PDF Security FAQS – DRM PDF Protection without Passwords
How does DRM differ from encryption?
It can be very confusing to understand how encryption differs from DRM and the role that each technology plays in document protection.
Encryption is used to prevent anyone who does not have the right key from decrypting information. It may also be used to indicate the source of the encrypted file and provide proof that the encrypted file has not been altered since it left its source. BUT what it does not do is control subsequent use of the information once it is decrypted.
That is where DRM controls come into play. They act as an additional layer of access controls that come into play before decryption is started. So it is the DRM controls that check that the user is authorized to use the document, which controls are to be applied, does the activity need to be logged, is the document valid and still available, and so on. So only if the DRM controls are met does the document become available for decryption, and then only offering the access that has been given to the authorized user.
So encryption is a very powerful tool for preventing unauthorized access, but it does not stop those who are authorized from doing what they want with the information. DRM uses encryption as a tool to enable it to enforce the controls set on protected documents. Locklizard systems deliver a powerful range of DRM controls to ensure the right level of protection is applied to PDF DRM documents.
How does Safeguard PDF Security differ from Enterprise PDF DRM?
Safeguard PDF Security is for the smaller publisher or small-medium business looking to protect their PDF documents. It does not have all the functionality of Enterprise PDF DRM such as document auditing, reports, batch changes, configurable messages, backup & restore, license transfer, IP restriction, user groups, administrator hierarchy, LDAP integration, etc.
For a complete list of differences see the PDF security comparison chart.
How does Safeguard PDF Security differ from Adobe Acrobat PDF security for the protection of PDF files?
Unlike the Adobe approach, Safeguard PDF Security uses state of the art web based licensing to control who can install and register decryption keys that are required to view your secure PDF documents.
This ensures that before someone can view your protected PDF documents they must have first purchased a license from you so they can install the free Secure PDF Viewer software and register it in order to receive their decryption keys. The licenses you issue are one-time use (unless you specify otherwise) so once someone has registered with you they cannot do it again. This prevents sharing of the license information or installing and registering the viewer on another computer. The keys used to decrypt the secure PDF files cannot be extracted from the system, and therefore they cannot be given to others.
With Acrobat PDF security, there is nothing to prevent users from sharing the keys used to decrypt protected PDF files. This is true for both PKI keys and for passwords. If PKI keys have been used then users can give their key pair to others. If passwords have been used then it is a simple matter of telling someone else what the password is so that they can use it and you cannot prevent or detect either situation.
Adobe have also been criticized for their weak implementation of security controls. Any company that uses the Acrobat plug-in also uses the Adobe implementation to ‘protect’ your PDF documents. Read this article published by Bryan Guignard, an Adobe Certified expert on why we don’t use Adobe’s implementation / Acrobat plug-in for protection of your PDF documents.
How does Safeguard PDF Security differ from competing products?
Safeguard PDF Security advantages vs competitors
Cost / ROI
All other solutions we have come across have significant implementation costs. You have to use and maintain your own server that hosts a licensing system, and configure it in-house or pay top dollar consultancy costs. In addition, some competitors start their pricing at $25,000 or limit you to the number of customers you can manage or the number of documents you can protect. Other less pricey systems force you to upload unprotected documents to their servers and use insecure methods to protect documents. And most PDF DRM companies force you to pay for their system for a minimum of 1 year.
We host the licensing / administration system on our own servers so there are no extra implementation or consultancy costs. Or you can host it on your own servers. We let you protect as many documents as you like and manage as many customers as you like without any additional charge and the minimum tie-in is just 1 month. So you know your costs are fixed instead of us charging for your success.
Zero installation Viewers
Our Secure USB Viewer provides exactly the same DRM security as our desktop viewer but does not have to be installed by the user. Users don’t have to connect to a licensing server to register or verify access, or even have an Internet connection available. It therefore avoids issues with firewalls and situations where Windows admin rights or Internet access are not allowed. Our Secure USB Viewer enables users to use protected PDF documents instantly on any computer wherever they are.
Our Web Viewer can be accessed via a browser on any Operating System. Whilst less secure than our installed Viewers it gives users extra flexibility for accessing files on the move.
