Digital Signing of Microsoft® 2007 Office System Documents August 2007
Table of Contents Introduction What is a Digital Signature?
Cover is for position only
2 4
What Digital Signatures Accomplish...................................................................4 Requirements for Digital Signatures..................................................................5 Digital Signatures in the Business Environment...................................................5 Compatibility Issues........................................................................................6 Using Digital Signatures 7 Transparent or Invisible Digital Signatures.........................................................7 How to Add an Invisible Signature.....................................................................7 Add a Signature Line.....................................................................................13 Digital Certificates 19 Summary
www.microsoft.com/office
21
i
Introduction 2007 Microsoft Office is a complete suite of productivity and database software that will help you save time and stay organized. Powerful contact management features help you manage customer and prospect information in one place. You can develop professional marketing materials for print, e-mail, and the Web, and produce effective marketing campaigns in-house. You can create dynamic business documents, spreadsheets, and presentations, and build databases with little experience or technical staff. You will learn new features rapidly using the new Microsoft® Office Fluent™ user
interface that presents the right tools when you need them. New task-based menus and toolbars automatically display the commands and options you can use, making it faster and easier to find the software features you need. And the new Live Preview feature makes it easy to sample your changes before you apply them. The new tools help you work faster and create more professional documents, spreadsheets, and presentations. These tools help you quickly accomplish routine tasks so you can spend more time with your customers and building your business. But in today’s business world, getting the work done quickly and accurately is not enough. It’s also important to protect your Microsoft 2007 Office system documents against unauthorized access and tampering. In addition to the robust productivity enhancements included with the Microsoft 2007 Office system are new security advances. The Microsoft 2007 Office system was built with security in mind, using Microsoft’s new Security Development Lifecycle approach for software development which provides a comprehensive framework of design, production, and testing methods and tools to ensure that software meets and exceeds current and anticipated security demands. The Microsoft 2007 Office system represents the most secure version of Office yet. Security encompasses many factors, and Microsoft uses a number of technologies to help secure your Office documents. Digital document signing is one of the ways you can help protect information in your Microsoft 2007 Office system documents. When you sign a document, you confirm that you are the originator of the document and that you vouch for the contents of the document. If the document is changed in any way, the digital signature is invalidated. Digital signatures on Microsoft 2007 Office system documents www.microsoft.com/office
i
help ensure that no changes to a document are made as the document moves through a “chain of custody.”
www.microsoft.com/office
i
What is a Digital Signature? You can digitally sign a document for many of the same reasons you might place a handwritten signature on a paper document. A digital signature is used to help authenticate the identity of the creator of (authenticate: The process of verifying that people and products are who and what they claim to be. For example, confirming the source and integrity of a software publisher’s code by verifying the digital signature used to sign the code.) digital information — such as documents, e-mail messages, and macros — by using cryptographic algorithms. Digital signatures are based on digital certificates. Digital certificates are verifiers of identity issued by a trusted third party, called a certification authority or CA. This works similarly to the use of standard identity documents in the non-electronic world. For example, a trusted third party such as a government entity or employer issues identity documents such as driver’s licenses, passports and employee ID cards on which others rely to verify that a person is whom he/she claims to be. Digital certificates can be issued by CAs within an organization, such as a Windows® Server 2003 server running Windows Certificate Services, or a public CA such as VeriSign or Thawte.
What Digital Signatures Accomplish Digital signatures help to establish the following authentication measures: •
Authenticity The digital signature helps to assure that the signer is whom he or she claims to be. This helps prevent others from pretending to be the originator of a particular document (the equivalent of forgery on a printed document).
•
Integrity The digital signature helps to assure that the content has not been changed or tampered with since it was digitally signed. This helps prevent documents from being intercepted and changed without knowledge of the originator of the document.
•
Non-repudiation
The digital signature helps to prove to all parties the origin of the
signed content. "Repudiation" refers to the act of a signer's denying any association with the signed content. This helps prove that the originator of the document is the www.microsoft.com/office
i
true originator and not someone else, regardless of the claims of the signer. A signer cannot repudiate the signature on that document without repudiating his or her digital key, and thus other documents signed with that key.
Requirements for Digital Signatures To establish these conditions, the content creator must digitally sign the content by using a signature that satisfies the following criteria: •
The digital signature is valid. A certification authority that is trusted by the operating system must sign the digital certificate on which the digital signature is based.
•
The certificate is associated with the digital signature is not expired.
•
The signing person or organization (known as the publisher) is trusted by the recipient.
•
The certificate associated with the digital signature is issued to the signing publisher by a reputable certification authority (CA).
Microsoft Office Word 2007, Office Excel 2007 and Office PowerPoint 2007 detect these criteria for you and alert you if there appears to be a problem with the digital signature. Information about problematic certificates is easily viewed in a certificate task pane that appears within the Microsoft 2007 Office System program. Microsoft 2007 Office System applications allow you to add multiple digital signatures to the same document.
Digital Signatures in the Business Environment The following scenario illustrates how digital signing of documents can be used in a business environment: 1. An employee uses an Excel spreadsheet to create an expense report. The employee then creates three signature lines: one for herself, one for her manager and one for accounting. These lines are used to identify that the employee is the originator of the document, that no changes will take place in the document as it moves to the manager and the accounting division, and that there is proof that both the manager and accounting department have received and reviewed the document. 2. The manager receives the document and adds her digital signature to the document, confirming that she has reviewed and approved it. She then forwards it to the accounting department for payment. www.microsoft.com/office
i
3. A representative in the accounting department receives the document and signs it, confirm receipt of the document. This example demonstrates the ability to add multiple signatures to a single Microsoft office document. In addition to the digital signature, the signer of the document can add a graphic of her actual signature, or use a tablet PC to actually write a signature into the signature line in the document. There is also a “rubber stamp” feature that can be used by departments, indicating that a member of a specific department received the document.
Compatibility Issues 2007 Microsoft Office, unlike its predecessors, uses the XMLDSig format for digital signatures. It is important to note that digital signatures are not compatible across Microsoft Office platforms. For example, if a document is signed using Microsoft 2007 Office system and opened in a Microsoft Office 2003 application with the Office Compatibility Pack installed, the user will be informed that the document was signed by a newer version of Microsoft Office and the digital signature will be lost, as seen in figure 1.
Figure 1: Warning that the digital signature is moved when opened in a earlier version of Office
www.microsoft.com/office
i
Using Digital Signatures There are two ways you can apply a digital signature to a Microsoft 2007 Office system document, spreadsheet or presentation: •
Add a transparent or invisible digital signature
•
Add one or more digital signature lines
In the following sections you will see examples of both methods of adding digital signatures to Microsoft Office documents
Transparent or Invisible Digital Signatures If you do not need to insert visible signature lines into a document, but you still want to provide assurance as to the authenticity, integrity, and origin of a document, you can add an invisible digital signature to the document. You can add invisible digital signatures to Word documents, Excel workbooks, and PowerPoint presentations. Unlike an Office signature line, an invisible digital signature cannot be seen within the contents of the document itself, but recipients of the document can determine that the document has been digitally signed by viewing the document's digital signature or by looking for the Signatures button on the status bar at the bottom of the screen After a document has been digitally signed, it becomes read-only to prevent modifications.
How to Add an Invisible Signature Perform the following steps to add a transparent digital signature to an Microsoft 2007 Office system document: 1. Click the Office Button, point to Prepare and click Add a Digital Signature 2. You will see a Microsoft Office dialog box that provides you with information about adding digital signatures. Read this information and then put a checkmark in the Don’t show this message again checkbox. Click OK. Note that this dialog box also contains an option to obtain signature services from the Office Marketplace online.
www.microsoft.com/office
i
Figure 2: Office dialog box providing information about digital signatures
3. A Microsoft Office dialog box appears informing you that before you can add a signature, you have to save the document in a format that supports digital signatures. You can save the file in the new Office formats (.docx, .xlsx and .pptx) or the old ones (.doc, xls and .ppt). Click Yes and the document will be saved the format you’ve set as the default for the Office application.
Figure 3: Office dialog box providing information about document type required for signing
4. In the Save As dialog box, select a location to save the document and give the document a name. Make sure that you save the document in the .doc or .docx format. Click Save.
www.microsoft.com/office
i
Figure 4: Selecting a location to save the document
5. In the Sign dialog box, you can enter a reason for signing the document in the Purpose for signing this document text box. You can also leave this field blank if you want. Note that there is a default user entered in the Signing as section. You can change the signer of the document by clicking the Change button.
