[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:19.48,Default,,0000,0000,0000,,{\i1}36c3 preroll music{\i0}
Dialogue: 0,0:00:19.48,0:00:25.09,Default,,0000,0000,0000,,Herald: The next talk is on how to break\NPDF's, breaking the encryption and the
Dialogue: 0,0:00:25.09,0:00:32.91,Default,,0000,0000,0000,,signatures, by Fabian Ising and Vladislav\NMladenov. Their talk was accepted at CCS
Dialogue: 0,0:00:32.91,0:00:37.75,Default,,0000,0000,0000,,this year in London and they had that in\NNovember. It comes from research that
Dialogue: 0,0:00:37.75,0:00:43.66,Default,,0000,0000,0000,,basically produced two different kinds of\Npapers and it has been... people worldwide
Dialogue: 0,0:00:43.66,0:00:47.54,Default,,0000,0000,0000,,have been interested in what has been\Ngoing on. Please give them a great round
Dialogue: 0,0:00:47.54,0:00:51.76,Default,,0000,0000,0000,,of applause and welcome them to the stage.
Dialogue: 0,0:00:51.76,0:00:59.15,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:00:59.15,0:01:11.59,Default,,0000,0000,0000,,Vladi: So can you hear me? Yeah. Perfect.\NOK. Now you can see the slides. My name is
Dialogue: 0,0:01:11.59,0:01:15.22,Default,,0000,0000,0000,,Vladislav Mladenov, or just Vladi if you\Nhave some questions to me and this is
Dialogue: 0,0:01:15.22,0:01:20.67,Default,,0000,0000,0000,,Fabian. And we are allowed today to talk\Nabout how to break PDF security or more
Dialogue: 0,0:01:20.67,0:01:28.23,Default,,0000,0000,0000,,special about how to break the\Ncryptography operations in PDF files. We
Dialogue: 0,0:01:28.23,0:01:36.59,Default,,0000,0000,0000,,are a large team from university of\NBochum, Mue nster and Hackmanit GmbH. So as
Dialogue: 0,0:01:36.59,0:01:46.16,Default,,0000,0000,0000,,I mentioned: We will talk about\Ncryptography and PDF files. Does it work?
Dialogue: 0,0:01:46.16,0:01:57.72,Default,,0000,0000,0000,,Fabian: All right. OK. Let's try that\Nagain. Okay.
Dialogue: 0,0:01:57.72,0:02:02.07,Default,,0000,0000,0000,,Vladi: Perfect. This talk will consist of\Ntwo parts. The first part is about
Dialogue: 0,0:02:02.07,0:02:07.83,Default,,0000,0000,0000,,digitally signed PDF files and how can we\Nrecognize such files? If we open them we
Dialogue: 0,0:02:07.83,0:02:16.23,Default,,0000,0000,0000,,see the information regarding that the\Nfile was signed and all verification
Dialogue: 0,0:02:16.23,0:02:20.69,Default,,0000,0000,0000,,procedures were valid. And more\Ninformation regarding the signature
Dialogue: 0,0:02:20.69,0:02:27.22,Default,,0000,0000,0000,,validation panel and information about who\Nsigned this file. This is the first part
Dialogue: 0,0:02:27.22,0:02:35.66,Default,,0000,0000,0000,,of the talk and I will present this topic.\NAnd the second part is regarding PDF
Dialogue: 0,0:02:35.66,0:02:41.28,Default,,0000,0000,0000,,encrypted files and how can we recognize\Nsuch files? If you tried to open such
Dialogue: 0,0:02:41.28,0:02:47.08,Default,,0000,0000,0000,,files, the first thing you see is the\Npassword prompt. And after entering the
Dialogue: 0,0:02:47.08,0:02:51.80,Default,,0000,0000,0000,,correct password, the file is decrypted\Nand you can read the content within this
Dialogue: 0,0:02:51.80,0:02:57.72,Default,,0000,0000,0000,,file. If you open it with Adobe,\Nadditional information regarding if this
Dialogue: 0,0:02:57.72,0:03:04.42,Default,,0000,0000,0000,,file is secured or not is displayed\Nfurther. And this is the second part of
Dialogue: 0,0:03:04.42,0:03:11.65,Default,,0000,0000,0000,,our talk, and Fabian, will talk: how can\Nwe break the PDA encryption? So before we
Dialogue: 0,0:03:11.65,0:03:19.45,Default,,0000,0000,0000,,start with the attacks on signatures or\Nencryption, we first need some basics. And
Dialogue: 0,0:03:19.45,0:03:22.70,Default,,0000,0000,0000,,after six slides, you will be experts\Nregarding PDF files and you will
Dialogue: 0,0:03:22.70,0:03:28.82,Default,,0000,0000,0000,,understand everything about it. But maybe\Nit's a little bit boring, so be patient:
Dialogue: 0,0:03:28.82,0:03:34.83,Default,,0000,0000,0000,,there are only 6 slides. So the first is\Nquite easy. PDF files are... the first
Dialogue: 0,0:03:34.83,0:03:42.25,Default,,0000,0000,0000,,specification was in 1993 and almost at\Nthe beginning PDF cryptography operations
Dialogue: 0,0:03:42.25,0:03:48.92,Default,,0000,0000,0000,,like signatures and encryption was already\Nthere. The last version is PDF 2.0 and it
Dialogue: 0,0:03:48.92,0:03:57.61,Default,,0000,0000,0000,,was released in 2017. And according to\NAdobe 1.6 billion files are on the web and
Dialogue: 0,0:03:57.61,0:04:06.14,Default,,0000,0000,0000,,perhaps more exchange beyond the web. So\Nbasically PDF files are everywhere. And
Dialogue: 0,0:04:06.14,0:04:11.79,Default,,0000,0000,0000,,that's the reason why we consider this\Ntopic and tried to find or to analyze the
Dialogue: 0,0:04:11.79,0:04:19.73,Default,,0000,0000,0000,,security of the features. If we have some\Nvery simple file and we open it with Adobe
Dialogue: 0,0:04:19.73,0:04:25.39,Default,,0000,0000,0000,,Reader, the first thing we see is, of\Ncourse, the content. "Hello, world!" in
Dialogue: 0,0:04:25.39,0:04:32.06,Default,,0000,0000,0000,,this case, and additional information\Nregarding the focused page and how many
Dialogue: 0,0:04:32.06,0:04:39.63,Default,,0000,0000,0000,,pages this document has. But what would\Nhappen if we don't use a PDF viewer and
Dialogue: 0,0:04:39.63,0:04:48.21,Default,,0000,0000,0000,,just use some text editor? We use the\NNotepad++ to open and later manipulate the
Dialogue: 0,0:04:48.21,0:04:56.40,Default,,0000,0000,0000,,files. So I will zoom this thing... this\Nfile. And the first thing we see is that
Dialogue: 0,0:04:56.40,0:05:04.50,Default,,0000,0000,0000,,we can read it. Perhaps it's quite, quite\Nfunny. And but we can still extract some
Dialogue: 0,0:05:04.50,0:05:10.91,Default,,0000,0000,0000,,information of this file. For example,\Nsome information regarding the pages. And
Dialogue: 0,0:05:10.91,0:05:19.74,Default,,0000,0000,0000,,here you can see the information that the\NPDF file consists of one page. But more
Dialogue: 0,0:05:19.74,0:05:27.35,Default,,0000,0000,0000,,interesting is that we can see the\Ncontent of the file itself. So the lessons
Dialogue: 0,0:05:27.35,0:05:34.96,Default,,0000,0000,0000,,we learned is that we can use a simple\Ntext editor to view and edit PDF files.
Dialogue: 0,0:05:34.96,0:05:43.90,Default,,0000,0000,0000,,And for our attacks, we used only this\Ntext editor. So let's go to the details.
Dialogue: 0,0:05:43.90,0:05:51.56,Default,,0000,0000,0000,,How PDF files are structured and how they\Nare processed. PDF files consist of 4
Dialogue: 0,0:05:51.56,0:05:59.17,Default,,0000,0000,0000,,parts: header, body and body is the most\Nimportant part of the PDF files. The body
Dialogue: 0,0:05:59.17,0:06:03.82,Default,,0000,0000,0000,,contains the entire information presented\Nto the user. And 2 other sections: Xref
Dialogue: 0,0:06:03.82,0:06:11.49,Default,,0000,0000,0000,,section and trailer. Very important think\Nabout processing PDF files, is that
Dialogue: 0,0:06:11.49,0:06:18.02,Default,,0000,0000,0000,,they're processed not from the top to the\Nbottom, but from the bottom to the top. So
Dialogue: 0,0:06:18.02,0:06:23.70,Default,,0000,0000,0000,,the first thing is that the PDF viewer\Nanalyses or processes is the trailer. So
Dialogue: 0,0:06:23.70,0:06:28.98,Default,,0000,0000,0000,,let's start doing that. What information\Nis starting this trailer? Basically, there
Dialogue: 0,0:06:28.98,0:06:35.54,Default,,0000,0000,0000,,are two very important informations. On\Nthe first side this is the information:
Dialogue: 0,0:06:35.54,0:06:41.41,Default,,0000,0000,0000,,what is the root element of this PDF? So\Nwhich is the first object which will be
Dialogue: 0,0:06:41.41,0:06:47.86,Default,,0000,0000,0000,,processed? And the second important\Ninformation is where the Xref section
Dialogue: 0,0:06:47.86,0:06:54.00,Default,,0000,0000,0000,,starts. It's just a byte offset pointing\Nto the position of the XRef section within
Dialogue: 0,0:06:54.00,0:07:00.20,Default,,0000,0000,0000,,the PDF file. So this pointer, as\Nmentioned before, points to the Xref
Dialogue: 0,0:07:00.20,0:07:05.71,Default,,0000,0000,0000,,section. But what is the Xref section\Nabout? The Xref section is a catalog
Dialogue: 0,0:07:05.71,0:07:11.18,Default,,0000,0000,0000,,pointing or holding the information where\Nthe objects defined in the body are
Dialogue: 0,0:07:11.18,0:07:18.74,Default,,0000,0000,0000,,contained or the byte positions of this\Nobject. So how can we read this weird Xref
Dialogue: 0,0:07:18.74,0:07:25.54,Default,,0000,0000,0000,,section? The first information we extract\Nis that the first object, which is defined
Dialogue: 0,0:07:25.54,0:07:34.61,Default,,0000,0000,0000,,here, is the object with ID 0 and we have\N5 further elements or objects which are
Dialogue: 0,0:07:34.61,0:07:41.09,Default,,0000,0000,0000,,defined. So the first object is here. The\Nfirst entry is the byte position within
Dialogue: 0,0:07:41.09,0:07:46.61,Default,,0000,0000,0000,,the file. The second is its generation\Nnumber. And the last charter points, if
Dialogue: 0,0:07:46.61,0:07:53.20,Default,,0000,0000,0000,,this object is used or not used. So\Nreading it, reading this Xref section, we
Dialogue: 0,0:07:53.20,0:08:00.59,Default,,0000,0000,0000,,extract the information that the object\Nwith ID 0 is at byte position 0 and is not
Dialogue: 0,0:08:00.59,0:08:08.65,Default,,0000,0000,0000,,in use. So the object with ID 1 is at the\Nposition 9 and so on and so forth. So for
Dialogue: 0,0:08:08.65,0:08:18.37,Default,,0000,0000,0000,,the object with ID 4 and the object number\Ncomes from counting it: 0 1, 2, 3 and 4.
