New attacks on electronic signature systems for PDF

Introduction

Nowadays, people increasingly rely on electronic signatures to guarantee the integrity and authenticity of electronic documents, such as contracts or agreements. A commonly used format for electronic documents is PDF (Portable Document Format). PDF documents can be signed electronically, they can be viewed using PDF viewer applications, and signed PDF documents can be validated using various validation services for electronic signatures.

Different types of attacks have recently been discovered on electronic signature systems for PDF. In 2019, researchers from the Ruhr-Universität Bochum, Germany, and from Hackmanit GmbH, Germany, showed that it is possible to manipulate signed PDF documents while several PDF viewers still reported the electronic signature on the document as valid (see [2]).

In July 2020, researchers from the Ruhr-Universität Bochum published new attacks on electronic signature systems for PDF (see [1]), which they call “shadow attacks”. Compared to the setting in [2], the attacker is given “write access” to the PDF document before it is signed. The idea behind “shadow attacks” is that the attacker creates a PDF document with two different types of content: the content expected by the signing entity and the hidden content that will be displayed after the PDF is signed. The attacker first prepares a PDF document with hidden content that is submitted to the signing entity. The signer then returns the document to the attacker who modifies it and sends it to the relying party. After opening the signed PDF document, the relying party successfully validates the electronic signature but sees a different content than the signer. The authors of [1] also provide a generic countermeasure of how shadow attacks can be prevented.

In the European Union, the eIDAS Regulation [3] grants to qualified electronic signatures, which have to meet specific requirements defined in this Regulation, the equivalent legal effect of handwritten signatures. In addition, qualified electronic signatures are recognised in all EU Member States. It is thus of utmost importance that, when creating a qualified electronic signature, the content that is shown to the signer faithfully represents the content of the PDF document and that these signatures can be correctly validated using trustworthy validation systems.

In order to address the issues related to “shadow attacks” on electronically signed PDF documents, the following recommendations are made:

Recommendations for providers of electronic signature creation services (in particular, services for creating qualified electronic signatures remotely) and for developers of electronic signature creation applications:

  • Check whether the electronic signature creation service or application is vulnerable to shadow attacks (test files can be found on the webpage under reference [4]).
  • Ensure that the document that is to be signed does not contain any hidden or dynamic content (e.g. by filtering out content that is not shown to the user or depends on the current environment). This can be achieved by converting the PDF document to PDF/A before presenting it to the signatory (see ISO 19005‑1:2005, ISO 19005‑2:2011, ISO 19005‑3:2012 including technical corrigenda).
  • The document that has been signed by the user should be shown to the user after it has been signed so that the user can view the content he has actually signed.
  • Ensure that the electronic signature meets the requirements of the PAdES Baseline Profile at conformance level B, T or LT (see ETSI TS 103172 v.2.2.2).

Recommendations for providers of validation services for electronic signatures (in particular, qualified validation services for qualified electronic signatures) and for developers of electronic signature validation applications:

  • Check whether the validation service or application is impacted by shadow attacks (test files can be found on the webpage under reference [4]).
  • Implement the validation algorithm proposed as a countermeasure to shadow attacks in [1]; in particular, the user should be informed if a PDF document contains changes (incremental updates) that were not signed, even if those changes only relate to seemingly innocuous metadata.
  • The validation report produced by a validation service or application should indicate the byte range that has been covered by each electronic signature.
  • The validation report produced by a validation service or application should indicate whether the signed document contains hidden or dynamic content. If applicable, it should also indicate the level of PDF/A conformance (see ISO 19005‑1:2005, ISO 19005‑2:2011, ISO 19005‑3:2012 including technical corrigenda).
  • If applicable, the validation report produced by a validation service or application should indicate the level of PAdES Baseline Profile conformance (see ETSI TS 103172 v.2.2.2).
  • Adapt the validation policy, if necessary.
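The two validation recommendations above (report the byte range covered by each signature, and warn about incremental updates that were not signed) can be illustrated with a small Python check. This is an added example, not code from the advisory or from the authors of [1], and it is deliberately simpler than their full countermeasure: it only reads each /ByteRange and flags any bytes appended after the newest signature's coverage. The sample "PDF" it audits is constructed inline with a placeholder signature blob, so it runs offline.

```python
import re
from typing import Dict, List, Tuple

# ISO 32000 signature dictionaries carry /ByteRange [a b c d]: the signed data is
# bytes [a, a+b) and [c, c+d); the gap between them holds the /Contents hex string.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signature_byte_ranges(pdf: bytes) -> List[Tuple[int, int, int, int]]:
    """Every /ByteRange found in the file, in file order (the last one is the newest signature)."""
    return [tuple(int(x) for x in m.groups()) for m in BYTE_RANGE_RE.finditer(pdf)]

def audit_signature_coverage(pdf: bytes) -> Dict[str, object]:
    """Report what each signature covers and whether bytes were appended after the last one."""
    ranges = signature_byte_ranges(pdf)
    if not ranges:
        return {"signed": False}
    findings = []
    for a, b, c, d in ranges:
        gap = pdf[a + b:c]  # must be exactly the <...> hex /Contents string
        findings.append({"byte_range": (a, b, c, d),
                         "starts_at_file_start": a == 0,
                         "gap_is_hex_string": gap.startswith(b"<") and gap.endswith(b">"),
                         "ends_at_file_end": c + d == len(pdf)})
    covered_end = max(c + d for a, b, c, d in ranges)
    trailing = len(pdf) - covered_end  # bytes no signature covers: an unsigned incremental update
    return {"signed": True, "signatures": findings,
            "unsigned_trailing_bytes": trailing,
            "unsigned_incremental_update": trailing > 0}

def build_sample_pdf(append_update: bool) -> bytes:
    """Constructed test data: a minimal PDF-like file with one signature dictionary.
    Offsets are computed so the /ByteRange is consistent; the CMS blob is a placeholder."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /Contents "
    contents = b"<" + b"00" * 16 + b">"
    def tail(a, b, c, d):
        return (b" /ByteRange [%010d %010d %010d %010d] >>\nendobj\n"
                b"trailer\n<< /Root 1 0 R >>\n%%%%EOF\n" % (a, b, c, d))
    d = len(tail(0, 0, 0, 0))  # zero-padded fields keep the length stable
    b = len(head)
    c = b + len(contents)
    pdf = head + contents + tail(0, b, c, d)
    if append_update:
        # A revision appended after signing, which the signature never covered.
        pdf += (b"2 0 obj\n<< /Type /Annot /Subtype /FreeText /Contents (added after signing) >>\n"
                b"endobj\ntrailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return pdf

if __name__ == "__main__":
    for label, flag in (("signed only", False), ("signed + unsigned update", True)):
        print(label, audit_signature_coverage(build_sample_pdf(flag)))
```

A validation report built on this output would list each signature's byte range and raise a warning whenever unsigned_trailing_bytes is non-zero, regardless of what the appended revision contains; deciding whether such a revision changes the displayed content is the further step taken by the algorithm in [1].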

References

[1] Mainka, C., Mladenov, V., Rohlmann, S., & Schwenk, J. (2020). Attacks bypassing the signature validation in PDF, available electronically at https://www.pdf-insecurity.org/download/report-pdf-signatures-2020-03-02.pdf.

[2] Mladenov, V., Mainka, C., Meyer zu Selhausen, K., Grothe, M., & Schwenk, J. (2019). 1 Trillion Dollar Refund: How to Spoof PDF Signatures. ACM Conference on Computer and Communications Security, November 2019, available electronically at https://www.nds.ruhr-uni-bochum.de/media/ei/veroeffentlichungen/2019/06/28/PDF_Signature.pdf.

[3] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, 2014, available electronically at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG.

[4] PDF Insecurity, https://www.pdf-insecurity.org/signature-shadow/downloads.html.