How to Break PDF Encryption
Jens Müller1, Fabian Ising 2, Vladislav Mladenov1, 1 Ruhr University Bochum Christian Mainka1, Sebastian Schinzel2, Jörg Schwenk2 2 Münster University of Applied Sciences PDFex
• Attack with a logo • Novel attack techniques targeting PDF encryption – Direct exfiltration – Malleability gadgets
2 Overview
1. Introduction 2. Attacker Model 3. Direct Exfiltration 4. Malleability Gadgets 5. Evaluation 6. Mitigation
3 Portable Document Format
“De facto standard for electronic exchange of documents” -- Adobe
FIRST VERSION RELEASED IN 250 BILLION 1993 PDF DOCUMENTS OPENED IN 2018 BY ADOBE USED BY ~99% PDF-2.0 COMPANIES AND GOVERNMENTAL RELEASED IN 2017, INSTITUTIONS WORLDWIDE LATEST VERSION BY ISO
4 PDF has become rather popular
5 Almost as popular as the Queen!
6 Portable Document Format
“De facto standard for electronic exchange of documents” -- Adobe
FIRST VERSION RELEASED IN 250 BILLION PDF DOCUMENTS OPENED IN 2018 1993 SUPPORTS BY ADOBE USED BY AES ~99% ENCRYPTION PDF-2.0 COMPANIES AND GOVERNMENTAL RELEASED IN 2017, INSTITUTIONS WORLDWIDE LATEST VERSION BY ISO
7 Portable Document Format
“De facto standard for electronic exchange of documents” -- Adobe
AES is good. SUPPORTS AES Nothing can go wrong. ENCRYPTION
7
Who uses PDF Encryption? Source: Kreissparkasse Stade
8 Who uses PDF Encryption?
Source: Encryptomatic LCC
9
Who uses PDF Encryption? Source: Sharp Corporation
10
Who uses PDF Encryption?
Justice
of Source: US Department
11 Overview
1. Introduction 2. Attacker Model 3. Direct Exfiltration 4. Malleability Gadgets 5. Evaluation 6. Mitigation
12 Attacker Model
Alice Bob
13 Attacker Model
Storage
14 Attacker Model
15 Attacker Model
15 Attacker Model
15 Attacker Model
Password: ******
15 Overview
1. Introduction 2. Attacker Model 3. Direct Exfiltration 4. Malleability Gadgets 5. Evaluation 6. Mitigation
16 PDF Encryption in a Nutshell
17 Gaps in PDF Encryption
18 Gaps in PDF Encryption
• Document structure is unencrypted! –Only strings and streams are encrypted • Reveals a lot information –Number/size of pages/objects/links/…
18 Gaps in PDF Encryption
19 Gaps in PDF Encryption
• Support for partial encryption! • Attacker‘s content can be mixed with actually encrypted content
We found 18 different techniques!
19 2021 Simple Content Overlay
• We can add new content to encrypted PDF files • Fair enough, protects confidentiality, not integrity • Can we do more, e.g. targeted manipulations?
21 Direct Exfiltration
Can we somehow exfiltrate the plaintext?
22 Direct Exfiltration
23 Direct Exfiltration through PDF Forms
24 Direct Exfiltration through PDF Forms
24 25 Direct Exfiltration via Hyperlinks
26 Direct Exfiltration with JavaScript
27 Overview
1. Introduction 2. Attacker Model 3. Direct Exfiltration 4. Malleability Gadgets 5. Evaluation 6. Mitigation
29 PDF Encryption - History
Specification Algorithm/Key Length Key derivation Integrity Protection State
PDF 1.1 - 1.3 RC4 40-bit Object Level Deprecated PDF 1.4 RC4 128-bit Object Level Deprecated PDF 1.5 RC4 128-bit Object Level Deprecated PDF 1.6 and 1.7 AES-CBC 128-bit Object Level PDF 1.7 EL 3 AES-CBC 256-bit Document Level Deprecated PDF 1.7 EL 8 AES-CBC 256-bit Document Level
30 PDF Encryption - History
Specification Algorithm/Key Length Key derivation State
PDF 1.1 - 1.3 RC4 40-bit Object Level Deprecated PDF 1.4 RC4 128-bit Object Level Deprecated PDF 1.5 RC4 128-bit Object Level Deprecated PDF 1.6 and 1.7 AES-CBC 128-bit Object Level PDF 1.7 EL 3 AES-CBC 256-bit Document Level Deprecated PDF 1.7 EL 8 AES-CBC 256-bit Document Level
31 CBC Gadgets
Haven‘t we seen this somewhere before?
