Zhang Ye

Greenhorn
+ Follow
since Feb 06, 2011
Merit badge: grant badges
For More
Cows and Likes
Cows
Total received
0
In last 30 days
0
Total given
0
Likes
Total received
0
Received in last 30 days
0
Total given
0
Given in last 30 days
0
Forums and Threads
Scavenger Hunt
expand Ranch Hand Scavenger Hunt
expand Greenhorn Scavenger Hunt

Recent posts by Zhang Ye

Bruno,

I read a little more here

http://elcomsoft.com/apdfpr.html

ElcomSoft clearly says that they use Dictionary and Brutal Force attack "If the PDF is protected with a strong 128-bit or 256-bit key"

It also says "If the password does not fall into any dictionary, Advanced PDF Password Recovery attempts all possible combinations of passwords by performing the brute force attack."

From there, I think PDF open-level password can not be broken without brutal force attack if you use a complex enough password.

Am I missing something obvious? Or, the "flawed" protection only exists in older version (prior to 9.x) of Adobe Reader?

Thanks.
Bruno,

Thanks a lot for your reply.

I am quite shocked (clearly, you are very knowledgeable on this) because I read a lot of companies are sending password-protected PDFs containing sensitive data such as Credit Card number. Yet you just said the whole user/owner password for PDF is flawed and cracking the password requires NO brutal force.

Here are two companies (one of them, Arcot, was just acquired by CA for $200Million) doing this:

http://arcot.com/saas/electronic-notification.html

http://www.striata.com/solutions/technical-overview/authentication-and-security.html

Do they do much more than the user/owner password protected PDF?
Both of them claim that the only thing needed for the recipient is the freely available Adobe PDF Reader.

Thanks.









Bruno,

I am working on a project that requires password-based encryption for PDF file. The PDF file contains sensitive data, and the requirement is to add a open-level password. I have been thinking that using PDF Password Protection (choose AES128) is the same as encrypting the file itself using AES128, until I saw your post here:

"Whoever is asking for PDF password protection should know that this concept is purely psychological, and that iText can't be blamed if somebody succeeds in decrypting a PDF that was password encrypted by iText."

Here is my question:

Option 1: Use a symmetric encryption (password already communicated and satisfies desired complexity rule) to encrypt a PDF file. This way, I would have to require the recipient install the same software I use to decrypt the file.
Option 2: Use the built-in PDF "user password" a.k.a. "open password" (password already communicated and satisfies desired complexity rule)

The only difference between option 1 and 2 may be the length of the password (Option 2 built-in PDF password has to be less than 32 chars - but 32 chars are plenty for me). So, are there any other difference between option 1 and option 2, from a security perspective?

If there is no difference, I think the concept of asking for PDF password protection is NOT purely psychological then because it is very hard to crack the password.

I bought your book (second edition), and read chapter 12.3 "Protecting your PDF". As far as I understand, the
"user password" is quite secure, as long as you have a strong password...

Thanks.