Acrobat User Community Forums

In short...longer more complex passwords.

I would also refer you to our Security Matters blog entry on the topic:

"Acrobat 9 now supports pass-phrases of 127 Roman characters in length for 256-bit AES encryption and added support for unicode characters.  In the permutation with repetitions formula used to calculate how many unique pass-phrases are possible, XY, Adobe has increased both X and Y in Acrobat 9. Pass-phrases can now be up to 4 times as long and support a greater number of international characters and symbols to be entered by keyboards around the world, which can greatly increase document protection when used properly."

http://blogs.adobe.com/security/2008/12 … crypt.html

Hi jbharris,

The utility that I tested was able to crack password encryption of more than 50 characters of mix of all kind of symbols, numbers and character...

Hi UVSAR,

Is there any work around for situation without the open password?

Thanks.

KHLee wrote:

Is there any work around for situation without the open password?

When digitaly signing a PDF one can apply permissions to the file, and those can't be cracked in 5 seconds…

;-)

Hi UVSAR,

Yes. You are right. Having to distributing keys will not be a solution that is feasible when the forms are meant for public use.

Adding an open password will also not be feasible as that password can be easily circulated.

Still can not find a viable solution for those who uses Acrobat or LiveCycle to develop custom made forms for others and need to protect the form design and the JavaScript that is incorporated in the case of a dynamic form.

Try with this sample file, it's protected (Acrobat 7 level) AND signed.
And you can't easily unprotect it (as if it wasn't signed) since this require NSA or CIA computers…

You don't need any certificate to be able to open it, there is just an annoying alert about "At least one signature has problems", but you can be unaware of it.

Download it here :
https://acrobat.com/#d=J6qKouHozOBYyI6YufsadQ

I just needed to close or minimize the comment.

Even Phillip Zimmerman and PGP could not stand up to the Mighty MAC! Or thousands of MacIntosh computers in a parrallel arrangement.

Last edited by gkaiseril (2010-01-25 15:29:54)

It took about two minutes and one computer - first removing the signature, then the permissions flags. We use proprietary methods to rewrite sections of the file but it's nothing that can't be worked out by someone who reads the PDF specification carefully enough, and doesn't involve buying any software (we use Java). IT forensics / law enforcement agencies all have the same abilities we do, as there are many legitimate reasons to want to do it (though yes, there are many that aren't).

The important thing to remember is the permissions flags are just that - a byte in the header saying "please don't print/change this document". The fact we can see the PDF on screen without needing any extra permission shows all the underlying data is available to the interpreter, and it's just the electronic morality of Acrobat that stops the menu items working.


Before people start asking:

1) It was only that easy because there's no "open" certificate applied. See my post above.
2) No, I'm not offering to crack files for anyone who asks/pays/begs, nor to explain how to do it yourself. If you search the web for long enough you'll probably find all the answers you need, but this is not a service we offer to the public, period.

Merlin wrote:

Waow !
Very impressive.

Did you unprotect it easily or not ?
Did you used a particular software ?
Do you think that anyone can do it ?

;-)

Agreed - I expect 99% of "casual" users won't have a clue how to remove your certificates (which is why I'm not going to tell anyone how!), but if the PDF contains something they really want to steal then they can find someone who can help them do it, or search out some tools on the Web and have a go themselves. It all depends if the content is worth the time - if you sent out a preview copy of the next Harry Potter novel, lots of people would be prepared to spend all week and hundreds of dollars cracking it. If I'm sending something really valuable, I'll use document-open certificate security with named recipients, as that stops all but the professionals *and* limits their ability to pass the file around. It annoys them as they need to make their digital IDs and share them with me, but it's all part of the contract. Play by our rules or you don't get the file until the check clears!


Simple permissions passwords are much more easily-removable as you just need to Google for "remove pdf password" and pay someone a few bucks for their software. Some will remove open passwords too, but they take a very long time unless you have a basement full of computers (on one PC it may take several years to break a long password if you don't know how many characters it contains).

From my point of view the important thing for PDF creators to understand is that permissions security is only as good as your recipients are stupid. If they believe their million-dollar document is ultra-secure just because they applied a password, they will be in for a shock when someone steals it! Same is true of passworded Office documents, ZIP files, etc. - they can all be unlocked if you really want to.

Merlin wrote:

OK, but I'm not afraid, I can always send my "strong protected" PDFs to my customers since they don't have enought knowledge to do that.

But I must agree : my better "strong protection" is my customer's knowledge, not the PDF itself…

;-)))

Some really strong protection for PDFs are available : see this one :
http://abracadabrapdf.net/articles.php? … amp;pg=622

;-)

(Clic the yellow link to download).