
How secure is Adobe PDF encryption?


Why Adobe Encrypted PDF files are not secure & superior protection alternatives.

For a long time, encryption has been a staple in the security landscape, but it has always been clear that not all encryption is equal.  This blog post will explore the various issues with Adobe Encrypted PDF files and what you can do about them.

  Adobe PDF exfiltration attacks

When you password protect a PDF file using Adobe, it is encrypted with 256-bit AES in Cipher Block Chaining (CBC) mode.  Cryptographically, this is fine, but it’s worth remembering that encrypting a PDF only encrypts the contents of the file.  Other information about the PDF, such as the size of its pages, the number of objects, and links, is not encrypted, which gives attackers a route to circumvent the encryption.  CBC also has a known drawback: it provides no integrity protection.

Direct exfiltration attack

Researchers across several German universities found that it is possible to exploit this by adding content to an encrypted PDF document.  As there are no integrity checks, the user would not be alerted to these changes, which could include a submit form function/JavaScript that sends the contents of the PDF to the attacker once it is opened.

Malleability attack

Alternatively, an attacker can exploit the lack of integrity control to change the contents of a cipher block, provided they know part of the plaintext that was encrypted.  Unfortunately, because Adobe both encrypts editing permissions with the file and stores them in the file in unencrypted form, attackers always know what some bytes of the file are.  They can use this information to manipulate encrypted data to send the contents of a file to a third-party site, etc.

Of course, there are many other malicious things you could do with this power, but we’ll leave that to your imagination.

Results

Okay, so PDF encryption is exploitable, but what is the impact in the real world?  Is this limited to a few third-party PDF viewers that nobody has heard of?  Unfortunately not.  Every mainstream PDF reader out there can have data exfiltrated with one or both of the methods above.  Here are the researchers’ results:

Source: Müller et al.

As you can see, many PDF readers are vulnerable to direct exfiltration without user input, including Adobe’s flagship Acrobat Reader DC.  Every PDF reader is vulnerable to malleability attacks in one form or another, however, making Adobe Encrypted PDF files not very secure at all.

If you rely on encryption to protect your PDF’s contents when it’s in transit or at rest, it’s time to think again.

  Password sharing and removal

Perhaps of even bigger concern is how easy it is for somebody who is authorized to open your PDF to give access to somebody else.  Adobe Acrobat files are decrypted when the user provides the correct password.  No further checks are performed to determine whether the user should have the password – where they are opening it from, whether it is from a recognized device/network, etc.  As a result, anybody who has the password can pass it along with the PDF file to anybody they like (intentionally or via social engineering/phishing).  Most PDF readers have no tracking, so you won’t even know that it has happened.

Alternatively, an authorized user can just remove the PDF password from the file. Anybody that has the open password can remove it using the security panel in Adobe Acrobat or any number of free PDF password remover tools.  They can then share the file as if it were never protected in the first place.

   Password cracking

All passwords are vulnerable to cracking, and it’s no different when they are used in combination with PDF encryption.  The important thing to realize is that password cracking is a matter of when and not if, and the time it takes depends entirely on password strength.  With a complex enough password, you can make that millions of years on current computers with brute force attacks.  Use a weak password, however, and that time can be in the milliseconds due to quick dictionary attacks.

If you just use a password that’s, say, 11 random characters with numbers, upper and lowercase letters, and symbols, this problem is solved, right?  Well, unfortunately, it’s not as easy as that.  You also need to worry about:

  1. Password management:  Different PDFs need different passwords, otherwise you have a single point of failure. When you consider the hundreds of documents businesses process each day and the need for secure storage and fallbacks, this quickly becomes cumbersome and expensive.
  2. Poor password hygiene:  The more complex a password is, the harder time users have remembering it and therefore the more likely they are to note it down insecurely.  It’s not uncommon to see post-it notes with passwords scattered around desks, PDFs shared with the password in an email, or a plaintext file with a password list on a user’s desktop.  If you do put a “forgot password” system in place, that means more strain on your IT department and the potential for that system to be exploited, too.
  3. Phishing and social engineering:  Brute-forcing isn’t the only way to get a password.  Users can be tricked into giving even the most secure password via social engineering or phishing attacks.  It’s better if the user has no password they can share so that the attacker has nothing to steal.

