4th Mar 2003 [SBWID-6039]
COMMAND
	Implementation flaws in Adobe Document Server for Reader Extensions
SYSTEMS AFFECTED
	Free Adobe Acrobat Reader (version 5.1 or later)
PROBLEM
	
	Summary
	===============================================================================
	
	Free Adobe Acrobat Reader (version 5.1 or later)  has  ability  to:  add
	notes and attachments, add and  check  digital  signatures,  save  forms
	locally, fill them out online,  distribute  to  others  for  review  and
	commenting, and submit forms via e-mail or the Web directly from  within
	Acrobat Reader. But actions listed above  available  for  rights-enabled
	documents only (i.e. documents processed by Adobe  Document  Server  for
	Reader Extensions). Improper usage of cryptography  in  server  software
	allows anyone  to  produce  reader-enabled  documents  without  Document
	Server for Reader Extensions.
	
	Contact information
	===============================================================================
	Name   : ElcomSoft Co.Ltd.
	E-mail : [email protected]
	Fax    : +1 866 448-2703 (US/Canada, toll-free)
	
	The  problem  has  been  reported  to  vendor  (Adobe  Systems  Inc)  on
	02/24/2003; vendor has not replied.
	
	Technical info
	===============================================================================
	Adobe Document Server for Reader Extensions
	-------------------------------------------------------------------------------
	
	With this server, customers can assign custom usage rights  to  specific
	Adobe Portable Document Format (PDF) forms  and  documents,  so  Acrobat
	Reader 5.1 users can get access to  additional  features  while  working
	with the document. The server can enable four types of usage  rights  on
	a PDF form:
	
	- Commenting tools, including sticky notes, highlights, stamps, and
	  strikethroughs;
	- The ability to save a form to a desktop for offline completion or archiving,
	  without loosing any forms data;
	- Digital signatures, including support for Public Key Infrastructure systems
	  for third-party validation (VeriSign, Entrust, and others);
	- Advanced form features, including the ability to submit a form offline or via
	  email, import or export forms data and attached files.
	
	Description of Adobe Document Server for Reader Extensions  features  is
	available                                                             at
	http://www.adobe.com/products/server/readerextensions/main.html.
	The implementation of Document Server for  Reader  Extensions  does  not
	seem to be very complicated. The Server just gets the PDF  file  (to  be
	reader-enabled)  together  with  the  list  of  enabling  options,   and
	produces  new  document  that  contains  one  additional  dictionary   -
	actually, simply by adding an additional block of data.
	Note: for  details  of  PDF  structure,  see  Portable  Document  Format
	Specification
	 http://partners.adobe.com/asn/developer/acrosdk/docs/filefmtspecs/PDFReference.pdf
	
	New  dictionary  is  named  "ViewerPreferences"   and   resides   within
	document's "Root" dictionary.  For  now,  only  one  element  is  placed
	inside "ViewerPreferences" dictionary - "Rights" Dictionary. Content  of
	the "Rights" Dictionary can be described as follows (key name, type  and
	description):
	
	"Version" (number): A number specifying the version of Rights dictionary.
	Currently only version 1 is supported.
	"Document" (array of names): List of flags related to Document operations.
	Currently only one flag is supported: FullSave.
	"Form" (array of names): List of flags related to Form processing. Supported
	flags: Import, Export, SubmitStandalone, SpawnTemplate.
	"Annots" (array of names): List of flags related to Annotations. Supported
	flags: Create, Delete, Modify, Copy, Import, Export.
	"Signature" (array of names): List of flags related to Digital Signature
	handling. Currently only one flag is supported: Modify.
	"Msg" (text string): Arbitrary string to be displayed in "Instructions" box
	when reader-enabled document is opened in Acrobat Reader 5.1.
	"TimeOfUbiquitization" (date): The date and time when document was processed
	by Document Server for Reader Extensions.
	"RightsID" or "ADBE_RightsID" (array): List of RSA-based digital signatures
	for checking integrity of reader-enabling attributes.
	
