File Protector

 

Actalis File Protector 5.0

 

Quick user handbook

Table of contents

·digital signature

·Time stamping

·Encryption

· digital signature time stamping

· whole document time stamping

 

This handbook is not intended for complete  and fully science compliant information about encryption,

public key infrastructures, smart cards and technical requirements. Actalis can supply training courses

about all these matters, upon request. For further details about File Protector please refer to User handbook.


Introduction

 

File protector (© Actalis S.p.A.) is a software designed for digital signature, time stamping and coding of files of any type and dimension, in compliance with current lawns and technical requirements referred to.

Very versatile and user friendly, File Protector is available for Windows, MacOS X e Linux.

This handbook gives essential information relating File protector.

For further details please refer to User Handbook.

back to table of contents


Basics

Digital signature

Digital signature is an operation that creates a crypto code that proves identity and integrity of a document. In other words, digital signature allows to verify:

- if document is signed by a specific person

- thas such document has not been modified after being signed.

Digital signature is based on crypto algorithms that request to user ownership of a private key and relevant certificate.

Private key and certificate are usually stored on a electronic device similar to a credit card, called smartcard or on a USB token (both are microchip devices with crypto functions):

Smartcard

Token USB

 

During signature creation, it is neccessary to type  Smart Card  or USB Token PIN code.

Certificate is a file containing necessary information to verify signature:

 

- owner's name and tax code

- company's  name (when needed)

- Certification Authority's  name (e.g. Actalis S.p.A:)

- expiry date

- owner's public key

- other related information

 

Certificate is granted to user by a third trusted party, called Certification Authority.

 

After being created, the signature is usually stored in a file called crypto envelop; the envelop also contains the document and subscriber's certificate, to keep together all information necessary to verify.

After being created, the signature is usually stored in a file called crypto envelop; the envelop also contains the document and subscriber's certificate, to keep together all information necessary to verify.

 

There are different kinds of crypto envelope: the most common is known as PKCS#7 (in this case file ends with P7M).

To have legal value (in this case the signature is defined as "qualified") there are legal requirements to be fulfilled that relate keys, certificate, smartcart, Certification Authority, cypto envelope size and so on.

A report about main law is available at: http://portal.actalis.it.

Icon of a document signed using File Protector is the following:

 

back to table of contents


Time Stamping

Time-stamping is an operation to get, from a trusted third party, a small file called time stamp.

This allows to prove:

- that document was really existing starting from a specific moment  (date and time), to solve any claims related thereto.

- Document time stamping is very important in several situations, such as:

- dispatch of document on a certain date

- dispatch of offers in reply to tenders

- contract registration

- patent registration

 In addition, time stamping of a digitally signed document enables to verify date and time of digital signature if such information is available in no other way.

You get time stamp sending a request via internet to an Authority called “Time Stamping Authority” (TSA). The request contains document digest. TSA replies creating time stamp and sending it to users. Time stamp contains:

 

To have legal value, time stamp must be issued by a Registered Authority, acting in compliance with ruling law. TSA is therefore a role belonging to a Certification Authority.

Time stamping icon, obtained using File Protectors, is the following:

 

back to table of contents


Encrypting

Document encryption makes a document totally illegible to anybody except for the owner of the key that allows decryption. Encryption grants to keep information as confidential.

To encrypt a document in such a way that only a particolar user can read it, sender mus have at disposal certificate of said user, as encryption needs to use public key.

To decrypt a document, user must have his own smartcard, as encryption needs to use private key.

Encryption and digital signature can be mixed: a document can be signed and subsequently encrypted, to grant both authorship and privacy

For further details please refer to User Handbook.

The icon of a document encrypted using File Protector is the following:

 

 

back to table of contents


Software configuration

If you have received software together with smartcard, File Protector should have been previously set up. Anyway, configuration is as follows:

Start application, insert smart card into the smart card reader, choose “Configuration” .on the  Device” menu.

The following dialogue box appears:

Click on the button “Automatically set up”: if smartcard is supplied by Actalis, it is automatically identified and set up, otherwise choose the right smart card type on the pop up menu. Click on “OK” button to complete. Setting is stored, therefore you don’t need to do this operation in the future.

