More secure than smartcard or cryptostick against remote attacks?

vedaal at nym.hush.com
Wed Feb 6 17:57:40 CET 2013


On Wednesday, February 06, 2013 at 5:42 AM, "Hauke Laging" <mailinglisten at hauke-laging.de> wrote:

>The problem is not to forge a signature but the difficulty to 
>force that only data with checked integrity gets signed. How are you going to do 
>that with a PDF?


There is a bigger problem with a pdf: once a hash algorithm becomes insecure enough that pre-image collisions are possible, it is possible to forge a signature.

Ordinarily, even if a collision is possible, a forgery of a signature over text would instantly be detectable, as the collision forgery would have gibberish in the text.
i.e.

M1 has signature hash S1

M2 = (m3 + string), where m3 is the forged text, and the string added is a string of additional characters that are varied until a collision is found for the same S1 hash.

The string stands out as gibberish and would be questioned, even if the signature verified.


But now, in pdf form, the string can easily be hidden in the pdf, by having the string embedded as white text instead of black, and not distinguishable from the white space background.

Example,

M1 is a pdf of a table, or spreadsheet, or has equations or different language special characters, where it is reasonable to be sent as a pdf.

M2 = Pdf of (m3 + string), where m3 is the forged data in the table, or other visible area of the pdf,
and the string is the found addition that produced a successful collision for the final pdf,
after having the string rendered in 1 pt. font in white color embedded in any convenient place in the pdf.

M1 does not even have to be on a pdf, as long as it has a detached .sig S1.

If pre-image collisions are possible for a hash, then a pdf can be constructed to have the same .sig S1.

(This could still be detected by examining the details of the metadata of the pdf and seeing what 'extra' material was embedded, but only if a habit is made of checking the metadata very carefully.)


vedaal
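
One way to automate the inspection mentioned in the closing parenthetical, as an added example that is not part of the original post: a Python sketch that walks a decompressed PDF page content stream and flags text drawn in white, in a very small font, or in invisible render mode. The sample stream is constructed; the function name, the 2 pt threshold and a white page background are assumptions, and the simplified tokenizer does not handle nested parentheses or `]` inside strings.

```python
import re

NUMBER = re.compile(rb"[-+]?\d*\.?\d+")
OPERATOR = re.compile(rb"[A-Za-z'\"*]+")
# Simplified tokenizer: literal strings, arrays, hex strings, names, numbers, operators.
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|\[[^\]]*\]|<[0-9A-Fa-f\s]*>|/[^\s/\[\]()<>]+|"
                   + NUMBER.pattern + rb"|" + OPERATOR.pattern)

def find_hidden_text(stream, min_pt=2.0):
    """Return (reasons, operand) for every text-showing operator drawn invisibly."""
    state = {"white": False, "size": None, "mode": 0}  # PDF default fill is black
    saved, ops, findings = [], [], []
    for tok in TOKEN.findall(stream):
        if not OPERATOR.fullmatch(tok):
            ops.append(tok)                  # operand: collect until an operator arrives
            continue
        nums = [float(o) for o in ops if NUMBER.fullmatch(o)]
        if tok == b"g" and nums:             # gray fill, 1 = white
            state["white"] = nums[-1] >= 0.99
        elif tok == b"rg" and len(nums) >= 3:  # RGB fill, 1 1 1 = white
            state["white"] = min(nums[-3:]) >= 0.99
        elif tok == b"k" and len(nums) >= 4:   # CMYK fill, 0 0 0 0 = white
            state["white"] = max(nums[-4:]) <= 0.01
        elif tok == b"Tf" and nums:          # font name and size
            state["size"] = nums[-1]
        elif tok == b"Tr" and nums:          # text render mode, 3 = neither fill nor stroke
            state["mode"] = int(nums[-1])
        elif tok == b"q":                    # save graphics state
            saved.append(dict(state))
        elif tok == b"Q" and saved:          # restore graphics state
            state = saved.pop()
        elif tok in (b"Tj", b"TJ", b"'", b'"') and ops:
            checks = (("white fill", state["white"]),
                      ("tiny font", state["size"] is not None and state["size"] < min_pt),
                      ("invisible render mode", state["mode"] == 3))
            reasons = [name for name, hit in checks if hit]
            if reasons:
                findings.append((reasons, ops[-1]))
        ops = []
    return findings

# Constructed sample: visible text, white 1 pt text inside q/Q, visible text, mode-3 text.
SAMPLE = b"""BT /F1 11 Tf 0 g 72 720 Td (Invoice total: 1,200.00 EUR) Tj ET
q BT /F1 1 Tf 1 1 1 rg 72 40 Td (x9Qk2 constructed padding) Tj ET Q
BT /F1 11 Tf 72 700 Td (Payable within 30 days) Tj ET
BT /F1 11 Tf 3 Tr 72 680 Td (ocr layer) Tj ET"""

if __name__ == "__main__":
    for reasons, operand in find_hidden_text(SAMPLE):
        print(", ".join(reasons), "->", operand.decode("latin-1"))
```

Text scaled down through the text matrix (`Tm`) or covered by another object is outside what this sketch checks, and render mode 3 also appears legitimately in OCR text layers, so a hit is a prompt for manual review.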