Dialogue: 0,0:08:18.37,0:08:29.43,Default,,0000,0000,0000,,So the object with ID 4 can be found at\Nthe offset 184 and it's in use. In other
Dialogue: 0,0:08:29.43,0:08:35.45,Default,,0000,0000,0000,,words, the PDF viewer knows where each\Nobject will be found and can properly
Dialogue: 0,0:08:35.45,0:08:42.33,Default,,0000,0000,0000,,display it and process it. Now we come to\Nthe most important part: the body, and I
Dialogue: 0,0:08:42.33,0:08:48.81,Default,,0000,0000,0000,,mentioned it that in the body the entire\Ncontent which is presented to the user is
Dialogue: 0,0:08:48.81,0:08:58.22,Default,,0000,0000,0000,,contained. So let's see. Object 4 0 is\Nthis one and as you can see, it contains
Dialogue: 0,0:08:58.22,0:09:04.87,Default,,0000,0000,0000,,the word "Hello World". The other objects\Nare a reference, too. So each pointer
Dialogue: 0,0:09:04.87,0:09:10.12,Default,,0000,0000,0000,,points exactly to the starting position of\Neach of the objects. And how can we read
Dialogue: 0,0:09:10.12,0:09:15.91,Default,,0000,0000,0000,,this object? You see, we have an object\Nstarting with the ID number, then the
Dialogue: 0,0:09:15.91,0:09:24.100,Default,,0000,0000,0000,,generation number and the word "obj". So\Nyou now know where the object starts
Dialogue: 0,0:09:24.100,0:09:32.26,Default,,0000,0000,0000,,and when it ends. Now how can we process\Nthis body? As I mentioned before in the
Dialogue: 0,0:09:32.26,0:09:40.97,Default,,0000,0000,0000,,trailer, there was a reference regarding\Nthe root element and this element was with
Dialogue: 0,0:09:40.97,0:09:48.77,Default,,0000,0000,0000,,ID 1 and generation number 0. So, we now\Nwe start reading the document here and we
Dialogue: 0,0:09:48.77,0:09:55.91,Default,,0000,0000,0000,,have a catalog and a reference to some\Npages. Pages is just a description of all
Dialogue: 0,0:09:55.91,0:10:02.89,Default,,0000,0000,0000,,the pages contained within the file. And\Nwhat can we see here is that we have this
Dialogue: 0,0:10:02.89,0:10:09.78,Default,,0000,0000,0000,,number count once or we have only one page\Nand a reference to the page object which
Dialogue: 0,0:10:09.78,0:10:15.17,Default,,0000,0000,0000,,contains the entire information\Ninscription of the page. If we have
Dialogue: 0,0:10:15.17,0:10:22.23,Default,,0000,0000,0000,,multiple pages, then we will have here\Nmultiple elements. Then we have one page.
Dialogue: 0,0:10:22.23,0:10:29.85,Default,,0000,0000,0000,,And here we have the contents, which is a\Nreference to the string we already saw.
Dialogue: 0,0:10:29.85,0:10:35.14,Default,,0000,0000,0000,,Perfect. If you understand this then you\Nknow everything or almost everything about
Dialogue: 0,0:10:35.14,0:10:39.36,Default,,0000,0000,0000,,PDF files. Now you can just use your\Neditor and open such files and analyze
Dialogue: 0,0:10:39.36,0:10:50.31,Default,,0000,0000,0000,,them. Then we need one feature... I forgot\Nthe last part. The most simple one. The
Dialogue: 0,0:10:50.31,0:10:56.13,Default,,0000,0000,0000,,header. It should just one line stating\Nwhich version is used. For example, in our
Dialogue: 0,0:10:56.13,0:11:04.78,Default,,0000,0000,0000,,case, 1.4. For the last version of Adobe\Nhere will be stated 2.0. Now, we need this
Dialogue: 0,0:11:04.78,0:11:13.70,Default,,0000,0000,0000,,one feature called "Incremental Update".\NAnd I call this feature - do you know this
Dialogue: 0,0:11:13.70,0:11:19.63,Default,,0000,0000,0000,,feature highlighting something in the PDF\Nfile or putting some sticky notes?
Dialogue: 0,0:11:19.63,0:11:24.12,Default,,0000,0000,0000,,Technically, it's called "incremental\Nupdate." I just call it reviewing master
Dialogue: 0,0:11:24.12,0:11:30.68,Default,,0000,0000,0000,,and bachelor thesis of my students because\Nthis is exactly the procedure I follow. I
Dialogue: 0,0:11:30.68,0:11:38.10,Default,,0000,0000,0000,,just read the text and highlight something\Nand store the information I put at it.
Dialogue: 0,0:11:38.10,0:11:46.97,Default,,0000,0000,0000,,Technically by putting such a sticky note.\Nthis additional information is appended
Dialogue: 0,0:11:46.97,0:11:53.16,Default,,0000,0000,0000,,after the end of the file. So we have a\Nbody update which contains exactly the
Dialogue: 0,0:11:53.16,0:12:01.37,Default,,0000,0000,0000,,information additionally of the new\Nobjects and of course, new Xref section
Dialogue: 0,0:12:01.37,0:12:15.61,Default,,0000,0000,0000,,and a new trailer pointing to this new\Nobject. Okay, we are done. Considering
Dialogue: 0,0:12:15.61,0:12:23.86,Default,,0000,0000,0000,,incremental update, we saw that it is used\Nmainly for sticky notes or highlighting.
Dialogue: 0,0:12:23.86,0:12:29.68,Default,,0000,0000,0000,,But we observed something which is very\Nimportant because an incremental update we
Dialogue: 0,0:12:29.68,0:12:36.93,Default,,0000,0000,0000,,can redefine existing objects, for\Nexample, we can redefine the object with
Dialogue: 0,0:12:36.93,0:12:45.73,Default,,0000,0000,0000,,ID 4 and put new content. So we replace in\Nthis manner the word "Hello World" with
Dialogue: 0,0:12:45.73,0:12:51.70,Default,,0000,0000,0000,,another sentence and of course the Xref\Nsection and the trailer point to this new
Dialogue: 0,0:12:51.70,0:13:00.10,Default,,0000,0000,0000,,object. So this is very important. With\Nincremental update we are not stuck to
Dialogue: 0,0:13:00.10,0:13:06.22,Default,,0000,0000,0000,,only adding some highlighting or notes. We\Ncan redefine already existing content and
Dialogue: 0,0:13:06.22,0:13:14.40,Default,,0000,0000,0000,,perhaps we need this for the attacks we\Nwill present. So let's talk about PDF
Dialogue: 0,0:13:14.40,0:13:23.34,Default,,0000,0000,0000,,signatures. First, we need a difference\Nbetween electronic signature and digital
Dialogue: 0,0:13:23.34,0:13:28.70,Default,,0000,0000,0000,,signature. Electronic signature. From a\Ntechnical point of view, it's just an
Dialogue: 0,0:13:28.70,0:13:36.37,Default,,0000,0000,0000,,image. I just wrote it on my PC and put it\Ninto the file. There is no cryptographic
Dialogue: 0,0:13:36.37,0:13:40.89,Default,,0000,0000,0000,,protection. It could be me lying on the\Nbeach doing something. From cryptographic
Dialogue: 0,0:13:40.89,0:13:45.51,Default,,0000,0000,0000,,point of view is the same. It does not\Nprovide any security, any cryptographic
Dialogue: 0,0:13:45.51,0:13:52.74,Default,,0000,0000,0000,,security. What we will talk about here is\Nabout digitally signed files, so if you
Dialogue: 0,0:13:52.74,0:14:00.29,Default,,0000,0000,0000,,open such files, you have the additional\Ninformation regarding the validation about
Dialogue: 0,0:14:00.29,0:14:08.31,Default,,0000,0000,0000,,the signatures and who signed this PDF\Nfile. So as I mentioned before, this talk
Dialogue: 0,0:14:08.31,0:14:16.69,Default,,0000,0000,0000,,will concentrate only on these digitally\Nsigned PDF files. How? What kind of
Dialogue: 0,0:14:16.69,0:14:22.88,Default,,0000,0000,0000,,process is behind digitally signing PDF\Nfiles? Imagine we have this abstract
Dialogue: 0,0:14:22.88,0:14:28.64,Default,,0000,0000,0000,,overview of a PDF document. We have the\Nheader, body, Xref section and trailer. We
Dialogue: 0,0:14:28.64,0:14:35.48,Default,,0000,0000,0000,,want to sign it. What happens is that we\Ntake this PDF file and via incremental
Dialogue: 0,0:14:35.48,0:14:41.90,Default,,0000,0000,0000,,update we put additional information\Nregarding that. There is a new catalog and
Dialogue: 0,0:14:41.90,0:14:46.38,Default,,0000,0000,0000,,more important, a new signature object\Ncontaining the signature value and
Dialogue: 0,0:14:46.38,0:14:52.10,Default,,0000,0000,0000,,information about who signed this PDF\Nfile. And of course, there is an Xref
Dialogue: 0,0:14:52.10,0:14:58.97,Default,,0000,0000,0000,,section and trailer. And relevant for you:\NThe entire file is now protected by the
Dialogue: 0,0:14:58.97,0:15:06.86,Default,,0000,0000,0000,,PDF signature. So manipulations within\Nthis area should not be possible, right?
Dialogue: 0,0:15:06.86,0:15:15.88,Default,,0000,0000,0000,,Yeah, let's talk about this: why it's not\Npossible and how can we break it? First,
Dialogue: 0,0:15:15.88,0:15:21.37,Default,,0000,0000,0000,,we need an attack scenario. What we want\Nto achieve as an attacker. We assumed in
Dialogue: 0,0:15:21.37,0:15:27.84,Default,,0000,0000,0000,,our research that the attacker possesses\Nthis signed PDF file. This could be an old
Dialogue: 0,0:15:27.84,0:15:35.99,Default,,0000,0000,0000,,contract, receipt or, in our case, a bill\Nfrom Amazon. And if we open this file, the
Dialogue: 0,0:15:35.99,0:15:41.44,Default,,0000,0000,0000,,signature is valid. So everything is\Ngreen. No warnings are thrown and
Dialogue: 0,0:15:41.44,0:15:48.33,Default,,0000,0000,0000,,everything is fine. What we tried to do is\Nto take this file, manipulate it somehow
Dialogue: 0,0:15:48.33,0:15:56.32,Default,,0000,0000,0000,,and then send it to the victim. And now\Nthe victim expects to receive a digitally
Dialogue: 0,0:15:56.32,0:16:01.78,Default,,0000,0000,0000,,signed PDF file, so just tripping the\Ndigital signature is a very trivial
Dialogue: 0,0:16:01.78,0:16:07.60,Default,,0000,0000,0000,,scenario and we did not consider it\Nbecause it's trivial. We considered that
Dialogue: 0,0:16:07.60,0:16:13.24,Default,,0000,0000,0000,,the victim expects to see that there is a\Nsignature and it is valid. So no warning
Dialogue: 0,0:16:13.24,0:16:20.42,Default,,0000,0000,0000,,casts are thrown and the entire left side\Nis exactly the same from the normal
Dialogue: 0,0:16:20.42,0:16:28.11,Default,,0000,0000,0000,,behavior. But on the other side, the\Ncontent was exchanged so we manipulated
Dialogue: 0,0:16:28.11,0:16:33.79,Default,,0000,0000,0000,,the receipt and exchanged it with another\Ncontent. The question is now: how can we
Dialogue: 0,0:16:33.79,0:16:41.08,Default,,0000,0000,0000,,do it on a technical level? And we came up\Nwith three attacks: incremental saving
Dialogue: 0,0:16:41.08,0:16:45.93,Default,,0000,0000,0000,,attacks, signature wrapping and universal\Nsignature forgery. And I will now
Dialogue: 0,0:16:45.93,0:16:51.21,Default,,0000,0000,0000,,introduce the techniques and how these\Nattacks are working. The first attack is
Dialogue: 0,0:16:51.21,0:16:56.84,Default,,0000,0000,0000,,the incremental saving attack. So I\Nmentioned before that via incremental
Dialogue: 0,0:16:56.84,0:17:06.44,Default,,0000,0000,0000,,saving or via incremental updates, we can\Nadd and remove and even redefine already
Dialogue: 0,0:17:06.44,0:17:14.65,Default,,0000,0000,0000,,existing objects and the signature still\Nstays valid. Why is this happening?