Much quicker to get up and running
Since we host the licensing system, you can get up and running in a matter of minutes. Some of our competitors quote that you can be up and running in a number of days!
Simpler to use, easier to manage
There are no passwords or certificates to worry about, manage or send to your customers. Decryption keys are transparently relayed to your user’s computers in a secure manner and stored in an encrypted keystore.
Protecting PDF files is easy – just right-click on them in Windows Explorer and select the appropriate PDF document protection rights. There are no complex document identifiers, encoding schemes or confusing policy choices.
We also provide the unique concept of publications, enabling you to group documents into publications for simpler document management and customer subscription services.
Whilst we use public key technology, no key management is required by you as the publisher or by your users or customers, as it is all handled transparently by the licensing system. There are no certificates to revoke when you want to terminate user access or any other PKI complexity. To sum up, our system is simple to administer compared to competitor offerings.
See what our customers have to say about us – DRM Security Testimonials.
Simple assigning of document access rights
Many of our competitors provide controls at the user level. This is fine if you are certain that all the PDF documents you ever send to a user require identical controls.
We provide controls at the document level. This means you can decide just how important the document is. This more closely matches the value of the information, rather than assuming that the user always has the same rights for every document you make available to them.
Of course, in our system, you can publish the same document more than once, applying different controls to each publication and expiry can be controlled at both the document and the user level.
Prevention of third party screen grabbers
At best, our competitors prevent the use of Windows print screen. Most users however have screen grabbing software installed on their computers that enables them to use any key combination or mouse click to grab screen shots of your protected PDF documents. Preventing just the use of Windows print screen is therefore practically useless. Safeguard PDF Security prevents screen grabbing software from taking screen shots of your protected PDF documents.
We don’t use insecure passwords, low strength encryption (128 bit) or plug-ins that are vulnerable to attack so you can be sure your PDF documents are protected using the best security available.
We don’t leave your documents in the Windows swap file in the clear so they can be easily copied by others. Nor do we create extra files on disk that can be copied to another computer along with the protected PDF files so they can be easily shared.
We don’t make you upload your source files to a web server in order to protect them (where they could be easily compromized). With us unprotected and protected PDF files remain in your control and ownership at all times and are never exposed.
How does Safeguard PDF Security differ from file encryption products?
Whilst file encryption products protect information whilst it is in transit or when stored on disk they do not provide protection for the entire lifecycle of an electronic document. Once a document reaches the recipient, the protection is lost (the recipient decrypts the document), and the document can be forwarded, copied and viewed by unauthorized recipients. In addition, encryption does not provide controls over document access rights – what a user can or cannot do with the document (print control, etc.) or document expiry.
Safeguard PDF Security dynamically protects PDF documents inside and outside the network, online and offline, with strong encryption, document expiry and access rights, to provide persistent end-to-end protection throughout a protected PDF document’s lifecycle.
How secure is Safeguard PDF Security?
Safeguard PDF Security uses US Government strength encryption – the AES algorithm. It would currently take todays fastest computer approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. Even with future advances in technology, AES has the potential to remain secure well beyond twenty years. For more information on AES see NIST’s AES fact sheet.
In addition, we don’t use third party plug-ins to control your secure document access. This ensures we are not open to weaknesses in the published APIs or security holes in the third party application. One of our competitors that uses this approach, has been compromised and found the only way to prevent hacking of their systems was via the legal system and a court writ!
We do not send decryption keys with the documents being protected. Such a technique is discredited, and is regarded as a fundamentally flawed approach.
PDF documents are only decrypted for viewing in a secure, controlled environment, and are never made accessible unprotected. If a user does not have a license they cannot view your protected PDF documents.
Is your PDF security application open to password attacks like Adobe Acrobat Security and similar password based products?
The keys required to decrypt protected PDF files are safely stored encrypted on the user’s computer.
There are no passwords to enter and therefore the system is not open to compromise or password attacks.
What is Locklizard’s stance on cracking programs? Are there any cracks available for PDC files?
Please see the following document – PDC Un-protect and other PDC cracking programs.
Can you convert PDC files to PDF format?
The only person that has access to PDF files is the publisher that protected them in the first place. Even they cannot convert PDC files to PDF format using the Writer software, but since they already have the source files, there would be no reason to do so.
