Didier Stevens

Wednesday 15 May 2013

Quickpost: Signed PDF Stego

Filed under: Encryption,Hacking,PDF,Quickpost — Didier Stevens @ 14:08

A signed PDF file is just like all signed files with embedded signatures: the signature itself is excluded from the hash calculation.

Open a signed PDF document in a hex editor and search for string /ByteRange. You’ll find something like this:

36 0 obj
<</ByteRange[0 227012 248956 23362 ]            /Contents<308226e106092a864886f7

This indicates which byte sequences  are used for the hash calculation (position and length of each sequence). So in this example, byte sequence 227013-248955 is excluded, because it contains the signature in hex format padded with 0×00 bytes. This padding is not part of the DER signature, you can change it without changing or invalidating the signature.


Quickpost info

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 222 other followers

%d bloggers like this: