{"id":33827,"date":"2020-02-28T16:49:42","date_gmt":"2020-02-28T21:49:42","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=33827"},"modified":"2020-09-02T12:24:10","modified_gmt":"2020-09-02T16:24:10","slug":"36c3-pdf-encryption","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/36c3-pdf-encryption\/33827\/","title":{"rendered":"Can you read an encrypted PDF?"},"content":{"rendered":"<p>According to the file format\u2019s specifications, PDF supports encryption, using the AES algorithm with Cipher Block Chaining encryption mode. Therefore \u2014 at least, in theory \u2014 whoever encrypts a PDF file can be sure that only someone who has the password can see what\u2019s in the file. Continuing the study of <a href=\"https:\/\/www.kaspersky.com\/blog\/36c3-pdf-digital-signature\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">PDF security<\/a>, a team of researchers from several German universities tested how reliable the encryption implementation in this format is. Fabian Ising of M\u00fcnster University of Applied Sciences presented their conclusions \u2014 and they were disappointing.<\/p>\n<p>In theory, companies use encrypted PDFs to transfer data through an unsecured or untrusted channel \u2014 for example, to upload a file to cloud storage that many people have access to. The researchers were looking for a way to modify the source file such that when the password was entered, the information in the PDF was sent to a third party, but without making any changes visible to the recipient.<\/p>\n<p>The researchers developed two attack concepts that let them give a third party access to the encrypted content. Furthermore, the first attack (direct exfiltration) does not require any special cryptography skills \u2014 only an understanding of the PDF format specifications. The researchers called it \u201chacking cryptography without touching cryptography.\u201d The second attack, called a <em>malleability attack<\/em>, is more complicated and requires an understanding of Cipher Block Chaining mode.<\/p>\n<h2>Who uses encrypted PDFs, and why?<\/h2>\n<p>Businesses find many uses for encrypted PDFs.<\/p>\n<ul>\n<li>Banks use them for confidentiality when exchanging documents with customers.<\/li>\n<li>MFPs may accept scanned documents by e-mail, password-protecting PDFs if the sender selects the \u201cin encrypted form\u201d option.<\/li>\n<li>Medical diagnostic devices use secure PDFs to send test results to patients or medics.<\/li>\n<li>Government agencies such as the US Department of Justice accept incoming documents as encrypted PDFs.<\/li>\n<\/ul>\n<p>A number of e-mail application plugins provide the ability to send a document as an encrypted PDF, so a demand for the option clearly exists.<\/p>\n<h2>Direct exfiltration attack<\/h2>\n<p>Encrypting a PDF file encrypts the content only (i.e., objects in the file, which are characterized as either strings or streams). The remaining objects, determining the structure of the document, remain unencrypted. In other words, you can still find out the number and size of pages, objects, and links. That information should not be left to potential attackers, who can use it to engineer a way to circumvent the encryption.<\/p>\n<p>The researchers wondered first if they could add their own information to the file \u2014 in theory that could allow them to invent an exfiltration channel. They learned from the format documentation that PDFs allow granular control over encryption such that, for example, you can encrypt only objects of type \u201cstring\u201d or only objects of type \u201cstream,\u201d leaving other content unencrypted.<\/p>\n<p>Moreover, no integrity checks are implemented, so if you add something to an encrypted document, users won\u2019t be alerted. That \u201csomething\u201d might include a submit-form action function, which means you could embed a form in a PDF file that sends data \u2014 for example, the entire contents of the document \u2014 to a third party. The function can be tied to an action such as opening the document, too.<\/p>\n<p>The above is simply one example of exfiltration, but options abound. Attackers might place a simple link to their site with the entire contents of the file added to the URL. Or they could use JavaScript to send the decrypted contents anywhere. Of course, some PDF readers double-check with the user before communicating with a website, but not all of them \u2014 and not every user will think before allowing it.<\/p>\n<h2>Malleability attack<\/h2>\n<p>The second attack on PDF encryption employs a known drawback of Cipher Block Chaining (CBC) mode, which lacks integrity control. The essence of this well-known attack is that an attacker who knows part of the plain-text information that was encrypted can change the contents of a block.<\/p>\n<p>However, according to the PDF format specifications, each time content in a PDF file is encrypted, it also encrypts different permissions (for example, giving the author the ability to edit the document and denying a simple reader the ability to do so). In theory, that was done to prevent attackers from tampering with permissions, which are encrypted with the same AES key as the rest of the document.