Changing the content of a PDF file without invalidating the digital signature is apparently possible if you manipulate the code beforehand.


E-business and e-government both commonly use digital signatures on portable document format (PDF) files to confirm the integrity of the document and the identity of its signatory. However, it now seems that this method is not infallible. A researcher at the Military Technical Academy in Bucharest, Romania has found a means of modifying the information content of a signed PDF without the signature being invalidated. What the researcher actually did was to use the structure of the document code to insert, from the outset, hidden elements which are difficult to detect. The procedure is based on a technique called the Dali Attack. An attacker can create a dual file: an original PDF, plus a TIFF image in which there are, for example, changes to a sum of money or a percentage figure. Using a ‘hex editor’, the attacker can copy the whole of the PDF content as code inside the image file. Then all he has to do is introduce the PDF tracker, which ensures that the new file is compatible with Acrobat Reader.

A dynamic file which reacts according to the software used to open the file

By manipulating the document structure, it is thus possible to establish dynamic content which will react according to the method of opening the file. If you use Acrobat, you will see the original amount of money stated in the PDF. On the other hand, if you use software for looking at images, you’ll see the ‘doctored’ amount from the TIFF file. So, by modifying the extension of the polymorphically constituted document from .TIFF to .PDF, the attacker ensures the PDF document can be read without any problems in Acrobat Reader and no syntax error will be detected. When the signatory receives the file, s/he just sees an ordinary PDF document and signs it using a software application or a smartcard. The file then takes the extension .PDF.PKCS7. All the attacker has to do is to change the new extension back to .TIFF.PKCS7 and open it with an "Image Viewer" to show the fraudulent amount. This works because the digital signature verification process does not use the document extension.

Relatively simple means of detection

The verification will not be invalidated because no file ‘bits’ have been altered and all the elements of the code were already there from the beginning. Fortunately, it’s possible to detect this type of polymorphic file. Acrobat Reader X Pro systematically rewrites documents when they are opened, taking out all previous modifications. Only the amount from the original PDF will be kept. The researcher has also created a batch file using the ImageMagick suite. This spots when a PDF document contains the parameters of a TIFF image – such as sizing or image resolution. If this is the case, it replicates the document, converts the extension to TIFF and opens it with a web browser, thus revealing the attempted fraud.
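The same idea as the detection described above can be applied before signing, by classifying a document from its bytes rather than its extension. The following is an added example, not the researcher's ImageMagick batch file: the function names, the 1024-byte search window for the PDF marker and the sample byte strings are assumptions made for illustration.

```python
import struct

TIFF_MAGICS = {b"II": "<", b"MM": ">"}  # TIFF byte-order mark -> struct endianness
PDF_MARKER = b"%PDF-"
HEADER_WINDOW = 1024  # assumption: lenient readers accept the marker within the first 1024 bytes


def tiff_header(data):
    """Return the offset of the first image directory if data starts with a TIFF header, else None."""
    if len(data) < 8 or data[:2] not in TIFF_MAGICS:
        return None
    endian = TIFF_MAGICS[data[:2]]
    magic, ifd_offset = struct.unpack(endian + "HI", data[2:8])
    return ifd_offset if magic == 42 else None


def classify(data):
    """Classify content by its bytes, ignoring whatever extension the file carries."""
    pdf_at = data[:HEADER_WINDOW].find(PDF_MARKER)
    is_tiff = tiff_header(data) is not None
    if is_tiff and pdf_at != -1:
        return "polyglot-tiff-pdf"      # opens as either format, depending on the viewer
    if pdf_at == 0:
        return "pdf"
    if pdf_at > 0:
        return "pdf-with-leading-data"  # something precedes the PDF marker
    if is_tiff:
        return "tiff"
    return "unknown"


def safe_to_sign(data):
    """Hypothetical signing policy: accept only content that is a PDF from byte 0."""
    return classify(data) == "pdf"


# Constructed sample inputs: header bytes only, not valid documents of either format.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n"
SAMPLE_TIFF = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16
SAMPLE_DUAL = b"II*\x00\x00\x02\x00\x00" + b"%PDF-1.4\n" + b"\x00" * 600

if __name__ == "__main__":
    for name, blob in [("pdf", SAMPLE_PDF), ("tiff", SAMPLE_TIFF), ("dual", SAMPLE_DUAL)]:
        print(name, classify(blob), "sign" if safe_to_sign(blob) else "reject")
```

Running the check on the exact bytes that will be hashed for the signature matters, since the signature covers those bytes and not the file name.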