Security experts found PDF digital signatures can not be trusted


Research has found that PDF digital signatures saved within the file can not be trusted.

On November 8th 2018 a research group shared a paper that demonstrates how to circumvent digital signatures in PDF files: the vulnerability causes most common readers to show the signature as valid even if it is not.

A website that analyzes the issue and shows results of such vulnerabilities is available here: https://www.pdf-insecurity.org/index.html

A digital signature is a mathematical scheme for demonstrating the authenticity of digital messages or documents. Once the author or creator has applied it to a digital document, anyone can verify whether the document has been tampered with, as well as who the author is (in PGP, for example).

The main issue with digital signatures is that they are usually "bundled" within the file, or shipped as a companion file to the original document. As a result, digital signatures are prone to tampering or removal by third parties that may have access to the document.

To address this issue, Rights Chain developed an on-blockchain digital signature solution that stores the signature in a blockchain database.

Unlike other solutions that store only the "hash" of a document in a public blockchain, resulting in a "timestamping" of the document using a public ledger, Rights Chain also stores additional information that can contextualize the signature for better identification and verification.

The document has no digital signature bundled within, so any modification to the file will result in a different hash of the document and therefore cause the digital signature verification to fail.

The digital signature stored in the blockchain supplies a timestamp of the registration, as well as tamper-proof storage where information can not be altered. The original document can be verified at any time by uploading the file to a simple web interface.
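A minimal sketch of the scheme described above, added here as an illustration and not Rights Chain's implementation: the whole file is hashed, the hash is stored with contextual fields in an external record, and verification re-hashes the file and checks the record store. A hash-chained Python list stands in for the blockchain and no key-based signature is modelled; the function names, record fields and sample data are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_hash(record: dict) -> str:
    # Hash a canonical JSON encoding of every field except the record's own hash.
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def register(ledger: list, document: bytes, author: str, timestamp: str) -> dict:
    """Append a record covering the whole file; nothing is written into the file."""
    record = {
        "doc_sha256": sha256_hex(document),
        "author": author,          # contextual information (hypothetical field)
        "timestamp": timestamp,    # registration time (hypothetical field)
        "prev_hash": ledger[-1]["record_hash"] if ledger else GENESIS,
    }
    record["record_hash"] = record_hash(record)
    ledger.append(record)
    return record

def ledger_intact(ledger: list) -> bool:
    # Every record must hash to its stored value and link to its predecessor.
    prev = GENESIS
    for rec in ledger:
        if rec["prev_hash"] != prev or rec["record_hash"] != record_hash(rec):
            return False
        prev = rec["record_hash"]
    return True

def verify(ledger: list, document: bytes):
    """Return the matching record, or None if the file or the ledger was altered."""
    if not ledger_intact(ledger):
        return None
    digest = sha256_hex(document)
    return next((r for r in ledger if r["doc_sha256"] == digest), None)

# Constructed sample data
ORIGINAL = b"%PDF-1.7 constructed sample contract: pay 100 EUR\n%%EOF\n"
MODIFIED = ORIGINAL.replace(b"100", b"900")
LEDGER = []
register(LEDGER, ORIGINAL, "Alice", "2019-02-28T10:00:00Z")
register(LEDGER, b"another constructed file", "Bob", "2019-02-28T11:00:00Z")
```

Because the digest covers every byte of the file, there is no unsigned region a reader could be led to display; a simple chain like this one only detects edits to records that have a successor, which is the gap a real distributed ledger closes.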


Sebastian Zdrojewski

System, Network and Data Security advisor for over 20 years. In 2017 he co-founded Rights Chain, a company that aims to develop copyright and intellectual property protection and enforcement solutions.


Last update 2019-02-28