Figure 5: Providing a reason for the digital signature
www.microsoft.com/office
i
6. The Select Certificate dialog box appears after clicking the Change button in the Sign dialog box. If you have multiple user certificates, you can select one from this box. This is most useful when you are using a shared computer. Before selecting one, you can view details about the certificates, including issuer, expiration dates, the certificate path and whether the certificate is trusted. 7. Click Cancel, then click Sign in the Sign dialog box.
Figure 6: Option for selecting an alternate certificate
8. The Signature Confirmation dialog box appears, informing you that the signature was saved with the document and that if the document is changed, the signature will become invalid. Click OK to dismiss the dialog box.
Figure 7: Confirming that the document was signed
9. A Signatures task pane appears on the right side of the application window. In this example there appears to be a problem with the signature, as indicated by the Certificate issues warning icon.
www.microsoft.com/office
i
Figure 8: The Signatures task pane informs about certificate issues
10. Click on the problematic signature and then click the pull down arrow. Click Signature details to discover the problem with the signature.
Figure 9: Investigating problems with the digital certificate
11. In the Signature Details detail box, there is information indicating that the problem with the signature is that it is not trusted. The signature used in this example is a self-signed certificate created by Microsoft 2007 Office system. This type of certificate would typically be used in small and medium sized businesses that do not have a public key infrastructure (PKI) in place. In the enterprise environment where there is an established PKI, this problem would indicate that the machine this document is being read on does not trust the CA that signed the user’s digital certificate. In this example, we can choose to trust the user’s certificate by clicking the Click here to trust this user’s identity.
www.microsoft.com/office
i
Figure 10: Assessing issues with a digital certificate
12. After clicking Click here to trust this user’s identity, the Signature Details dialog box indicates that the signature is valid. If you wish, you can see additional signing information by clicking the See the additional signing information that was collected link.
Figure 11: Verifying the valid signature
13. In the Additional Information dialog box, you can see information about what the signature signs, the system date/time, the version of Windows, the version of Microsoft Office, the version of the Office application signing the document, the number of monitors on the machine, and the resolution of the primary monitor. Click OK to dismiss this dialog box and then click Close in the Signature Details dialog box.
www.microsoft.com/office
i
Figure 12: Viewing additional information about the signed document
14. If there are no problems with the certificate, the certificate task pane will not appear. However, if you want to view details of the signers and their certificates, you can click the red “ribbon” icon in the status bar of the office application. This will enable the Signatures task pane.
Figure 13: Digital signature indicator and enabling the Signature task pane
Add a Signature Line Another way to add a digital signature to a document is to add one or more digital signature lines. The following procedures describe how to create a digital signature line: 1. Click the Insert tab and then click the Signature Line button. The Signature Setup dialog box appears. Enter information about the Suggested signer, Suggested signer’s title, and Suggested signer’s e-mail address. Put a checkmark in the Allow the signer to add comments to the Sign dialog if you want the signer to add additional information into the signature line, and put a checkmark in the Show sign date in signature line checkbox to add the date the document was signed in the text box. Click OK.
www.microsoft.com/office
i
Figure 14: Signature setup
2. A digital signature line now appears in the document. Double click the signature line to provide more information.
Figure 15: The digital signature line
3. In the Sign dialog box you can type your name or if you have a table PC, you can write your name into the text box. If you don’t have a tablet PC, but would like an image of your actual signature to be included in the signature line, you can click the Select Image link and insert a graphic file containing your handwritten signature. In this example we will click the Select Image link to insert a graphic of an actual signature.
www.microsoft.com/office
i
Figure 16: Inserting the digital signature
4. In the Select Signature Image dialog box, select the image of your signature and click the Select button.
Figure 17: Selecting the digital signature graphic
www.microsoft.com/office
i
5. The image appears in the Sign dialog box. Before signing the document, you can enter a reason for signing the document in the Purpose for signing this document text box. Click Sign to digitally sign the document.
Figure 18: Entering the purpose for digitally signing the document
6. The Signature Confirmation dialog box appears informing you that the digital signature has been applied to the document.
Figure 19: Confirming the digital certificate was applied
7. Note in this example that there appears an Invalid signature warning in the signature line box. Click Invalid signature to investigate reasons why the signature is valid.
www.microsoft.com/office
i
Figure 20: Warning that the signature may not be valid
8. In the Signature Details dialog box you will see that the certificate is not trusted. You can choose to trust the certificate by clicking the Click here to trust this user’s identity link.