As to smart card reader, it is better to have it set automatically by File Protector (this is the result of starting set “choose automatically”), otherwise, smart card reader is chosem on the pop up menu.

back to table of contents


How to sign a file

To sign a file, you need at least one valid certificate on you smartcard. Should you have more than one, so you will have to choose the certificate when signing.

You can start digital signature in three different ways, as follows:

The firs way is available at the moment only in Windows environment. It consists of clicking on the icon of the chosen file using right mouse button to see the relevant menu, then select “Sign with File Protector” to start application and sign the file. You will be requested the smart card PIN code. Digital signature will be stored in the same folder you started with, carrying P7M end. E.g., the signature on the contract.pdf will be stored in a file called contract.pdf.p7m.

Second way is particularly useful if File Protector is already running. In this case, signing a file can be started by dragging the icon of the chosed file to File Protector Target Area.

Third  way is possible if File Protector is running:

·         Choose “Sign” on the “File” menu

·         Or

·         Click on the “Sign” button on the toolbar

In both cases you see a file selection box.

Starting signature inside File Protector also enables Multiple signature (see paragraph relevant to)

back to table of contents


How to sign a folder

 Thanks to File Protector you can sign in one step all files contained in a folder.

You can sign a folder in two ways:

- single signature of each file

- signature of a list of file ashes

In the firs case you get as many cripto P7M envelop as the files contained in input folder. In the second case, you get one crypto envelop in XML format. The second way is quicker. If input folders contains many documents, in this way you can save memory disc.

As already seen in single signature, you can start multiple signature in three different ways, as follows:

·         Inside File Protector

First way is available, at the moment, only for Windows and consists of clicking on chosen icon using right mouse button to see the relevant menu, choose “Sign folder with File Protector” to start application and signature process.

 

Second way is particularly useful if File Protector is already running. In this case you can sign a folder dragging the folder icon on File Protector Target area (see picture) la figura

Third  way is possible if File Protector is running. It consists of choosing “Sign Folder” on the “File” menu.

Whatever menu you have chosen, you see the following box:

 

In this box you have to choose way and relevant signature option. Then, clicking on “Forward” button, signature process starts.

back to table of contents


Sign one solution

By selecting "Sign one solution" (or by clicking the corresponding button) you can sign "in one solution" a set of files stored in different folders:

In the higer basket are listed the files to be signed. You can add a file to this list both by clicking on "Add" button  and by dragging the file icon in the basket (drag and drop). Can be signed also file already signed (in these cases another signature will be added).

"Remove" and "Remove all" buttons allow you to cancel the selected file or all of them from the basket.

In order to open a file before signature, you can double click on the item in the list: the file will be opened running the associated application  (for example a PDF will be opened using Adobe Reader).

By clicking "Sign" button, P7M signature will be applied  to all the files in the list. Resulting envelopes are stored in the same folder as original.

back to table of contents


Sign PDF one solution

In a similar way to  "Sign one solution" you can run "Sign PDF one solution" that allows  to sign in PDF mode a set of PDF files stored in different folders.

In the higer basket are listed the PDF files to be signed. You can add a PDF file to this list both by clicking on "Add" button  and by dragging the file icon in the basket (drag and drop). Can be signed also file already signed (in these cases another signature will be added).

"Remove" and "Remove all" buttons allow you to cancel the selected file or all of them from the basket.

In order to open a file before signature, you can double click on the item in the list: the file will be opened running the associated application  (Adobe Reader).

By clicking "Sign" button, Adobe signature will be applied  to all the files in the list. Resulting envelopes are stored in the same folder as original. Signed PDF documents are name with the suffix (signed). For example the signed version of "pippo.pdf", will be pippo(signed).pdf.

back to table of contents


Sign XML one solution

In a similar way to  "Sign one solution" you can run "Sign XML one solution" that allows  to sign in XML mode a set of XML files stored in different folders.

In the higer basket are listed the XML files to be signed. You can add a XML file to this list both by clicking on "Add" button  and by dragging the file icon in the basket (drag and drop). Can be signed also file already signed (in these cases another signature will be added).

