-
1. Re: SHA256 with Win7?
Steven.Madwin Mar 23, 2011 9:28 PM (in response to mh@epa-connect)
Hi MH,
It's not Windows as Win 7 most certainly supports SHA-256. It sounds to me like you might be using a third party CSP that is causing the fallback to SHA-1. If you are using a smart card it could be the CSP software that your card supplier provided. If so you need to check with the CSP provider to see if they have updated software.
Steve
-
2. Re: SHA256 with Win7?
GuidoPPP111 May 29, 2011 1:42 AM (in response to mh@epa-connect)
Hi.
It happens also to me.
With the same Acrobat (9.4.4) version, the same smart card and smart card driver (Bit4id),
installing the software on Windows XP Professional, Acrobat uses SHA256,
while installing all the software on Windows 7 Professional, Acrobat uses SHA1.
And the rule for hash algorithm is the same in Italy, so I have to fix it.
I have looked in the Windows registry for the Acrobat algorithm to use for signing on both
operating systems and it reports SHA256 for both.
Guido
-
3. Re: SHA256 with Win7?
capitanvancram Jul 25, 2011 9:59 AM (in response to Steven.Madwin)
It seems that no-one in Adobe has a vague idea of what is going on here about this issue.
Just for the record, it doesn't depend on the OS or on the driver. Same PKCS11 driver, same token, same document, same Reader (9.1) but different PCs (clean, created from scratch): one signs SHA1 and one signs SHA256.
Maybe something regarding the "Cryptography" registry keys and the algos names, instead?
BR,
D.
-
4. Re: SHA256 with Win7?
Steven.Madwin Jul 25, 2011 10:46 AM (in response to capitanvancram)
Hi capitanvancram,
You mentioned that you are getting different digest algorithms in different OS's. Are you seeing the same thing that Guido is seeing, that is, signing on Win XP uses SHA-256, but signing on Win 7 uses SHA-1?
I have to admit that I'm surprised to see that scenario. The other way around makes sense because of the changes Microsoft made in going from CAPI (on Win XP) to CNG on Vista/Win7. CNG (crypto next generation) has better support for the SHA-2 family of digest algorithms, so if you are using the Microsoft mini-driver you get the newer algorithms on Vista/Win7. We haven't had a case in the test lab that works the other way around.
There was a change in version 9.1 of Acrobat/Reader where the default digest method was changed from SHA-1 to SHA-256, so if you were using version 9.0.1 or earlier I could understand you getting SHA-1, but from 9.1 on we default to using SHA-256.
The way signing works is the whole file is written to disk before the digest is generated. The next step is to compute the byte range to sign (we leave a hole in the middle of the file to write in the actual signature) and then the digest is computed over the byte range. When signing with a smart card or token the digest is sent to the hardware device (via either CAPI/CNG or a PKCS#11 interface) where the private key encrypts the digest. At this point Acrobat (and when I say Acrobat I mean both Acrobat and Reader) is waiting to get something back from the hardware device. Either we get the encrypted digest back or an error code. If we get the error code, and SHA-256 was used initially, we then recompute the digest using SHA-1, resend the digest and again wait for a response from the hardware.
The actual cryptography is pretty complex (if you've ever talked to a real cryptographer the conversation rapidly descends into arcane number theory), but the sequence of events that Acrobat takes is pretty straightforward. All we do is write out the file, define the byte range, compute the hash using either the override setting in the registry or, if there is nothing there, the default setting, send the hash to the private key, get the response back, acquire the certificate chain and the revocation information and then write all of that into the hole we built in the file.
The problem that I have testing (and when I say "I have" I mean me, because I'm the person that tests this feature) is I'm always dependent on getting the third party hardware and software to see what is going on. I need the drivers for the hardware (token or smart card reader and smart card), the CSP and/or PKCS#11 DLL, the actual hardware, and the hardware has to contain a valid digital ID. If you let me know who the CA is that supplied you with the PKI components I've just listed I can try to contact them and see if they can send them to me and we can test this in the debugger.
Thanks,
Steve
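Added example in Python (not Acrobat's code and not posted by anyone in this thread) that simulates the sequence Steve describes: digest the two /ByteRange spans around the reserved hole, send the digest to a simulated card that may reject SHA-256, fall back to SHA-1, and then recompute the digest to tell which algorithm a produced signature actually covers. The document layout, the token behaviour and the placeholder signature format are all constructed assumptions.

```python
import hashlib

class TokenRejected(Exception):
    """Raised by the simulated card when it cannot sign a digest of the given type."""

def simulated_token(digest: bytes, algo: str, supported: set) -> bytes:
    # Stand-in for the CSP/CNG or PKCS#11 call. A real card encrypts the digest with
    # its private key; here the "signature" is a labelled placeholder, not RSA.
    if algo not in supported:
        raise TokenRejected(algo)
    return b"SIG:" + algo.encode() + b":" + digest

def build_document(hole_len: int = 64):
    # Constructed stand-in for the PDF written to disk before digesting: the
    # /Contents hex string is the "hole" that the signature is later written into.
    head = b"%PDF-1.7\n1 0 obj << /Type /Sig /ByteRange [0 0 0 0] /Contents "
    hole = b"<" + b"0" * hole_len + b">"
    tail = b" >> endobj\n%%EOF\n"
    return head + hole + tail, len(head), len(hole)

def byte_range(doc: bytes, hole_start: int, hole_len: int):
    # /ByteRange [off1 len1 off2 len2]: everything except the hole is digested
    hole_end = hole_start + hole_len
    return [0, hole_start, hole_end, len(doc) - hole_end]

def digest_over(doc: bytes, br, algo: str) -> bytes:
    h = hashlib.new(algo)
    h.update(doc[br[0]:br[0] + br[1]])
    h.update(doc[br[2]:br[2] + br[3]])
    return h.digest()

def sign_like_acrobat(doc, hole_start, hole_len, supported, preferred="sha256"):
    # Try the preferred digest first; on a token error retry once with SHA-1,
    # which is the fallback sequence the post describes.
    br = byte_range(doc, hole_start, hole_len)
    for algo in (preferred, "sha1"):
        try:
            return algo, simulated_token(digest_over(doc, br, algo), algo, supported)
        except TokenRejected:
            continue
    raise RuntimeError("token rejected every digest algorithm")

def detect_algorithm(doc, br, sig) -> str:
    # Defender's check: recompute the ByteRange digest with each candidate and
    # report which one the signature actually covers.
    for algo in ("sha256", "sha1"):
        if sig.endswith(digest_over(doc, br, algo)):
            return algo
    return "unknown"
```

In a real signed PDF the algorithm is recorded in the CMS SignerInfo inside /Contents, and recomputing over /ByteRange as above is how a verifier confirms that the recorded digest matches the file.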
-
5. Re: SHA256 with Win7?
GuidoPPP111 Jul 25, 2011 3:51 PM (in response to Steven.Madwin)
Hi Steve,
Card reader is USB mini-lector here:
Digital signature provider is this company here:
the free software ****
https://www.firma.infocert.it/installazione/installazione_****.php
installed on the same systems signs all kind of files with SHA-256 (but using p7m "envelope").
Thanks for assistance.
Guido
-
6. Re: SHA256 with Win7?
Steven.Madwin Jul 25, 2011 4:15 PM (in response to GuidoPPP111)
Hi Guido,
Thanks for the insights. Could you tell me what the name and model of the smart card is (it should be printed on the back of the card)? The reason I ask is the crypto software is on the gold chip on the card and that's where the real work takes place. The card reader (the mini-lector) is just a transmission device for moving the bits to and from the card. Sometimes cards will only work with specific readers, which is why it's good to know that you are using a mini-lector bit4ID, but I'd still like to figure out what crypto software is in play and that is dependent on the card.
And just to double check, when you sign a PDF file in either Acrobat or Reader; on Win XP the signature is created using SHA-256, but on Win 7 the signature is created using SHA-1? It would be the first time I've seen that so I want to make sure.
Ciao,
Steve
Message was edited by: Steven.Madwin - Added request for card name and model.
-
7. Re: SHA256 with Win7?
GuidoPPP111 Jul 25, 2011 11:20 PM (in response to Steven.Madwin)
Hi Steve, here is some more data:
Smart card:
From an application which reads the data inside the card:
Etichetta/Modello: CNS/CNS (LB)
Produttore: ST Incard
Lunghezza del PIN: min. 5, max. 8
Memoria libera: N/D (totale: 31988)
Lettore in uso: ACS CCID USB Reader 0
Informazioni sull'installazione:
bit4pin.exe: 1.1.16.0
bit4CKI.dll: 1.2.1.0
Printed on the card:
Carta nazionale dei servizi con dispositivo di firma digitale.
Smart card reader P/N B4ID-1-0004392
My colleagues have different devices and more recent cards, but the problem is exactly the same.
Verifying the signature with Reader or Acrobat produces the same result.
Guido
-
8. Re: SHA256 with Win7?
Andrea Valle Jul 27, 2011 1:42 PM (in response to GuidoPPP111)
Hello Guido,
In order to investigate with InfoCert and try to reproduce your issue we need to know a few more details:
- the serial number of your smart card which was not included in your previous post. It is a sequence of numbers starting with 1401, 1402, 1501 or similar.
- which version of drivers are you using? It should be one among those available from this page: https://www.firma.infocert.it/installazione/installazione_****.php
- can you specify if your version of Windows 7 is 32 or 64 bit?
In addition, can you please sign the attached file and post the result? It has a seed value to force SHA256 and Non repudiation as key usage.
Let us also know in case Acrobat is not allowing you to sign with your smart card.
Thanks
Andrea
-
9. Re: SHA256 with Win7?
GuidoPPP111 Jul 28, 2011 12:50 AM (in response to Andrea Valle)
Smart card reader driver, from the Windows Control Panel:
Advanced Card Systems ltd.
File version: 1.1.6.5 built by: WinDDK
Copyright ACS ltd. 2009
The attached file has been signed with SHA1.
I have various systems with **** and Adobe installed, some with Win XP Pro, some with Win 7 Pro, all 32 bit,
with three different smart cards and many USB readers, all from the same producer.
We sign more than 2000 files a year, part with ****, part with Adobe:
all **** signs SHA256,
all Adobe with Win 7 signs SHA1,
all Adobe with Win XP signs SHA256.
-
10. Re: SHA256 with Win7?
GuidoPPP111 Jul 28, 2011 12:52 AM (in response to Andrea Valle)
In any case, for now: Win 7 is 32 bit.
About the smart card number, which I'll send together with the signed
file, keep in mind that all 3 of us at my office have a smart card; the oldest is mine,
the newest has been issued this year, and all 3 have the exact same problem.
-
11. Re: SHA256 with Win7?
GuidoPPP111 Jul 28, 2011 12:52 AM (in response to Andrea Valle)
For the signed file and smart card number, could you please contact me by e-mail at:
I think this is too sensitive information for a public forum.
Moreover, if an Italian operator of Adobe contacts me directly by e-mail or by phone (in Italian please) I can provide more information.
I'll reply soon.
Thanks.
Guido
-
12. Re: SHA256 with Win7?
GuidoPPP111 Jul 28, 2011 12:54 AM (in response to Andrea Valle)
The post with the e-mail address can't be posted.
In any case I registered my e-mail, please contact me directly by e-mail
if you need more information.
Guido