
posted by martyb on Wednesday February 27 2019, @01:15AM
from the jest-sine-hear dept.

Researchers break digital signatures for most desktop PDF viewers | ZDNet

A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services.

[...] The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services.

The team went public with their findings over the weekend after all affected app makers and commercial companies finished patching their products.

Researchers were willing to wait months so that all products would receive fixes because of the importance of PDF digital signatures.

Digitally signed PDF documents are admissible in court, can be used as legally-binding contracts, can be used to approve financial transactions, can be used for tax filing purposes, and can be used to relay government-approved press releases and announcements.

Having the ability to fake a digital signature on an official PDF document can help threat actors steal large amounts of money or cause chaos inside private companies and public institutions.

  • (Score: 2) by DannyB on Wednesday February 27 2019, @03:32PM (4 children)

    by DannyB (5839) Subscriber Badge on Wednesday February 27 2019, @03:32PM (#807639) Journal

    Yes. That.

    Document signing should be a separate application which does exactly one thing and does it whale.

    It should also be a specification that can be implemented by multiple applications on all platforms. Making the standard widely available and able to sign all kinds of files, not just PDF, makes it more suitable for its intended porpoise.

    Sort of how tar and gzip work well together but separately are different fish.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 2) by FatPhil on Wednesday February 27 2019, @04:38PM (3 children)

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday February 27 2019, @04:38PM (#807669) Homepage
    Exactly. And it's funny you should mention tar/gzip in this context. Here in Estonia, we have a governmentally approved public key infrastructure (in the form of chipped ID cards) that we can use to sign everything from our tax returns to arbitrary formal documents. And if you peek into the structure of the "signed document", you'll see it's nothing more than a Zip file with a (open standard) defined layout. No invention of a new proprietary file format - just reuse what's already there for that purpose, bundling files together.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
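DannyB's point (a separate signing tool that works over any file, following one open specification) and FatPhil's description of Estonia's signed documents (a plain Zip file with a defined layout) are easy to make concrete. The Go program below is an added example written for this page; it is not code from either commenter, from the Estonian signing scheme, or from any of the products in the story. The container layout (payload files plus META/manifest.txt and META/manifest.sig), the choice of Ed25519 via Go's standard library, and the sample file contents are all assumptions made for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Layout assumed for this example (not Estonia's real format): the payload files,
// of any type, plus META/manifest.txt (one "<sha256 hex>  <name>" line per file,
// sorted by name) and META/manifest.sig (raw Ed25519 signature over the manifest).
const manifestName, signatureName = "META/manifest.txt", "META/manifest.sig"

// buildManifest produces the canonical manifest text for a set of payload files.
func buildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// WriteZip serialises entries into an in-memory zip archive.
func WriteZip(entries map[string][]byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range entries {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err = w.Write(data); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// ReadZip loads every entry, rejecting duplicate or newline-bearing names, either
// of which would let two different files claim the same manifest line.
func ReadZip(container []byte) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(container), int64(len(container)))
	if err != nil {
		return nil, err
	}
	entries := map[string][]byte{}
	for _, f := range zr.File {
		if _, dup := entries[f.Name]; dup || strings.ContainsRune(f.Name, '\n') {
			return nil, fmt.Errorf("rejected entry name %q", f.Name)
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		entries[f.Name] = data
	}
	return entries, nil
}

// SignContainer bundles the payload with its manifest and a detached signature.
func SignContainer(files map[string][]byte, priv ed25519.PrivateKey) ([]byte, error) {
	entries := map[string][]byte{}
	for n, d := range files {
		entries[n] = d
	}
	manifest := buildManifest(files)
	entries[manifestName] = manifest
	entries[signatureName] = ed25519.Sign(priv, manifest)
	return WriteZip(entries)
}

// VerifyContainer checks the manifest signature, then rebuilds the manifest from
// the payload actually present and compares byte for byte, so modified, removed
// and added files are all rejected. It returns the verified manifest text.
func VerifyContainer(container []byte, pub ed25519.PublicKey) (string, error) {
	entries, err := ReadZip(container)
	if err != nil {
		return "", err
	}
	manifest, okM := entries[manifestName]
	sig, okS := entries[signatureName]
	if !okM || !okS || !ed25519.Verify(pub, manifest, sig) {
		return "", fmt.Errorf("manifest missing or its signature is invalid")
	}
	delete(entries, manifestName)
	delete(entries, signatureName)
	if !bytes.Equal(buildManifest(entries), manifest) {
		return "", fmt.Errorf("payload does not match the signed manifest")
	}
	return string(manifest), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo: errors ignored for brevity
	// constructed sample payload
	files := map[string][]byte{"contract.txt": []byte("I agree to pay 100 EUR."), "notes.txt": []byte("draft 3")}
	signed, _ := SignContainer(files, priv)
	m, err := VerifyContainer(signed, pub)
	fmt.Printf("genuine container: err=%v\n%s", err, m)
	// same manifest and signature, but one file's bytes swapped: must be rejected
	entries, _ := ReadZip(signed)
	entries["contract.txt"] = []byte("I agree to pay 100000 EUR.")
	tampered, _ := WriteZip(entries)
	_, err = VerifyContainer(tampered, pub)
	fmt.Println("tampered container:", err)
}
```

The design choice worth noting is that the verifier never trusts the manifest's list of files on its own: it recomputes the manifest from whatever the archive actually contains and demands a byte-for-byte match, so a swapped file, an added file, a removed file, or a signature made with a different key all fail in the same way. Refusing duplicate entry names closes the obvious container-level trick of shipping two files under one name and hoping the reader and the verifier pick different ones; the same class of "verifier and viewer disagree about what the document is" problem is what the PDF research in the story is about.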
    • (Score: 2) by DannyB on Wednesday February 27 2019, @05:22PM (2 children)

      by DannyB (5839) Subscriber Badge on Wednesday February 27 2019, @05:22PM (#807695) Journal

      Zip may already be the closest thing to a universal container format.

      LibreOffice files are really zip files.

      Java executable JAR files / libraries (java equivalent of exe/dll) are actually zip files.

      Java WAR and EAR files are zip files.

      LibreOffice can export PDF files, and optionally include the original document file into the PDF -- in this case the outer structure is an actual PDF not a zip.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 2) by FatPhil on Thursday February 28 2019, @12:01AM (1 child)

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday February 28 2019, @12:01AM (#807883) Homepage
        Pretty universal, yeah. And not only OpenOffice, but Microsoft's OfficeOpenetrationXML is also Zip-based. (After OO.O did their format. Always leading from behind, those MS geniuses.)
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 0) by Anonymous Coward on Thursday February 28 2019, @07:27AM

          by Anonymous Coward on Thursday February 28 2019, @07:27AM (#808014)

          There are many application formats that use the Open Packaging Conventions besides Microsoft's. Another one I've seen is using SQLite files as application file formats, i.e. https://www.sqlite.org/aff_short.html. In fact, after discussing the various alternatives with coworkers, we are considering either using OPC or SQLite. However, we are still leaning toward OPC, given the fact that they have an actual specification and recommendations, rather than just telling people to put things in whatever way makes sense to them (to be fair, there is a sort of suggestion spread around the documentation, but good luck with interoperability).