the hash algorithm is the same in Italy, so I have to fix it.

            I have looked at the Windows registry for the Acrobat algorithm to use for signing on both

            operating systems, and it reports SHA256 for both.

            Guido

            • 3. Re: SHA256 with Win7?
              capitanvancram Community Member

              It seems that no-one in Adobe has even a vague idea of what is going on here about this issue...

              Just for the record, it doesn't depend on the OS nor on the driver. Same PKCS11 driver, same token, same document, same Reader (9.1) but different PCs (clean, created from scratch): one signs SHA1 and one signs SHA256.

              Maybe something regarding the "Cryptography" registry keys and the algorithm names, instead?

               

               

              BR,

               

              D.

              • 4. Re: SHA256 with Win7?
                Steven.Madwin Adobe Employee

                Hi capitanvancram,

                 

                You mentioned that you are getting different digest algorithms in different OS's. Are you seeing the same thing that Guido is seeing, that is, signing on Win XP uses SHA-256, but signing on Win 7 uses SHA-1?

                 

                I have to admit that I'm surprised to see that scenario. The other way around makes sense because of the changes Microsoft made in going from CAPI (on Win XP) to CNG on Vista/Win7. CNG (crypto next generation) has better support for the SHA-2 family of digest algorithms, so if you are using the Microsoft mini-driver you get the newer algorithms on Vista/Win7. We haven't had a case in the test lab that works the other way around.

                 

                There was a change in version 9.1 of Acrobat/Reader where the default digest method was changed from SHA-1 to SHA-256, so if you were using version 9.0.1 or earlier I could understand you getting SHA-1, but from 9.1 on we default to using SHA-256.

                 

                The way signing works is the whole file is written to disk before the digest is generated. The next step is to compute the byte range to sign (we leave a hole in the middle of the file to write in the actual signature) and then the digest is computed over the byte range. When signing with a smart card or token the digest is sent to the hardware device (via either CAPI/CNG or a PKCS#11 interface) where the private key encrypts the digest. At this point Acrobat (and when I say Acrobat I mean both Acrobat and Reader) is waiting to get something back from the hardware device. Either we get the encrypted digest back or an error code. If we get the error code, and SHA-256 was used initially, we then recompute the digest using SHA-1, resend the digest and again wait for a response from the hardware.

                 

                The actual cryptography is pretty complex (if you've ever talked to a real cryptographer the conversation rapidly descends into arcane number theory), but the sequence of events that Acrobat takes is pretty straightforward. All we do is write out the file, define the byte range, compute the hash using either the override setting in the registry or, if there is nothing there, the default setting, send the hash to the private key, get the response back, acquire the certificate chain and the revocation information and then write all of that into the hole we built in the file.

                 

                The problem that I have testing (and when I say "I have" I mean me, because I'm the person that tests this feature) is I'm always dependent on getting the third-party hardware and software to see what is going on. I need the drivers for the hardware (token or smart card reader and smart card), the CSP and/or PKCS#11 DLL, the actual hardware, and the hardware has to contain a valid digital ID. If you let me know who the CA is that supplied you with the PKI components I've just listed, I can try to contact them and see if they can send them to me and we can test this in the debugger.

                 

                Thanks,

                Steve
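The write-file, byte-range, digest, send-to-device, fall-back-to-SHA-1 sequence that Steve describes above, modelled in Python as an added example. This is illustrative code written for this page, not Acrobat's or Adobe's implementation: the `/ByteRange` parsing and digest computation follow the standard PDF signature layout (two signed ranges around the `/Contents` hole), the signing device is a stand-in function that rejects digests it does not support, and the sample PDF is constructed inline rather than taken from a real file. It also shows the check the thread's participants want to make: confirm which digest was actually negotiated before accepting the signature as compliant.

```python
import hashlib
import re

# Digest algorithms treated as acceptable in this example (the thread's
# requirement is "not SHA-1"); adjust to your own signature regulation.
ACCEPTABLE_DIGESTS = {"sha256", "sha384", "sha512"}

BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def build_sample_pdf(hole_size: int = 64) -> bytes:
    """Constructed, minimal PDF-like byte string with a /ByteRange and a
    zero-filled /Contents hole, laid out the way a signer leaves the file
    before the signature value is written in. Not a complete, valid PDF."""
    def render(byte_range):
        # Fixed-width numbers keep the file length stable while offsets are computed.
        br = b" ".join(b"%010d" % v for v in byte_range)
        return (b"%PDF-1.7\n"
                b"1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached\n"
                b"/ByteRange [" + br + b"]\n"
                b"/Contents <" + b"0" * hole_size + b"> >>\nendobj\n%%EOF\n")
    draft = render((0, 0, 0, 0))
    hole_start = draft.index(b"/Contents <") + len(b"/Contents ")  # offset of '<'
    hole_end = hole_start + hole_size + 2                             # byte after '>'
    return render((0, hole_start, hole_end, len(draft) - hole_end))


def parse_byte_range(pdf: bytes):
    """Return (offset1, length1, offset2, length2) from the /ByteRange entry."""
    m = BYTE_RANGE_RE.search(pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    return tuple(int(g) for g in m.groups())


def hole_is_unsigned(pdf: bytes) -> bool:
    """Sanity check: the two ranges must cover the whole file except for exactly
    one hex string (the /Contents hole). A range that leaves out anything else
    would let unsigned bytes slip into the document."""
    o1, l1, o2, l2 = parse_byte_range(pdf)
    hole = pdf[o1 + l1:o2]
    return (o1 == 0 and o2 + l2 == len(pdf)
            and hole[:1] == b"<" and hole[-1:] == b">"
            and re.fullmatch(rb"[0-9A-Fa-f]*", hole[1:-1]) is not None)


def byte_range_digest(pdf: bytes, algo: str) -> str:
    """Hash the two signed ranges, in order, with the named hashlib algorithm."""
    o1, l1, o2, l2 = parse_byte_range(pdf)
    h = hashlib.new(algo)
    h.update(pdf[o1:o1 + l1])
    h.update(pdf[o2:o2 + l2])
    return h.hexdigest()


class UnsupportedDigest(Exception):
    """Raised by the stand-in device when a CSP/PKCS#11 module rejects the digest."""


def make_device(supported_digests):
    """Stand-in for a smart card behind CAPI/CNG or PKCS#11 (constructed for this
    example). It only 'signs' digests in supported_digests; otherwise it errors
    the way Steve describes the hardware returning an error code."""
    def sign(algo: str, digest_hex: str):
        if algo not in supported_digests:
            raise UnsupportedDigest(algo)
        return {"algo": algo, "digest": digest_hex, "sig": b"<signature-placeholder>"}
    return sign


def sign_with_fallback(pdf: bytes, device, preferred="sha256", fallback="sha1"):
    """Try the preferred digest first; on a device error recompute with the
    fallback and retry. Returns (algorithm actually used, digest hex)."""
    for algo in (preferred, fallback):
        digest = byte_range_digest(pdf, algo)
        try:
            device(algo, digest)
            return algo, digest
        except UnsupportedDigest:
            continue
    raise RuntimeError("device rejected both %s and %s" % (preferred, fallback))


def digest_allowed(algo: str) -> bool:
    """The check to run after signing: did the fallback silently downgrade us?"""
    return algo in ACCEPTABLE_DIGESTS


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for supported in ({"sha256", "sha1"}, {"sha1"}):
        algo, digest = sign_with_fallback(pdf, make_device(supported))
        print("device supports %-18s -> signed with %s (%s)"
              % (sorted(supported), algo, "OK" if digest_allowed(algo) else "POLICY VIOLATION"))
```

The second run in the usage block reproduces the thread's symptom: when the card's CSP or PKCS#11 module rejects SHA-256, the signer quietly completes with SHA-1, so a deployment that must exclude SHA-1 needs the `digest_allowed` check (or an equivalent post-signing inspection of the CMS digest algorithm) rather than trusting the default setting.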

                • 5. Re: SHA256 with Win7?
                  GuidoPPP111 Community Member

                  Hi Steve

                  The card reader is the USB mini-lector here:

                  http://www.bit4id.com/english/

                  The digital signature provider is this company here:

                  https://www.firma.infocert.it/

                  the free software ****

                  https://www.firma.infocert.it/installazione/installazione_****.php

                  installed on the same systems signs all kind of files with SHA-256 (but using p7m "envelope").

                   

                  Thanks for assistance.

                  Guido
                  • 6. Re: SHA256 with Win7?
                    Steven.Madwin Adobe Employee

                    Hi Guido,

                     

                    Thanks for the insights. Could you tell me what the name and model of the smart card is (it should be printed on the back of the card)? The reason I ask is the crypto software is on the gold chip on the card and that's where the real work takes place. The card reader (the mini-lector) is just a transmission device for moving the bits to and from the card. Sometimes cards will only work with specific readers, which is why it's good to know that you are using a mini-lector bit4ID, but I'd still like to figure out what crypto software is in play, and that is dependent on the card.

                     

                    And just to double check, when you sign a PDF file in either Acrobat or Reader: on Win XP the signature is created using SHA-256, but on Win 7 the signature is created using SHA-1? It would be the first time I've seen that so I want to make sure.

                     

                    Ciao,

                    Steve

                     

                    Message was edited by: Steven.Madwin - Added request for card name and model.

                    • 7. Re: SHA256 with Win7?
                      GuidoPPP111 Community Member

                      Hi Steve, here is some more data:

                       

                      Smart card:

                       

                      from an application which reads the data inside the card:

                      Etichetta/Modello:   CNS/CNS (LB)

                      Produttore:   ST Incard

                      Lunghezza del PIN:   min. 5, max. 8

                      Memoria libera:   N/D (totale: 31988)

                      Lettore in uso:   ACS CCID USB Reader 0

                       

                      Informazioni sull'installazione:
                      bit4pin.exe:  1.1.16.0
                      bit4CKI.dll:  1.2.1.0

                       

                      printed on the card:

                      Carta nazionale dei servizi con dispostivo di firma digitale.

                      Smart card reader P/N B4ID-1-0004392

                       

                       

                      My colleagues have different devices and more recent cards, but the problem is exactly the same.

                      Verifying the signature with Reader or Acrobat produces the same result.


                      Guido

                      • 8. Re: SHA256 with Win7?
                        Andrea Valle techies

                        Hello Guido,

                        in order to investigate with InfoCert and try to reproduce your issue we need to know a few more details:

                         

                        - the serial number of your smart card which was not included in your previous post. It is a sequence of numbers starting with 1401, 1402, 1501 or similar.

                        - which version of drivers are you using? It should be one among those available from this page: https://www.firma.infocert.it/installazione/installazione_****.php

                        - can you specify if your version of Windows 7 is 32 or 64 bit?

                         

                        In addition, can you please sign the attached file and post the result? It has a seed value to force SHA256 and Non repudiation as key usage.

                        Let us also know in case Acrobat is not allowing you to sign with your smart card.

                         

                        Thanks

                        Andrea

                        • 9. Re: SHA256 with Win7?
                          GuidoPPP111 Community Member

                           

                          Smart card reader driver, from windows control panel:

                          Advanced Card Systems ltd.

                          File version: 1.1.6.5 built by: WinDDK

                          Copyright ACS ltd. 2009

                          The attached file has been signed with SHA1.

                          I have various systems with **** and Adobe installed, some with WinXP Pro, some with Win 7 Pro, all 32 bit,

                          with three different smart cards and many USB readers, all from the same producer.

                          We sign more than 2000 files a year, part with ****, part with Adobe:

                          all **** signs SHA256

                          all Adobe with Win 7 signs SHA1

                          all Adobe with WinXP signs SHA256

                           

                          • 10. Re: SHA256 with Win7?
                            GuidoPPP111 Community Member

                            In any case, by now: WIN 7 is 32 bit.

                            About the smart card number, which I'll send together with the signed

                            file, take into account that all 3 at my office have a smart card, the oldest is mine,

                            the newest has been issued this year, and all 3 have the same exact problem.

                            • 11. Re: SHA256 with Win7?
                              GuidoPPP111 Community Member

                              For the signed file and smart card number, could you please contact me by e-mail at:

                               

                              I think this is too sensitive information for a public forum.

                              Moreover, if an Italian operator of Adobe contacts me directly by e-mail or by phone (in Italian please) I can provide more information.

                              I'll reply soon.

                              Thanks.

                              Guido

                              • 12. Re: SHA256 with Win7?
                                GuidoPPP111 Community Member

                                The post with the e-mail address can't be posted...

                                In any case I registered my e-mail, please contact me directly by e-mail

                                if you need more information.

                                Guido