9

I've googled the internet for answers regarding secured pdf/cracking them and found huge amount of stuff. But most of it is quite old. So could someone confirm the following is still valid in modern days.

pdf can have two password: the master one which prevents people from doing certain operation like printing,editing. This one is 'easily' hackable because it is based on the document reader software (hence if I wrote my own reader, I could bypass all the security checks in the document).

The second password is the user password (or open password) which is used to encrypt the document itself and enables you to open and read it. Without it you have no access at all. It's fairly hard to crack (need big amount of cpu).

I am correct?

LINKS: Following are some of the links that I found intersting

The following White paper “How Secure Is PDF ?” by Bryan Guignard http://www.cs.cmu.edu/~dst/Adobe/Gallery/PDFsecurity.pdf sums it up the best. However it’s states pdf v1.3 which dates back to 2000.

The issue were still alive in 2008 with Adobe Acrobat 9

LockLizard also has a link to this paper in its general issues section http://www.locklizard.com/pdf_security_news/ and they seem to keep the page up to date.

Finally this paper http://www.besthackingtricks.com/how-to-open-password-protected-pdf-documents-pdf-password-remover/ says roughly the same thing but only dates back to august 2015.

user1909791
  • 191
  • 1
  • 1
  • 3

2 Answers2

3

What you have said about the "permissions" password is correct. Certain readers (mainly those custom made) can simply choose to ignore it, and not enforce permissions.

As for the "master" password... Adobe Acrobat XI supports both the use of a password or certificate to encrypt the PDF document itself. Use of a plain password is defaulted at a 128-bit AES encryption level. This algorithm is strong, but obviously requires a key that is strong as well. 128-bit AES is supported from Acrobat 7 and later. If you were to look at Acrobat X or later, the algorithm support is 256-bit AES.

The certificate option allows for "all document contents", "contents besides metadata", or "only file attachments". Here the algorithms are 6.0 at 128-RC4, 7.0 128-AES, 9.0 256-AES.

You should also note there is LifeCycle permissions management in XI, but I haven't had time to look into that.

dark_st3alth
  • 3,032
  • 10
  • 23
1

As Steve commented, this is a very broad topic. I'll touch on a couple of the areas to help answer your question and let me know what to expand on. I saw that you mentioned "secure". Now, do you mean secure in terms of username / password authentication or in terms of a PDF containing malicious code?

Username / password authentication on any data such as the user password in securing PDF files, can be targeted by brute-force attacks. Your security in this realm depends on circumstances such as not using dictionary words, short passwords, etc. On the same note, you can have the most secure password in the world, but if the same attacker that wants access to that PDF has a key-logger on your computer, consider it compromised.

Now if you meant security in terms of the PDF file potentially containing malicious code: There are a few methods. A lot of email services have built-in AV, some work better than others. There are multiple ways to bypass AV.

On both levels,

Henry F
  • 626
  • 1
  • 7
  • 14
  • I wasn't refering to PDF containing malicious code, eventhough I totally agree it is a security issue.

    I was going on the line that I'd like to send a confidential document to someone, and don't want people unauthorised to be able to read it.

    So is encrypting it with a LONG password enough to keep unintented eyes from reading it in the next minute or so? I do understand that brute force will crack any password if you have the right equipment and patience, but I would still expect it to take a number of days

     – user1909791 Feb 09 '16 at 09:41