ADoc changes: the most important homework

Office of the Chief Archivist of Lithuania is planning to renew ADoc document format specifications this year in order to ensure security and originality of documents.This decision was taken in the light of the announcement by the Ministry of the Interior about technologically vulnerable e-signature chip cards on Lithuanian personal identity cards, issued between 2009 and 2012, and public servant ID cards, issued until 2017 November.

What to expect?

The new specification will completely ban the use of SHA-1 hash algorithm. SHA-1 is considered to be outdated and insecure as with this hash algorithm signed documents can be changed, thus, creating a possibility to forge a signature. Simply put, information on e-signed documents can be changed in such a way that these changes are not visible which means that e-signatures and documents remain valid even after the changes.

In theory, this has been discussed since 2005 but in practice it’s been proven only in 2017 when Google managed to generate two different, colliding documents with the same SHA-1 hash. Therefore, in order to avoid signature falsification, it’s recommended to replace SHA-1 with more secure alternatives, e.g., SHA-256.

What does that mean?

The planned update of ADoc specifications means that signatures with SHA-1 hash algorithm generated until now will no longer be valid. However, it can be easily avoided and validity of previously generated signatures can be extended by adding archive timestamps on signatures.

It’s important to note though that archive timestamps differ from the regular ones — while forming archive timestamps, hash is recalculated using all of the content files in that document, which prevents from algorithm outdating.

What to do?

For all the users of Dokobit API solutions that need to extend signature validity, it is important to take care of archive timestamps. It can be done by using this documentation or contacting your service providers that integrated our solutions to your systems. You can also contact our support centre directly — we are ready to answer all the questions on this topic.

Meanwhile, Dokobit portal users with paid accounts do not have to take any additional actions — we will take care that the signatures on the documents generated thus far remain valid.

This post is also available in: Lithuanian