See convert PDC to PDF.
Do users have to have Adobe Acrobat PDF Reader installed in order to view secure PDF documents?
Safeguard PDF Security is totally independent from Adobe Acrobat.
We realize that there are a lot of people who do not have Acrobat installed and who don’t want to download a 20MB file just for the privilege of viewing a protected PDF document.
Do you integrate with Adobe Acrobat in any way for the security of PDF documents?
Safeguard’s Secure PDF Viewer does not use Adobe Acrobat for the rendering of PDF files. We feel that Adobe Acrobat was just not built with security in mind and could potentially compromize the security of our system.
Your security is not compromised by plug-in failures or conflicts. In fact, we think that plug-ins are potentially so insecure that we prevent them from loading so they can’t compromise security. See Adobe PDF plug-in vulnerabilities.
We take the position that we should not require users to reduce their effective security in order to accommodate our requirements. See PDF security issues.
Do I have to upload my PDF files to your web server to protect them?
We would strongly advise against using any system that employed this approach.
With Safeguard PDF Security you protect your PDF files on your local computer, so that they are not exposed to any potential compromise in their unprotected form on a web server or whilst being transferred. You also have peace of mind that you own those files at all times.
Do you host my secure PDF documents on your server?
No. You host them on your server, web site or network, or you can send them by email, CD, DVD, etc., just like any other file. You are free to choose whatever distribution method is best for your business.
For both security and legal liability reasons we never have access to either your unprotected or protected PDF files. In a professional environment that should not be a requirement and we recommend that you obtain legally enforceable indemnity where a supplier insists that they have access to your IPR at any time.
What we host is the licensing system where you can issue users with licenses and control who can access your secure PDF documents and publications. And if you are not happy with that you can host it yourself.
Where can I publish my protected PDF documents?
You can publish your secure PDF documents to the web, on CD-ROM, DVD, USB token, etc., or send them by email just like any other files.
Can I stop PDF documents from being copied if they can be downloaded?
No, but since the documents are encrypted and the decryption keys are not exposed to the user (so that they cannot be shared) then it does not matter if protected PDF documents are copied and given to others as they will not be useable.
Locklizard only ever decrypts content in memory so that there are no temporary files left lying around with unprotected information in them. Decryption keys are securely and transparently relayed to a keystore that is locked to individual computers and will not work if copied to another computer along with the documents. So whilst you cannot stop protected PDF documents from being copied, they are of no use to anyone but the authorized user.
Can users change my security settings?
Once security settings have been applied to a document they cannot be changed by anyone. The settings become part of the document and remain in force at all times, even when users are using your protected PDF documents off-line (i.e. they are not connected to the Internet).
If you as the publisher want to issue the same PDF document with different security settings (copying, printing, etc.) then you just protect the PDF file again with the new settings. You can then send this newly protected PDF document to users.
How can I control document expiration and revocation once a document has been published?
Post publication document control is maintained through the use of expiry dates and the ability to revoke access to a document or user. For example, you can publish a protected PDF document that will expire in a month’s time, so that your customers will not be able to view it once the expiration date has passed.
Or, you can automatically revoke a user if they leave a project, department or company or fail to maintain payments for a subscription. Or revoke access to a protected document that is no longer valid.
You can also change the expiry date of a protected PDF document after it has been published.
Why would I want to set users to expire rather than documents?
The system is flexible so that you can actually do both.
You may want users to expire rather than documents because if a user has subscribed to your service for a year then they are entitled to carry on viewing those documents after their subscription has expired. The system prevents them from viewing documents with dates outside their subscription period. Also, you might publish documents that are available to all users (not individually allocated or part of a publication) and you want to control how long individual users can access them.
On the other hand, you may want to issue your customers or prospects with time sensitive trials or samples of documents because you do not want them to carry on viewing a document that has passed it’s expiration date. In this case once the expiry date has been reached the protected PDF document is no longer viewable.
How can I manage subscription services when users subscribe to more than one publication?
Safeguard PDF Security enables you to expire access to publications on a user basis, so expiry for every publication is unique to each user. This is useful for subscription services where the same user may subscribe to more than one of your publications but for different periods.
