Web site editor illustrates how Mac OS X can circumvent PDF security
Says he's discussed findings with Adobe Systems -- 'fix in the works'
20 March 2002
By Kurt Foss, Planet PDF Editor
Early this month Marc Hoffman, Editor and Webmaster of the OS Emulation HomePage, reported on the site -- ironically in a secured PDF file -- that he'd "discovered a very *BIG* security flaw in Adobe Acrobat's PDF encryption model." He also said his concerns initially "fell on deaf ears" at Adobe, although when subsequently asked by Planet PDF to clarify which steps he'd taken to notify the company, Hoffman himself didn't respond to several requests. In an updated report on his site, Hoffman says he recently talked with Kathi Rauth, Senior Product Manager with
His allegation -- that "the encryption settings in Adobe Acrobat files can be disabled completely with relative ease, destroying the ability to protect intellectual property" -- is illustrated within the PDF file posted on his site. The document is secured with both a User (or "Open") password and a Master (or "Owner") password; Hoffman posts the User password needed to open the PDF.
He describes the method by which Apple's OS X circumvents the security settings of a PDF file, explaining that "all that is needed is Mac OS X and Mac OS X's Preview application." He created an example using Acrobat Distiller 5.0.5 "running on Mac OS 9.2.2 to create a PDF file with very high security settings" -- setting a Master password and disabling separate permissions to print, copy, change or extract content from the PDF.
"Mac OS X's Preview program is able to ignore the security settings in an Acrobat encrypted file and do whatever it wants with the file. And if OS X's Preview can do this, then any program can be written to exploit this security hole. ... The process of destroying the security settings in an encrypted PDF document is surprisingly easy and straightforward."
Hoffman outlines the steps that lead to circumventing the file's security:
- Open the encrypted file in Mac OS X Preview
- Select Print from the File menu
- Select Output Options in the drop-down menu
- Select "Save as File," and choose 'Postscript' in the Format
Then the new .ps file is re-distilled -- a process some refer to as "re-frying" -- to create a new PDF file, but one without the original security settings.
The concept of printing a PDF file to create a new .ps file for re-distilling has been around since Acrobat 1.0. But typically that method comes into play when a document owner disables most permissions, but allows printing. The technique also has a number of shortcomings, such as losing hyperlinks, bookmarks, etc. In Hoffman's example, the ability to print had -- in theory, at least -- been disabled. But OS X's Print Preview appears to have ignored that.
Hoffman reports that Adobe's Rauth assured him the company has been in discussion with Apple on this issue "for some time," and that both parties are working to fix it. Apple implements PDF as defined by Adobe Systems, but in this case, apparently does not enforce the security settings present on a PDF file.
There are some significant differences in PDF files created with Apple's OS X and the current Acrobat 5 software. [See Leonard Rosenthol's "Mac OS X and PDF: The Real Story" presentation from MacWorld 2002, which explores and explains Apple's adoption of PDF as the graphics standard for its newest operating system.]
According to Hoffman's account of the discussion, Rauth explained that "Adobe has based their security model as such that the secured PDF file trusts the program viewing it to follow certain guidelines. [See "PDF Security Overview," a presentation given last year by Thomas Merz of PDFLib at the PDF Conference.] If these guidelines are not followed, then security can be compromised."
"Note: Once the document has been opened and decrypted successfully, the viewer application has access to the entire contents of the document. There is nothing inherent in PDF encryption that enforces the document permissions specified in the encryption dictionary. It is up to the implementors of PDF viewer applications to respect the intent of the document creator by restricting user access to an encrypted PDF file according to the permissions contained in the file."
-- Page 71 of the Adobe Systems PDF Reference 1.4
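The PDF Reference note above, shown as an added example (not code from the article, Hoffman or Adobe): the permissions are integer flags in the /P entry of the encryption dictionary, which a viewer decodes and then chooses whether to honour. The sample dictionary is constructed and the function names are illustrative.

```python
import re

# User access permission bits from the PDF Reference 1.4 (bit 1 = low-order bit).
# Bits 3-6 apply to every revision; bits 9-12 only carry meaning for revision 3.
PERMISSION_BITS = {
    3: "print",
    4: "modify contents",
    5: "copy or extract text and graphics",
    6: "add or modify annotations",
    9: "fill in existing form fields",
    10: "extract for accessibility",
    11: "assemble document",
    12: "print at full quality",
}

# Constructed sample of a Standard security handler encryption dictionary.
# The /O and /U password strings are left out; they play no part in /P.
SAMPLE_ENCRYPT_DICT = "<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>"

def parse_encrypt_dict(text):
    """Return the /Filter name and the integer entries /V, /R and /P."""
    entries = {}
    name = re.search(r"/Filter\s*/(\w+)", text)
    if name:
        entries["Filter"] = name.group(1)
    for key in ("V", "R", "P"):
        value = re.search(r"/%s\s+(-?\d+)" % key, text)
        if value:
            entries[key] = int(value.group(1))
    return entries

def decode_permissions(p, revision):
    """Map the signed 32-bit /P value to {operation: allowed?}."""
    flags = p & 0xFFFFFFFF  # /P is stored as a signed integer; view it as 32 raw bits
    highest = 12 if revision >= 3 else 6
    return {name: bool(flags >> (bit - 1) & 1)
            for bit, name in PERMISSION_BITS.items() if bit <= highest}

def audit(text):
    """List what the document creator asked viewers to allow and to deny."""
    entries = parse_encrypt_dict(text)
    if entries.get("Filter") != "Standard" or "P" not in entries:
        raise ValueError("not a Standard security handler dictionary")
    perms = decode_permissions(entries["P"], entries.get("R", 2))
    return {"allowed": [n for n, ok in perms.items() if ok],
            "denied": [n for n, ok in perms.items() if not ok]}

if __name__ == "__main__":
    print(audit(SAMPLE_ENCRYPT_DICT))
```

An audit like this reports which restrictions a file requests; it says nothing about whether a given viewer enforces them.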
Hoffman says he asked: "What if some other programmer or company comes up with a similar program that does the same thing?"
In fact, there already are several commercially available software programs, services or utilities for recovering -- or "cracking," as some call it -- lost or forgotten passwords for Adobe Acrobat PDF files (as well as for many other common software products). Even in the case of Hoffman's secured PDF -- the one with both a User and Master password set, together offering the best available level of protection with Adobe's Standard Security Handler -- all permissions can still be easily removed using one of these recovery programs. Again using Hoffman's file as an example, once he provides the User password to someone else so they can open and view his PDF, a password recovery program can decipher the Master password and thus allow the removal of all permissions set by the original owner.
Hoffman says Rauth explained that Adobe "has inserted some legal 'entries' into the PDF specifications," so that theoretically "all PDF viewers stick to the proper specifications for viewing PDF files." Further, he says he "pointed out that hackers are not going to pay attention to legal entries," putting "authors' intellectual property at risk of being altered or redistributed/printed without their permission."
Surprisingly, the recounting of the discussion makes no mention of the Digital Millennium Copyright Act (DMCA), the controversial U.S. law that can come into play -- and already has -- if anyone 'not paying attention' infringes the rights of content owners or publishers. While to date there have been no legal challenges to password recovery type programs -- which do have legitimate uses, as well as at least the potential for mischief -- a criminal case involving the alleged illegal circumvention of the security of Adobe PDF-based eBooks is still being litigated in the Northern District Court in California. ElcomSoft Ltd., a Russia-based software company, is facing charges of violating the DMCA by creating a software product that could be used to remove the security settings of eBooks protected with Adobe technology.
The technique of properly setting security to protect PDF files appears to be one of the more confusing aspects of the program, based on various online discussions and on random inspections of PDF files from a wide range of sources -- including Adobe Systems.
In "Adobe Acrobat 5 Classroom in a Book," written by Adobe staff and recommended reading for those seeking product certification, there's a brief explanation in Chapter 3 that emphasizes one of the most oft-forgotten steps: Saving and closing the file again after making changes to the security settings. Unless the file is saved, closed and re-opened, settings that were intended to have been added have not actually been applied. Probably the other most commonly seen mistake is to disable certain permissions, but then fail to set (and Save) a Master password. Anyone can then open that file's Security Settings window and turn off all security (or add their own settings).
Setting Security in a PDF File
After choosing specific security settings in a PDF file, the document must be saved, closed and re-opened to see the true effect of the added security.
There are, of course, other options for securing PDF files if Adobe's standard security handler and encryption methods are deemed inadequate. Users can take advantage of (purchase) other PDF security products that utilize an alternate, more secure security handler, or they can encrypt whole PDF documents with other non-PDF-oriented tools.