"Remove" and "Remove all" buttons allow you to cancel the selected file or all of them from the basket.

In order to open a file before signature, you can double click on the item in the list: the file will be opened running the associated application  (tipically Internet Explorer).

By clicking "Sign" button, XML Detached Signature will be applied  to all the files in the list. Resulting envelopes are stored in the same folder as original. Signed XML documents are name with the suffix (signed). For example the signed version of "pippo.xml", will be pippo(signed).xml.

back to table of contents


How to sign in pdf mode

You can put one or more digital signatures into a PDF document with no need to create a separate crypto envelope. File Protector can sign also in PDF mode, user can therefore choose P7M signature or PDF signature, if needed.

PDF signature gives you the possibility to be verified using Adobe Reader, very used, and it can be easily compared to an hand written signature. On the other hand, PDF signature in less used and accepted than P7M signature, even if having same technical and legal value. In addition, you can use it only with PDF documents.

There are two kinds of PDF signature, from a graphic point of view

- invisible signature (with no picture)

- visible signature (with picture).

File Protector is always able to create invisible signature, on the contrary, to create a visible signature the document is requested to contain a signature space, expressly conceived. Each signature creates a new document release, PDF mode signature distinguish into:

- certification signature

- approval signature.

Approval signature is generally referred to a document created by this parties, its only effectli consists of verifying subscriber's identity and document integrity.

Certification signature enables also to document authorisations to subsequent modifications.

Usually the underwriter that signs using a certification signature is either the author or the person in charge to document. In addition, a certification signature is always shown in Adobe applications, even if not create inside a signature box.

Both signature are supported by File Protector.

To sign a document in a PDF mode you have to choose item "PDF signature" on the menu "File". After having selected the chosen document, the following dialogue box appears:

If you want to create a certification signature, select relevant box and choose on the pop up menu the necessary authorizations.

It is also possible, upon choice, to fill the item "Reason" and "Place". In this case, also such information will be signed.

Finally, to add a signature to a document, you only have to choose certificate and click on the button "add signature".

* * *

It is also possible to start PDF signature process on the Windows menu, clicking with right mouse button on the chosen document, selecting menu item "Sign with File Protector"

back to table of contents


How to sign in XML mode

As an alternative to p7M and PDF modes, digital signature can also have a XML code (extended Markup language). XML mode signature is particularly suitable to XML documents, but can also be used with any kind of documents.

XML mode signature is not very common yet, as it is use most in finance and health fields, anyway XML signature has the same value of P7m and PDF ones,

In comparison with p7M singature, XML signature is more adoptable but also more "technnicale": in fact it can be issued into three different forms (enveloped, envelopeing, detached) and has many choices that, for the sake of brevity, we don't delve deeper in this handbook. For further details please refer to the User handbook.

The relevant technical requirements can be downloaded at the following link

 To sign a document in a XML mode, choose item "XML signature" on the "File" menu. After having selected the document, the following dialogue box appears:

 

back to table of contents


How to do multiple signatures

A single document can be signed by many digital signatures. These are called "multiple signatures". This allows to prove that many people had got authorship and/or resposibility as to document, maybe on different moments, as it often occurs with handwritten signature (e.g. as to contracts, balance sheets etc.).

There are three kinds of multiple signatures:

- "matrioska"

- "parallel (also called independent)

- counter signatures (also called nestled).

The first kind is obtainable by simply signing a crypto P7M envelope (that contains a document that is already signed). This digital operation is equal to sign a paper envelope already containing a signed document, as a matter of fact, sometimes this operation is really done in this way (e.g. as to paper envelopes containing offers to tenders). To create a matrioska signature it is requested to sign inside File Protector, clickin on "sign" button or choosing the relevant menu item. When File Protectors realizes that the chosen document is a P7M envelope, the following dialogue box appears:

 

To create a multiple matrioska signature you have to choose "external signature", while choosing item "inside signature" it is possible to create multiple signatures of the first and second kind.

