
Background scenario:

So we had a problem where our system (Alice's shiny widgets) generated a PDF with a quote amount for 10 widgets. Someone (Eve) took the PDF, altered it to increase the price by 20%, and then presented the PDF as an expense claim to their boss, hoping to pocket the 20% difference! The boss (Bob) knew what the normal price should be, and accused us of price gouging. Very embarrassing for CEO Alice. Fortunately we had a backup copy of the original PDF. Eve 'was let go'...

CEO Alice said they didn't want that to happen again. So CTO Charlie said: 'Fix it with signed PDFs'

My question is, will that help?

Is there anything forcing Bob to check if the PDF is signed?

What stops Eve2.0 from copying the content of the signed PDF, altering it herself, and then signing it herself (perhaps with a cert named 'Alice's shiny widgetz')?

DarcyThomas

1 Answer


If Alice signs the PDF before sending to Bob, it will look like this:

[image: valid signature]

If Eve changes anything on the PDF, when Bob opens it, it will show something like this:

[image: invalid signature]

The signature contains the certificate of the issuer, and if anyone but Alice signs the document in her place, the signature will not be valid, and the PDF reader will show the invalid signature message. What Eve could do is to remove the signature and change the PDF, akin to SSL-Strip on a PDF.

How could Alice make sure the signature isn't stripped? She could call Bob and say that from now on, every single document will be signed, without exception. And put that message on her website. And on every email she sends. When Alice earns the reputation of sending only secure and signed emails and documents, few people will accept an unsigned counterfeit document.

ThoriumBR
  • So signing would foil simple content changes, but not sophisticated Eves who can set up certs that at a glance look legit? – DarcyThomas Aug 15 '18 at 02:25
  • No, it would foil almost every Eve, because the cost of creating a legit Alice certificate would probably be way greater than the expected profit. Forging a certificate is hard; it's not something anyone can Google and do. – ThoriumBR Aug 15 '18 at 02:35
  • Well, in this case it was $200k, so it might be worth the effort... – DarcyThomas Aug 15 '18 at 02:41
  • @ThoriumBR The issue is not forging a certificate, but obtaining a legitimate certificate under a deceptive name. For example, somebody could register "alicewidgets.net" and forge some paperwork for "Alice's Shiny Widgets LLC" instead of Inc. and get a reasonable-looking certificate. Analogously, the X.509 PKI of HTTPS/TLS does not provide strong protections against phishing. – user71659 Aug 15 '18 at 06:38
  • Will this work with other viewers than Adobe? – Martin Schröder Aug 16 '18 at 12:00
  • @MartinSchröder It should work with the majority of the readers. – ThoriumBR Aug 16 '18 at 12:05
  • Actually most viewers, in particular all those previewers, don't check signatures. On the other hand there are numerous signature validation services that allow validating integrated PDF signatures. – mkl Aug 17 '18 at 11:08
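To make the answer's three points concrete (a signature over the content fails on any edit, a signature can simply be stripped, and, as user71659's comment raises, a look-alike certificate carries a perfectly valid signature of its own), here is an added Go example that is not part of this answer or of the thread. It stands in for PDF signing with plain byte strings and a self-signed Ed25519 certificate: the quote text is constructed, the names "Alice's shiny widgets" and "Alice's shiny widgetz" come from the question, and the `SignedDoc`, `Signer`, `Verify` and `RunScenario` names are this example's own. Bob's `Verify` refuses unsigned documents, pins the exact certificate Alice handed him out of band, and only then checks the signature over the content.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedDoc models a PDF with an embedded signature and signer certificate; nil Sig = stripped.
type SignedDoc struct {
	Content, Sig []byte
	Cert         *x509.Certificate
}

// Signer holds a private key and a self-signed certificate (hypothetical stand-in for a CA-issued one).
type Signer struct {
	key  ed25519.PrivateKey
	Cert *x509.Certificate
}

// NewSigner generates an Ed25519 key and a self-signed certificate for commonName.
func NewSigner(commonName string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{key: priv, Cert: cert}, nil
}

// Sign signs the content and embeds the signer's certificate, as a PDF signature does.
func (s *Signer) Sign(content []byte) SignedDoc {
	return SignedDoc{Content: content, Sig: ed25519.Sign(s.key, content), Cert: s.Cert}
}

// Verify is Bob's side. Refusing unsigned documents beats signature stripping; requiring
// the exact certificate Alice handed Bob out of band (not merely a plausible name) beats
// a look-alike certificate; checking the signature over the content beats editing it.
func Verify(doc SignedDoc, pinned *x509.Certificate) error {
	if doc.Sig == nil || doc.Cert == nil {
		return errors.New("policy: unsigned document rejected")
	}
	if !doc.Cert.Equal(pinned) {
		return fmt.Errorf("signer %q is not the pinned certificate %q", doc.Cert.Subject.CommonName, pinned.Subject.CommonName)
	}
	if err := doc.Cert.CheckSignature(x509.PureEd25519, doc.Content, doc.Sig); err != nil {
		return fmt.Errorf("content does not match signature: %w", err)
	}
	return nil
}

// RunScenario plays the thread out on constructed quote text and returns
// Verify's verdict for each document Bob might receive.
func RunScenario() (map[string]error, error) {
	alice, err := NewSigner("Alice's shiny widgets")
	if err != nil {
		return nil, err
	}
	eve, err := NewSigner("Alice's shiny widgetz") // look-alike name, different key
	if err != nil {
		return nil, err
	}
	genuine := alice.Sign([]byte("Quote: 10 widgets at $100 each, total $1000")) // constructed sample
	tampered := genuine // Eve raises the price 20% but leaves Alice's signature in place
	tampered.Content = []byte("Quote: 10 widgets at $120 each, total $1200")
	stripped := SignedDoc{Content: tampered.Content} // Eve removes the signature (the SSL-strip analogue)
	lookalike := eve.Sign(tampered.Content)          // Eve re-signs with her own look-alike certificate
	return map[string]error{
		"genuine":   Verify(genuine, alice.Cert),
		"tampered":  Verify(tampered, alice.Cert),
		"stripped":  Verify(stripped, alice.Cert),
		"lookalike": Verify(lookalike, alice.Cert),
	}, nil
}

func main() {
	out, err := RunScenario()
	fmt.Println(out, err)
}
```

Only the genuine document verifies; the tampered one fails the signature check, the stripped one fails the unsigned-document policy, and the look-alike one fails the certificate pin even though its own signature is mathematically valid. Real PDF readers consult a trust store rather than a single pinned certificate, but the lesson is the same: the name printed in the certificate is not the trust decision, and a policy of "never accept an unsigned document" is what makes stripping fail.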