Dialogue: 0,0:17:14.65,0:17:21.11,Default,,0000,0000,0000,,Consider now again our case. We have some\Nheader, body, Xref table and trailer and
Dialogue: 0,0:17:21.11,0:17:27.56,Default,,0000,0000,0000,,the file is now signed and the signature\Nprotects only the signed area. So what
Dialogue: 0,0:17:27.56,0:17:32.60,Default,,0000,0000,0000,,would happen if I put a sticky note or\Nsome highlighting? An incremental update
Dialogue: 0,0:17:32.60,0:17:39.17,Default,,0000,0000,0000,,happens. If I open this file, usually this\Nhappens: We have the information that this
Dialogue: 0,0:17:39.17,0:17:45.80,Default,,0000,0000,0000,,signature is valid, when it was signed and\Nso on and so forth. So our first idea was
Dialogue: 0,0:17:45.80,0:17:53.25,Default,,0000,0000,0000,,to just put new body updates, redefine\Nalready existing content and with a Xref
Dialogue: 0,0:17:53.25,0:17:59.42,Default,,0000,0000,0000,,table and trailer we point to the new\Ncontent. This is quite trivial because
Dialogue: 0,0:17:59.42,0:18:04.82,Default,,0000,0000,0000,,it's a legitimate feature in PDF files, so\Nwe didn't expect to be quite successful
Dialogue: 0,0:18:04.82,0:18:11.76,Default,,0000,0000,0000,,and we were not so successful. But the\Nfirst idea: we applied this attack, we
Dialogue: 0,0:18:11.76,0:18:22.08,Default,,0000,0000,0000,,opened it and we got this message. So it's\Nkind of a weird message because an
Dialogue: 0,0:18:22.08,0:18:27.97,Default,,0000,0000,0000,,experienced user sees valid, but the\Ndocument has been updated and you should
Dialogue: 0,0:18:27.97,0:18:33.58,Default,,0000,0000,0000,,know what does this exactly mean. But we\Ndid not consider this attack as successful
Dialogue: 0,0:18:33.58,0:18:41.11,Default,,0000,0000,0000,,because the warning is not the same or the\Nstatus of the signature validation is not
Dialogue: 0,0:18:41.11,0:18:50.91,Default,,0000,0000,0000,,the same. So what we did is to evaluate\Nthis first against this trivial case,
Dialogue: 0,0:18:50.91,0:18:56.86,Default,,0000,0000,0000,,against older viewers we have, and Libre\Noffice, for example, was vulnerable
Dialogue: 0,0:18:56.86,0:19:01.77,Default,,0000,0000,0000,,against this trivial attack. This was the\Nonly viewer which was vulnerable against
Dialogue: 0,0:19:01.77,0:19:07.44,Default,,0000,0000,0000,,this trivial variation. But then we asked\Nourselves: Okay, the other viewers are
Dialogue: 0,0:19:07.44,0:19:14.25,Default,,0000,0000,0000,,quite secure. But how do they detect these\Nincremental updates? And from developer
Dialogue: 0,0:19:14.25,0:19:22.41,Default,,0000,0000,0000,,point of view, the laziest thing we can do\Nis just to check if another Xref table and
Dialogue: 0,0:19:22.41,0:19:28.33,Default,,0000,0000,0000,,trailer were added after the signature was\Napplied. So we just put our body updates
Dialogue: 0,0:19:28.33,0:19:37.45,Default,,0000,0000,0000,,but just deleted the other two parts. This\Nis not a standard compliant PDF file. It's
Dialogue: 0,0:19:37.45,0:19:44.79,Default,,0000,0000,0000,,broken. But our hope was that the PDF\Nviewer fixes this kind of stuff for us and
Dialogue: 0,0:19:44.79,0:19:51.21,Default,,0000,0000,0000,,that these viewers are error-tolerant. And\Nwe were quite successful because the
Dialogue: 0,0:19:51.21,0:19:56.32,Default,,0000,0000,0000,,verification logic just checked: Is there\Nan Xref table and trailer after the
Dialogue: 0,0:19:56.32,0:20:01.58,Default,,0000,0000,0000,,signature was applied? No? Okay.\NEverything's fine. The signature is valid.
Dialogue: 0,0:20:01.58,0:20:05.45,Default,,0000,0000,0000,,No warning was thrown. But then the\Napplication logic saw that incremental
Dialogue: 0,0:20:05.45,0:20:13.58,Default,,0000,0000,0000,,updates were applied and fixed this for us\Nand processed these body updates and no
Dialogue: 0,0:20:13.58,0:20:21.16,Default,,0000,0000,0000,,warning was thrown. Some of the viewers\Nrequired to have a trailer. I don't know
Dialogue: 0,0:20:21.16,0:20:25.35,Default,,0000,0000,0000,,why - it was a Black box testing. So we\Njust removed the Xref table, but the
Dialogue: 0,0:20:25.35,0:20:32.03,Default,,0000,0000,0000,,trailer was there and we were able to\Nbreak further PDF viewers. The most
Dialogue: 0,0:20:32.03,0:20:38.49,Default,,0000,0000,0000,,complex variation of the attack was the\Nfollowing: We had the PDF viewers checked
Dialogue: 0,0:20:38.49,0:20:47.33,Default,,0000,0000,0000,,if every incremental update contains a\Nsignature object. But they did not check
Dialogue: 0,0:20:47.33,0:20:53.20,Default,,0000,0000,0000,,if this signature is covered by the\Nincremental update. So we just copy-pasted
Dialogue: 0,0:20:53.20,0:21:01.29,Default,,0000,0000,0000,,the signature which was provided here and\Nwe just forced the PDF viewer to validate
Dialogue: 0,0:21:01.29,0:21:10.10,Default,,0000,0000,0000,,this signed content twice - and still our\Nbody updates were processed and for
Dialogue: 0,0:21:10.10,0:21:18.67,Default,,0000,0000,0000,,example, Foxit or Master PDF were\Nvulnerable against this type of attack. So
Dialogue: 0,0:21:18.67,0:21:24.91,Default,,0000,0000,0000,,the evaluation of our attack: We\Nconsidered as part of our evaluation 22
Dialogue: 0,0:21:24.91,0:21:31.05,Default,,0000,0000,0000,,different viewers - among others, Adobe\Nwith different versions, Foxit, and so on.
Dialogue: 0,0:21:31.05,0:21:41.14,Default,,0000,0000,0000,,And as you can see 11 of 22 were\Nvulnerable against incremental saving. So
Dialogue: 0,0:21:41.14,0:21:47.16,Default,,0000,0000,0000,,50 percent, and we were quite surprised\Nbecause we saw that the developers saw
Dialogue: 0,0:21:47.16,0:21:51.64,Default,,0000,0000,0000,,that incremental updates could be\Ndangerous regarding the signature
Dialogue: 0,0:21:51.64,0:22:01.07,Default,,0000,0000,0000,,validation. But we were still able to\Nbypass their considerations. We had - a
Dialogue: 0,0:22:01.07,0:22:07.77,Default,,0000,0000,0000,,full signature bypass means that there is\Nno possibility for the victim to detect
Dialogue: 0,0:22:07.77,0:22:14.27,Default,,0000,0000,0000,,the attack. A limited signature bypass\Nmeans that the victim, if the victim
Dialogue: 0,0:22:14.27,0:22:23.47,Default,,0000,0000,0000,,clicks on one - at least one - additional\Nwindow and explicitly wants to validate
Dialogue: 0,0:22:23.47,0:22:31.52,Default,,0000,0000,0000,,the signature, then the viewer was\Nvulnerable. But the most important thing
Dialogue: 0,0:22:31.52,0:22:38.08,Default,,0000,0000,0000,,is by opening the file, there was a status\Nmessage that the signature validation and
Dialogue: 0,0:22:38.08,0:22:44.29,Default,,0000,0000,0000,,all signatures are valid. So this was the\Nfirst layer and the viewers were
Dialogue: 0,0:22:44.29,0:22:51.39,Default,,0000,0000,0000,,vulnerable against this. So let's talk\Nabout the second attack class. We called
Dialogue: 0,0:22:51.39,0:22:57.97,Default,,0000,0000,0000,,it "signature wrapping attack" and this is\Nthe most complex attack of the 3 classes.
Dialogue: 0,0:22:57.97,0:23:04.58,Default,,0000,0000,0000,,And now we have to go a little bit into\Nthe details of how PDF signatures are
Dialogue: 0,0:23:04.58,0:23:10.45,Default,,0000,0000,0000,,made. So imagine now we have a PDF file.\NWe have some header and the original
Dialogue: 0,0:23:10.45,0:23:15.55,Default,,0000,0000,0000,,document. The original document contains\Nthe header, the body, the Xref section and
Dialogue: 0,0:23:15.55,0:23:21.92,Default,,0000,0000,0000,,so on and so forth. And we want to sign\Nthis document. Technically, again, an
Dialogue: 0,0:23:21.92,0:23:28.70,Default,,0000,0000,0000,,incremental update is provided and we have\Na new catalog here. We have some other
Dialogue: 0,0:23:28.70,0:23:35.16,Default,,0000,0000,0000,,objects, for example, certificates and so\Non and the signature objects. And we will
Dialogue: 0,0:23:35.16,0:23:38.72,Default,,0000,0000,0000,,now concentrate on this signature object\Nbecause it's essential for the attack we
Dialogue: 0,0:23:38.72,0:23:45.40,Default,,0000,0000,0000,,want to to carry out. And the signature\Nobject contains a lot of information, but
Dialogue: 0,0:23:45.40,0:23:51.46,Default,,0000,0000,0000,,we want for this attacks only two elements\Nare relevant: The contents and the byte
Dialogue: 0,0:23:51.46,0:23:57.94,Default,,0000,0000,0000,,range. The contents contains the signature\Nvalue. It's a PKCS7 container containing
Dialogue: 0,0:23:57.94,0:24:05.71,Default,,0000,0000,0000,,the signature value and the certificates\Nused to validate the signature and the
Dialogue: 0,0:24:05.71,0:24:11.30,Default,,0000,0000,0000,,bytes range. The byte range contains four\Ndifferent values and what how these values
Dialogue: 0,0:24:11.30,0:24:23.09,Default,,0000,0000,0000,,are being used. The first two, A and B\Ndefine the first signed area. And this is
Dialogue: 0,0:24:23.09,0:24:29.16,Default,,0000,0000,0000,,here from the beginning of the document\Nuntil the start of the signature value.
