Publication:

1 Trillion Dollar Refund : How To Spoof PDF Signatures


Files

There are no files for this document.

Date

2019

Authors

Mainka, Christian
Meyer zu Selhausen, Karsten
Grothe, Martin
Schwenk, Jörg

Publication type
Contribution to a conference proceedings
Publication status
Published

Published in

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York: Association for Computing Machinery, 2019, pp. 1-14. ISBN 978-1-4503-6747-9. Available under: doi: 10.1145/3319535.3339812

Abstract

The Portable Document Format (PDF) is the de-facto standard for document exchange worldwide. To guarantee the authenticity and integrity of documents, digital signatures are used. Several public and private services ranging from governments, public enterprises, banks, and payment services rely on the security of PDF signatures. In this paper, we present the first comprehensive security evaluation on digital signatures in PDFs. We introduce three novel attack classes which bypass the cryptographic protection of digitally signed PDF files allowing an attacker to spoof the content of a signed PDF. We analyzed 22 different PDF viewers and found 21 of them to be vulnerable, including prominent and widely used applications such as Adobe Reader DC and Foxit. We additionally evaluated eight online validation services and found six to be vulnerable. A possible explanation for these results could be the absence of a standard algorithm to verify PDF signatures -- each client verifies signatures differently, and attacks can be tailored to these differences. We, therefore, propose the standardization of a secure verification algorithm, which we describe in this paper.

Subject area (DDC)
004 Computer science

Conference

The 26th ACM Conference on Computer and Communications Security, 11. Nov. 2019 - 15. Nov. 2019, London


Cite

ISO 690
MLADENOV, Vladislav, Christian MAINKA, Karsten MEYER ZU SELHAUSEN, Martin GROTHE, Jörg SCHWENK, 2019. 1 Trillion Dollar Refund : How To Spoof PDF Signatures. The 26th ACM Conference on Computer and Communications Security. London, 11. Nov. 2019 - 15. Nov. 2019. In: CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York: Association for Computing Machinery, 2019, pp. 1-14. ISBN 978-1-4503-6747-9. Available under: doi: 10.1145/3319535.3339812
BibTex
@inproceedings{Mladenov2019Trill-49651,
  year={2019},
  doi={10.1145/3319535.3339812},
  title={1 Trillion Dollar Refund : How To Spoof PDF Signatures},
  isbn={978-1-4503-6747-9},
  publisher={Association for Computing Machinery},
  address={New York},
  booktitle={CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security},
  pages={1--14},
  author={Mladenov, Vladislav and Mainka, Christian and Meyer zu Selhausen, Karsten and Grothe, Martin and Schwenk, Jörg}
}
RDF
<rdf:RDF
    xmlns:dcterms="http://purl.org/dc/terms/"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:bibo="http://purl.org/ontology/bibo/"
    xmlns:dspace="http://digital-repositories.org/ontologies/dspace/0.1.0#"
    xmlns:foaf="http://xmlns.com/foaf/0.1/"
    xmlns:void="http://rdfs.org/ns/void#"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema#" > 
  <rdf:Description rdf:about="https://kops.uni-konstanz.de/server/rdf/resource/123456789/49651">
    <dc:creator>Grothe, Martin</dc:creator>
    <dc:creator>Schwenk, Jörg</dc:creator>
    <dc:language>eng</dc:language>
    <void:sparqlEndpoint rdf:resource="http://localhost/fuseki/dspace/sparql"/>
    <dc:contributor>Schwenk, Jörg</dc:contributor>
    <dc:contributor>Mladenov, Vladislav</dc:contributor>
    <dc:rights>terms-of-use</dc:rights>
    <dc:contributor>Mainka, Christian</dc:contributor>
    <dc:contributor>Grothe, Martin</dc:contributor>
    <bibo:uri rdf:resource="https://kops.uni-konstanz.de/handle/123456789/49651"/>
    <dspace:isPartOfCollection rdf:resource="https://kops.uni-konstanz.de/server/rdf/resource/123456789/36"/>
    <dcterms:available rdf:datatype="http://www.w3.org/2001/XMLSchema#dateTime">2020-05-26T16:17:21Z</dcterms:available>
    <dcterms:isPartOf rdf:resource="https://kops.uni-konstanz.de/server/rdf/resource/123456789/36"/>
    <dc:creator>Meyer zu Selhausen, Karsten</dc:creator>
    <dc:contributor>Meyer zu Selhausen, Karsten</dc:contributor>
    <dc:creator>Mladenov, Vladislav</dc:creator>
    <dcterms:issued>2019</dcterms:issued>
    <dcterms:title>1 Trillion Dollar Refund : How To Spoof PDF Signatures</dcterms:title>
    <dc:creator>Mainka, Christian</dc:creator>
    <foaf:homepage rdf:resource="http://localhost:8080/"/>
    <dcterms:rights rdf:resource="https://rightsstatements.org/page/InC/1.0/"/>
    <dc:date rdf:datatype="http://www.w3.org/2001/XMLSchema#dateTime">2020-05-26T16:17:21Z</dc:date>
    <dcterms:abstract xml:lang="eng">The Portable Document Format (PDF) is the de-facto standard for document exchange worldwide. To guarantee the authenticity and integrity of documents, digital signatures are used. Several public and private services ranging from governments, public enterprises, banks, and payment services rely on the security of PDF signatures. In this paper, we present the first comprehensive security evaluation on digital signatures in PDFs. We introduce three novel attack classes which bypass the cryptographic protection of digitally signed PDF files allowing an attacker to spoof the content of a signed PDF. We analyzed 22 different PDF viewers and found 21 of them to be vulnerable, including prominent and widely used applications such as Adobe Reader DC and Foxit. We additionally evaluated eight online validation services and found six to be vulnerable. A possible explanation for these results could be the absence of a standard algorithm to verify PDF signatures -- each client verifies signatures differently, and attacks can be tailored to these differences. We, therefore, propose the standardization of a secure verification algorithm, which we describe in this paper.</dcterms:abstract>
  </rdf:Description>
</rdf:RDF>

Alliance licence
Corresponding authors from the University of Konstanz present
International co-authors
University bibliography
Peer reviewed