3 min read

Attacks on PDF Certification and the impact on Approval Signatures

Cryptomathic : 20. July 2021

eIDAS Signer WYSIWYS

Attacks on PDF Certification and the impact on Approval Signatures

In May 2021, researchers published two attacks on certified PDFs, which enabled unintentional and fraudulent modifications to be applied to signed documents. Here we provide a brief summary of the attacks and explain why documents that are digitally signed using Cryptomathic Signer and its WYSIWYS technology is not susceptible to these attacks.

The Attack

The attacks apply to "certified" PDF documents. A certified PDF document is a PDF document with a digital signature that serves as a certificate of the content of the document. A certified document allows certain modifications to be made after the certification. A typical use-case of certified documents is a questionnaire where the form itself is certified, but a questionee is allowed to fill in answers to the questions without invalidating the certification signature.

The webpage PDF Insecurity is dedicated to these attacks and gives good explanations of the attacks as well as analysis of the impact on several of the most popular PDF readers.

Certification signatures and the allowed modifications to certified documents are described in the PDF standard (ISO 32000). Though the intention of the allowed modification is to allow additional content in the certified document, some of the allowed modifications can be abused to change existing content.

The "FreeText" annotation, for instance, allows additional text anywhere on a page. This could be abused to change a billing amount from $100 to $100,000.

Any additions to the certified document are made as "annotations" that are added to the document. By looking at the certified file, it is thus simple to see the difference between the original document and any additions made after certification. The attack occurs because some PDF viewers provide no visible indication that allows the user to identify added content. A "safe" PDF viewer will clearly indicate what content has been added, either directly in the viewer, or in status or information panels.

The Impact on Approval Signatures and WYSIWYS

Cryptomathic Signer implements “What You See Is What You Sign” (WYSIWYS) technology, which applies "approval signatures" to PDF documents. In contrast to certification signatures, approval signatures do not allow any modification to the main document after signing (additional signatures, timestamps, e.t.c. are allowed). WYSIWYS guarantees that what the signee sees when s/he signs the document will also be what anyone else sees in the future when they open the signed document.

The WYSIWYS technology, used by Cryptomathic Signer, can give this guarantee since it insists on PDF documents adhering to the PDF/A 2 standard.

The PDF/A 2 standard does not allow any content that can change over time or from PDF viewer to PDF viewer. Even when a certified document is signed with WYSIWYS, WYSIWYS ensures that no further changes can happen to the certified document after an approval signature has been applied through WYSIWYS.

While WYSIWYS will happily render a certified document that has been updated with elements as suggested in the attack, it is important to note that the visual representation given by WYSIWYS at the time of signing is identical to the visual representation of the document at any future time. From the point of view of WYSIWYS, there is no difference between content that is added before or after the certification. Any certification flow that is required by the document must take place before WYSIWYS is involved. Finally, it’s also worth noting that WYSIWYS itself does not validate any certification signature.

In summary, PDFs signed with digital signatures created by Cryptomathic Signer are not endangered by these attacks. Contact us for more information on how Cryptomathic Signer protects against attacks on digital signatures.

References

Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more

CEN/TC 224 - Trustworthy Systems Supporting Server Signing Part 2: Protection Profile for QSCD for Server Signing (05.2018), by AFNOR
Conformity assessment of Trust Service Providers - Technical guidelines on trust services (2017), by the European Agency for Cyber Security

Mutual Recognition Agreement of Information Technology Security Evaluation Certificates, VERSION 3.0 (Jan, 2010), SOG-IS
Trustworthy Systems Supporting Server Signing Part 2: Protection
Profile for QSCD for Server Signing (2019) by CEN/TC 224
About The Common Criteria (retrieved October 2020), by Common Criteria

Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010(12/2013), by the European Parliament and the European Council

Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, and more

The European Interoperability Framework - Implementation Strategy (2017), by the European Commission