Dialogue: 0,0:24:29.16,0:24:35.37,Default,,0000,0000,0000,,Why we need this? Because the signature\Nvalue is part of the signed area. So we need
Dialogue: 0,0:24:35.37,0:24:42.78,Default,,0000,0000,0000,,to exclude the signature value from the\Ndocument computation. And this is how the
Dialogue: 0,0:24:42.78,0:24:49.18,Default,,0000,0000,0000,,bytes range is used. The first part is\Nfrom the beginning of the document until
Dialogue: 0,0:24:49.18,0:24:54.63,Default,,0000,0000,0000,,the signed the signature value starts and\Nafter the signature ends until the end of
Dialogue: 0,0:24:54.63,0:25:04.76,Default,,0000,0000,0000,,the file is the second area specified by\Nthe two digits C and D. So, now we have
Dialogue: 0,0:25:04.76,0:25:13.50,Default,,0000,0000,0000,,everything protected besides the signature\Nvalue itself. What we wanted to try is to
Dialogue: 0,0:25:13.50,0:25:21.89,Default,,0000,0000,0000,,create additional space for our attacks.\NSo our idea was to move the second signed
Dialogue: 0,0:25:21.89,0:25:30.35,Default,,0000,0000,0000,,area. And how can we do it? So basically\Nwe can do it by just defining another byte
Dialogue: 0,0:25:30.35,0:25:40.24,Default,,0000,0000,0000,,range. And as you can see here, the byte\Nrange points from area A to B. So this
Dialogue: 0,0:25:40.24,0:25:46.89,Default,,0000,0000,0000,,area we didn't made any manipulation in\Nthis part, right? It was not modified at
Dialogue: 0,0:25:46.89,0:25:53.31,Default,,0000,0000,0000,,all. So it's still valid. And the second\Npart, the new C value and the next D
Dialogue: 0,0:25:53.31,0:26:00.17,Default,,0000,0000,0000,,bytes, we didn't change anything here,\Nright? So basically, we didn't changed
Dialogue: 0,0:26:00.17,0:26:06.75,Default,,0000,0000,0000,,anything in the signed area. And the\Nsignature is still valid. But what we
Dialogue: 0,0:26:06.75,0:26:13.98,Default,,0000,0000,0000,,created was a space for some malicious\Nobjects; sometimes we needed some padding
Dialogue: 0,0:26:13.98,0:26:20.96,Default,,0000,0000,0000,,and a new extra section pointing to this\Nmalicious objects. Important thing was
Dialogue: 0,0:26:20.96,0:26:27.56,Default,,0000,0000,0000,,that this malicious Xref sections, the\Nposition is defined by the trailer. And
Dialogue: 0,0:26:27.56,0:26:32.80,Default,,0000,0000,0000,,since we can not modify this trailer, this\Nposition is fixed. So this is the only
Dialogue: 0,0:26:32.80,0:26:42.88,Default,,0000,0000,0000,,limitation of the attack, but it works\Nlike a charm. And the question is now: How
Dialogue: 0,0:26:42.88,0:26:49.73,Default,,0000,0000,0000,,many PDF viewers were vulnerable against\Nthis attack? And as you can see, this is
Dialogue: 0,0:26:49.73,0:26:58.17,Default,,0000,0000,0000,,the signature wrapping column. 17 out of\N22 applications were vulnerable against
Dialogue: 0,0:26:58.17,0:27:06.00,Default,,0000,0000,0000,,this attack. This was quite expected\Nresult because the attack was complex we
Dialogue: 0,0:27:06.00,0:27:14.79,Default,,0000,0000,0000,,saw that many developers didn't, were not\Naware of this threat and that's the reason
Dialogue: 0,0:27:14.79,0:27:22.60,Default,,0000,0000,0000,,why so many vulnerabilities were there.\NNow to the last class of attacks,
Dialogue: 0,0:27:22.60,0:27:28.58,Default,,0000,0000,0000,,universal signature forgery. And we called\Nit universal signature forgery, but I
Dialogue: 0,0:27:28.58,0:27:33.88,Default,,0000,0000,0000,,preferred to use another definition for\Nthis attacks. I call them stupid
Dialogue: 0,0:27:33.88,0:27:40.91,Default,,0000,0000,0000,,implementation flaws. We are coming from\Nthe PenTesting area and I know a lot of
Dialogue: 0,0:27:40.91,0:27:49.88,Default,,0000,0000,0000,,you are PenTesters, too. And, many of you\Nhave experience, quite interesting
Dialogue: 0,0:27:49.88,0:27:58.46,Default,,0000,0000,0000,,experience with zero bytes, null values or\Nsome kind of weird values. And this is
Dialogue: 0,0:27:58.46,0:28:06.31,Default,,0000,0000,0000,,what we tried in this kind of attacks.\NJust tried to do some stupid values or
Dialogue: 0,0:28:06.31,0:28:13.10,Default,,0000,0000,0000,,remove references and see what happen.\NConsidering the signature, there are two
Dialogue: 0,0:28:13.10,0:28:18.39,Default,,0000,0000,0000,,different important elements: The contents\Ncontaining the signature value and the
Dialogue: 0,0:28:18.39,0:28:25.22,Default,,0000,0000,0000,,byte range pointing to what is exactly\Nsigned. So, what would happen if we remove
Dialogue: 0,0:28:25.22,0:28:30.68,Default,,0000,0000,0000,,the contents? Our hope was that the\Ninformation regarding the signature is
Dialogue: 0,0:28:30.68,0:28:37.78,Default,,0000,0000,0000,,still shown by the viewer as valid without\Nvalidating any signature because it was
Dialogue: 0,0:28:37.78,0:28:45.17,Default,,0000,0000,0000,,not possible. And by just removing the\Nsignature value is quite obvious idea. And
Dialogue: 0,0:28:45.17,0:28:48.90,Default,,0000,0000,0000,,we were not successful with this kind of\Nattack. But let's proceed with another
Dialogue: 0,0:28:48.90,0:28:57.09,Default,,0000,0000,0000,,values like for example, contents without\Nany value or contents like equals NULL or
Dialogue: 0,0:28:57.09,0:29:04.71,Default,,0000,0000,0000,,zero bytes. And considering this last\Nversion, we had two viewers which were
Dialogue: 0,0:29:04.71,0:29:15.05,Default,,0000,0000,0000,,vulnerable against this attack. And\Nanother, another case is, for example, by
Dialogue: 0,0:29:15.05,0:29:19.93,Default,,0000,0000,0000,,removing the byte range. By removing this\Nbyte range we have some signature value,
Dialogue: 0,0:29:19.93,0:29:29.59,Default,,0000,0000,0000,,but we don't know what is exactly signed.\NSo, we tried this attack and of course,
Dialogue: 0,0:29:29.59,0:29:38.39,Default,,0000,0000,0000,,byte range without any value or NULL bytes\Nor byte range with a minus or negative,
Dialogue: 0,0:29:38.39,0:29:46.17,Default,,0000,0000,0000,,negative numbers. And usually this last\Ncrashed very a lot of viewers. But the
Dialogue: 0,0:29:46.17,0:29:51.80,Default,,0000,0000,0000,,most interesting is that Adobe made this\Nmistake by just removing the byte range.
Dialogue: 0,0:29:51.80,0:29:56.99,Default,,0000,0000,0000,,We were able to bypass the entire\Nsecurity. We didn't expect this behavior,
Dialogue: 0,0:29:56.99,0:30:00.95,Default,,0000,0000,0000,,but it was a stupid implementation flaw,\Nallowing us to do anything in this
Dialogue: 0,0:30:00.95,0:30:08.19,Default,,0000,0000,0000,,document and all the exploits we show in\Nour presentations were made on Adobe with
Dialogue: 0,0:30:08.19,0:30:14.91,Default,,0000,0000,0000,,this attack. So let's see what were the\Nresults of this attack. As you can see,
Dialogue: 0,0:30:14.91,0:30:21.11,Default,,0000,0000,0000,,only 4 of 22 viewers were vulnerable\Nagainst this attack and only Adobe
Dialogue: 0,0:30:21.11,0:30:26.28,Default,,0000,0000,0000,,unlimited; for the others, there was\Nlimitation because if you click on the
Dialogue: 0,0:30:26.28,0:30:32.76,Default,,0000,0000,0000,,signature validation, then a warning was\Nthrown. It was very easy for Adobe to fix.
Dialogue: 0,0:30:32.76,0:30:37.54,Default,,0000,0000,0000,,And as you can see, Adobe didn't mistake,\Nmade any mistake regarding incremental
Dialogue: 0,0:30:37.54,0:30:40.82,Default,,0000,0000,0000,,saving, a signature wrapping, but\Nregarding controversial signature forgery.
Dialogue: 0,0:30:40.82,0:30:48.17,Default,,0000,0000,0000,,There were vulnerable against this attack.\NAnd this was the hope of our approach. In
Dialogue: 0,0:30:48.17,0:30:56.03,Default,,0000,0000,0000,,summary, we were able to break 21 of 22\NPDF viewers. The only
Dialogue: 0,0:30:56.03,0:31:00.85,Default,,0000,0000,0000,,{\i1}Applause{\i0}\NThanks.
Dialogue: 0,0:31:00.85,0:31:08.15,Default,,0000,0000,0000,,{\i1}Applause{\i0}\NThe only secure PDF viewer is Adobe 9,
Dialogue: 0,0:31:08.15,0:31:12.86,Default,,0000,0000,0000,,which is deprecated and has remote code\Nexecution. The only
Dialogue: 0,0:31:12.86,0:31:18.04,Default,,0000,0000,0000,,{\i1}Laugh{\i0}\NThe only users allowed to use them or are
Dialogue: 0,0:31:18.04,0:31:25.45,Default,,0000,0000,0000,,using it are Linux users, because this is\Nthe last version available for Linux and
Dialogue: 0,0:31:25.45,0:31:31.78,Default,,0000,0000,0000,,that's the reason why you consider it. So,\NI'm done with the talk about PDF
Dialogue: 0,0:31:31.78,0:31:36.64,Default,,0000,0000,0000,,signatures and now Fabian can talk about\NPDF encryption. Thank you.