<\/p>\n<p>At the same time, \u00a0those permissions are also stored in the file in unencrypted form. That means by default attackers know what 12 bytes of the file are, and as a result, they can tamper with Cipher Block Chaining to target and manipulate encrypted data, for example, adding the data exfiltration mechanism to the encrypted file to send the contents of the file to a third-party site.<\/p>\n<h2>Results<\/h2>\n<p>The researchers tested their methods on 23 PDF readers and 4 browsers. They found each of them at least partially vulnerable to at least one of these attacks.<\/p>\n<div id=\"attachment_33831\" style=\"width: 1377px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/02\/28164344\/36C3-PDF-encryption-table.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-33831\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/02\/28164344\/36C3-PDF-encryption-table.jpg\" alt=\"Summary table of vulnerabilities of PDF viewers. Source: https:\/\/media.ccc.de\/v\/36c3-10832-how_to_break_pdfs\" width=\"1367\" height=\"782\" class=\"size-full wp-image-33831\"><\/a><p id=\"caption-attachment-33831\" class=\"wp-caption-text\">Summary table of vulnerabilities of PDF viewers. <a href=\"https:\/\/media.ccc.de\/v\/36c3-10832-how_to_break_pdfs\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Source<\/a>.<\/p><\/div>\n<p>Unfortunately, no client-side solution can fully mitigate the format\u2019s weakness. It is not possible to block all exfiltration channels without crippling the format. The researchers contacted software developers and reported the problems, and some of the companies, including Apple, tried to help by emphasizing notifications that the file was accessing a third-party site. Others said they\u2019d tried but couldn\u2019t \u201cfix the unfixable.\u201d<\/p>\n<p>Our recommendation if you need to transmit confidential data is to use an alternative method of securing that information. For example, you can use <a href=\"https:\/\/www.kaspersky.com\/small-business-security\/small-office-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksos___\" target=\"_blank\" rel=\"noopener nofollow\">our solutions<\/a> to create encrypted containers.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"ksos-generic\">\n","protected":false},"excerpt":{"rendered":"<p>Researcher Fabian Ising, speaking at the Chaos Communication Congress, showed the limits of PDF encryption\u2019s strength.<\/p>\n","protected":false},"author":700,"featured_media":33828,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[3616,2800,2802,597,261,390],"class_list":{"0":"post-33827","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-36c3","10":"tag-ccc","11":"tag-chaos-communication-congress","12":"tag-cryptography","13":"tag-encryption","14":"tag-pdf"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/36c3-pdf-encryption\/33827\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/36c3-pdf-encryption\/19448\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/36c3-pdf-encryption\/16068\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/36c3-pdf-encryption\/21082\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/36c3-pdf-encryption\/19357\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/36c3-pdf-encryption\/17840\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/36c3-pdf-encryption\/22010\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/36c3-pdf-encryption\/20769\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/36c3-pdf-encryption\/26391\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/36c3-pdf-encryption\/7856\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/36c3-pdf-encryption\/14420\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/36c3-pdf-encryption\/14513\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/36c3-pdf-encryption\/13128\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/36c3-pdf-encryption\/23177\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/36c3-pdf-encryption\/11179\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/36c3-pdf-encryption\/27784\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/36c3-pdf-encryption\/25075\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/36c3-pdf-encryption\/21019\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/36c3-pdf-encryption\/26979\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/36c3-pdf-encryption\/26818\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/36c3\/","name":"36c3"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/33827","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=33827"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/33827\/revisions"}],"predecessor-version":[{"id":35517,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/33827\/revisions\/35517"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/33828"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=33827"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=33827"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=33827"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}