How to protect password protected PDF file from being cracked

Hi,
This is Eliza.i think the following link might be helpful.

http://luxsci.com/blog/how-secure-are-password-protected-files.php

In short...longer more complex passwords.

I would also refer you to our Security Matters blog entry on the topic:

"Acrobat 9 now supports pass-phrases of 127 Roman characters in length for 256-bit AES encryption and added support for unicode characters. In the permutation with repetitions formula used to calculate how many unique pass-phrases are possible, XY, Adobe has increased both X and Y in Acrobat 9. Pass-phrases can now be up to 4 times as long and support a greater number of international characters and symbols to be entered by keyboards around the world, which can greatly increase document protection when used properly."

http://blogs.adobe.com/security/2008/12/acrobat_9_and_password_encrypt.php

Hi Eliza,

Thanks for the info.

Lee

Hi jbharris,

The utility that I tested was able to crack password encryption of more than 50 characters of mix of all kind of symbols, numbers and character...

The simple answer is there isn't. Brute force cracks of long passwords take ages, but are possible (and depending on how you use your passwords, can be made a great deal easier).

If the PDF has a permissions password but not an open password, it's meaningless. You can remove it in 5 seconds.

Hi UVSAR,

Is there any work around for situation without the open password?

Thanks.

No - the PDF document structure isn't blind-encrypted if only the permissions password is set, so by processing the bit-level file data you can always change the permissions flag to none, or read the content out and dump it into a new PDF.

When digitaly signing a PDF one can apply permissions to the file, and those can't be cracked in 5 seconds…

;-)

Adobe.PSK certificate security may not be as easy to remove, but you're then stuck with all the problems of distributing keys and specifying recipients for the file. If someone has legitimate "open" access to the document they can extract the contents from it.

Hi UVSAR,

Yes. You are right. Having to distributing keys will not be a solution that is feasible when the forms are meant for public use.

Adding an open password will also not be feasible as that password can be easily circulated.

Still can not find a viable solution for those who uses Acrobat or LiveCycle to develop custom made forms for others and need to protect the form design and the JavaScript that is incorporated in the case of a dynamic form.

Afraid that's the price you pay for using PDF - it's an open document standard, and although you're targeting Adobe Reader etc with your forms, PDFs can be opened in non-Adobe software that may or may not choose to respect any permissions settings it finds.

Forcing an Adobe-only security method (certificates or DRM through something like Adobe Document Center) makes sure these third-party apps can't open the file, but also forces you to individually process recipients or forces them to register with the DRM service. It also only protects off-page content, as anyone who can read something on their screen can copy it. Even some of the video assets are up for grabs, though with the 9.3 updates the affected documents won't open anymore.

Being able to obfuscate your carefully-written Javascript may sound a good idea, but it's a terrible one in practice. All the security alerts you've been seeing lately are the result of malicious code inside a PDF, and if that code can't be scanned by anti-virus software you can't protect against it (other than by turning it off, which ruins your document).

Try with this sample file, it's protected (Acrobat 7 level) AND signed.
And you can't easily unprotect it (as if it wasn't signed) since this require NSA or CIA computers…

You don't need any certificate to be able to open it, there is just an annoying alert about "At least one signature has problems", but you can be unaware of it.

Download it here :
https://acrobat.com/#d=J6qKouHozOBYyI6YufsadQ

Here you go:

http://www.uvsar.com/downloads/unencrypted.pdf

Sorry my friend to show your method doesn't work - it's a nice try, but I do this for a living (the NSA have bigger budgets, but we have better coffee).

I just needed to close or minimize the comment.

Even Phillip Zimmerman and PGP could not stand up to the Mighty MAC! Or thousands of MacIntosh computers in a parrallel arrangement.

Waow !
Very impressive.

Did you unprotect it easily or not ?
Did you used a particular software ?
Do you think that anyone can do it ?

;-)

It took about two minutes and one computer - first removing the signature, then the permissions flags. We use proprietary methods to rewrite sections of the file but it's nothing that can't be worked out by someone who reads the PDF specification carefully enough, and doesn't involve buying any software (we use Java). IT forensics / law enforcement agencies all have the same abilities we do, as there are many legitimate reasons to want to do it (though yes, there are many that aren't).

The important thing to remember is the permissions flags are just that - a byte in the header saying "please don't print/change this document". The fact we can see the PDF on screen without needing any extra permission shows all the underlying data is available to the interpreter, and it's just the electronic morality of Acrobat that stops the menu items working.


Before people start asking:

1) It was only that easy because there's no "open" certificate applied. See my post above.
2) No, I'm not offering to crack files for anyone who asks/pays/begs, nor to explain how to do it yourself. If you search the web for long enough you'll probably find all the answers you need, but this is not a service we offer to the public, period.

OK, but I'm not afraid, I can always send my "strong protected" PDFs to my customers since they don't have enought knowledge to do that.

But I must agree : my better "strong protection" is my customer's knowledge, not the PDF itself…

;-)))

Agreed - I expect 99% of "casual" users won't have a clue how to remove your certificates (which is why I'm not going to tell anyone how!), but if the PDF contains something they really want to steal then they can find someone who can help them do it, or search out some tools on the Web and have a go themselves. It all depends if the content is worth the time - if you sent out a preview copy of the next Harry Potter novel, lots of people would be prepared to spend all week and hundreds of dollars cracking it. If I'm sending something really valuable, I'll use document-open certificate security with named recipients, as that stops all but the professionals *and* limits their ability to pass the file around. It annoys them as they need to make their digital IDs and share them with me, but it's all part of the contract. Play by our rules or you don't get the file until the check clears!


Simple permissions passwords are much more easily-removable as you just need to Google for "remove pdf password" and pay someone a few bucks for their software. Some will remove open passwords too, but they take a very long time unless you have a basement full of computers (on one PC it may take several years to break a long password if you don't know how many characters it contains).

From my point of view the important thing for PDF creators to understand is that permissions security is only as good as your recipients are stupid. If they believe their million-dollar document is ultra-secure just because they applied a password, they will be in for a shock when someone steals it! Same is true of passworded Office documents, ZIP files, etc. - they can all be unlocked if you really want to.

Hi you can try to use LoginTrap.It’s prog can capture every login events by using iSight.It really good prog.But only for Mac.

Some really strong protection for PDFs are available : see this one :
http://abracadabrapdf.net/articles.php?lng=fr&pg=622;-)

(Clic the yellow link to download).

Just tried LoginTrap. Thanks for advice!