Dialogue: 0,0:31:36.64,0:31:42.54,Default,,0000,0000,0000,,Fabian: Yes\N{\i1}Applause{\i0}
Dialogue: 0,0:31:42.54,0:31:46.76,Default,,0000,0000,0000,,OK, now that we have dealt with the\Nsignatures, let's talk about another
Dialogue: 0,0:31:46.76,0:31:52.76,Default,,0000,0000,0000,,cryptographic aspect in PDFs. And that is\Nencryption. And some of you might remember
Dialogue: 0,0:31:52.76,0:31:58.48,Default,,0000,0000,0000,,our PDFex vulnerability from earlier this\Nyear. It's, of course, an attack with a
Dialogue: 0,0:31:58.48,0:32:03.72,Default,,0000,0000,0000,,logo and it presents two novel tech\Ntechniques targeting PDF encryption that
Dialogue: 0,0:32:03.72,0:32:08.03,Default,,0000,0000,0000,,have never been applied to PDF encryption\Nbefore. So one of them is these so-called
Dialogue: 0,0:32:08.03,0:32:12.55,Default,,0000,0000,0000,,direct exfiltration where we break the\Ncryptography without even touching the
Dialogue: 0,0:32:12.55,0:32:18.84,Default,,0000,0000,0000,,cryptography. So no ciphertext\Nmanipulation here. The second one as so-
Dialogue: 0,0:32:18.84,0:32:24.69,Default,,0000,0000,0000,,called malleability gadgets. And those are\Nactually targeted modifications of the
Dialogue: 0,0:32:24.69,0:32:31.24,Default,,0000,0000,0000,,ciphertext of the document. But first,\Nlet's take a step back and let again take
Dialogue: 0,0:32:31.24,0:32:39.52,Default,,0000,0000,0000,,some keywords in. So PDF uses AES. OK.\NWell, AES is good. Nothing can go wrong,
Dialogue: 0,0:32:39.52,0:32:44.22,Default,,0000,0000,0000,,right? So let's go home. Encryption is\Nfine. Well, of course, we didn't stop
Dialogue: 0,0:32:44.22,0:32:52.16,Default,,0000,0000,0000,,here, but took a closer look. So they use\NCBC mode of operation, so cipher block
Dialogue: 0,0:32:52.16,0:32:58.31,Default,,0000,0000,0000,,chaining. And, what's more important is\Nthat they don't use any integrity
Dialogue: 0,0:32:58.31,0:33:04.12,Default,,0000,0000,0000,,protection. So it's unintegrity protected\NAES-CBC. And you might remember the
Dialogue: 0,0:33:04.12,0:33:08.91,Default,,0000,0000,0000,,scenario from the attacks against\Nencrypted e-mail, so against OpenPGP and
Dialogue: 0,0:33:08.91,0:33:15.100,Default,,0000,0000,0000,,S-MIME, it's basically the same problem.\NBut first, who actually uses PDF
Dialogue: 0,0:33:15.100,0:33:20.94,Default,,0000,0000,0000,,encryption? You might ask. For one, we\Nfound some local banks in Germany use
Dialogue: 0,0:33:20.94,0:33:26.03,Default,,0000,0000,0000,,encrypted PDFs as a drop-in replacement\Nfor S-MIME or OpenPGP because their
Dialogue: 0,0:33:26.03,0:33:34.90,Default,,0000,0000,0000,,customers might not want to deal with uhm,\Nset, with the setup of encrypted e-mail.
Dialogue: 0,0:33:34.90,0:33:39.74,Default,,0000,0000,0000,,Second one, were some drop-in plugins for\Nencrypt e-mail as well. So there are some
Dialogue: 0,0:33:39.74,0:33:44.57,Default,,0000,0000,0000,,companies out there that produce product\Nthat you can put into your outlook and you
Dialogue: 0,0:33:44.57,0:33:51.33,Default,,0000,0000,0000,,can use encrypted PDF files instead of\Nencrypted email. We also found that some
Dialogue: 0,0:33:51.33,0:33:57.92,Default,,0000,0000,0000,,scanners and medical devices were able to\Nsend encrypted PDF files via e-mail. So
Dialogue: 0,0:33:57.92,0:34:02.99,Default,,0000,0000,0000,,you can set a password on that machine and\Nthey will send the encrypted PDF via
Dialogue: 0,0:34:02.99,0:34:10.37,Default,,0000,0000,0000,,e-mail and you have to put in the\Npassword some other way. And lastly, we
Dialogue: 0,0:34:10.37,0:34:14.64,Default,,0000,0000,0000,,found that some governmental organizations\Nuse encrypted PDF documents, for example,
Dialogue: 0,0:34:14.64,0:34:20.41,Default,,0000,0000,0000,,the US Department of Justice allows for\Nthe send, sending in some claims via
Dialogue: 0,0:34:20.41,0:34:25.28,Default,,0000,0000,0000,,encrypted PDFs. And I've exactly no idea\Nhow you how they get the password, but at
Dialogue: 0,0:34:25.28,0:34:30.85,Default,,0000,0000,0000,,least they allow it. So as we are from\Nacademia, let's take a step back and look
Dialogue: 0,0:34:30.85,0:34:36.86,Default,,0000,0000,0000,,at our attacker model. So we've got Alice\Nand Bob. Alice wants to send a document to
Dialogue: 0,0:34:36.86,0:34:42.12,Default,,0000,0000,0000,,Bob. And she wants to send it over an\Nunencrypted channel or a channel she
Dialogue: 0,0:34:42.12,0:34:48.61,Default,,0000,0000,0000,,doesn't trust. So of course, she decides\Nto encrypt it. Second scenario is, they
Dialogue: 0,0:34:48.61,0:34:53.02,Default,,0000,0000,0000,,want to upload it to a shared storage. For\Nexample, Dropbox or any other shared
Dialogue: 0,0:34:53.02,0:34:57.19,Default,,0000,0000,0000,,storage. And of course, they don't trust\Nthe storage. So, again, they use end-to-
Dialogue: 0,0:34:57.19,0:35:05.12,Default,,0000,0000,0000,,end encryption. So let's assume that this\Nshared storage is indeed dangerous or
Dialogue: 0,0:35:05.12,0:35:11.42,Default,,0000,0000,0000,,malicious. So, Alice will, of course,\Nagain upload the encrypted document to the
Dialogue: 0,0:35:11.42,0:35:17.49,Default,,0000,0000,0000,,attacker in this case, will perform some\Ntargeted modification of that, and will
Dialogue: 0,0:35:17.49,0:35:22.29,Default,,0000,0000,0000,,send the modified documents back to Bob,\Nwho will happily put in the password
Dialogue: 0,0:35:22.29,0:35:26.80,Default,,0000,0000,0000,,because from his point of view, it's\Nundistinguishable from the original
Dialogue: 0,0:35:26.80,0:35:32.88,Default,,0000,0000,0000,,document and the original plain text will\Nbe leaked back to the attacker, breaking
Dialogue: 0,0:35:32.88,0:35:39.73,Default,,0000,0000,0000,,the confidentiality. So let's take a look\Nat the first attack on how we did that.
Dialogue: 0,0:35:39.73,0:35:43.41,Default,,0000,0000,0000,,That's the direct exfiltration, so\Nbreaking the cryptography without touching
Dialogue: 0,0:35:43.41,0:35:51.36,Default,,0000,0000,0000,,any cryptography, as I like to say. But\Nfirst, encryption in, in a nutshell, PDF
Dialogue: 0,0:35:51.36,0:35:54.57,Default,,0000,0000,0000,,encryption. So you have seen the structure\Nof the PDF document. There is a header
Dialogue: 0,0:35:54.57,0:35:59.99,Default,,0000,0000,0000,,with a version number. There's a body\Nwhere all the interesting objects live. So
Dialogue: 0,0:35:59.99,0:36:06.82,Default,,0000,0000,0000,,there is our confidential content that we\Nwant to actually, well, to actually
Dialogue: 0,0:36:06.82,0:36:14.74,Default,,0000,0000,0000,,exfiltrate as an attacker. And finally,\Nthere is Xref table and the trailer. So
Dialogue: 0,0:36:14.74,0:36:19.73,Default,,0000,0000,0000,,what changes if we decide to encrypt this\Ndocument? Well, actually, not a whole lot.
Dialogue: 0,0:36:19.73,0:36:24.08,Default,,0000,0000,0000,,So instead of confidential data, of\Ncourse, there's now some encrypted
Dialogue: 0,0:36:24.08,0:36:29.01,Default,,0000,0000,0000,,ciphertext. Okay. And the rest pretty much\Nremains the same. The only thing that is
Dialogue: 0,0:36:29.01,0:36:36.96,Default,,0000,0000,0000,,added is a new value in the trailer that\Ntells us how to decrypt this data again.
Dialogue: 0,0:36:36.96,0:36:43.56,Default,,0000,0000,0000,,So there's pretty much of the structure\Nleft unencrypted. And we thought about:
Dialogue: 0,0:36:43.56,0:36:50.12,Default,,0000,0000,0000,,Why is this? And we took a look at the\Nstandard. So, this is an excerpt from the
Dialogue: 0,0:36:50.12,0:36:55.94,Default,,0000,0000,0000,,PDF specification and I've highlighted the\Ninteresting parts for you. Encryption is
Dialogue: 0,0:36:55.94,0:37:00.69,Default,,0000,0000,0000,,only applied to strings and streams. Well,\Nthose of the values that actually can
Dialogue: 0,0:37:00.69,0:37:07.64,Default,,0000,0000,0000,,contain any text in the document and all\Nother objects are not encrypted. And that
Dialogue: 0,0:37:07.64,0:37:12.27,Default,,0000,0000,0000,,is because, well, they want to allow\Nrandom access to the whole document. So no
Dialogue: 0,0:37:12.27,0:37:17.60,Default,,0000,0000,0000,,parsing the whole document before actually\Nshowing page 16 of the encrypted document.
Dialogue: 0,0:37:17.60,0:37:24.56,Default,,0000,0000,0000,,Well, that seems kind of reasonable. So,\Nbut that also means that the whole
Dialogue: 0,0:37:24.56,0:37:27.97,Default,,0000,0000,0000,,documents structure is unencrypted and\Nonly the streams and strings are
Dialogue: 0,0:37:27.97,0:37:31.38,Default,,0000,0000,0000,,encrypted. This reveals a lot of\Ninformation to an attacker that he or she
Dialogue: 0,0:37:31.38,0:37:36.42,Default,,0000,0000,0000,,shouldn't have probably. That's for one\Nthe number and size of pages, that's the
Dialogue: 0,0:37:36.42,0:37:42.61,Default,,0000,0000,0000,,number and size of objects in the document\Nand that's also including any links, so
Dialogue: 0,0:37:42.61,0:37:48.12,Default,,0000,0000,0000,,any hyperlinks in document that are\Nactually there. So, that's a lot of
Dialogue: 0,0:37:48.12,0:37:55.26,Default,,0000,0000,0000,,information an attacker probably shouldn't\Nhave. So, next we thought maybe we can do
Dialogue: 0,0:37:55.26,0:38:01.27,Default,,0000,0000,0000,,some more stuff. Can we add our own\Nunencrypted content? And we took a look at
Dialogue: 0,0:38:01.27,0:38:05.91,Default,,0000,0000,0000,,the standard again and found that our so-\Ncalled crypt filters, which provide finer
Dialogue: 0,0:38:05.91,0:38:10.75,Default,,0000,0000,0000,,granularity control of the encryption.\NThis basically means as an attacker, I can
Dialogue: 0,0:38:10.75,0:38:15.92,Default,,0000,0000,0000,,change a document to say, hey, only\Nstrings in this document are encrypted and
Dialogue: 0,0:38:15.92,0:38:21.34,Default,,0000,0000,0000,,streams are unencrypted. That's what the\Nidentity filter is for. I have no idea why
Dialogue: 0,0:38:21.34,0:38:27.19,Default,,0000,0000,0000,,they decided to add that to a document\Nformat, but it's there. So that means
Dialogue: 0,0:38:27.19,0:38:31.57,Default,,0000,0000,0000,,their support for partial encryption and\Nthat means attackers content can be mixed
Dialogue: 0,0:38:31.57,0:38:36.88,Default,,0000,0000,0000,,with actual encrypted content. And we\Nfound 18 different techniques to do that
Dialogue: 0,0:38:36.88,0:38:42.29,Default,,0000,0000,0000,,in different readers. So there is a lot of\Nways to do that in the different readers.
Dialogue: 0,0:38:42.29,0:38:48.15,Default,,0000,0000,0000,,So let's have a look at a demo. So we have\Nthis document, this encrypted document, we
Dialogue: 0,0:38:48.15,0:38:54.17,Default,,0000,0000,0000,,put in our password and get our secret\Nmessage. We now open it again in a text
Dialogue: 0,0:38:54.17,0:39:00.14,Default,,0000,0000,0000,,editor. We see, in object 4 0 down here,\Nthere's the actual ciphertext of the
Dialogue: 0,0:39:00.14,0:39:06.11,Default,,0000,0000,0000,,object, so of the message, and we see it's\NAES encrypted, with a 32 byte key, so it's
Dialogue: 0,0:39:06.11,0:39:15.67,Default,,0000,0000,0000,,AES-256. OK. Now we decide to add a new\Nobject that contains, well, plaintext.
