We increase our premium twice, or how to hack documents signed with a reinforced qualified signature

In the wake of the chip-apocalypse news of 2018, when almost everything was hacked, and world brand sites, without knowing it, minting cryptocurrency in our browsers, we decided to encroach on the holy of holies and hack documents signed with an enhanced qualified electronic signature. And that's what came of it.

As you know, enhanced qualified electronic signature (ES) allows you to identify the person who signed the document and detect the fact of making changes to the document (see Art. 5, p. 3 of Federal Law No. 63 “On Electronic Signature”). The hash function collision generation algorithm is not needed this time. For hacking, it is necessary to find ways to make changes to the electronic document after its signing, so that these changes are not detected when checking the ES. Let's start.

DWG script, attack vector - external links

Hereinafter, it is assumed that the system has already installed a certificate of qualified electronic signature:

• Create a document HVAC.dwg, which refers to the file nothing.dwg, located on the ball in the local network of the enterprise. The file nothing.dwg contains notes for the equipment of Supplier A;
• We send HVAC.dwg for approval to the responsible person;
• Using Autodesk → AutoCAD → Add Digital Signatures, the person in charge signs the HVAC.dwg. Now this is an electronic script:

We realize attack:

• It is necessary to replace the equipment of Supplier A with the equipment of Supplier B with a change of nothing.dwg located on the network resource;
• The supply department receives an electronic script HVAC.dwg, the head of the department checks the integrity of the electronic signature, it is not broken, and AutoCAD dispel the last shadow of doubt with the soothing “Drawing has not changed since signing”, so instead of Supplier A, the order for equipment goes to Supplier B

DOC / DOCX script, attack vector font

This time we will use the most advanced CryptoPro CSP 4.0 information security complex, which corresponds to the standard GOST R 34.10-2012:

• We create an order on awarding prikaz.docx employees. The main text is typed in Arial. For premium size, we use a similar font, for example, the free Google Noto Sans Regular . We introduce the premium amount agreed with the director of 150,000 rubles;
• We send the order for the signature to the director;
• The director signs prikaz.docx with enhanced qualified electronic signature using CryptoPro Office Signature 2.0. We receive the electronic script:

We realize attack:

• Using the free program FontForge, we modify the NotoSans-Regular.ttf font file, replacing the vector image of glyph 1 with the image of glyph 2

• The modified NotoSans-Regular.ttf file is installed on the accountant’s computer (administrative rights will be required);
• Having received the original order signed by the director, the accountant opens it and sees a valid signature. But the amount of the premium increased from 150,000 rubles. up to 250,000 rubles.

These are effective, but not the only ways to attack. There are also macros, calculated field values, styles. Neither the use of a data management system (PDM), unfastened signatures, or the use of specialized cryptographic complexes such as CryptoPro CSP will protect against them.

How to provide protection against such attacks? The most effective way is to publish documents in an uneditable format or fixed markup format. These formats are aimed at preserving the original form of the document on any device, anywhere in the world. Here are the most common representatives of fixed markup formats:

• PDF (Portable Document Format) - developed by Adobe. ISO 32000 standard;
• XPS (XML Paper Specification) - developed by Microsoft. ECMA-388 ;
• DWFx - developed by Autodesk. Based on XPS.

But here is not so simple. Let's try to attack through a font on a signed PDF document:

• Document prikaz.docx publish in PDF, for example, using a virtual printer PDF-XChange. The received file prikaz.pdf is sent for signature to the director;
• The director opens the document prikaz.pdf in the Adobe Acrobat Reader DC program;
• Signs with the "Sign Digital Signature" command in the "Certificates" section.
• The signed PDF is sent to the accountant.

We realize attack:

• As well as in the script with the DOCX format, we set an accountant’s modified font NotoSans-Regular.ttf;
• Having received the signed prikaz.pdf, the accountant opens it in Adobe Reader and sees a premium of 250,000 rubles, the signature integrity is not compromised.

For PDF, it was possible to implement this type of attack because this format allows the use of fonts by reference, so it is not suitable for creating originals. There is a PDF / A standard (a subset of PDF) that provides the necessary protection. Therefore, before signing each PDF, you must make sure that the document conforms to the PDF / A standard or that there are no dependencies on fonts.

The DWFx and XPS formats are not subject to such attacks, since at the level of the ECMA-388 standard the storage of resources within the content of documents is regulated (F.3.1 M2.6). But DWFx is not suitable for creating multi-page text documents, so the most versatile option is XPS.

Let's try, by analogy with PDF, to conduct an attack through a font on a signed XPS document:

• Document prikaz.docx publish in XPS using the built-in Windows virtual printer Microsoft XPS Document Writer. The received file prikaz.xps is sent for signature to the director;
• The director opens the document prikaz.xps in Pilot-ICE or Pilot-XPS . Signs with the "Sign" command via CryptoPro CSP;
• The signed XPS is sent to the accountant.

We realize attack:

• Install the modified NotoSans-Regular.ttf font for the accountant;
• Having received the signed prikaz.xps, the accountant opens it in Pilot-ICE, checks the integrity of the EA and sees the same premium amount as at the time of signing the document - 150,000 rubles. The attack on XPS failed.

Results

Reinforced qualified electronic signature is still a reliable technology for detecting changes to a document. But we must comprehensively evaluate the effectiveness of its application. The experiment showed that the editable formats DWG, DOC, DOCX are not suitable for creating electronic scripts, since they can be easily compromised. PDF / A and XPS formats are more secure and versatile for creating originals, since they contain all the necessary information inside the file in order to display the document unchanged each time.

Dmitry Poskrebyshev