	Most elements listed in the table above are  self-descriptive.  Name  of
	the last key could be  either  RightsID  or  ADBE_RightsID  -  they  are
	equivalent in Reader 5.1. Values in RightsID  (or  ADBE_RightsID)  array
	are 512-bit RSA-encrypted  values,  and  could  be  decrypted  with  RSA
	Public Key, which is hard-coded (in encrypted form)  within  Reader  5.1
	executable.  Those  values  are  used  as  digital  signatures  of  some
	critical document parts to make sure that  document  was  reader-enabled
	with Adobe Document Server for Reader Extensions.
	Sample form with additional usage rights could be downloaded from
	 http://www.adobe.com/products/server/readerextensions/pdfs/sample_docserver_readerext.pdf
	
	According to press release from October 21, 2002, available at
	 http://www.adobe.com/aboutadobe/pressroom/pressreleases/pdfs/200210/20021021Ubiquity.pdf,
	
	pricing of  Adobe  Document  Server  for  Reader  Extensions  starts  at
	US$75,000.
	
	Adobe Acrobat Reader
	-------------------------------------------------------------------------------
	
	Adobe Acrobat Reader is the most popular part of Adobe  Acrobat  product
	family. Acrobat Reader is free and can be downloaded from Adobe  Systems
	Incorporated web site
	
	 http://www.adobe.com/products/acrobat/readermain.html.
	
	Other most interesting (for this statement) products from Adobe  Acrobat
	family are commercial Adobe Acrobat ($249) and  Adobe  Acrobat  Approval
	($39). Comparison of the free Acrobat Reader 5.1 with  Acrobat  5.0  and
	Acrobat Approval could be found at Planet PDF web site:
	
	 http://www.planetpdf.com/mainpage.asp?webpageid=2413.
	
	For a long time Acrobat Reader was just "the reader" -  its  ability  of
	editing was limited to form  filling,  but  there  was  no  way  to  get
	altered copy of the document  on  disk.  Acrobat  Reader  5.1,  however,
	includes some new functions, that extend Reader functionality, and  make
	it very close to  commercial  Acrobat  Approval.  In  other  words,  new
	Acrobat Reader 5.1 is  something  like  a  limited  version  of  Acrobat
	Approval with functional restrictions applied to  all  documents  except
	reader-enabled ones.
	When the document is opened in Acrobat  Reader  5.1,  the  Reader  looks
	inside ViewerPreferences/Rights dictionary,  and  based  on  information
	found there, enables some editing features (or keep them disabled).
	
	The problem
	-------------------------------------------------------------------------------
	
