Do Not Rely on PDF Document Security

Added by Mike Danseglio, July 16, 2014

The scenario is simple enough. You need to share some information, a document, with a friend or coworker. You want them to read the document, but not alter or print it. You don’t want them to copy the text or graphics to another file. You want to enforce the concept of “eyes only” on the document. Even if the document gets forwarded in its entirety, you want the security to remain intact.

So, to limit access to the data, you decide to use an application that builds content-centric security into its files. Microsoft Word does this with document protection features such as read-only and track-changes-enabled modes, which you can see in Figure 1.

Figure 1. Document protection features in Microsoft Word 2013.

Microsoft Word even has password-protection for both opening and writing documents! But that’s not strong enough for you and requires that all recipients have an appropriate version of Microsoft Word on their system.

You turn your attention to the Adobe PDF format and Adobe Acrobat, the de facto standard for creating and managing PDF files. The PDF format is ubiquitous across devices and platforms. Security is built right in, so you know that your document will be protected everywhere.

In fact, here’s a list of security options that you can configure in Adobe Acrobat, courtesy of Adobe’s website: Securing documents with passwords.

Compatibility

Sets the type of encryption for opening a password-protected document. If you choose Acrobat 3.0 And Later (PDF 1.3) option, a low-encryption-level security (40-bit RC4) is used. If you choose Acrobat 5.0 And Later (PDF 1.4) or Acrobat 6.0 And Later (PDF 1.5), a high encryption level (128‑bit RC4) is used. Choosing Acrobat 7.0 And Later (PDF 1.6) encrypts the document using the AES encryption algorithm with a 128-bit key size. Acrobat X And Later (PDF 1.7) encrypts the document using 256-bit AES.

Note: Select Acrobat X And Later to apply 256-bit AES encryption to Acrobat 8 and 9 documents.

Be aware that anyone using an earlier version of Acrobat cannot open a PDF document with a higher compatibility setting. For example, if you select the Acrobat X and later option, the document cannot be opened in Acrobat 7 or earlier.

Encrypt All Document Contents (Acrobat)

Select this option to encrypt the document and the document metadata. If this option is selected, search engines cannot access the document metadata.

Encrypt All Document Contents Except Metadata (Acrobat)

Select this option to encrypt the contents of a document but still allow search engines access to the document metadata.

Encrypt Only File Attachments (Acrobat)

Select this option to require a password for opening file attachments. However, users can open the document without a password.

Require A Password To Open The Document

Select this option to require users to type the password you specify to open the document. This option is unavailable if Encrypt Only File Attachments is selected.

Document Open Password

Specify the password that users must type to open the PDF file.

Note: If you forget a password, there is no way to recover it from the document. It’s a good idea to store passwords in a separate secure location in case you forget them.

Restrict Editing And Printing Of The Document

Restricts access to the PDF file’s security settings. If the file is opened in Adobe Acrobat, the user can view the file but must enter the specified Permissions password in order to change the file’s Security and Permissions settings. If the file is opened in Illustrator, Photoshop, or InDesign, the user must enter the Permissions password, since it is not possible to open the file in a view‑only mode.

Change Permissions Password

Specify a password that is required to change the permissions settings. This option is available only if the previous option is selected.

Printing Allowed

Specifies the level of printing that users are allowed for the PDF document.

None

Prevents users from printing the document.

Low Resolution (150 dpi)

Lets users print at no higher than 150‑dpi resolution. Printing may be slower because each page is printed as a bitmap image. This option is available only if the Compatibility option is set to Acrobat 5 (PDF 1.4) or later.

High Resolution

Lets users print at any resolution, directing high-quality vector output to PostScript and other printers that support advanced high-quality printing features.

Changes Allowed

Defines which editing actions are allowed in the PDF document.

None

Prevents users from making any changes to the document that are listed in the Changes Allowed menu, such as filling in form fields and adding comments.

Inserting, Deleting, And Rotating Pages

Lets users insert, delete, and rotate pages, and create bookmarks and thumbnails. This option is only available for high (128‑bit RC4 or AES) encryption.

Filling In Form Fields And Signing Existing Signature Fields

Lets users fill in forms and add digital signatures. This option doesn’t allow them to add comments or create form fields. This option is only available for high (128‑bit RC4 or AES) encryption.

Commenting, Filling In Form Fields, And Signing Existing Signature Fields

Lets users add comments and digital signatures, and fill in forms. This option doesn’t allow users to move page objects or create form fields.

Page Layout, Filling In Form Fields, And Signing

Lets users insert, rotate, or delete pages and create bookmarks or thumbnail images, fill out forms, and add digital signatures. This option doesn’t allow them to create form fields. This option is only available for low (40‑bit RC4) encryption.

Any Except Extracting Pages

Lets users edit the document, create and fill in form fields, and add comments and digital signatures.

Enable Copying Of Text, Images, And Other Content 

Lets users select and copy the contents of a PDF.

Enable Text Access For Screen Reader Devices For The Visually Impaired

Lets visually impaired users read the document with screen readers, but doesn’t allow users to copy or extract the document’s contents. This option is available only for high (128‑bit RC4 or AES) encryption.

Enable Plaintext Metadata

Encrypts the contents of a document but still allows search engines access to the document metadata.
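As an added example (not from the original post or from Adobe), the Python code below reads the settings described above back out of a PDF's /Encrypt dictionary: the cipher chosen by the Compatibility option and the permission bits behind Printing Allowed, Changes Allowed, and copying. The bit positions are those of the standard security handler's /P entry in the PDF specification; the function names are illustrative and both sample dictionaries are constructed.

```python
import re

# Bit positions (1-based) of the /P permissions entry, standard security handler.
PERMISSION_BITS = {
    3: "print", 4: "modify contents",
    5: "copy text and images", 6: "comment and fill form fields",
    9: "fill form fields and sign", 10: "text access for screen readers",
    11: "insert, delete, rotate pages", 12: "high-resolution print",
}

def parse_encrypt_dict(text):
    """Extract /V, /R, /Length, /P and the crypt filter method from dictionary text."""
    cfm = re.search(r"/CFM\s*/(\w+)", text)
    # Drop the nested /CF dictionary so its own /Length is not read as the key length.
    top = re.sub(r"/CF\s*<<.*?>>\s*>>", "", text, flags=re.S)
    enc = {k: int(v) for k, v in re.findall(r"/(V|R|Length|P)\s+(-?\d+)", top)}
    enc["CFM"] = cfm.group(1) if cfm else None
    return enc

def cipher(enc):
    """Map /V and /CFM to the encryption levels listed under Compatibility."""
    v = enc.get("V", 0)
    if v in (1, 2):
        return f"RC4 {enc.get('Length', 40)}-bit"   # /Length defaults to 40 bits
    if v == 4:
        return "AES 128-bit" if enc["CFM"] == "AESV2" else "RC4 (crypt filter)"
    if v == 5:
        return "AES 256-bit"
    return "unknown"

def allowed(p):
    """Decode /P (a signed 32-bit integer) into the operations it permits."""
    p &= 0xFFFFFFFF  # view the signed value as 32 unsigned bits
    return [name for bit, name in PERMISSION_BITS.items() if p & (1 << (bit - 1))]

def audit(text):
    enc = parse_encrypt_dict(text)
    c = cipher(enc)
    return {"cipher": c, "legacy_rc4": c.startswith("RC4"), "allowed": allowed(enc.get("P", -1))}

# Constructed samples (/O and /U omitted): a print-only AES file and a 40-bit RC4 file.
PRINT_ONLY_AES = ("<< /Filter /Standard /V 4 /R 4 /Length 128 /CF << /StdCF << /AuthEvent /DocOpen "
                  "/CFM /AESV2 /Length 16 >> >> /StmF /StdCF /StrF /StdCF /P -1852 >>")
OLD_RC4 = "<< /Filter /Standard /V 1 /R 2 /P -44 >>"

if __name__ == "__main__":
    print(audit(PRINT_ONLY_AES), audit(OLD_RC4))
```

The output reports what the file declares, which is the thing to check before distribution; a 40-bit RC4 result means the document was saved with the Acrobat 3.0 compatibility setting.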

This level of security configuration is really impressive. Or, more correctly, impressive-looking. If you’re like most users you’ll put your faith in Adobe’s security controls, protect your PDF document, and send it on its way.

So What’s The Problem With PDF Security?

Security concerns often arise from the conflict between security and functionality. We need to explore two facets of this conflict.

First, at its core, a PDF document is designed to allow the recipient to do something with it. Even a heavily protected PDF allows some access to someone. This always provides an opportunity for compromise.

Second, a PDF is a digital file accessed on a computer. It doesn’t matter whether the computer runs Windows, OS X, Android, iOS, or Linux; the file must be stored and managed on a computer of some type. Because all modern computers are multi-function devices, other tasks can be taking place on the same system while the PDF is being accessed.

When you combine some access and multiple tasks on the same computer, the result is the opportunity for unauthorized access.

What Are Some Examples of Compromising PDF Security?

There are plenty of applications that will remove PDF passwords, extract data into an insecure file, grab page images, etc. I won’t list any PDF-specific attack techniques here as that’s not my intent. But I’ll show a very low-tech PDF compromise to illustrate my point.

This is a screenshot of a protected PDF I created.

Figure 2. A screenshot of a secured PDF.

Notice the (SECURED) in the title bar. The PDF is protected as shown in this next screenshot.

Figure 3. Only printing is allowed on this PDF.

You might already see the flaw in the security. I was able to take a screenshot of the PDF for Figure 2. I used the built-in Windows 7 Snipping Tool.

The opportunity for compromise in this way comes from the need to display the information on a screen that other applications can access. And while this low-brow pedestrian attack grabs the information as images, a bit more sophistication allows text conversion and element separation.

Conclusion

Simply put: when you distribute a sensitive document, you should take reasonable precautions to prevent unauthorized access and use. You should not assume that the content will be fully protected. Faith in PDF security should be tempered with the realization that any content, of any type, can be compromised.

Mike Danseglio - CISSP / CEH
Interface Technical Training – Technical Director and Instructor

Mike Danseglio teaches Security classes at Interface Technical Training. His classes can be attended in Phoenix, Arizona or online from anywhere in the world with RemoteLive.

See what people are saying...

  1. Jenny Charlotte

    Nice post! I am very impressed to see it, whole blog is informative. Today I also want to talk about Free pdf unlocker, our remove pdf password security like printing, filling a form, commenting in the document, managing pages and bookmarks, modifying documents, copying content for access, extracting and signing the document contents.

  2. CanDo Jack

    While I appreciate the information well presented in your article,
    I do not find a general solution to my problems:
    1) people do not have to even open a file that contains say a novel of mine: if they sell it they are still stealing from me
    2) if encryption is a saviour in this arena I would have liked more info on it.

    Thanks for the article.

  3. zoedtdt

    You can go here regarding on page http://www.pdfcoding.com/online/pdf/protect-edit-pdf-file-permission/. This site has helped me a lot on pdf password encryption online.

  4. mike

    Can I disable printing, highlighting as well as print screen, etc. so a person who gets to my pages can read them but not do anything else?
    If so, which version of MS Word will do this?

  5. Lars

    This is a good point, but it’s important not to conflate the different kinds of security. Protecting a publicly readable document from being copied, printed, etc. is unreliable, but encrypting a document so that it cannot even be read without the decryption key is a different story.

  6. S. Liguori

    question: we save pdf files to a shared folder on our network…if some bozo leaves that document open on their desktop and is m.i.a. for a while, we cannot delete or update the doc saved in that shared folder (from an original we have saved in another folder)…can you tell me how to secure the doc for the shared folder so that if someone leaves it open, I can still delete or save another version of it in that folder? I have writeable version of Acrobat (7.0)…thank you!!!!