For users subscribing to single publications, it means that you don’t have to expire user accounts, since access to the publication will expire at the date you set. This is useful if you still want users to be able to access documents published outside of the publication (i.e. documents published for all users or those that are individually allocated).
We want to give prospects/customers free 30 day trials of our documents. Is this possible?
When you create a protected PDF document you can specify how long it will be before it expires – e.g. 30 days, 1 year, etc. When a customer registers they can then view your protected PDF documents for the time period you have allocated. Once this time period is reached either the protected PDF document will expire (if the document expires, it can no longer be viewed) and they will need to come back to you for a license to continue viewing the protected PDF document.
You can also set customer accounts to expire (say after a 30 day period). The difference here is that any protected PDF documents published during their subscription period that you have authorized them to view can still be viewed after their subscription period has expired – they just won’t be able to view any protected PDF documents published before or after their subscription period unless they come back to you for a license.
So to summarize you can either expire documents (and they are no longer viewable once they expire) or you can expire customers (and they can continue to view the documents that they were authorized to view during their subscription period). Of course, if you have forced your customers to connect to the administration server before they can view your protected PDF documents then you can instantly suspend their account and this prevents them from viewing your protected PDF documents.
Can authorized users distribute protected documents to others?
Users can send others your protected PDF documents but other users will not be able to view them unless they have purchased a license from you and registered with the administration server. For this reason, secured PDF documents can be freely distributed, emailed or published on the Internet without any unauthorized individual being able to access the content.
In addition, even existing users cannot necessarily view your protected PDF documents. You decide which users have access to what documents and what publications. You can assign documents to publications for simpler management so specific users can view all documents assigned to a particular publication (all documents in that publication are encrypted using the same key) or you can publish documents on their own (where each document is encrypted using an unique key). If users have not been licensed with the correct keys then they cannot view your protected PDF documents.
Do users have to be connected to the Internet in order to view my secure PDF documents?
You can allow secure PDF documents to be viewed off-line.
All document controls (preventing copying, printing, etc.) are retained within the document itself and therefore no Internet connection is required to enforce controls. Please bear in mind however that an initial connection to the Internet is required to validate the user license and obtain the appropriate decryption key(s) when users view your protected PDF documents for the first time (unless of course PDF documents are protected as part of a publication and then users only need to connect once to obtain the publication decryption key). Also, if you have specified a limited number of prints or views, or enabled auditing, an Internet connection will always be demanded to verify the control.
Won’t users be able to photocopy my protected PDF documents if I let them print?
However, you can add a watermark image and/or text to be displayed on the printed document. Using a moire image will ensure poor quality photocopies and adding user and system information will enable you as the publisher to identify the source of the document.
Can I customize Safeguard PDF Security with individual user names so I can identify where printed documents came from?
When protecting PDF documents you can apply watermark text with dynamic system variables (user name, email address, company name and date/time). This information is picked up from the Secure PDF Viewer application and automatically inserted into the protected PDF document at print and/or view time.
You therefore only ever have to protect a PDF document once (unlike competitor products that require you to protect the same PDF document multiple times to achieve the same result).
I want a watermark to be applied when the document is printed but not viewed. Is this possible?
You can choose to have watermarks applied only when the document is viewed, only when the document is printed, or when the document is viewed and printed.
You can have different watermarks applied to viewed and printed content.
How is the licensing system managed?
The licensing system is web based and is extremely simple to use.
To issue users with a license all you have to do is enter their name and email address on the user account creation page and they are automatically sent a license file and download link for the free secure PDF Viewer software.
You can view all registered and unregistered users, see when users viewed your documents for the first time, how many times they have attempted to register and from which IP address, allocate additional licenses and delete users from the system.
Is there a limit to the number of documents I can protect or the number of customers that can receive protected PDF documents?
You can protect as many PDF documents as you want at no extra charge. There is no limit on the number of users you can add to the administration system or who can view your protected PDF documents.
The Secure PDF Viewer users download to view your secure PDF files is totally free of charge.
Can I add existing users to future secured PDF documents or publications?
It is a simple matter of assigning the new publication or documents to existing users.
What software do users need on their computers in order to view my secure PDF documents?
They need to download and install our free viewer software – Safeguard Secure PDF Viewer.