32 Malleability Gadgets
Ciphertext Malleability
Known Plaintext
Exfiltration Channel
34 Malleability Gadgets
퐼푉 퐶0 퐶1
Decryption Decryption
BT\n/F1 22 Tf\n 70 750 Td 푃0 푃1 35 Malleability Gadgets
퐼푉′ 퐶0 퐶1
Decryption Decryption
ZT\n/F1 22 Tf\n 70 750 Td ′ 푃0 푃1 36 Malleability GadgetsCBC Malleability Gadget 퐼푉⊕푃0 퐶0 퐶1
Decryption Decryption
00 00 00 00 00 00 00 00 70 750 Td 푃0⨁푃0 푃1 37 Malleability GadgetsCBC Malleability
퐼푉⊕푃0⊕푃푐 퐶0 퐶1
Decryption Decryption
(http://p.df/ 70 750 Td 푃푐 푃1 38 Malleability GadgetsCBC Malleability
퐶푛−1 퐼푉⊕푃0⊕푃푐 퐶0
Decryption Decryption Decryption
70 750 Td Random (http://p.df/ 푃푛−1 푃퐶 39 Prerequisites
Ciphertext Malleability
Known Plaintext
Exfiltration Channel
40 Known Plaintext
known plaintext by design
41 Known Plaintext
Document wide Key
42 Add Encrypt permissions them to to the PDF prevent Format tampering
Known Known plaintext is plaintext is available to available to attackers! attackers! 43 Malleability Gadgets
Ciphertext Malleability
Known Plaintext
Exfiltration Channel
44 Gadget Attacks
• 12 Bytes of known plaintext are enough to • Change displayed text stream BT % 20 (4 + 16) random bytes (This ) Tj% 20 random bytes (is in) Tj% 20 random bytes (jecte) Tj% 20 random bytes (d!!!) Tj% 20 random bytes ET % 20 random bytes endstream
45 Gadget Attacks
• 12 Bytes of known plaintext are enough to • Change displayed text stream BT % 20 (4 + 16) random bytes (This ) Tj% 20 random bytes (is in) Tj% 20 random bytes (jecte) Tj% 20 random bytes (d!!!) Tj% 20 random bytes ET % 20 random bytes endstream
46 Gadget Attacks
• 12 Bytes of known plaintext are enough to • Change displayed text • Define a new form submit URL 1 0 obj << /Type /Catalog /AcroForm << /Fields [<< /T (x) /V 2 0 R >>] >> /OpenAction << /S /SubmitForm /F
2 0 obj stream [encrypted data] % content to exfiltrate endstream endobj 47 48 Gadget Attacks
• 12 Bytes of known plaintext are enough to • Change displayed text • Define a new form submit URL • Prepend URLs to existing plaintext 2 0 obj
http://p.df/[20 bytes random]Confidential plaintext!