Dialogue: 0,0:39:15.67,0:39:22.22,Default,,0000,0000,0000,,And, well, we simply add that to the\Ncontents array of this document. So, we
Dialogue: 0,0:39:22.22,0:39:28.24,Default,,0000,0000,0000,,say "Display this on the first page", save\Nthe document. We open it, and we'll put in
Dialogue: 0,0:39:28.24,0:39:38.30,Default,,0000,0000,0000,,our password and, oh well, this is indeed\Nawkward. OK. So, now, we have broken the
Dialogue: 0,0:39:38.30,0:39:44.16,Default,,0000,0000,0000,,integrity of an encrypted document. Well,\Nyou might think maybe they didn't want any
Dialogue: 0,0:39:44.16,0:39:49.19,Default,,0000,0000,0000,,integrity in the encrypted files. Maybe\Nthat's the use case people have, I don't
Dialogue: 0,0:39:49.19,0:39:55.06,Default,,0000,0000,0000,,know. But we thought, maybe we can somehow\Nexfiltrate the plaintext this way. So
Dialogue: 0,0:39:55.06,0:40:00.04,Default,,0000,0000,0000,,again, we took a step back, and looked at\Nthe PDF specification. And the first thing
Dialogue: 0,0:40:00.04,0:40:06.08,Default,,0000,0000,0000,,we found were so-called submit-form\Nactions. And that's basically the same as
Dialogue: 0,0:40:06.08,0:40:10.55,Default,,0000,0000,0000,,a form on a website. You can put in data.\NYou might have seen this in a contract, in
Dialogue: 0,0:40:10.55,0:40:14.74,Default,,0000,0000,0000,,a PDF contract, where you can put in your\Nname, and your address, and so on, and so
Dialogue: 0,0:40:14.74,0:40:23.33,Default,,0000,0000,0000,,on, and the data that is saved inside of\Nthat is saved in strings and streams. And
Dialogue: 0,0:40:23.33,0:40:27.76,Default,,0000,0000,0000,,now remember that is everything that is\Nencrypted in a document. And, of course,
Dialogue: 0,0:40:27.76,0:40:32.10,Default,,0000,0000,0000,,you can also send that back to an\Nattacker, or well, to a legitimate use
Dialogue: 0,0:40:32.10,0:40:37.89,Default,,0000,0000,0000,,case, of course, via clicking a button,\Nbut clicking buttons is pretty lame. So we
Dialogue: 0,0:40:37.89,0:40:42.12,Default,,0000,0000,0000,,again looked at the standard and found the\Nso-called open action. And that is an
Dialogue: 0,0:40:42.12,0:40:47.19,Default,,0000,0000,0000,,action, for example, submitting a form\Nthat can be performed upon opening a
Dialogue: 0,0:40:47.19,0:40:54.98,Default,,0000,0000,0000,,document. So how might this look? This is\Nhow a PDF form looks, already with the
Dialogue: 0,0:40:54.98,0:41:01.39,Default,,0000,0000,0000,,attack applied. So, we've got an URL here\Nthat is unencrypted, because all strings
Dialogue: 0,0:41:01.39,0:41:07.40,Default,,0000,0000,0000,,in this document are unencrypted, and\Nwe've got the value object 2 O, where the
Dialogue: 0,0:41:07.40,0:41:13.34,Default,,0000,0000,0000,,actual encrypted data lives. So, that is\Nthe value of the form fields. And what
Dialogue: 0,0:41:13.34,0:41:17.12,Default,,0000,0000,0000,,will happen on the attacker side as soon\Nas this document is opened? Well, we'll
Dialogue: 0,0:41:17.12,0:41:24.54,Default,,0000,0000,0000,,get a post request with a confidential\Ncontent. Let's have a demo. Again, we have
Dialogue: 0,0:41:24.54,0:41:30.62,Default,,0000,0000,0000,,this document. We put in our password.\NIt's the original document you have
Dialogue: 0,0:41:30.62,0:41:36.16,Default,,0000,0000,0000,,already seen. We reopen it in a text\Nviewer, or a text editor, again see it's
Dialogue: 0,0:41:36.16,0:41:44.16,Default,,0000,0000,0000,,encrypted, and we decide to change all\Nstrings to the identity filter. So, no
Dialogue: 0,0:41:44.16,0:41:49.48,Default,,0000,0000,0000,,encryption is applied to strings from now\Non. And then we add a whole blob of
Dialogue: 0,0:41:49.48,0:41:55.94,Default,,0000,0000,0000,,information for the open action, and for\Nthe form. So this will be op- this will be
Dialogue: 0,0:41:55.94,0:42:00.35,Default,,0000,0000,0000,,performed, as soon as the document is\Nopened. There is a URL, p.df, and the
Dialogue: 0,0:42:00.35,0:42:07.54,Default,,0000,0000,0000,,value is the encrypted object 4 0. We\Nstart an HTTP server on the domain we
Dialogue: 0,0:42:07.54,0:42:12.97,Default,,0000,0000,0000,,specified, we open the document, put in\Nthe password again, and as soon as we open
Dialogue: 0,0:42:12.97,0:42:17.77,Default,,0000,0000,0000,,the document Adobe will helpfully show us\Na warning, but they will already click the
Dialogue: 0,0:42:17.77,0:42:22.17,Default,,0000,0000,0000,,button for remembering that for the\Nfuture. And if you accept that, you will
Dialogue: 0,0:42:22.17,0:42:29.39,Default,,0000,0000,0000,,see your secret message on the attacker\Nserver. And that is pretty bad already.
Dialogue: 0,0:42:29.39,0:42:36.48,Default,,0000,0000,0000,,OK. The same works for hyperlinks, so, of\Ncourse, there are links in PDF documents,
Dialogue: 0,0:42:36.48,0:42:43.60,Default,,0000,0000,0000,,and as on the Web, we can define a base\NURL for hyperlinks. So we can say all URLs
Dialogue: 0,0:42:43.60,0:42:49.94,Default,,0000,0000,0000,,from this document start with http://p.df.\NAnd of course we can define any object as
Dialogue: 0,0:42:49.94,0:42:57.26,Default,,0000,0000,0000,,a URL. So any object we prepared this way\Ncan be sent as a URL, and that will, of
Dialogue: 0,0:42:57.26,0:43:01.18,Default,,0000,0000,0000,,course, trigger a GET request upon opening\Nthe document again, if you defined an open
Dialogue: 0,0:43:01.18,0:43:08.75,Default,,0000,0000,0000,,action for the same object. So again,\Npretty bad and breaks confidentiality. And
Dialogue: 0,0:43:08.75,0:43:16.38,Default,,0000,0000,0000,,of course, everybody loves JavaScript in\NPDF files, and that works as well. Okay.
Dialogue: 0,0:43:16.38,0:43:21.35,Default,,0000,0000,0000,,Let's talk about ciphertext attacks, so\Nactual cryptographic attacks, no more not
Dialogue: 0,0:43:21.35,0:43:29.19,Default,,0000,0000,0000,,touching the crypto. So you might remember\Nthe efail attacks on OpenPGP and S/MIME,
Dialogue: 0,0:43:29.19,0:43:34.16,Default,,0000,0000,0000,,and those had basically three\Nprerequisites. 1: Well, ciphertext
Dialogue: 0,0:43:34.16,0:43:38.69,Default,,0000,0000,0000,,malleability, so it's called malleability\Ngadgets. That's why we need ciphertext
Dialogue: 0,0:43:38.69,0:43:43.85,Default,,0000,0000,0000,,malleability, and we've got no integrity\Nprotection, that's a plus. Then we need
Dialogue: 0,0:43:43.85,0:43:48.68,Default,,0000,0000,0000,,some known plaintext for actual targeted\Nmodifications. And we need an exfiltration
Dialogue: 0,0:43:48.68,0:43:53.07,Default,,0000,0000,0000,,channel to send the data back to an\Nattacker. Well, exfiltration channels are
Dialogue: 0,0:43:53.07,0:43:59.73,Default,,0000,0000,0000,,already dealt with as we have hyperlinks\Nand forms. So we can already check that.
Dialogue: 0,0:43:59.73,0:44:05.80,Default,,0000,0000,0000,,Nice. Let's talk about ciphertext\Nmalleability, or what we call gadgets. So,
Dialogue: 0,0:44:05.80,0:44:10.18,Default,,0000,0000,0000,,some of you might remember this from\Ncrypto 101, or whatever lecture you ever
Dialogue: 0,0:44:10.18,0:44:15.29,Default,,0000,0000,0000,,had on cryptography. This is the\Ndecryption function of CBC, so cipher
Dialogue: 0,0:44:15.29,0:44:24.03,Default,,0000,0000,0000,,block chaining. And it's basically, you've\Ngot your ciphertext up here, and your
Dialogue: 0,0:44:24.03,0:44:29.73,Default,,0000,0000,0000,,plaintext down here. And it works by\Nsimply decrypting a block of ciphertext,
Dialogue: 0,0:44:29.73,0:44:35.85,Default,,0000,0000,0000,,XORing the previous block of ciphertext\Nonto that, and you'll get the plaintext.
Dialogue: 0,0:44:35.85,0:44:41.07,Default,,0000,0000,0000,,So what happens, if you decide to change a\Nsingle bit in the ciphertext, for example,
Dialogue: 0,0:44:41.07,0:44:47.53,Default,,0000,0000,0000,,the first bit of the initialization\Nvector? Well, that same bit will flip in
Dialogue: 0,0:44:47.53,0:44:53.11,Default,,0000,0000,0000,,the actual plaintext. Wait a second. What\Nhappens, if you happen to know a whole
Dialogue: 0,0:44:53.11,0:45:00.15,Default,,0000,0000,0000,,plaintext block? Well, we can XOR that\Nonto the first block, and basically get
Dialogue: 0,0:45:00.15,0:45:05.89,Default,,0000,0000,0000,,all zeros, or what we call a gadget, or a\Nblank sheet of paper, because we can write
Dialogue: 0,0:45:05.89,0:45:14.13,Default,,0000,0000,0000,,on that by taking a chosen plaintext and\NXORing that onto this results. And this
Dialogue: 0,0:45:14.13,0:45:18.74,Default,,0000,0000,0000,,way we can, for example, construct URLs in\Nthe actual ciphertext, or in the actual
Dialogue: 0,0:45:18.74,0:45:24.42,Default,,0000,0000,0000,,resulting plaintext. What we can also do\Nwith these gadget is, gadgets is moving
Dialogue: 0,0:45:24.42,0:45:28.58,Default,,0000,0000,0000,,them somewhere else in the document,\Ncloning them, so we can have multiple
Dialogue: 0,0:45:28.58,0:45:34.15,Default,,0000,0000,0000,,gadgets, at multiple places in the\Nciphertext. But remember, if you do that,
Dialogue: 0,0:45:34.15,0:45:37.80,Default,,0000,0000,0000,,there's always the avalanche effect of\NCBC, so you will have some random bytes in
Dialogue: 0,0:45:37.80,0:45:45.59,Default,,0000,0000,0000,,here, but the URL still remains in place.\NOkay. That's ciphertext malleability done.
