Friday, August 20, 2010

Fundamental vulnerability in PDF

Florian Zumbiehl discovered a fundamental flaw in the PDF standard that makes it possible to create valid digital signatures over arbitrary content.

The flaw allows an attacker to prepare a document with two different contents (say, one "visible" to the signer and another one "hidden"), have the signer sign the "visible" content, and then substitute the "hidden" content for it without invalidating the signature. I should note that the signing must be performed with special software that "knows" about the flaw and the "Janus" structure of the document, and can sign it in the particular way that makes the later content substitution possible.

As far as I am aware of how Acrobat works, it cannot be used to perform such an attack on the signer. However, the flaw itself is extremely serious and may lead to various problems in the future. For instance, one could attack one's own signature and then insist on revoking it, arguing that the signature was attacked by a third party.