The following dialogue box appears:

 

The second kind of digital signature (called parallel or independent) consists of adding more signature beside the first one, each signature is independent (each subscriber signs the same data the others have already signed). This digital operations is equal to signature made by different people at the bottom of the same paper document.

To add an independent signature, click on the button "add signature" in the box shown before. When verifying, you see that the document contains three added signatures:

 

The third kind of multiple signature (called counter or nestled signature) is created by signing an already existing signature and keeping the result (called countersignature)inside the same envelope. In this way the second subscriber agrees with or validates the first signature. The second signature can be also signed by a third person, and so on.

To add a counter signature, choose the relevant box, then click on the button "counter sign" in the box shown above.

When verifying, you see the document contains counter signature (please note the tree shape).

back to table of contents


File Encryption

Encrypting a file requires the encrypting certificate of the addressee (the user ment to be the only one to decrypt the document).

Should the certificate be issued on a directory server, you can download and import it in your certificates database, directly from inside File protector (see paragrafph referred to)

Otherwise, you can ask the addresse for the certificate and manually import it in your certificates database,

It is possible to encrypt a document for many addressee, so that they - and only they -  are the only ones able to decrypt it.

To encrypt a document, click on the "encrypt" button in the mail File Protector box, or choose the relevant item on the "File" menu.

After having chosen the document, the following dialogue box appears:

On the left there is a list of available encryption certificates (the ones in your own certificates database), on the right there is a list of addresses certificates. You can add and remove the addressee of encrypted document.

To complete operation, click on "save" button.

Digtal signature and encryption can be made togehter on the same document, to grant both origin (and integrity) and secrecy. To do this, click on "sign and encrypt" button on the main File protector box, or choose the relevant item on the File menu.

back to table of contents


Folder Encryption

Encrypting a file requires the encrypting certificate of the addressee (the user ment to be the only one to decrypt the document).

Similary to file encryption, you can encrypt all files in a folder and recursively in subfolders.

In order to encrypt a folder select "Encrypt folder" in "File" menu . You are requested to specify folder to encrypt and application will proceeed like file encryption.

  back to table of contents


Verification and/or decryption

To verify and / or decrypt a document signed using P7M standard can be done in five different ways:

- by double clicking on the file to be verified

- on Windows Explorer menu (choose the item "verify using file protector)

- with "Drag and drop"

- clicking on "verify" button or choosing the item "verify" of File menu.

 At the end of verification the following dialogue box appears:

 

In this box you can:

- verify the signature validity

- verify the validity of the signature of each subscriber

- see the signed document, take it and store it in a file

- see and verify digital stamp of the digital signature (when existing).

Verification of a document signed using xml standard can be done in two different ways:

-outside application, with Widows explorer menu (as above described)

-inside File Protector (as above described)

At the end of verification the following dialogue box appears:

In this box you can:

- verify the signature validity

- verify validity of the certificate of each subscriber

- see the list of signed documents and store them in a file

- see and verify digital stamp of digital signature (when existing)

The same procedure is provided in case of document signed in PDF standard.

To encryption of a document can be made different ways:

- click on "verify" button in the main box

- choose the "verify" item on the "File" menu

- either drag the chosen document on the target area

- either with double click on document icon

then choose item "encrypt with File Protector" on the relevant menu.

If you do not have the private encryption key, the following error message appears:

Otherwise, the following dialogue box will let you save the original document:

back to table of contents


Signatory verification

Complete verification of a digital signature always requires two steps:

- digital signature verification (integrity verification)

- verification of subscriber's certificate

In previous passage we described the first step. The second step starts with clicking on the button "verify subscriber" of the summary digital signature box. In a short time, a box of the following kind appears, to show the result of verifications:

 

Please note that verification of a certificate is always at the same date of digital signature, as follows:

- time and date of digital stamp of the digital signature (when existing)

- otherwise date and time taken form signing Time (when existing)

- otherwise current date and time of operating system.

To verity a document on a different date and time, click on the "verify certificate ad a different date and time" button. The following dialogue box appears:

Using the selectors provided, it is possible to set chosen date and time to verify certificate. Clicking on "today" button, date and time are resettled according to operating system:

Back to certificate box, use the button "import certificate in personal database" to see the certificate in your own certificate database, to be able to take it afterward, if encrypting is needed.