Dialogue: 0,0:45:45.59,0:45:50.61,Default,,0000,0000,0000,,As I've said we need some plaintext. We\Nneed to have some known plaintext. And as
Dialogue: 0,0:45:50.61,0:45:54.46,Default,,0000,0000,0000,,the PDF standard has been pretty helpful\Nup until now, in breaking PDF encryption,
Dialogue: 0,0:45:54.46,0:46:02.07,Default,,0000,0000,0000,,let's take a look again. And what we found\Nhere: Permissions. So a PDF documents can
Dialogue: 0,0:46:02.07,0:46:08.04,Default,,0000,0000,0000,,have different permissions for the author,\Nand the user of the document. This
Dialogue: 0,0:46:08.04,0:46:11.02,Default,,0000,0000,0000,,basically means the author can edit the\Ndocument and the users might not be able
Dialogue: 0,0:46:11.02,0:46:16.06,Default,,0000,0000,0000,,to do that. And of course, people started\Nto change with that- started to tamper
Dialogue: 0,0:46:16.06,0:46:20.22,Default,,0000,0000,0000,,with that value, if it was left\Nunencrypted, so in the newest version, it
Dialogue: 0,0:46:20.22,0:46:27.31,Default,,0000,0000,0000,,was decided this should be encrypted as a\N16 byte value. So we've got 16 bytes. How
Dialogue: 0,0:46:27.31,0:46:30.89,Default,,0000,0000,0000,,do they look? Well, at first, we need room\Nfor extension. We need lots of
Dialogue: 0,0:46:30.89,0:46:36.10,Default,,0000,0000,0000,,permissions. Then we put 4 bytes of the\Nactual permission value - That is also in
Dialogue: 0,0:46:36.10,0:46:42.27,Default,,0000,0000,0000,,unencrypted form in document. Then we need\None byte for encrypted metadata, and for
Dialogue: 0,0:46:42.27,0:46:46.84,Default,,0000,0000,0000,,some reason we need some acronym, "adb",\NI'll leave it to you to figure out what
Dialogue: 0,0:46:46.84,0:46:52.70,Default,,0000,0000,0000,,that stands for. And finally, we've got\Nfour random bytes, because we have to fill
Dialogue: 0,0:46:52.70,0:47:00.26,Default,,0000,0000,0000,,up 16 bytes, and we have run out of ideas.\NOkay. We take all of that, encrypt it, and
Dialogue: 0,0:47:00.26,0:47:05.98,Default,,0000,0000,0000,,oh well, we know a lot of that, and that\Nis basically known plaintext by design.
Dialogue: 0,0:47:05.98,0:47:12.94,Default,,0000,0000,0000,,Which is bad. Let's look at how this looks\Nin a document. So, you see the perms
Dialogue: 0,0:47:12.94,0:47:16.41,Default,,0000,0000,0000,,value, I've marked it down here. That is\Nthe actual extended value I've shown you
Dialogue: 0,0:47:16.41,0:47:22.75,Default,,0000,0000,0000,,on the last slide. And above that you'll\Nsee the unencrypted value that's inside
Dialogue: 0,0:47:22.75,0:47:28.03,Default,,0000,0000,0000,,this perms value, so the minus 4 in this\Ncase, it's basically a bit field. On the
Dialogue: 0,0:47:28.03,0:47:33.61,Default,,0000,0000,0000,,right side you see the actual encrypted\Ncontents, and helpfully, all of this is
Dialogue: 0,0:47:33.61,0:47:37.75,Default,,0000,0000,0000,,encrypted under the same document-wide key\Nin the newest version of the
Dialogue: 0,0:47:37.75,0:47:43.51,Default,,0000,0000,0000,,specification. And that means we can you\Nreuse this plaintext anywhere in the
Dialogue: 0,0:47:43.51,0:47:48.93,Default,,0000,0000,0000,,document we want, and we can reuse this\Nto build gadgets. To sum that last point
Dialogue: 0,0:47:48.93,0:47:53.19,Default,,0000,0000,0000,,up for you: Adobe decided to add\Npermissions to the PDF format, and people
Dialogue: 0,0:47:53.19,0:47:56.95,Default,,0000,0000,0000,,thought of tampering with them. So they\Ndecided to encrypt these permissions to
Dialogue: 0,0:47:56.95,0:48:06.36,Default,,0000,0000,0000,,prevent tampering, and now known plaintext\Nis available to attackers. All right. So
Dialogue: 0,0:48:06.36,0:48:14.33,Default,,0000,0000,0000,,that's basically all of the prerequisites\Ndone, and let's again have a demo. So, we
Dialogue: 0,0:48:14.33,0:48:20.18,Default,,0000,0000,0000,,again open this document, put in our\Npassword, well, as soon as Chrome decides
Dialogue: 0,0:48:20.18,0:48:26.74,Default,,0000,0000,0000,,to open this document, we put in our\Npassword. It's the same as before. Now,
Dialogue: 0,0:48:26.74,0:48:31.63,Default,,0000,0000,0000,,I've prepared a script for you, because I\Nreally can't do this live, and it
Dialogue: 0,0:48:31.63,0:48:35.40,Default,,0000,0000,0000,,basically does what I've told you. It's\Ngetting a blank gadget from the perms
Dialogue: 0,0:48:35.40,0:48:39.67,Default,,0000,0000,0000,,value. It's generating a URL from that.\NIt's generating a field name, so that it
Dialogue: 0,0:48:39.67,0:48:45.41,Default,,0000,0000,0000,,will look nice on the server side, we\Nregenerate this document and put a form in
Dialogue: 0,0:48:45.41,0:48:50.08,Default,,0000,0000,0000,,there. We start a web server, open this\Nmodified document, put in the password
Dialogue: 0,0:48:50.08,0:48:55.54,Default,,0000,0000,0000,,again and oh well, Chrome doesn't even\Nask. So as soon as this document is opened
Dialogue: 0,0:48:55.54,0:48:59.16,Default,,0000,0000,0000,,in Chrome and the password is put in,\Nwe'll get our secret message delivered to
Dialogue: 0,0:48:59.16,0:49:07.08,Default,,0000,0000,0000,,the attacker.\N{\i1}Applause{\i0}
Dialogue: 0,0:49:07.08,0:49:13.51,Default,,0000,0000,0000,,So we took a look at 27 viewers and found\Nall of them vulnerable to at least one of
Dialogue: 0,0:49:13.51,0:49:18.39,Default,,0000,0000,0000,,our attacks. So some of them work with no\Nuser interaction as we have seen in
Dialogue: 0,0:49:18.39,0:49:22.73,Default,,0000,0000,0000,,Chrome. Some work with user interaction in\Nspecific cases, as you've seen with Adobe
Dialogue: 0,0:49:22.73,0:49:30.66,Default,,0000,0000,0000,,with a warning, but generally all of these\Nwere attackable in one way or the other.
Dialogue: 0,0:49:30.66,0:49:35.67,Default,,0000,0000,0000,,So what can be done about all of this?\NWell, you might think signatures might
Dialogue: 0,0:49:35.67,0:49:40.25,Default,,0000,0000,0000,,help. That's usually the first point\Npeople bring up: "A signature on the
Dialogue: 0,0:49:40.25,0:49:46.55,Default,,0000,0000,0000,,encrypted file will help." Well, no, not\Nreally. Why is that? Well, for one, a
Dialogue: 0,0:49:46.55,0:49:50.33,Default,,0000,0000,0000,,broken signature does not prevent opening\Nthe document. So we'll still be able to
Dialogue: 0,0:49:50.33,0:49:54.36,Default,,0000,0000,0000,,exfiltrate as soon as a password is put\Nin. Signatures can be stripped because
Dialogue: 0,0:49:54.36,0:49:57.70,Default,,0000,0000,0000,,they're not encrypted. And as you have\Nseen before, they can also be forged in
Dialogue: 0,0:49:57.70,0:50:02.96,Default,,0000,0000,0000,,most viewers. Signatures are not the\Nanswer. Closing exfiltration channels is
Dialogue: 0,0:50:02.96,0:50:08.36,Default,,0000,0000,0000,,also not the answer because for one, it's\Nhard to do. And how would you even find
Dialogue: 0,0:50:08.36,0:50:14.69,Default,,0000,0000,0000,,all exfiltrations channels in an 800 pages\Nstandard? And I mean, we have barely
Dialogue: 0,0:50:14.69,0:50:18.43,Default,,0000,0000,0000,,scratched the surface of exfiltration\Nchannels. And should we really remove
Dialogue: 0,0:50:18.43,0:50:24.29,Default,,0000,0000,0000,,forms and hyperlinks from documents? And\Nshould we remove JavaScript? OK, maybe we
Dialogue: 0,0:50:24.29,0:50:28.70,Default,,0000,0000,0000,,should. And finally, if you have to do\Nthat, please ask the user before
Dialogue: 0,0:50:28.70,0:50:34.30,Default,,0000,0000,0000,,connecting to a web server. So let's look\Nat some vendor reactions. Apple decided to
Dialogue: 0,0:50:34.30,0:50:38.68,Default,,0000,0000,0000,,do exactly what I've told you: to add a\Ndialog to warn the user and even show the
Dialogue: 0,0:50:38.68,0:50:44.46,Default,,0000,0000,0000,,whole URL with the encrypted plaintext.\NAnd Google decided to stop trying to fix
Dialogue: 0,0:50:44.46,0:50:49.83,Default,,0000,0000,0000,,the unfixable in Chrome. They fixed the\Nautomatic exfiltration, but there's really
Dialogue: 0,0:50:49.83,0:50:54.29,Default,,0000,0000,0000,,nothing they can do about the standard. So\Nthis is a problem that has to be done in
Dialogue: 0,0:50:54.29,0:51:00.23,Default,,0000,0000,0000,,the standard. And that is basically that.\NFor mitigating wrapping attacks, we have
Dialogue: 0,0:51:00.23,0:51:04.11,Default,,0000,0000,0000,,to deprecate partial encryption and\Ndisallow access from unencrypted to
Dialogue: 0,0:51:04.11,0:51:08.45,Default,,0000,0000,0000,,encrypted objects. And against the gadget\Nattacks, we have to use authenticated
Dialogue: 0,0:51:08.45,0:51:16.22,Default,,0000,0000,0000,,encryption like AES-GCM. OK. And Adobe has\Ntold us that they were escalating this to
Dialogue: 0,0:51:16.22,0:51:19.98,Default,,0000,0000,0000,,the ISO working group that's now\Nresponsible for the PDF standard and this
Dialogue: 0,0:51:19.98,0:51:24.71,Default,,0000,0000,0000,,will be taken up in the next revision. So\Nthat's a win in my book.
Dialogue: 0,0:51:24.71,0:51:30.95,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:51:30.95,0:51:36.33,Default,,0000,0000,0000,,Herald: Thank you so much, guys. That was\Nreally awesome. Please queue up by the
Dialogue: 0,0:51:36.33,0:51:41.29,Default,,0000,0000,0000,,microphones if you have any questions, we\Nstill have some time left for Q and A. But
Dialogue: 0,0:51:41.29,0:51:45.18,Default,,0000,0000,0000,,I think your research is really, really\Ninteresting because it opens my mind to
Dialogue: 0,0:51:45.18,0:51:51.49,Default,,0000,0000,0000,,like how would this actually be able to be\Nmisused in practice? Like, and I don't
Dialogue: 0,0:51:51.49,0:51:54.76,Default,,0000,0000,0000,,know, like, what's your take? I guess\Nsince you've been working so much with
Dialogue: 0,0:51:54.76,0:51:59.02,Default,,0000,0000,0000,,this, you must have some kind of idea as\Nto what devious things you could come up
Dialogue: 0,0:51:59.02,0:52:02.68,Default,,0000,0000,0000,,with.\NFabian: I mean, it's still an attacker
Dialogue: 0,0:52:02.68,0:52:08.08,Default,,0000,0000,0000,,scenario that requires a lot of resources\Nand a very motivated attacker. So this
Dialogue: 0,0:52:08.08,0:52:13.68,Default,,0000,0000,0000,,might not be very important to the normal\Nuser. Let's be real here. So most of us
Dialogue: 0,0:52:13.68,0:52:19.10,Default,,0000,0000,0000,,are not targeted by the NSA, I guess. So\Nyou need an active attacker, an active man
Dialogue: 0,0:52:19.10,0:52:21.07,Default,,0000,0000,0000,,in the middle to actually perform these\Nattacks.