	As noted earlier, 512-bit  RSA  encryption  is  being  used  to  prevent
	creating reader-enabled documents  without  Adobe  Document  Server  for
	Reader Extensions. 512-bit RSA keys are not considered to be  absolutely
	non-breakable  -  in  1999  a  group  of   researchers   completed   the
	factorization of the 512-bit RSA Challenge Number  in  5.2  months  (see
	http://www.rsasecurity.com/rsalabs/challenges/factoring/rsa155.html  for
	details). But it seems that building a system for  breaking  RSA-512  is
	more expensive than obtaining  Document  Server  for  Reader  Extensions
	from Adobe. So, 512-bit RSA is sufficient for such application. But,  as
	it often happens, implementation corrupts the idea.
	"RightsID" key from "Rights" Dictionary usually contains  three  values.
	First  value  is  a  signature  for  the  "Rights"  Dictionary   content
	(excluding  "RightsID"/"ADBE_RightsID"  key   itself),   "CreationDate",
	"Producer" and "Creator" keys from PDF Info Dictionary, and Document  ID
	from PDF Trailer Dictionary. Second and  third  values  from  "RightsID"
	key are signatures of the first and  the  last  pages  of  PDF  document
	content, respectively.
	The document  is  considered  to  be  enabled  properly  only  when  the
	"Rights" Dictionary signature and at least one  Page  Content  signature
	are correct.
	Let's starts the research with page content signature calculation.
	At the first stage, every byte of decompressed  page  content  (but  not
	more than 1024 bytes) is passed through the hash function. Hash  is  not
	too complicated - some non-printable characters  (such  as  Space,  Tab,
	CR, LF) are ignored, and ASCII-codes of  all  remaining  characters  are
	added to 32-bit counter, initially set to zero.
	At the second stage, the 32-bit  value  calculated  as  described  above
	(actually, the largest  possible  value  contains  only  18  significant
	bits) is converted to 8-byte  hexadecimal  representation,  and  "PaGeS"
	string is appended to the end. Resulting 13-byte sequence  is  processed
	with  MD5  hash  function,  which  produces   128-bit   (16-byte)   page
	fingerprint.
	At the last stage, 512-bit RSA Private Key (stored somewhere in  Server)
	is used to encrypt  page  fingerprint.  Encrypted  value  is  stored  in
	"RightsID"  array.  To  verify  Page  Content  signature,   the   Reader
	calculates page fingerprint and compares it  with  the  value  decrypted
	using RSA Public Key.
	Obviously, the signature calculation procedure described  above  is  not
	perfect. Adding "PaGeS" string does not affect the reliability  at  all.
	But it is looks like a sort  of  tradition  in  Adobe:  in  undocumented
	version of key calculation algorithm (V3),  used  by  Standard  Security
	Handler in Adobe Acrobat 5, string "sAlT" has been used in the same  way
	- instead of the real "salt" value, that should be totally random.
	But  the  most  significant  problem   with   Page   Content   signature
	calculation  is:  it  is  very  easy  to  build  1024-byte  sequence  of
	characters, treated as comments by PDF interpreter, so the  sum  of  all
	characters in that sequence will be the same as the sum  of  first  1024
	characters in any reader-enabled document. So,  inserting  such  comment
	before any page will  produce  a  new  page,  interpreted  exactly  like
	original one,  with  fixed  (known)  signature  value.  Let's  pay  some
	attention to the "Rights" Dictionary signature calculation.
	During that operation, some 32-bit hash (not cryptographic  one,  but  a
	little bit more complicated than just addition) is calculated  from  all
	keys of the "Rights" Dictionary excluding "RightsID" array.  Hash  value
	is converted to hexadecimal representation and passed through  MD5  hash
	function along  with  the  values  from  PDF  Info  Dictionary  such  as
	"CreationDate", "Producer" and "Creator",  and  constant  string  "Adobe
	Acrobat". First five bytes of MD5 output are treated as a  key  for  RC4
	symmetric stream cipher, which is used to encrypt Document ID  from  PDF
	Trailer Dictionary. Encrypted ID is encrypted  again  with  RSA  Private
	Key to produce "Rights" Dictionary signature that should  be  stored  as
	the first element of the "RightsID" array.
	This procedure looks  not  too  bad  in  comparison  with  Page  Content
	signature calculation, but not perfect too. Now, the problem is  related
	to Document ID and RC4. It is well  known  that  RC4  (like  many  other
	stream  ciphers)  is  just  a  pseudo-random  sequence  generator,   and
	generated stream is combined  with  source  data  by  XOR  operation  to
	produce  encrypted  data.  Therefore,  if  we  need  to  force  "Rights"
	Dictionary  signature  to  be  equal  to  some  predefined  value,   the
	following approach should work:
	
	- Decrypt signature (from any reader-enabled document) by RSA Public Key to
	  obtain RC4-encrypted Document ID;
	- Calculate "Rights" Dictionary and Info Dictionary hash (from document to be
	  reader-enabled) to obtain RC4 key;
	- Decrypt Document ID value by RC4 and assign it to the new document.
	
	It is necessary  to  note  that  Document  ID  consists  of  two  parts:
	permanent identifier and variable identifier. Only permanent  identifier
	is involved in the signature calculation. The Document  ID  is  used  to
	resolve external references by ID, and almost  useless  in  "standalone"
	documents. So, assigning the new Document ID is not a big issue.
	
	Impact
	===============================================================================
	
	As it was shown above, all 512-bit RSA-based signature checks  could  be
	easily bypassed - it is very difficult to break  RSA-512  cipher  itself
	and calculate signature values for arbitrary document, but  it  is  much
	easier to modify document to match  a  fixed  (known)  signature  values
	without noticeable  changes  in  the  document's  content,  and  without
	breaking, stealing or purchasing RSA private key.
	It is looks like the only party negatively affected  by  such  facts  is
	Adobe Systems Incorporated itself. But if some  U.S.  government  agency
	will  decide  to  spend  $75K  for  Adobe  Document  Server  for  Reader
	Extensions, all U.S. taxpayers will be affected by indirection, too.
SOLUTION
	?