This step is valid only for encryption certificates (e.g. S/MIME or general) and is not valid for qualified certificates, as the latter cannot be used to encrypt.

back to table of contents


Folder verification

If a folder has been signed using list of ashed mode, to verify it please proceed as provided for an ordinary XML digital signature verification. Please choose carefully the file named "signature.xml" in the folder signed.

If single files of a folder have been signed, you can do a mass verification by choosing the item "verify folder" of the "File"

application menu. After selecting input folder (containing signed documents to be verified) the following dialogue box appears:

Should the selected document have a single signature - as normally provided for a folder signature - the box shows main information resulting from verification: subscriber's name (taken form certificate) signature date and time (when existing, and proved by a digital stamp), digital signature validity and, if any, additional notes issued in case of error. To complete verification, click on the "verify subscriber" button and on  "verify digital stamp" button, when existing.

Should the selected file have many signatures, so it is necessary to click on "complete verification" button.

If document is in the signed file, it is possible to see it and save it by clicking on "open document" button.

Function "verify folder" supports all kinds of signature managed by following applications: P7M/CMS, PDF, XML.

back to table of contents


Folder decryption

If a folder (and its subfolders) has been encrypted using  "Folder encryption", you can do a mass decryption by choosing the item "Folder decryption" in the "File" menu.

After selecting input folder you are requested to enter token and PIN. If credentials need for decryption are available on the token, every file will be decrypted.

The functionality is performed recursively on the encrypted files in the subfolders.

back to table of contents


Time stamping

With File Protector time stamping can be done in two ways:

- time stamping of a single digital signature

- time stamping of a whole document

Time stamping of a single digital signature

Time stamping proves date and time of a particular digital signature (also consider the possibility to multiple signing). This stamp is therefore linked to digital signature and is inside the crypto envelope.

It is granted that that particular signature was created at digital stamp date and time to the person in charge to subsequent verification of digital signature. 

To start this function, as to P7M  and PDF mode signature, open signature choice item box and select "time stamp after signature" box:

As to XML mode signature, it is possible to start this function on a case basis, by clicking on the button "advanced options" (see picture).

Time stamps associated to single signatures can be seen and verified upon document verification.

Time stamping of a whole document

It is possible to get a time stamp proving a document existance by a certain date and time, no matter how many digital signatures it has (but it can also be a not signed document).

You can start this funcion by cliking on main box or choosing the relevant item on the "File" menu. 

Digital stamp of a whole document can be saved in two ways:

1. as a separate file (carrying TSR extension)

2. together the relevant document, in a "stamped envelope" (carrying TSD extension).

Stamped envelope is an envelope complying with requirements of TimeStampedData, which contains:

- a general document of file (no need to be signed)

- ptionally, metadata referring to document (e.g. the name)

- one or more digital stamps.

Digital stamps are associated to document as follows:

- the first time stamp ( T1 time) is calculated basing on document referred to and, if necessary, on METADATA.

- the second time stamp (T2 time) is calculated basing on the first one (and it proves it was existing at T1 time)

- the third digital stamp (T3 time) is calculated basing on the second one (and it proves it was existing at T2 time)

- and so on ...

Stamped envelope allows to extend proof of existence of a document at T1 time even after a long time from the first time stamping. It also gives the benefit to contain the document referred to.

The choice between separate or enveloped time stamp can be done in the preference box, choosing the item "save the time stamp together with document".

* * *

In both above mentioned cases, to get time stamps you have to access to a digital stamping service, setting service address and access credential in the preference box (click on the button referred to in the main box, then select "time stamping" form). Actalis supplies a high quality Time Stamping service, please get in touch with Actalis’ Sales Dept.

back to table of contents


Time stamping verification

It is possible to verify either "free" or "stamped" envelopes. In both cases, verification can be done in four different ways:

 - "double click" on the chosen file (having TSR or TSD extension)

- click on the chosen file with right mouse button and then select item "verify with File protector"

- drag the chosen file on File Protector Target Area

- select iten on "verify time stamp" menu

When verifying a "free" time stamp (file with .TSR extension) the following dialogue box appears:

 

This box gives important information, such as:

- date and time of issue of digital stamp

- TSA signature validity relating digital stamp

- TSA (Authority) that issued digital stamp

Click on the button "verify document" to select the relevant document and chech that it really refers to the digital stamp under verification (the re-calculated document ash overlaps with the time stamp hash).

