Domain: ruhr-uni-bochum.de
Stories and comments across the archive that link to ruhr-uni-bochum.de.
Stories · 6
-
Researchers Break Digital Signatures For Most Desktop PDF Viewers (zdnet.com)
An anonymous reader quotes a report from ZDNet: A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services. This includes apps such as Adobe Acrobat Reader, Foxit Reader, and LibreOffice, and online services like DocuSign and Evotrust --just to name the most recognizable names. The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services. The team went public with their findings over the weekend after all affected app makers and commercial companies finished patching their products. In research published today, the Ruhr-University Bochum team described three vulnerabilities that they found in the digital signing process used by several desktop and web-based PDF signing services. Summarized, they are:
1. Universal Signature Forgery (USF) -- vulnerability lets attackers trick the signature verification process into showing users a fake panel/message that the signature is valid.
2. Incremental Saving Attack (ISA) -- vulnerability lets attackers add extra content to an already signed PDF document via the "incremental saving (incremental update)" mechanism, but without breaking the already-existing signature.
3. Signature Wrapping (SWA) -- vulnerability is similar to ISA, but the malicious code also contains extra logic to fool the signature validation process into "wrapping" around the attacker's extra content, effectively digitally signing the incremental update. Additional details about the three vulnerabilities are available in this PDF research paper [1, 2], this blog post, and this dedicated website. -
Researchers Break Digital Signatures For Most Desktop PDF Viewers (zdnet.com)
An anonymous reader quotes a report from ZDNet: A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services. This includes apps such as Adobe Acrobat Reader, Foxit Reader, and LibreOffice, and online services like DocuSign and Evotrust --just to name the most recognizable names. The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services. The team went public with their findings over the weekend after all affected app makers and commercial companies finished patching their products. In research published today, the Ruhr-University Bochum team described three vulnerabilities that they found in the digital signing process used by several desktop and web-based PDF signing services. Summarized, they are:
1. Universal Signature Forgery (USF) -- vulnerability lets attackers trick the signature verification process into showing users a fake panel/message that the signature is valid.
2. Incremental Saving Attack (ISA) -- vulnerability lets attackers add extra content to an already signed PDF document via the "incremental saving (incremental update)" mechanism, but without breaking the already-existing signature.
3. Signature Wrapping (SWA) -- vulnerability is similar to ISA, but the malicious code also contains extra logic to fool the signature validation process into "wrapping" around the attacker's extra content, effectively digitally signing the incremental update. Additional details about the three vulnerabilities are available in this PDF research paper [1, 2], this blog post, and this dedicated website. -
$350 Hardware Cracks HDMI Copy Protection
New submitter LBeee writes "German Researchers at the Ruhr University Bochum built an FPGA board-based man-in-the-middle attack against the HDCP copy protection used in HDMI connections. After the leak of an HDCP master key in 2010, Intel proclaimed that the copy protection was still secure, as it would be too expensive to build a system that could conduct a real-time decryption of the data stream. It has now been proven that a system can be built for around $350 (€200) to do the task. However, the solution is of no great practical use for pirates. It can easily be used to burn films from Blu-ray discs, but receivers which can deliver HDTV recordings are already available — and they provide the data in compressed form. In contrast, recording directly from an HDMI port results in a large amount of data." -
XML Encryption Broken, Need To Fix W3C Standard
gzipped_tar writes "Researchers from Ruhr University Bochum demonstrated the insecurity of XML encryption standard at ACM Conference on Computer and Communications Security in Chicago this week. 'Everything is insecure,' is the uncomfortable message from Bochum. As pointed out by the Ars Technica article, XML Encryption is used widely as part of server-to-server Web services connections to transmit secure information mixed with non-sensitive data, based on cipher-block chaining. But it is apparently too weak, as demonstrated by Juraj Somorovsky and Tibor Jager. They were able to decrypt data by sending modified ciphertexts to the server by gathering information from the received error messages. The attack was tested against a popular open source implementation of XML Encryption, and against the implementations of companies that responded to the responsible disclosure — in all cases the result was the same: the attack worked. Fixing the vulnerability will require a revision of the W3C XML encryption standard, Somorovsky said. The researchers informed all possibly affected companies through the mailing list of W3C, following a clear responsible disclosure process." -
Meaningful MD5 Collisions
mrogers writes "Researchers at Ruhr-Universität Bochum have found a way to produce MD5 collisions between human-meaningful documents. This could be used to obtain a digital signature on one document and then transfer it to another. The same technique is theoretically applicable to other hash functions based on the Merkle-Damgård structure, such as SHA-1." From the article: "Recently, the world of cryptographic hash functions has turned into a mess. A lot of researchers announced algorithms ("attacks") to find collisions for common hash functions such as MD5 and SHA-1 (see [B+, WFLY, WY, WYY-a, WYY-b]). For cryptographers, these results are exciting - but many so-called 'practitioners' turned them down as 'practically irrelevant'." -
DNA as Construction Equipment
vivekb writes "Scientists at Ruhr University in Germany are using DNA to assemble microscopic structures. They attached matched DNA strands to construction materials, and use the DNA as an highly selective bonding agent. So far, basic polyhedra have been manufactured using gold spheres. The BBC presents this article. The paper is entitled Self-Assembly of Trisoligonucleotidyls. "