Protecting PDF files without passwords or certificates
When it comes to securing PDF files, most people consider two options: password or certificate-based encryption. It’s easy to understand why. These are the options the most popular PDF applications in the world provide. They’re intuitive to apply, not too restrictive for the end-user, and give the appearance of good protection.
As we’ll discuss today, though, both come with some significant drawbacks. And, in the case of passwords, the “appearance” of protection may be all you’re getting. Let’s explain why:
Password-protected PDFs are fundamentally insecure
The password-based encryption you see in applications like Adobe Acrobat has some major security flaws. Though it may provide some protection in select circumstances, it shouldn’t be used in any serious capacity. In fact, the flaws are so wide-ranging that we won’t even cover them all today. Here are the main ones:
- Protections only apply until someone enters the password. As soon as somebody has the password to open and decrypt your document, they can easily remove any PDF restrictions or permissions that you apply, such as stopping printing, editing, and copying. This means that you need to have absolute trust that they won’t tamper with the document or send the unprotected PDF file to others.
- It’s hard to make passwords strong, yet easy to remember. A strong password requires lowercase letters, uppercase letters, numbers, and symbols. To avoid dictionary attacks, ideally, it shouldn’t use real words or phrases, either. As you can imagine, these types of passwords can be quite challenging to remember. A person might be able to remember one, two, or even five of them, but past that point you’re looking at trouble. And don’t forget — you should ideally have a different password for each document you encrypt, so you need to make a list of them.
- Insecure passwords can be brute-forced. If you don’t choose a strong password, freely available password crackers can guess it in minutes. As employees can’t remember strong passwords, their only real choice is to use weak ones or save all their passwords in a centralized place — which is probably a bad idea.
- You have to find a secure way to distribute passwords. You need to send the password to every user you want to be able to open the PDF, so you have to use secure email or something similar to distribute it to others.
- Passwords can be shared. So let’s say you’ve found a way to create secure passwords that are memorable and stored/distributed safely. Unfortunately, a single person in the chain brings it all crashing down. To make matters worse, you won’t even know that they have shared it and therefore who has access to your documents.
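To see what “protection” a password-protected PDF actually carries, here is an added example (not from the original post) in Python that locates the Standard security handler’s /Encrypt dictionary in a PDF’s raw bytes and reports the cipher in use and the permission bits stored in /P; the sample PDF bytes and the /O and /U values are constructed for illustration, not taken from any real document.

```python
import re

# Constructed sample (not from any real document): the raw bytes of a PDF
# protected with the Standard security handler, using 40-bit RC4 (/V 1, /R 2)
# and a /P value that asks viewers to allow printing only. /O and /U are dummies.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
5 0 obj << /Filter /Standard /V 1 /R 2 /Length 40 /P -3900
/O <00> /U <00> >> endobj
trailer << /Root 1 0 R /Encrypt 5 0 R >>
%%EOF
"""

# Permission bits of /P, numbered 1-based as in the PDF specification.
PERMISSION_BITS = {
    3: "print", 4: "modify", 5: "copy/extract", 6: "annotate/fill forms",
    9: "fill forms", 10: "extract for accessibility", 11: "assemble",
    12: "print high quality",
}

def decode_permissions(p: int) -> dict:
    """/P is a signed 32-bit bitfield: a set bit means the viewer is *asked*
    to allow that action. Nothing in the file forces a viewer to honour it."""
    return {name: bool(p & (1 << (bit - 1))) for bit, name in PERMISSION_BITS.items()}

def describe_algorithm(v: int, length: int) -> str:
    """Map the /V (and /Length) fields to the cipher actually in use."""
    if v == 1:
        return "RC4 40-bit (revision 2; key space searchable regardless of password)"
    if v == 2:
        return f"RC4 {length}-bit (deprecated)"
    if v == 4:
        return "AES-128 or RC4-128 via crypt filters (see /CF)"
    if v == 5:
        return "AES-256 (revision 5/6)"
    return f"unknown /V {v}"

def audit_pdf_encryption(pdf: bytes) -> dict:
    """Find the /Encrypt object referenced from the trailer and report the
    cipher strength plus the advisory permission flags."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+\d+\s+R", pdf)
    if ref is None:
        return {"encrypted": False}
    body = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+\d+\s+obj(.*?)endobj", pdf, re.S)
    if body is None:
        return {"encrypted": True, "error": "Encrypt object not found"}
    def field(name: bytes, default: int) -> int:
        m = re.search(rb"/" + name + rb"\s+(-?\d+)", body.group(1))
        return int(m.group(1)) if m else default
    v, length, p = field(b"V", 0), field(b"Length", 40), field(b"P", -1)
    return {"encrypted": True, "algorithm": describe_algorithm(v, length),
            "permissions": decode_permissions(p)}

if __name__ == "__main__":
    for key, value in audit_pdf_encryption(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run against a real file with `audit_pdf_encryption(open(path, "rb").read())`; any tool that can decrypt the content streams can ignore every flag the report lists, which is the point the bullets above make.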
Once you consider all of those flaws, you quickly realise that password-based PDF encryption is next to useless. But what about certificates?
Certificates are better…but not perfect
In certificate encryption, the certificate holds a user’s public key, as well as data about when it was generated and what it can be used for. They’re typically part of a Public Key Infrastructure (PKI), and can be distributed securely by an organization to ensure that only users with the right certificates can open the right documents.
Certificates are better than passwords in several ways. Firstly, you don’t have to worry about how you’re going to share the certificate without it being intercepted. The certificate only contains the sender’s public key. For the document to be decrypted, it must be unlocked with the recipient’s private key, which is unlikely to be shared. There are also currently no hacking applications to decrypt PDFs protected by certificates, and because PDF files are digitally signed you always know where they originated from, which is good for security.
The main disadvantage of certificate encryption, though, is shared with password encryption — once the document is decrypted, it can be freely shared with anybody. If it’s not paired with additional controls, there’s no guarantee that it will stay with the person you shared it with. And the controls standard PDF providers offer (PDF restrictions or permissions) are trivially bypassed.
There are other problems with PKI systems, too. They generally require a lot of management overhead, with organizations needing to set up a directory server to store key pairs and a system to revoke and generate certificates. Further, because you need a user’s certificate before you can encrypt a PDF to send them, they’re a struggle if you’re selling revenue-generating content.
A secure PDF alternative
So, we’ve established that both certificate and password protection for PDFs are ineffective. The question is, what should you use instead?
Well, you might be well-served by a solution that uses neither — PDF DRM protection. Locklizard, for example, uses a combination of encryption and licensing controls to securely transfer encryption keys to users’ devices and store them there safely. The document publisher protects the PDF before sending it, and it can only be opened on an authorized user’s device by a dedicated secure viewer application. If the user doesn’t have the correct key on their device, the document won’t open.
PDF DRM also addresses a flaw the other two methods share: what happens after the document is opened. The secure viewer application can persistently enforce printing, screenshotting, expiry, copy/pasting, editing, and other controls in a way that cannot be easily bypassed.
As a result, PDF DRM is the best choice for businesses that want their protection to be more than just an illusion. By doing away with passwords and certificates entirely, they’re able to bypass many of their flaws while remaining user-friendly and suitable for revenue-generating content.