Click on the button "certificate ..." to see all details relevant to TSA certificate.

In case of a "stamped envelope" the following dialogue box appears:

This box shows main information relating the envelope:

- METADATA (usually name of document contained into the envelope)

- list of digital stamps issued to save the document.

There are also two button "open" and "save" that respectively allow to see and save document into the envelope.

To verify time stamps, select the chosen one from the list and click on the button "verify"; the following dialogue box appears:

In this case there is not the button "verify document" as verification is automatically done with reference to document in the envelope.

Click on the button "add ..." in the verification box of a stamped envelope to add a time stamp to the ones already existing, according to procedure above described. This operation is useful if document is to be stored for a long time, beyond expiry date of time stamp.

back to table of contents


Certificates management

File protector can manage a personal certificate database both of Certification Authorities and users:

- CA certificates are used to verify user certificates' validity

- users' certificates are used only in encryption

Database is protected with a profile access password.

To add, remove and see certificates using certificates management box, select item "certificates database" on ""tools and options" menu.

back to table of contents


Device management

File protector can fully manage signature device (e.g. smartcard or USB token), as to:

- show main information about device

- show objects into the device

- rename objects

- erase object

- import objects

- export objects

- export any kind of data

- create new couples of keys

- ask for certificates, even on line

- PIN change

- PIN unlock

- PUK change

To use these functions, select the item "device management" on "tools and options" menu; the following dialogue box appears:

Warning:

  1. Actalis has no responsibility in case of problems arising from a not proper use of these funcions
  2. Objects deletion (certificates, keys and so on) is permanent.
  3. A private key is not exportable, as smart card forbids it; should it be possible, we remind you that such operation is a current law violation

back to table of contents


User profile management

File protector is a multi user application that allows several user to use the same INSTALLATION, keeping their own options and preferences. At File Protector start the following dialogue box appears:

In this box you can create new user profiles and select the chosen profile. To log on to application with chosen profile, you need to know the relevant password, chosen by user when creating profile.

If you are the only user, we recommend to choose option "Save password" and option "Self login".

The second option makes the start quicker, as this dialogue box does not appear any more.

back to table of contents


PIN management

Digital signature device (smartcard or other similar device) is protected by a secret code called PIN. During a session with File Protector, to digitally sign or encrypt you have to type your smartcard PIN at least once (click on the "login" button on main dialogue box).

In some occasions you will be automatically asked to type PIN:

If you want to have the application running after a session with File Protector, please click on the "logout" button,to avoid third persons the illegal use of you smartcard.

It is not possible either to create your digital signature or decrypt a document if you don't know your PIN code.

It is very important that you are the only person to know the PIN code and that it is difficult to guess it.

Smart card is usually given to user together with adequate pre-settled PIN; yet you can change PIN by selecting item "PIN Change" on the "device" menu in the main box.

Due to security reasons,if you type wrong PIN more than a certain number of times (usually 3) smartcard is locked, To unlock your smartcard you have to know a secret code called PUK. Select item "unlock PIN" on the "device" menu, in the main box,

Carefully type PUK, because it can be locked too if you type the wrong code. If also PUK is locked, smart card is no more usable.

back to table of contents


In case of problems

In case of problems with File Protector, you can ask for assistance by calling the telephone number in our website or sending a message using the form you can find on -line.

In any case, at least following information are requested:

·         type and release of Operating System

·         Software Java release

·         File Protector release

·         signature device

·         ATR smartcard 2

1)You can get all information in File Protector box.

2) to see these information insert card into the driver and choose item "show ATR" on the

"Device" menu.

back to table of contents


Copyright © 2010 Actalis S.p.A. – All rights reserved