13 Replies Latest reply on Apr 28, 2015 4:58 PM by IsakTen

    Methods to secure PDF files against third part unlockers

    peterh92014343

      I haven't tested their claims, but www.pdfunlock.com and www.guapdf.com both claim to be able to bypass any and all Acrobat security up to 256-bit encryption in version 11. And I assume any new version yet to come out.

      Can Acrobat fully stop the ability to edit a PDF, or do I need something like a) LockLizard, or b) a converter to make my PDF file into a series of images if I want to secure my data?

        • 1. Re: Methods to secure PDF files against third part unlockers
          Test Screen Name Most Valuable Participant

          This is why Adobe gives a clear warning when you set security that third party tools may not respect it.


          The problem is that password security is part of the published ISO standard which everyone can follow, and some programmers choose to ignore the security rules.

           

          You could consider certificate based security. This works if you have done a secure certificate exchange with the recipient. Only the recipient than has the key to decrypt.

          • 2. Re: Methods to secure PDF files against third part unlockers
            peterh92014343 Level 1

            So password security is like locking your door but leaving the key under the front mat? I don't live in the right neighbourhood for that

            Certificate based security is not an option, but thanks for the suggestion.

            • 3. Re: Methods to secure PDF files against third part unlockers
              IsakTen Level 4

              This is a different warning for different security. This is for permissions security not for PDF open security.

              • 4. Re: Methods to secure PDF files against third part unlockers
                IsakTen Level 4

                Choose "Compatibility with Acrobat X and later". It gives you a very strong encryption which commercial products cannot crack.

                • 5. Re: Methods to secure PDF files against third part unlockers
                  Test Screen Name Most Valuable Participant

                  If it does, it's only a matter of time. The security, like the others, follows published standards, so people who want to write crackers will eventually read those standards.

                  • 6. Re: Methods to secure PDF files against third part unlockers
                    IsakTen Level 4

                    At issue here is not reading standards. At issue here is the computing power required to crack strong passwords with strong encryption (like 156-bit AES). In the future, when computing power will increase 10-fold, it will become possible, but right now regular folks do not have access to the levels of computing power required to do that. If you are worried about NSA, this is a different story.

                    • 7. Re: Methods to secure PDF files against third part unlockers
                      manishumarwadia

                      Hello,

                       

                      Even with "Compatibility with Acrobat X and later", 256-bit encryption and a strong password, 3rd party programs can unlock it in seconds like PDF UNLOCK etc. so password security is pretty much useless for restrictions. It's not practical to ask e.g. 100 attendees at a conference for their public keys either. Why would you want to store all of these one-time pubic keys anyway.

                       

                      There needs to be simple mechanism to prevent the restrictions from being circumvented so easily. An document expiration would be a bonus.

                       

                      I wonder how MS Office documents make it read only with a password (printing is still allowed). I have not seen a strong password cracked in those cases very easily.

                      • 8. Re: Methods to secure PDF files against third part unlockers
                        Test Screen Name Most Valuable Participant

                        Bear in mind that you have no protection at all if you do not have an OPEN password. If you have a control password, then there is a documented and public way to get at the file, which any third party tool can use.

                        1 person found this helpful
                        • 9. Re: Methods to secure PDF files against third part unlockers
                          manishumarwadia Level 1

                          Agree, but if you need copy/paste/print protection from the recipient of the PDF, what good does an OPEN password do? You would have to give it to them so that they can open the file and then it's all open from that point.

                          • 10. Re: Methods to secure PDF files against third part unlockers
                            Test Screen Name Most Valuable Participant

                            Certainly, if you send a password with a file there is no security - not with Word documents either. This is a fundamental principle of good security - separate passwords from files.

                             

                            Perhaps you should investigate DRM, e.g. Adobe's LiveCycle Policy Server. This may be unpopular with your user base, especially if they are academics, as they might not be able to run the necessary Adobe Reader software (e.g. Linux users). Access on tablets is also problematic.

                            • 11. Re: Methods to secure PDF files against third part unlockers
                              manishumarwadia Level 1

                              Sorry to belabor this point but there is a crucial difference. Assuming the objective is disseminate a document to a wide external audience for read only, with no copy/paste/print/edit capabilities: With Acrobat/PDF, the restrictions password is able to be stripped by 3rd party programs in seconds (not even sure how, since it can't be brute force since I have 20-character long gibberish passwords). With MS Powerpoint, I am able to set it to read only with the same 20-character password and the only way it can be "broken" is through brute force algorithms.

                              • 12. Re: Methods to secure PDF files against third part unlockers
                                Test Screen Name Most Valuable Participant

                                The restrictions password depends on software following the PDF specifications. As Adobe warn very clearly, some third party software does not respect this.

                                 

                                PDF is an open standard, the information on encryption is publicly available. Powerpoint is not an open standard.

                                 

                                But I suspect the main difference is that the market is not so attractive, so nobody has bothered to make a Powerpoint cracker.

                                • 13. Re: Methods to secure PDF files against third part unlockers
                                  IsakTen Level 4

                                  I got confused as to what you want to do. PDF specification defines two passwords for each PDF" an "Open" password, which is required to open PDF and "Permissions" password, which is required to change permissions. The first ("Open") password with 256 bit AES encryption in Acrobat is extremely difficult to crack. But you are talking about the "Permissions" password. This is a different story. If a PDF is not encrypted with the "Open" password then its content is just plain text. Any PDF-processing application can see everything in a PDF file. Permissions restrictions backed by a "Permissions" password are on an honor-based system. Well, some PDF Viewing applications are not honorable enough to honor these permission. There is no need to crack "Permissions" password to to that.

                                  I agree that permissions restrictions mechanism in PDF based on a "Permissions" password is very week. It made sense 15 years ago when Acrobat/Reader were the only game in town. Now that there are many alternatives (although IMO they are all far inferior to Adobe Reader) it does not work. If you want to really secure restrictions in your PDF documents you should consider a DRM solutions (like Adobe LiveCycle) but they are expensive.

                                  As to why MS Word honors permissions, this is because there are very few applications other than Word that process Word documents. As TSN noted PDF is an open standard. MS Office is not. As long as you stay with Adobe products, all restrictions are respected.