Topic: Re: Effective security in Acrobat 6 (Via Email)
Conf: (P-PDF) Acrobat 6.0, Msg: 109423
From: prodok
Date: 4/12/2004 11:03 PM
There have been PDF viewers out there which simply ignored the security
settings within a PDF document. And the security settings concerned
were essentially the base settings (no printing, no modification,
etc.). In order to circumvent these settings, you won't need much in
your software, as long as you can open the document.

However, in the meantime, there is apparently some understanding among
the third-party PDF viewer makers to respect these settings.

The Elcomsoft approach is essentially to modify an already open
document. In order to display a document, you will at one time have to
open it, and to expose its contents. This means that this point is the
place where anything can be attacked (if that term is appropriate). In
order to prevent that, you would have to make write-only documents.

If the document has an opening password, the Elcomsoft software does
rely on the user to provide that password. Otherwise, it has to use the
brute-force approach, which takes more than exponentially more time the
longer the opening password is. And if you add some extra characters,
even the dictionary search approach (which is a considerable speedup)
will fail.

It gets even more extreme with a document which uses digital
signatures/certificates for protection. Without the private key, whose
public key has been used to encrypt the document, such documents
cannot be opened. Period. Well, unless you apply the Brute Force method
... and considering the length of the keys, you will need some little
time to get beyond that. However, once the document is opened for
viewing, you do have access to it.

This also applies to any kind of third-party securing software. I know
of solutions which actually verify first if any known "protection
removing" software is installed on the user's machine, and, if so, they
simply refuse to work.

That said, it will depend a lot on what you want to secure. You will
have to make up your mind about the risks to your documents, which
includes the potential damage if the security is broken. And then, you
might notice that all of a sudden, the highest risks come from your
legitimate users... So, you have to do your homework, and then decide
what is the most appropriate approach. You always have to keep in mind
that any kind of security can be broken; it is simply a matter of
resources needed to do it.

Now, why does Adobe put that disclaimer on their website? This is easy
to understand. Considering the fact that Adobe is a
beancounter/lawyer-run, publicly traded USAn corporation, they simply
protect their asses with that disclaimer ... in order to avoid
being sued by other greedy lawyers (and their even greedier clients)...
simple, isn't it... Ah, yeah, and it is of course always the others
who do not play fair...

Max Wyss
PRODOK Engineering
Low Paper workflows, Smart documents, PDF forms
CH-8906 Bonstetten, Switzerland
Fax: +41 1 700 20 37
or +1 815 425 6566
e-mail: mailto:max@prodok.com
http://www.prodok.com
[ Building Bridges for Information ]
______________________
Shameless Plug:
My next conference appearances and workshops:
- Conference presentations at the 2004 Symposium of the BFMA, May 23 to
  27 in Reno, Nevada (http://www.bfma.org) and pre-/post-conference
  workshop, May 22/23 and 27, organized by essociates Group
  (http://www.essociatesgroup.com/AdvancedAcrobatForms.htm)
- And, as always, available for on-site
  workshops/tutorials/consulting.
_________________________
> Given Adobe's comments that '3rd party products may not respect
> security...'
>
> Am I right in thinking that the only way to ensure that a PDF is e.g.
> not printable is to use both an Open and a Restrict password with the
> PDF (and thinking about that, would the Elcomsoft stuff even get round
> that if the user had the Open password?)
>
> Restriction by digital certificate recipient looked great - until I
> saw the disclaimer by Adobe on 3rd party stuff.
>
> Is the bottom line, you have to get a 3rd party product for securing
> PDFs effectively?