What about the PDF permissions password?


Though it’s not made explicitly clear, the Adobe PDF permissions password does not utilize encryption.  Rather, it’s a set of controls that informs the PDF viewing application which options it should grey out.

There are two major problems with this approach.  Firstly, as the permissions are not backed up by cryptography, they are trivial to remove.  There are numerous online and offline applications that will remove Adobe PDF permissions in seconds.  Editing and printing are quickly restored.

The second issue is with enforcement.  For Adobe permissions to work, the PDF reader application needs to have a mechanism through which it can disable certain functions.  Adobe’s system naively trusts that third-party PDF reader developers will take the time to implement its controls.  You can see the results for yourself: just open a permission-protected PDF in Mac Preview or Google Docs.  No restrictions at all and minimal effort is required.

   Are certificates more secure than password security?


Encrypting a PDF with a certificate is more secure than password protection (especially if you want to send a PDF securely) since the recipient must have a private key to decrypt it.  Unlike the sharing of passwords, users won’t be as keen on sharing their private keys.  However, permissions to restrict editing, etc. can just as easily be removed, so users can print to PDF to create an unprotected copy.

Our blog on PDF password or certificate encryption covers which is the best security method.

  The bottom line: How secure is Adobe PDF encryption?


The encryption algorithm (AES vs RSA) and key size (128-bit vs 256-bit, etc.) are important, but so too is the way they are implemented in apps and services.  Adobe PDF encryption is one example where poor implementation can lead to disastrous results.

Adobe encrypted PDF files just have too many flaws to be used for the protection of sensitive or confidential data.  They are of limited use when a PDF is in transit and at rest due to exfiltration attacks and they don’t stop sharing, editing, or printing because passwords can easily be shared and permissions removed in seconds.

Ultimately, the PDF format was not built with security in mind.  Indeed, it wasn’t until after its initial release that Adobe tacked on some half-hearted controls.  The focus from the beginning has been on convenience and shareability, and despite Adobe’s best efforts, protected PDFs are still very shareable.

Instead of relying on Adobe encryption, businesses should look to purpose-made software to protect their PDF files.

  Safeguard PDF DRM – the best way to encrypt PDF files


Locklizard Safeguard DRM protects files without passwords or certificates, instead locking PDFs to specific devices using a combination of AES 256-bit encryption, licensing, and a secure viewer application.  In doing so, it prevents:

  • Unauthorized users from opening files: Users can only open a PDF if they have a valid license file activated on their PC or mobile device. A license file can only be installed on one device (unless otherwise configured).
  • Authorized users from sharing the file’s encryption key: The keystore is encrypted and does not function if moved or copied to another device.
  • Content extraction: Copy and paste, screenshotting (first or third-party), and PDF printing are disabled by default.  Physical printing can also be disabled or limited.
  • Editing: The Safeguard PDF viewer application does not have editing functionality built-in. Users cannot open PDFs protected with Safeguard in any other application, nor can they extract the content, and therefore they cannot edit the file.
  • Printing: Prevent printing or limit prints to a certain number of copies, black and white, or grayscale.
  • Use after a defined period: Safeguard PDF allows you to expire documents after a certain date, number of days from first open, number of prints, or number of opens.  You can also revoke PDF access manually at any point.
  • The sharing of phone pictures and printed copies: Locklizard Safeguard comes with a dynamic watermarking system. You can protect a document with a watermark and add variables like name and email address.  These variables will then be automatically adjusted to match the user when they open the document.  They won’t be able to share any version of it without having their name and email address clearly on show.  Unlike Adobe watermarks that can be simply removed, Locklizard’s are permanent.
  • Untraceable usage: Monitoring tools allow you to see how many times your document was opened and printed, by whom, and where from.

Locklizard provides the ultimate in PDF protection, ensuring your PDF documents are secured both online and offline in any location.

You can read more about Safeguard and its features here.  Or, to add security to your PDF without passwords and protect your royalties or sensitive information, take a 15-day free trial of our DRM software.

Ryan Maskell, published 2022-10-19 17:00:14, last modified 2023-02-02 15:21:56
