PDF DRM: 10 Features to look out for in PDF DRM software
Is the PDF security software you are looking to purchase really secure?
If the PDF DRM protection software you are evaluating can be simply broken then you might as well save your money.
What PDF Security and PDF DRM companies are not telling you about their products and solutions, and what questions you should be asking.
Think carefully about the tool that is used to render your PDF to the screen. Are there published cracks for it, or is the implementation insecure?
Go and check that password recovery expert companies like Elcomsoft (www.elcomsoft.com) don’t list the program you are rendering in their ‘password recovery’ list. Basically it means that they have found a way in, and for a small fee, so can anyone else. So if you are protecting a $6k bucks file and the crack costs $80 then you figure it out for yourself. Some companies even provide FREE on-line PDF password removal programs – see FreeMyPDF.
Don’t be fooled by companies that have been around for a while or are affiliated with big names. Dimitry Sklyarov, a cryptanalyst from Elcomsoft says:
“FileOpen was chosen as an Adobe ‘security partner’, which leads me to wonder how closely Adobe examines the cryptography used by its partners. The code can be broken instantly. FileOpen software, puts key information in the encrypted document, which is sort of like leaving your car with the keys in the ignition. Surprisingly, many of it’s users seem to be scientific and technical journals.”
“The $197 Ebook Pro e-book protection software is advertised as 100% burglarproof and claims a list of Fortune 500 companies as its customers. The software “encrypts” e-books by mixing each byte of the text with a constant byte. This is a technique so weak that it probably shouldn’t even be called cryptography.”
Checkout the latest information on poor PDF security implementations and flaws here.
Does your PDF Security or PDF DRM provider force you to use technology that puts users computers at risk?
- Self-extracting EXE files have proved very popular with some PDF DRM companies, however, they increase risks and may also decrease the actual security of systems.
More information on these vulnerabilities can be found at PDF security issues.
If the PDF Security or PDF DRM technology you use therefore forces users to use unsafe methods that expose their computers to risk, where does the responsibility lie if compromize occurs?
Plug in Dangers
Be careful about arguments that plug-ins are a lot safer than executable programs.
If the PDF DRM software relies on plug-ins for its security then your documents may not be as secure as you think. Because a plug-in inherits all the power and authority of the program it is loaded into, then you have to be just as confident about the provenance of the plug-in as you do about an executable. But your testing could be a whole lot harder because you can’t evaluate a plug-in unless you load it into its host program and then you don’t know if you are observing the actions of the plug-in or the host.
Make sure that people absolutely cannot load their own plug-ins into the master program. Because if they can, then they can get around the security that is being applied. Plug-ins run on the honor system. But, unfortunately, it seems that whilst people love honor, they love money more.
Plug-ins are exe files that need Windows administration rights to install. There are therefore no benefits of using plug-ins against standalone viewers – only disadvantages.
Plug-ins can also conflict with each other. There is no verification system in the host program that sorts out conflicts and reports lack of interoperability. Even Microsoft Windows does a better job of identifying ahead of time when systems simply won’t ‘plug and play’ than the plug-in system. The approach to plug-ins is load and go. And it is down to the person installing the plug-in to sort out if there are any conflicts between the plug-ins they already have and the new one they are trying to introduce.
Read more information on PDF Security plug-in vulnerabilities here.
IT Security background
Does your PDF security or PDF DRM supplier have a background in content security or are you purchasing from a one man band or affiliate scheme?
A lot of companies out there claim their products are secure yet use weak encryption or don’t publish their security mechanisms. The majority have no data or content security experience. A lot of ebook ‘security’ software on the market is affiliate software that is re-branded for different organizations to sell as their own.
If the company you are considering does not demonstrate any security credentials, then ask yourself whether you can really be certain that your content will be kept secure – you might want to look elsewhere.
Locklizard’s key employees have over 50 years experience in data, PDF DRM software, and content security solutions using encryption and public key technology.
There are systems and services that, for operational reasons, are perfectly valid, but they act in a way that can compromise PDF DRM controls.
Facilities like Citrix or Windows Terminal Server allow the implementation of a license on a single PC to be replicated across an entire installation. So a company can purchase just one copy of your protected document (ebook, report, etc.) and use it on every computer in their organization.
Make sure you check if the PDF DRM supplier can control these environments, because if they can’t then you do not have the DRM control that you first thought.
Does your PDF Security or PDF DRM provider prevent screen grabbers?
There are many popular screen grabbing programs available on the Internet, such as Snagit, or photo processing programs, that provide the ability to capture the screen image and save it as a file, or, even, OCR it and save the result.
Be aware that plug-in systems and browser environments are easy to screen grab since they are totally dependent upon what the host program is willing to do because they are not in charge of the environment.
If the PDF DRM provider you are looking at only prevents Windows print screen or cannot prevent remote screen grabs then you might want to look elsewhere.
Balancing security against usability
If you want to talk about security or DRM for PDF documents then you have to understand what you are trying to achieve.
It is all about objectives.
- How difficult to do want to make it for the IPR pirate to do their job?
- How feasible is it that you can stop them in their tracks?
- At the baseline, does the security stop screen print or copy and paste?
These are the simplest attacks to allow pirating of documents.
So does the PDF DRM software or PDF Security system that you have selected actually stop these features on demand? Be aware that proper DRM controls should allow you to switch this control on or off, not just off.
It’s a commonly held view that security systems are difficult to set up, and the more secure you want them to be the harder they are to use. It’s also wrong.
Locklizard have made full use of their significant background in the design of easy-to-use systems, and in the implementation of encryption and security technologies, to provide realistic, granular and effective PDF document protection and document management controls.
Our PDF DRM software is easy to use AND secure.
Why Locklizard for PDF DRM Security?
US Gov Strength PDF Security – Secure PDF files without passwords or plugins
Locklizard takes your PDF file protection seriously.
Our DRM PDF Security products enable you to share documents securely without insecure passwords or plug-ins, and enforce access, location, expiry, and usage controls. Revoke PDFs at any time regardless of where they are.
Our DRM technology ensures your secured PDF files remain safe no matter where your documents reside.