Skip to main content

Signature Data Encryption

Signature Data Encryption

Overview

From version 4.x, industry-standard encryption can be applied to signature data while maintaining existing SigObj processing. Encryption is enabled by default for signature collection but can be disabled via registry key.

Signature data can be obtained from, or stored in a SigObj by:

  • Reading SigText property
  • Reading SigData property
  • Steganographic encoding in signature image (RenderBitmap)
  • COM object persistence (i.e., writing to an IStream)

Correspondingly, a SigObj can be initialized with signature data by:

  • Assignment to SigText property
  • Assignment to SigData property
  • Reading from encoded bitmap (ReadEncodedBitmap)
  • COM object persistence (i.e., read from an IStream)
  • Signature Capture

The added layer of encryption prevents unauthorized use while allowing authorized access to the full range of operations of a signature object (SigObj).

Both symmetric and asymmetric encryption methods are supported:

  • Symmetric encryption uses the AES algorithm with a 256-bit key in CBC mode.
  • Asymmetric encryption uses OpenSSL "envelope" functions. Signature data is encrypted with a symmetric "session key" (AES, 256-bit, CBC mode as above). The session key itself is then encrypted using the public key.

Unencrypted (binary) FSS data begins with the 2 bytes 'F' & 'S'. Encrypted data begins with an 8-byte header:

  • "wgssAES_" for AES (symmetric) encryption
  • "wgssRSA_" for RSA (asymmetric) encryption

When a SigObj is initialized with encrypted signature data, until the data is decrypted:

  • SigCtl will display a 'locked' icon to indicate the signature is encrypted
  • SigText & SigData will return the encrypted value (and continue to do so after decryption)
  • Clear() method deletes the encrypted data, returning the object to its uninitialized state
  • All other properties & methods fail with E_ACCESSDENIED

When the decryption key is set, data will be decrypted and SigObj will operate as normal (except for SigText/SigData returning encrypted values as noted above).

Setting an Encryption Key

SetProperty is used to enable encryption and decryption by setting symmetric or asymmetric key(s). It can be "turned off" by calling SetProperty with a null/empty key.

For symmetric encryption:

SetProperty("EncryptionPassword", password);

For asymmetric encryption:

SetProperty("EncryptionPublicKey", key);
SetProperty("EncryptionPublicKeyFile", filename);
SetProperty("EncryptionPrivateKey", key);
SetProperty("EncryptionPrivateKeyFile", filename);

"key" (string) or file contents must be in PEM format. If the key is password-protected, the password can be passed to SetProperty by appending it to the key or filename, separated by a comma. For example:

SetProperty("EncryptionPrivateKeyFile", "private_key.pem,mypassword")

In practice, the password will most likely be retrieved by the application at runtime rather than being hardcoded and visible.

Key Generation using OpenSSL

Private key:

openssl.exe genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

To make the key password-protected, add:

-aes128 -pass pass:password

(optionally, use -aes256 instead of -aes128)

Public key:

openssl rsa -pubout -in private_key.pem -out public_key.pem

Encryption Status

The following values can be retrieved using GetProperty:

GetProperty("IsEncrypted")Returns TRUE if the SigObj contains encrypted signature data which has not (yet) been decrypted.
GetProperty("CanEncrypt")Returns TRUE if a password or public key has been set. If the SigObj already contains sig data, or if it is subsequently set (via SigData, SigText, Capture etc), it will be encrypted.
GetProperty("CanDecrypt")Returns TRUE if a password or private key has been set. Sig data encrypted (with the appropriate password or public key) can be set and will be decrypted.