Quantcast
Channel: Encryption – Didier Stevens
Viewing all articles
Browse latest Browse all 78

Quickpost: Signed PDF Stego

$
0
0

A signed PDF file is just like all signed files with embedded signatures: the signature itself is excluded from the hash calculation.

Open a signed PDF document in a hex editor and search for string /ByteRange. You’ll find something like this:

36 0 obj
<</ByteRange[0 227012 248956 23362 ]            /Contents<308226e106092a864886f7

This indicates which byte sequences  are used for the hash calculation (position and length of each sequence). So in this example, byte sequence 227013-248955 is excluded, because it contains the signature in hex format padded with 0×00 bytes. This padding is not part of the DER signature, you can change it without changing or invalidating the signature.


Quickpost info



Viewing all articles
Browse latest Browse all 78

Trending Articles