Security experts found PDF digital signatures cannot be trusted

Research has found that PDF digital signatures saved within the file cannot be trusted.

On November 8th 2018 a research group shared a paper that demonstrates how to circumvent digital signatures in PDF files: the vulnerability causes most common readers to show the signature as valid even if it is not.

A website that analyzes the issue and shows results of such vulnerabilities is available here:

A digital signature is a mathematical scheme for demonstrating the authenticity of digital messages or documents. Once it has been applied to a digital document by its author or creator, anyone can verify whether the document has been tampered with, as well as who the author is (in PGP for example).

The main issue with digital signatures is that they are usually "bundled" within the file, or shipped as a companion file to the original document. This means that digital signatures are prone to tampering or removal by third parties that may have access to the document.

To address this issue, Rights Chain developed an on-blockchain digital signature solution that stores the signature in a blockchain database.

Unlike other solutions that store only the "hash" of a document in a public blockchain, resulting in a "timestamping" of the document using a public ledger, Rights Chain also stores additional information that can contextualize the signature for better identification and verification.

The document has no digital signature bundled within it, so any modification to the file results in a different hash of the document, and the digital signature verification therefore fails.

The digital signature stored in the blockchain supplies a timestamp of the registration, as well as tamper-proof storage where the information cannot be altered. The original document can be verified at any time by uploading the file to a simple web interface.
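The registration and verification flow described above can be sketched as follows. This is an added example, not Rights Chain's code: the `Ledger` class, the field names, the use of SHA-256 and the in-memory hash chain standing in for a blockchain are all assumptions, and the record holds only a whole-file hash plus context, with no public-key signing.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(body: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class Ledger:
    """Hypothetical append-only, hash-chained store standing in for a blockchain."""

    def __init__(self):
        self.entries = []

    def register(self, document: bytes, author: str, title: str, timestamp: str) -> dict:
        body = {
            "doc_hash": sha256_hex(document),  # hash of the whole file, nothing embedded in it
            "author": author,
            "title": title,
            "timestamp": timestamp,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry = dict(body, entry_hash=entry_digest(body))
        self.entries.append(entry)
        return entry

    def chain_intact(self) -> bool:
        # Every entry must link to its predecessor and match its own digest.
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or entry_digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify(self, document: bytes):
        """Return the registration record for this exact file, else None."""
        if not self.chain_intact():
            return None
        digest = sha256_hex(document)
        return next((e for e in self.entries if e["doc_hash"] == digest), None)

# Constructed sample input, not a real PDF.
ORIGINAL = b"%PDF-1.7\n(constructed sample contract, amount: 100)\n%%EOF\n"
MODIFIED = ORIGINAL + b"(appended text)\n"
```

Verification fails both when the file differs by a single byte and when any stored record has been edited, because the edited record no longer matches its own digest in the chain.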

Published on 28/02/2019 00:00

Sebastian Zdrojewski

System, Network and Data Security advisor for over 20 years. In 2017 he co-founded Rights Chain, a company aiming at the development of copyright and intellectual property protection and enforcement solutions.

