Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.

PDF Security... yet another inquiry

Avatar

Level 4

I'm not so much concerned with the content of the form I'm creating but with the underlying javascript used in creating the dynamic functionality of this product.

I've been researching security of PDF's, and I'm a bit worried. PDF Locker, Elcomsoft PDF Recovery Software, code obfuscators.... the list of possibilities goes on and on.

It seems that my intellectual property is certainly going to be easy-pickin's for anyone with a modicum of software knowledge and more than passive curiosity.

It also seems that top level security of a PDF document is easily broken. But what about the next level, the PDF infrastructure? Is that secure?

Graham

PS. Please don't sugar coat it... if it's relatively easy to access, I'd like to know.

8 Replies

Avatar

Level 7

Hi Graham,

What do you mean by PDF infrastructure? I'm trying to learn a bit more about security myself and this is a term I've not come across. As far as completely shutting down a PDF, I'm not sure it's possible. We had some PDF's here at work that have been locked out by previous employees and I've always been able to find ways to use the previous content to update or recreate the forms. In my case it's a legitimate reason for circumventing security but everything I've seen to this point makes me think your PDF's will never be as secure as you'd like.

Avatar

Level 4

DJ,

I admit "infrastructure" is a less than useful term. What I mean is the editable forms and subforms accessed through LC. How this form is structured and the underlying Javascript is the intellectual property I'd like to make sure stays secure, if possible.

Graham

Avatar

Level 7

I've looked into trusted functions and the security settings available in Acrobat, other than that there doesn't seem to be any magic pill that would allow the form to be distributed and functional and still leave the form completely secure. Maybe Niall or Paul can shed some more light on this. Anything I could offer you could find in the help section.

Avatar

Former Community Member

There are three ways to encrypt (secure) PDF documents and forms.  Here is a high level view of the differences...

1) Password based encryption (requires Acrobat, OR Designer OR LiveCycle ES to be applied to the document)
Not very secure, there are tools available on the internet that can crack password encryption
“Global” permissions, there is no way to assign different permission to different users

2) Encrypt with Certificates (requires Acrobat, OR LiveCycle ES to be applied to the document)
Encrypt for individual users
No support for “Groups”
Access to each user’s public key that you will be encrypting the document for is required
Protection is not dynamic
If permission changes are required the source must be re-encrypted
No way to revoke documents
Need a PKI, or some source of Digital Certificates
Certificates must have “Encryption” Key Usage2)

3)  LiveCycle Rights Management ES (requires Acrobat, AND LiveCycle Rights Management ES to be applied to the document)

Encrypt for individual users and\or Groups
Protection is dynamic (controlled from server)
If permission changes are required the source need not  be re-encrypted, thee changes can be made to the policy on the server
Protected documents can be revoked

Regards

Steve

Avatar

Level 4

SF,

Your second level sounds interesting to me.

What do you mean by" Protection is not dynamic"

Thanks,

Graham

Avatar

Former Community Member

It sounds to me like you are trying to protect your Javascript that is in the form. I do not know of a way to get it other than in Designer. If you put an Open password on the PDF then when a user tries to open the file in Designer they will be required to enter the password. Is this sufficient?

Paul

Avatar

Former Community Member

By dynamic, I mean that changes to the document protection policy (i.e. user permissions (print, change, copy), user access to the document) can be changed on the server, and those changes are reflected in the document the next time it is opened, without havinbg to re-apply the policy or send out a new version of the protected document.

Rights Management offers "dynamic" protection.  You can even "revoke" a document so it can no longer be opened by anyone (regardless of where the document is stored or how many copies of the document were destributed)

When you protect (encrypt) a document using digital certificates, there is no way to change the actual users or their permissions once they have been applied to the document.  You have to create a new "version" of the protected document by taking the source and applying the certificate protection to it.  There is also no way to revoke the original version of that protected document.

Does this clear things up?

Regards

Steve

Avatar

Level 4

Steve, yes thank you for your reply.

Paul: "If you put an Open password on the PDF then when a user tries to open the file in Designer they will be required to enter the password. Is this sufficient?"

It would be sufficient if it actually secures the document. That is what I'm writing about. There seem to be a lot of "utilities" (read: hacks) which disable the security of PDFs to varying degrees. I'm trying to ascertain if the efficacy of the built in security is sufficient.

Graham