Figure 21: Trusting the digital identity
9. After choosing to trust the signature, the Signature Details dialog box will confirm that the signature is valid. Click Close.
Figure 22: Signature details confirms that the signature is trusted
www.microsoft.com/office
i
10. The signature line no longer shows a problem with the certificate and the date the document was signed now appears above the signature line.
Figure 23: Signature line now reflects a trusted digital identity
www.microsoft.com/office
i
Digital Certificates In the above examples we used self-signed certificates. These are certificates that are created by the Microsoft 2007 Office system and can be used to digitally sign and encrypted Microsoft 2007 Office system documents. Self-signed certificates are typically used by individuals and small businesses who do not wish to set up a public key infrastructure for their organizations and do not want to purchase a commercial certificate. The primary drawback of using self-signed certificates is that they are only useful if you exchange documents with those who know you personally and are confident that you are the actual originator of the document. With self-signed certificates, there is no third-party that validates the authenticity of your certificate. Each person that receives your signed document will need to decide on her own whether or not to trust your certificate. Larger organizations have two other options that scale much better than self-signed certificates. These are: •
Certificates created by a corporate public key infrastructure (PKI)
•
Commercial certificates
Organizations have the option to create their own PKI. In this scenario, the company sets up one or more certification authorities which can create digital certificates for machines and users throughout the company. When combined with Microsoft Active Directory, a company can create a complete PKI solution so that all corporate managed machines have the corporate certificate authority chain installed and both users and machines are automatically assigned digital certificates for document signing and encryption. For more information on using a Microsoft PKI, please see the Public Key Infrastructure for Windows Server 2003 page at http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx Another option is to use commercial certificates. A commercial certificate is one that is purchased from a company whose line of business is to sell digital certificates. The main advantage of using commercial certificates is that the commercial certificate vendor’s root CA certificate is automatically installed on Windows operating systems, which enables these machines to automatically trust these certificate authorities. Unlike the www.microsoft.com/office
i
corporate PKI solution, commercial certificates enable you to share your signed documents with users who do not belong to your organization. There are three types of commercial certificates: •
Class 1 Class 1 Certificates are issued to Individuals with valid e-mail addresses. Class 1 Certificates are appropriate for Digital Signatures, encryption, and electronic access control for non-commercial transactions where proof of identity is not required
•
Class 2 Class 2 Individual Certificates are appropriate for Digital Signatures, encryption, and electronic access control in transactions where proof of identity based on information in the Validating database is sufficient. Class 2 Device Certificates are appropriate for device authentication; message, software, and content integrity; and confidentiality encryption
•
Class 3 Class 3 Certificates are issued to Individuals, Organizations, Servers, Devices, and Administrators for CAs and RAs. Class 3 Individual Certificates are appropriate for Digital Signatures, encryption, and access control in transactions requiring a high assurance about the subscriber's identity. Class 3 Server Certificates are appropriate for server authentication; message, software, and content integrity; and confidentiality encryption
For more information on commercial certificates, please visit the Microsoft Office Marketplace at http://office.microsoft.com/en-us/marketplace/EY010504841033.aspx Companies that are interested in signing documents that are only shared among other employees in the organization will prefer a corporate PKI to reduce costs. For companies that wish to share signed documents with people outside their organization, a commercial certificate may fit their needs best.
www.microsoft.com/office
i
Summary Microsoft 2007 Office system provides many security improvements over its predecessors. One of the improvements is in the area of digital document signing. By digitally signing a document, you can confirm that you are the originator of the document and help prove that the document has not changed since the time you signed it. Digital signatures depend on digital certificates. Smaller organizations can use “self-signed” certificates, while larger organizations will prefer to use a corporate public key infrastructure. Microsoft 2007 Office system documents can have invisible signatures or signatures lines added to them. When used together with other Microsoft 2007 Office system security technologies and security technologies included in the Microsoft Office Servers and Windows operating system, digital signatures provide another significant component of a strong defense in depth approach to security data stored in Microsoft 2007 Office system documents, workbooks and presentations.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2007 Microsoft Corporation. All rights reserved.
www.microsoft.com/office
i