Dialogue: 0,0:52:21.07,0:52:25.80,Default,,0000,0000,0000,,Herald: Great. Thank you. And then I think\Nwe have a question from microphone number
Dialogue: 0,0:52:25.80,0:52:28.85,Default,,0000,0000,0000,,four, please.\NMicrophone 4: Yes. You'll said that the
Dialogue: 0,0:52:28.85,0:52:32.70,Default,,0000,0000,0000,,next standard might have a fix.\NDo you know a time frame on how long it
Dialogue: 0,0:52:32.70,0:52:41.45,Default,,0000,0000,0000,,takes to build such a standard?\NFabian: Well, no, we don't really know. We
Dialogue: 0,0:52:41.45,0:52:44.64,Default,,0000,0000,0000,,have talked with Adobe and they told us\Nthey will show the next version of the
Dialogue: 0,0:52:44.64,0:52:48.95,Default,,0000,0000,0000,,standard to us before actually releasing\Nthat, but we have no time frame at all
Dialogue: 0,0:52:48.95,0:52:51.95,Default,,0000,0000,0000,,from them.\NMicrophone 4: OK. Thank you.
Dialogue: 0,0:52:51.95,0:52:57.40,Default,,0000,0000,0000,,Herald: Thank you.\NMicrophone number five, please.
Dialogue: 0,0:52:57.40,0:53:02.30,Default,,0000,0000,0000,,Microphone 5: Thank you for a very\Ninteresting talk. You showed in the first
Dialogue: 0,0:53:02.30,0:53:09.14,Default,,0000,0000,0000,,part that the signature has like these\Nfour numbers with the byte range. And why
Dialogue: 0,0:53:09.14,0:53:15.58,Default,,0000,0000,0000,,is this, like four numbers, not part of a\Nsignature? Is there a technical reason for
Dialogue: 0,0:53:15.58,0:53:18.48,Default,,0000,0000,0000,,that? Because the byte offset is\Npredictable.
Dialogue: 0,0:53:18.48,0:53:24.47,Default,,0000,0000,0000,,Vladi: It is! The bytes ranges protected\Nby the signature. But we just defined the
Dialogue: 0,0:53:24.47,0:53:31.71,Default,,0000,0000,0000,,second one and just moved the signed one\Nto be validated later. So there are two
Dialogue: 0,0:53:31.71,0:53:37.53,Default,,0000,0000,0000,,byte ranges. But only the first one, the\Nmanipulated one, will be processed.
Dialogue: 0,0:53:37.53,0:53:42.58,Default,,0000,0000,0000,,Microphone 5: Thank you.\NHerald: Thank you so much. Microphone
Dialogue: 0,0:53:42.58,0:53:47.94,Default,,0000,0000,0000,,number four, please.\NMicrophone 4: Oh, this is way too high for
Dialogue: 0,0:53:47.94,0:53:53.87,Default,,0000,0000,0000,,me. OK. I have an answer and a question\Nfor you. You mentioned during the talk
Dialogue: 0,0:53:53.87,0:53:58.69,Default,,0000,0000,0000,,that you weren't sure how the Department\Nof Justice did distributes the passwords
Dialogue: 0,0:53:58.69,0:54:07.94,Default,,0000,0000,0000,,for encrypting PDFs. The answer is: in\Nplain text, in a separate email or as the
Dialogue: 0,0:54:07.94,0:54:14.30,Default,,0000,0000,0000,,password of the week, which is distributed\Nthrough various means. That is also what
Dialogue: 0,0:54:14.30,0:54:20.37,Default,,0000,0000,0000,,the Department of Homeland Security does,\Nand the military is somewhat less stupid.
Dialogue: 0,0:54:20.37,0:54:27.03,Default,,0000,0000,0000,,As a question: I have roughly a half\Nterabyte of sensitive PDFs that I would
Dialogue: 0,0:54:27.03,0:54:36.91,Default,,0000,0000,0000,,like to scan for your attack and also for\Nredaction failures. Do you know of any
Dialogue: 0,0:54:36.91,0:54:45.56,Default,,0000,0000,0000,,fast, feasible ways to scan documents for\Nthe presence of this kind of attack?
Dialogue: 0,0:54:45.56,0:54:51.97,Default,,0000,0000,0000,,Fabian: I don't know of any tools, but I\Nmean, scanning for the gadget attacks is
Dialogue: 0,0:54:51.97,0:54:58.39,Default,,0000,0000,0000,,actually possible if you tried to do some\Nentropy detection. So, because you reuse
Dialogue: 0,0:54:58.39,0:55:01.87,Default,,0000,0000,0000,,ciphertext, you will have less entropy in\Nyour ciphertext, but that's pretty hard to
Dialogue: 0,0:55:01.87,0:55:07.35,Default,,0000,0000,0000,,do. Direct exfiltration should probably be\Ndetectable by scanning simply for words
Dialogue: 0,0:55:07.35,0:55:12.30,Default,,0000,0000,0000,,like "identity". Well, beyond that, 18\Ndifferent techniques that we provided in
Dialogue: 0,0:55:12.30,0:55:15.98,Default,,0000,0000,0000,,the paper. But I don't know of any tools\Nto do that automatically.
Dialogue: 0,0:55:15.98,0:55:21.56,Default,,0000,0000,0000,,Microphone 4: Thank you.\NHerald: Great. Thank you. And microphone
Dialogue: 0,0:55:21.56,0:55:24.20,Default,,0000,0000,0000,,number two, please. Microphone 2: Thank\Nyou for your very interesting
Dialogue: 0,0:55:24.20,0:55:30.22,Default,,0000,0000,0000,,presentation. I have one suggestion and\None question for the mitigation scheme. If
Dialogue: 0,0:55:30.22,0:55:33.81,Default,,0000,0000,0000,,you simply run your PDF reader in a\Nvirtual machine, that is firewalled away,
Dialogue: 0,0:55:33.81,0:55:38.66,Default,,0000,0000,0000,,so your firewall won't led you to anybody\Ngoing out. But for the signature
Dialogue: 0,0:55:38.66,0:55:43.02,Default,,0000,0000,0000,,forgeries, I had an idea. I'm not sure if\Nthis is actually a stupid idea, but did
Dialogue: 0,0:55:43.02,0:55:47.44,Default,,0000,0000,0000,,you consider faking the certificate?\NBecause presumably the signature is
Dialogue: 0,0:55:47.44,0:55:52.25,Default,,0000,0000,0000,,protected by the seller's certificate. You\Nmake up your own, signing with that. Does
Dialogue: 0,0:55:52.25,0:55:57.67,Default,,0000,0000,0000,,it catch it and how?\NVladi: We considered it but not in this
Dialogue: 0,0:55:57.67,0:56:04.90,Default,,0000,0000,0000,,paper. We assume that the certificate and\Nthe entire chain of trust for this path is
Dialogue: 0,0:56:04.90,0:56:11.75,Default,,0000,0000,0000,,totally secure. It was just an assumption\Nto just concentrate only on the attacks we
Dialogue: 0,0:56:11.75,0:56:19.60,Default,,0000,0000,0000,,already found. So, perhaps there will be\Nfurther research provided by us in the
Dialogue: 0,0:56:19.60,0:56:22.81,Default,,0000,0000,0000,,next months and years.\NHerald: We might just hear more from you
Dialogue: 0,0:56:22.81,0:56:27.89,Default,,0000,0000,0000,,in the future. Thank you so much. And now\Nquestions from the Internet, please.
Dialogue: 0,0:56:27.89,0:56:34.80,Default,,0000,0000,0000,,Signal Angel: I have two questions to the\Nfirst part of your talk from the Internet.
Dialogue: 0,0:56:34.80,0:56:40.54,Default,,0000,0000,0000,,The first one is you mentioned a few\Nreactions, but can you give a bit more
Dialogue: 0,0:56:40.54,0:56:46.51,Default,,0000,0000,0000,,detail about your experience with vendors\Nwhile reporting these issues?
Dialogue: 0,0:56:46.51,0:56:58.48,Default,,0000,0000,0000,,Vladi: Yeah. We, ... for the first time we\Nstarted, we asked the CERT team from BSI,
Dialogue: 0,0:56:58.48,0:57:04.79,Default,,0000,0000,0000,,CERT-Bund, to help us because there were a\Nlot of affected vendors and we were not
Dialogue: 0,0:57:04.79,0:57:13.58,Default,,0000,0000,0000,,able to provide the support in a feasible\Nway. So they supported us the entire way.
Dialogue: 0,0:57:13.58,0:57:19.88,Default,,0000,0000,0000,,We first created the report with,\Ncontaining the exact description of the
Dialogue: 0,0:57:19.88,0:57:26.19,Default,,0000,0000,0000,,vulnerabilities and old exploits. Then, we\Ndistributed it to the BSI and they
Dialogue: 0,0:57:26.19,0:57:32.54,Default,,0000,0000,0000,,contacted the vendors and just proxied to\Nthe communication and there was a lot of
Dialogue: 0,0:57:32.54,0:57:36.68,Default,,0000,0000,0000,,communication. So I'm not aware of the\Nentire communication, but only about the
Dialogue: 0,0:57:36.68,0:57:45.93,Default,,0000,0000,0000,,technical stuff where we were asked to\Njust retest the fix and so on. So there
Dialogue: 0,0:57:45.93,0:57:52.81,Default,,0000,0000,0000,,was some reaction from Adobe, FoxIt and a\Nlot of viewers reacted on our attacks and
Dialogue: 0,0:57:52.81,0:57:58.21,Default,,0000,0000,0000,,contacted us, but not everybody.\NHerald: Thank you so much. Unfortunately,
Dialogue: 0,0:57:58.21,0:58:01.67,Default,,0000,0000,0000,,that's the only time that we have\Navailable for questions today. I think you
Dialogue: 0,0:58:01.67,0:58:06.08,Default,,0000,0000,0000,,guys might stay around for a couple of\Nminutes, just if someone has any more
Dialogue: 0,0:58:06.08,0:58:10.93,Default,,0000,0000,0000,,questions. Fabian, I thank ... and\NVladislav, not enough. Thank you so much.
Dialogue: 0,0:58:10.93,0:58:13.04,Default,,0000,0000,0000,,It was very interesting. Please give them\Na great round of applause.
Dialogue: 0,0:58:13.04,0:58:14.79,Default,,0000,0000,0000,,Valdi: Thank you.\N{\i1}Applause{\i0}
Dialogue: 0,0:58:14.79,0:58:20.30,Default,,0000,0000,0000,,{\i1}36c3 postroll music{\i0}
Dialogue: 0,0:58:20.30,0:58:43.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2019. Join, and help us!