49 Gadget Attacks - Issues
• Gadgets are short (12 bytes) • Short URLs • Random Bytes
• Compressed plaintexts are harder to exfiltrate • Breaks URL encoders • Pre- and appending to compressed plaintexts is complicated
50 Compression – Friend or Foe
2 0 obj << /Type /ObjStm /N 1 /First 65 /Length ... >> stream
(http://p.df/Decompressed Confidential content endstream endobj
54 Overview
1. Introduction 2. Attacker Model 3. Direct Exfiltration 4. Malleability Gadgets 5. Evaluation 6. Mitigation
55 Platform Application Direct Exfiltration Malleability Gadgets Acrobat Reader DC ● ◐ Foxit Reader ◐ ◐ PDF-XChange Viewer ● ◐ Perfect PDF Reader ● ● Evaluation results PDF Studio Viewer ● ● ● Exfiltration (no user interaction) Nitro Reader ● ● Acrobat Pro DC ● ◐ ◐ Exfiltration (with user interaction) Foxit PhantomPDF ◐ ◐ ○ No exfiltration / not vulnerable PDF-XChange Editor ● ◐ Windows Perfect PDF Premium ● ● PDF Studio Pro ● ● Nitro Pro ● ● Nuance Power PDF ● ◐ iSkysoft PDF Editor ◐ ◐ Master PDF Editor ● ● Soda PDF Desktop ◐ ◐ PDF Architect ◐ ◐ PDFelement ◐ ◐ Preview ○ ◐ macOS Skim ○ ◐ Evince ◐ ◐ Linux Okular ◐ ◐ MuPDF ◐ ◐ Chrome ● ● Firefox ○ ◐ Web Safari ○ ◐ Opera ● ● 56 Platform Application Direct Exfiltration Malleability Gadgets Acrobat Reader DC ● ◐ Foxit Reader ◐ ◐ PDF-XChange Viewer ● ◐ Perfect PDF Reader ● ● Evaluation results PDF Studio Viewer ● ● ● Exfiltration (no user interaction) Nitro Reader ● ● Acrobat Pro DC ● ◐ ◐ Exfiltration (with user interaction) Foxit PhantomPDF ◐ ◐ ○ No exfiltration / not vulnerable PDF-XChange Editor ● ◐ Windows Perfect PDF Premium ● ● PDF Studio Pro ● ● Nitro Pro ● ● Nuance Power PDF ● ◐ iSkysoft PDF Editor ◐ ◐ Master PDF Editor ● ● Soda PDF Desktop ◐ ◐ PDF Architect ◐ ◐ PDFelement ◐ ◐ Preview ○ ◐ macOS Skim ○ ◐ Evince ◐ ◐ Linux Okular ◐ ◐ MuPDF ◐ ◐ Chrome ● ● Firefox ○ ◐ Web Safari ○ ◐ Opera ● ● 56 Overview
1. Introduction 2. Attacker Model 3. Direct Exfiltration 4. Malleability Gadgets 5. Evaluation 6. Mitigation
57 Signatures
• Signed PDFs should prevent the attack, right?
58 Signatures
• Signed PDFs should prevent the attack, right?
WRONG: 1. Do not prevent opening 2. Can be stripped 3. Can be forged
58 Closing Backchannels
• Close all exfiltration channels! • Hard to do! • How do you even find all of them in a ca. 800 pages standard?
• Should we really remove … • Forms • Hyperlinks • JavaScript (okay, maybe that one)
• Ask the user before connecting to a server
59 Short Term Mitigation
Apple:
Google:
60 Mitigation
• Against wrapping attacks: • Deprecate partial encryption • Short term: Disallow access from unencrypted to encrypted objects
• Against CBC Gadget attacks: • Use authenticated encryption • Be careful of downgrade attacks
61 Mitigation
“This• Against has wrapping been escalated attacks: to the ISO working group • Deprecate partial encryption on• CryptoShort term: and Disallow Signatures access from and unencrypted will be totaken encrypted up objectsin the next revision of the PDF Spec.” • Against CBC Gadget attacks: • Use authenticated encryption • Be careful of downgrade attacks - Adobe
62 Black Hat Sound Bytes
• PDF documents allow for partial encryption • PDF uses legacy crypto (Unauthenticated CBC) • PDF is a data format that can "exfiltrate itself"
Thank you! ▪ team@pdf-insecurity.org Questions? ▪ https://pdf-insecurity.org
63