Document Security Methods

Types of document security methods for protecting digital documents.

There are many different types of document security methods to choose from – password protection, public key technology, and tokens to name a few.  So what is best for digital document protection?

Although there are many document security methods to choose from, they all rely on how confident you are that they identify the user adequately enough for your purposes, and that you can then enforce the restrictions you want. Locklizard PDF DRM provides a range of unobtrusive user authentication systems that do not commit you to designing and enforcing complex cryptographic architectures or require your users to subscribe to domain management or ‘foreign’ email services such as the Microsoft approach. Locklizard provides a balanced compromise between security and usability that is highly suited to dealing with users both outside and inside the corporate structure.

Document Security & Cryptography

Although cryptography underpins document security, it is not a ‘magic bullet’.   To achieve your desired document security you need to implement a range of overlapping methods, including:

  • Identification of the user wishing to use a secured document
  • Identification of the location of the user
  • Ability to enforce the controls and restrictions defined for that user
  • Control of the environment that the user is working in

The control requirements have to be balanced against:

  • Making protected documents too difficult to create and use
  • Using personal data (as defined by regulation)
  • Avoiding collecting more personal data than is absolutely necessary

Protecting documents

How do you go about protecting documents, and what sorts of controls are you going to need to provide adequate document protection?

The first choice you have to make is to decide what mechanism(s) you are going to use to authenticate users so you identify correctly who has been authorised to use which protected documents.

Password protection

Password access control has been with us since the beginning of computer controls (back in the 1970s with RACF – see Wikipedia). It is well established, and its weaknesses are legion. But it is needed in situations where there is no infrastructure for stronger controls.

Password protection can be used to allow users to access protected documents or to allow them to remove controls.  Locklizard does not allow a recipient to change any content or remove or alter controls in protected documents.

To be effective passwords have to be long and complicated.  That means there are problems managing and distributing them, and they have to be protected when they are being used (strangely, most people’s passwords appear to be a number of asterisks!).

Locklizard use password access control authentication for web based viewing systems because the infrastructure is not favourable for implementing token based controls in a global context.  The Locklizard approach allows publishers to define the strength of passwords being selected and when passwords are reset, and to combine this with location locking to ensure password entry is only valid from authorized locations.
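The combination described above (publisher-defined password strength, a reset interval, and location locking) can be sketched as follows. This is an added example, not Locklizard's code: the `Policy` fields, the function names, the three-character-class rule and the sample values are all assumptions made for illustration.

```python
import hashlib, hmac, ipaddress, os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Policy:                       # hypothetical publisher-defined settings
    min_length: int
    max_age: timedelta              # password must be reset after this long
    allowed_networks: tuple         # CIDR ranges treated as authorized locations

def hash_password(password: str, salt: bytes) -> bytes:
    # A slow, salted KDF raises the cost of every brute-force guess.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def meets_strength(password: str, policy: Policy) -> bool:
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    used = sum(any(test(c) for c in password) for test in classes)
    return len(password) >= policy.min_length and used >= 3

def make_record(password: str, policy: Policy, now: datetime) -> dict:
    if not meets_strength(password, policy):
        raise ValueError("password does not meet the publisher's policy")
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "set_at": now}

def check_login(password, source_ip, record, policy, now) -> str:
    """Return 'ok' or the reason the attempt is refused."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return "location-denied"
    # Location is checked first, so the password is never evaluated elsewhere.
    if not any(ip in ipaddress.ip_network(n) for n in policy.allowed_networks):
        return "location-denied"
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):   # constant-time compare
        return "bad-password"
    if now - record["set_at"] > policy.max_age:
        return "reset-required"
    return "ok"

# Constructed sample data: documentation IP range and a made-up password.
POLICY = Policy(14, timedelta(days=90), ("203.0.113.0/24",))
SET_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)
RECORD = make_record("correct-Horse-battery-9", POLICY, SET_AT)

if __name__ == "__main__":
    print(check_login("correct-Horse-battery-9", "203.0.113.10", RECORD, POLICY,
                      SET_AT + timedelta(days=30)))
```

A correct password entered from outside the allowed ranges is refused with the same result as any other out-of-location attempt, which is the point of combining the two controls.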

Can you make passwords stronger?

You can strengthen password protection by using additional techniques commonly called 2 or 3 factor authentication. This comes from:

  • A secret you know (the password)
  • A ‘token’ you hold (a credit or bank card or mobile phone)
  • Something personal to you that cannot be readily copied – this turns out to be rather difficult to achieve because many of your features (fingerprint, face, iris) can be copied.

The password is the secret. Making it ‘strong’, so as to be unguessable, means making it long enough that it is not easily subject to a ‘brute force attack’ (an app that will try every possible password value looking for the real password). These requirements make passwords a pain to use: because they cannot be remembered by a human being, they have to be stored somewhere on a computer so they can be copied and pasted or remembered automatically by a wallet system.

Tokens – what is on offer

PKI

The token was, back in the noughties, the Public Key Infrastructure (PKI) card identity – protected by a password, of course.  As the word Infrastructure implies, it was set up in a most complicated way, requiring recipients to be interviewed by their banks before they could use their PKI cards.  And any organization of any scale either had to purchase cards or manufacture and distribute their own, all in accordance with strict rules and liabilities.

Strangely enough, this was a project that did not fly. If it had worked it would have allowed protected documents to be unique to each individual recipient regardless of the device(s) they used to process them because the PKI card ‘guaranteed’ their identity. However, it was too complex and far too expensive to set up and there were arguments about how to administer it. Something cheaper and easier had to be found.

ATM cards

Bank cards are a potential source of identification.  There are standards for how the cryptographic controls on the cards work, which is why your credit card works in ATM machines anywhere in the world.

But the banks do not disclose the identity of the user.  What they do is validate that the identity is genuine without disclosing the identity itself.  This is good from a data protection approach, but unless you are a financial institution you do not have access to this system, so it can’t be used by other organizations.

Mobile phones

According to studies, “From 1990 to 2011, the number of mobile subscribers on a global scale increased from 12.4 million to more than 3 billion subscribers.”  That number has grown significantly since then with estimates for 2018 of 4.6 billion users and still growing.

And strangely enough, people are unwilling to let their mobile phones out of their control, rather like their credit cards, which makes them reliable devices.

So the current popular ‘token’ is communication with a mobile phone.  Validation of the mobile phone number is done by the service provider (as it is with the landline).  Because the mobile phone is more personal, sending text message random verification codes that can be replayed by the authorized user is good enough for banks and governments, and almost as cheap as passwords.  The other thing about it is that there is no proprietary lock-in possible by the mobile providers so there is no barrier to entry for any organisation.

The Locklizard approach to document protection and authentication

Locklizard uses unique machine identities to identify users and their devices rather than passwords. Machine identities are locked to users’ identities. This is effective because machine identities cannot be readily changed and because manufacturers make them unique. Users do not have the opportunity to change the identity when they register a Locklizard license. This is essentially the token that does not need a password because it can verify the license to the machine identity. This is neater than the PKI solution because you do not have to do all the user registration; users do it themselves in their own self-interest. No passwords are needed and there is no complexity of having to have a mobile phone message as part of the interaction.

Once a user and their device are licensed, keys that are required to decrypt documents are transparently and securely relayed to a keystore (the container that holds the keys to open documents) so users can instantly open any documents they are authorized to view.  The keystore is stored encrypted and only works on a device that it is licensed to.

That is why the Locklizard approach is easy, effective and efficient in delivering document security with Digital Rights Management (DRM) controls.  There are no passwords for the document publisher or the user to enter or manage, and further controls can be applied to stop users taking protected documents home with them by locking document use to authorized locations (say the office only).  Locklizard therefore ensures protected documents can be simply managed but remain tightly under an organization’s control.