Do Not Rely on PDF Document Security

Like This Blog 6

Added by Mike Danseglio July 16, 2014

The scenario is simple enough. You need to share some information, a document, with a friend or coworker. You want them to read the document, but not alter or print it. You don’t want them to copy the text or graphics to another file. You want to enforce the concept of “eyes only” on the document. Even if the document gets forwarded in its entirety, you want the security to remain intact.

So to limit the access to the data you decide to use an application that builds content-centric security into its files. Microsoft Word does this with document protection features like read-only and track changes enabled that you see in Figure 1.

Figure 1. Document protection features in Microsoft Word 2013.

Microsoft Word even has password-protection for both opening and writing documents! But that’s not strong enough for you and requires that all recipients have an appropriate version of Microsoft Word on their system.

You turn your attention to the Adobe PDF format and Adobe Acrobat, the de facto standard for creating and managing PDF files. The PDF format is ubiquitous across devices and platforms. Security is built right in, so you know that your document will be protected everywhere.

In fact, here’s a list of security options that you can configure in Adobe Acrobat, courtesy of Adobe’s website: Securing documents with passwords.

Compatibility

Sets the type of encryption for opening a password-protected document. If you choose Acrobat 3.0 And Later (PDF 1.3) option, a low-encryption-level security (40-bit RC4) is used. If you choose Acrobat 5.0 And Later (PDF 1.4) or Acrobat 6.0 And Later (PDF 1.5), a high encryption level (128‑bit RC4) is used. Choosing Acrobat 7.0 And Later (PDF 1.6) encrypts the document using the AES encryption algorithm with a 128-bit key size. Acrobat X And Later (PDF 1.7) encrypts the document using 256-bit AES.

Note: Select Acrobat X And Later to apply 256-bit AES encryption to Acrobat 8 and 9 documents.

Be aware that anyone using an earlier version of Acrobat cannot open a PDF document with a higher compatibility setting. For example, if you select the Acrobat X and later option, the document cannot be opened in Acrobat 7 or earlier.

Encrypt All Document Contents (Acrobat)

Select this option to encrypt the document and the document metadata. If this option is selected, search engines cannot access the document metadata.

Encrypt All Document Contents Except Metadata (Acrobat)

Select this option to encrypt the contents of a document but still allow search engines access to the document metadata.

Encrypt Only File Attachments (Acrobat)

Select this option to require a password for opening file attachments. However, users can open the document without a password.

Require A Password To Open The Document

Select this option to require users to type the password you specify to open the document. This option is unavailable if Encrypt Only File Attachments is selected.

Document Open Password

Specify the password that users must type to open the PDF file.

Note: If you forget a password, there is no way to recover it from the document. It’s a good idea to store passwords in a separate secure location in case you forget them.

Restrict Editing And Printing Of The Document

Restricts access to the PDF file’s security settings. If the file is opened in Adobe Acrobat, the user can view the file but must enter the specified Permissions password in order to change the file’s Security and Permissions settings. If the file is opened in Illustrator, Photoshop, or InDesign, the user must enter the Permissions password, since it is not possible to open the file in a view‑only mode.

Change Permissions Password

Specify a password that is required to change the permissions settings. This option is available only if the previous option is selected.

Printing Allowed

Specifies the level of printing that users are allowed for the PDF document.

None

Prevents users from printing the document.

Low Resolution (150 dpi)

Lets users print at no higher than 150‑dpi resolution. Printing may be slower because each page is printed as a bitmap image. This option is available only if the Compatibility option is set to Acrobat 5 (PDF 1.4) or later.

High Resolution

Lets users print at any resolution, directing high-quality vector output to PostScript and other printers that support advanced high-quality printing features.

Changes Allowed

Defines which editing actions are allowed in the PDF document.

None

Prevents users from making any changes to the document that are listed in the Changes Allowed menu, such as filling in form fields and adding comments.

Inserting, Deleting, And Rotating Pages

Lets users insert, delete, and rotate pages, and create bookmarks and thumbnails. This option is only available for high (128‑bit RC4 or AES) encryption.

Filling In Form Fields And Signing Existing Signature Fields

Lets users fill in forms and add digital signatures. This option doesn’t allow them to add comments or create form fields. This option is only available for high (128‑bit RC4 or AES) encryption.

Commenting, Filling In Form Fields, And Signing Existing Signature Fields

Lets users add comments and digital signatures, and fill in forms. This option doesn’t allow users to move page objects or create form fields.

Page Layout, Filling In Form Fields, And Signing

Lets users insert, rotate, or delete pages and create bookmarks or thumbnail images, fill out forms, and add digital signatures. This option doesn’t allow them to create form fields. This option is only available for low (40‑bit RC4) encryption.

Any Except Extracting Pages

Lets users edit the document, create and fill in form fields, and add comments and digital signatures.

Enable Copying Of Text, Images, And Other Content 

Lets users select and copy the contents of a PDF.

Enable Text Access For Screen Reader Devices For The Visually Impaired

Lets visually impaired users read the document with screen readers, but doesn’t allow users to copy or extract the document’s contents. This option is available only for high (128‑bit RC4 or AES) encryption.

Enable Plaintext Metadata

Encrypts the contents of a document but still allows search engines access to the document metadata.

This level of security configuration is really impressive. Or, more correctly, impressive-looking. If you’re like most users you’ll put your faith in Adobe’s security controls, protect your PDF document, and send it on its way.

So What’s The Problem With PDF Security?

Security concerns often arise from the conflict between security and functionality. We need to explore two facets of this conflict.

First, at its core, a PDF document is designed to allow the recipient to do something with it. Even a heavily protected PDF allows some access to someone. This always provides an opportunity for compromise.

Second, a PDF is a digital file accessed on a computer. It doesn’t matter if the computer is Windows, OSX, Android, iOS, or Linux, the file must be stored and managed on a computer of some type. Because all modern computers are multi-function devices, other tasks can be taking place on the same system while the PDF is also being accessed.

When you combine some access and multiple tasks on the same computer, the result is the opportunity for unauthorized access.

What Are Some Examples of Compromising PDF Security?

There are plenty of applications that will remove PDF passwords, extract data into an insecure file, grab page images, etc. I won’t list any PDF-specific attack techniques here as that’s not my intent. But I’ll show a very low-tech PDF compromise to illustrate my point.

This is a screenshot of a protected PDF I created.

Figure 2. A screenshot of a secured PDF.

Notice the (SECURED) in the title bar. The PDF is protected as shown in this next screenshot.

Figure 3. Only printing is allowed on this PDF.

You might already see the flaw in the security. I was able to take a screenshot of the PDF for Figure 2. I used the built-in Windows 7 Snipping Tool.

The opportunity for compromise in this way comes from the need to display the information on a screen that other applications can access. And while this low-brow pedestrian attack grabs the information as images, a bit more sophistication allows text conversion and element separation.

Conclusion

Simply put: when you distribute a sensitive document, you should take reasonable precautions to prevent unauthorized access and use. You should not assume that the content will be fully protected. Faith in PDF security should be tempered with the realization that any content, of any type, can be compromised.

Mike Danseglio -CISSP / CEH
Interface Technical Training – Technical Director and Instructor

Mike Danseglio teaches Security classes at Interface Technical Training. His classes can be attended in Phoenix, Arizona or online from anywhere in the world with RemoteLive.

• CISSP (Certified Information Systems Security Professional)
• Certified Ethical Hacking and Countermeasures v8
• CompTIA Security + Certification Skills