Securing PDFs

Posted: June 29, 2009 in general, professional, security

In a recent article, my favorite electronic evidence blogger, Sharon D. Nelson, Esq., of the {ride the lightning} blog, writes about how to properly secure a PDF document.

In order to properly secure an Adobe document, John [Simek, Vice President of Sensei Enterprises Inc.] advises a ‘two-step’ test.

The first step is to apply a password to the Adobe document that restricts any changes to the document (a “Change Permissions Password”).  The second step is to apply an “Open Document” password.  When both of these are applied, the PDF password cracker programs cannot get ‘at’ the flag that controls the editing of the document.

You provide your client with the “Open Document” password but not the “Change Permissions Password”.  This way they can view the contents of the document, but they have no ability to edit the document.

Using this dual password method, the software that is used to ‘crack’ the Adobe document password cannot get at the ‘flag’ and therefore cannot be used to break the security of the document (at least at this time).

This is very good advice, and as Sharon points out in a followup post, it will cost you nothing as your PDF generation software is already capable of doing this.
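A way to check the first step after the passwords have been applied, added here as an example (not code from the original post, the quoted blog or Adobe): it decodes the `/P` permissions entry of a PDF's `/Encrypt` dictionary and reports any editing permission still granted. It assumes the "flag" in the quoted advice is that `/P` entry of the PDF standard security handler; the dictionary strings are constructed samples, the function names are hypothetical, and it does not test whether an "Open Document" password is set.

```python
import re

# Bits of the /P entry in the PDF standard security handler
# (ISO 32000-1, Table 22). Bit numbers are 1-based, as in the spec.
PERMISSION_BITS = {
    3: "print", 4: "modify_contents", 5: "copy_or_extract",
    6: "annotate_or_fill_forms", 9: "fill_forms",
    10: "extract_for_accessibility", 11: "assemble_document",
    12: "print_high_quality",
}
EDITING = {"modify_contents", "annotate_or_fill_forms",
           "fill_forms", "assemble_document"}

def parse_encrypt_dict(text):
    """Pull /Filter and /P out of the text of an /Encrypt dictionary."""
    filt = re.search(r"/Filter\s*/(\w+)", text)
    perm = re.search(r"/P\s*(-?\d+)", text)
    return {"filter": filt.group(1) if filt else None,
            "p": int(perm.group(1)) if perm else None}

def decode_permissions(p):
    """Map the signed 32-bit /P integer to {permission: allowed}."""
    bits = p & 0xFFFFFFFF  # /P is written as a signed 32-bit value
    return {name: bool(bits >> (bit - 1) & 1)
            for bit, name in PERMISSION_BITS.items()}

def audit(text):
    """Return findings for the permission flag; an empty list means OK."""
    d = parse_encrypt_dict(text)
    if d["filter"] != "Standard" or d["p"] is None:
        return ["no standard password protection found"]
    allowed = {n for n, ok in decode_permissions(d["p"]).items() if ok}
    return ["editing permission still granted: " + n
            for n in sorted(allowed & EDITING)]

# Constructed sample dictionaries; /O and /U hold dummy values.
LOCKED = "<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 /O <00> /U <00> >>"
PRINT_ONLY = "<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1852 /O <00> /U <00> >>"
WIDE_OPEN = "<< /Filter /Standard /V 2 /R 3 /Length 128 /P -4 /O <00> /U <00> >>"

if __name__ == "__main__":
    for label, sample in (("locked", LOCKED), ("print only", PRINT_ONLY),
                          ("wide open", WIDE_OPEN), ("unencrypted", "<< >>")):
        print(label, "->", audit(sample) or "editing denied")
```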

It turns out that the folks at Adobe, who know quite a bit about PDF documents, provide a document (in PDF format!) all about securing PDF files. In addition to providing step-by-step instructions for the processes described in the previously mentioned blog entry (in sections entitled "Adding a document password" and "Restricting printing or changes to a document"), it also contains the following sections.

Creating a Digital ID – A Digital ID is required whenever you certify or sign a PDF. A digital ID contains your signature information. If you don’t already have a Digital ID, you can obtain one from a third-party signature handler, or you can create a self-signed digital ID.

Sharing certificate information – To verify your digital signature or to enable others to encrypt documents for you, other users need to access your digital ID certificate. If you have created a self-signed digital ID, or if others can’t access your certificate, you can send it to them.

Signing a document – Make sure you have finished making changes to the document.

Creating a certified document – When you create a certified document, you indicate to others that you approve of its content. You can also specify the types of changes permitted for the document to remain certified. Detection of unwanted changes will be provided when the user signs the document. Therefore in order to protect the document, only the changes you wish to allow will be included.

You get confidentiality (when users encrypt using your cert) as well as integrity (if you lock down the document as suggested), and your recipients get non-repudiation (if you digitally sign the document). Nobody gets plausible deniability.

Comments
  1. [...] last post was all about how to secure PDF documents. So it’s only fair that I point you to information to undermine that good advice. To be fair [...]

  2. [...] friend of mine pointed me to a good article on securing PDF documents. http://secforall.info/2009/06/29/securing-pdfs/ It’s a good tutorial on how to password protect, digitally sign and certify PDF documents. [...]

  3. [...] friend pointed me to a good article with references on securing PDFs. http://secforall.info/2009/06/29/securing-pdfs/ It's a good tutorial on digitally signing, password protecting and certifying a PDF document. Now if [...]