The Secure PDF Viewer software can also be freely distributed and published on your own web site if you prefer.
In addition, you need to set users up with an account on the administration / licensing server, so the system can email them their license file. The registration of the license gives them access to the protected PDF document(s) you have licensed them to use.
Can I tell people where to buy a license from if they have not got one?
When you protect a PDF file you can add a free format text message to it. You might want to enter information on how to purchase if you are selling PDF documents or give details on contacting your administrator if the system is used for internal document control.
This text is shown when a customer opens an unlicensed document. The text is also visible at the top of the protected PDF document if they try to open it with a text editor or a similar application such as Notepad or MS-Word.
I sell ebooks and want customer records to be automatically created on the Administration system so that there is no delay in customers receiving their license emails after purchase. How can this be achieved?
You need to purchase our eCommerce API to achieve this.
The system integrates with your existing eCommerce or shopping cart system and works by acting on HTTP PUT commands sent to the Locklizard licensing server. This creates the user account and specifies what publications and or files they are allowed to access.
I need to encrypt PDF documents on the fly for integration with my web based application. Is this possible?
Safeguard PDF Security Command Line PDF encryption utility automates the protection of multiple PDF files on the command line or through a batch interface.
Batch files can be called from your existing applications providing and quick and simple solution without the need to use an API. All of the functionality available in the Safeguard Writer GUI can be accessed using the command line utility.
You may also prefer to use this feature rather than manually protecting PDF files so you can maintain an audit trail over the control settings that were applied.
Can I prevent the default document splashscreen from loading?
Yes. You decide whether you want a splashscreen displayed or not.
If you do decide to display a splashscreen you can choose what image is displayed, and how long it is displayed for.
Does the administration system keep a record of changes made to user, document and publication records?
The administration system logs all administrator activity including record additions, edits, and deletions.
In addition, logons, and backup and restore information is recorded.
Does Safeguard PDF Security work with Sharepoint?
Can I see which users have viewed/and or printed my protected PDF documents?
If you enable document view and print logs the administration system will record when users view and print your documents. You can even see which documents have been viewed/printed the most.
NOTE: This feature is only available in Safeguard Enterprise PDF DRM.
Can I restrict registration of licenses to only company employees?
You can restrict or allow various IP address ranges to ensure that only users from known locations can register.
NOTE: This feature is only available in Safeguard Enterprise PDF DRM.
Can I suspend licenses so that they are no longer availabe to re-use?
You can suspend individual licenses on a user’s account.
You may want to do this if a user tells you they are no longer using a computer they previously registered on and would like to transfer use of their license to a new computer.
NOTE: This feature is only available in Safeguard Enterprise PDF DRM.
Can I warn a user a document is about to expire?
You choose how many days before a document expires that the document expiry message (or redirection to a URL) is displayed, giving users ample time to renew their subscriptions.
NOTE: This feature is only available in Safeguard Enterprise PDF DRM.
Is it possible to grant all users access to a protected PDF document or a publication in one go?
Through the batch change facility you can grant access to ALL users to a publication or document in a single mouse click. You do not have to select individual users to do this.
NOTE: This feature is only available in Safeguard Enterprise PDF DRM.
Can I remotely securely delete files using Safeguard PDF Security?
No. Safeguard PDF Security does not provide remote file deletion or secure file deletion.
However, once a file expires it is unusable to the user as it can no longer be opened.
Remote secure file deletion products should be seen more as a marketing ploy than anything else. There is nothing to prevent the user making copies of files and store them on another device, or to set a file to ‘read only’. Some software products can get around read only controls, but they need code that gets around the operating system of the computer, and that is most definitely a ‘bad’ idea. That is what hackers and viruses set out to do.
Peter Gutmann, the noted computer scientist in New Zealand, points out about secure file deletion methods – “the 35 pass overwrite technique …. is a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques.” – and as Government agencies note the only way to prevent data recovery is to physically destroy a disk.
How do I revoke document access?
You can revoke document access by suspending or deleting a document, or by changing the date access range for a document. You can revoke document access for all users or selected users.
You can also revoke document access automatically:
- on a specific date
- after a certain number of days use
- after a number of views
- after a number of prints
More information can be found at Revoking Document Access & Document Expiry