[BBLISA] Password-protected PDF file?
Edward Ned Harvey
bblisa4 at nedharvey.com
Sun Feb 17 12:35:19 EST 2013
> From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
> Behalf Of Scott Ehrlich
>
> How safe is a password-protected PDF file sent via email?
>
> I've never run a sniffer to see what could be learned from doing this.
It varies according to the application that creates / encrypts the pdf. But
that's probably not very significant. Most of all, there's basically no way
to generate a strong enough password to withstand a brute force attack ...
Because if you have some secure channel to securely communicate a 43-char
long random alphanumeric string with 256bits of binary degrees of freedom,
you would probably just use that channel to send the pdf directly.
Later versions of Acrobat support S/MIME keys, which are strong enough. You
do a key exchange with some recipient and then encrypt, it'll be pretty
secure. But complexity is a bit too high for most people.
But I see a lot of VPN's out there, and other stuff, configured by people
who just don't know or don't care about that. So assuming you're not afraid
of a brute force attack...
In acrobat 3, they supported 40-bit RC4. Not considered secure today.
acrobat 6, 128-bit RC4. Still not secure.
acrobat 7, 128-bit AES. Maybe secure today, depending on your needs
acrobat 9, 256-bit AES. Generally considered secure today as long as you
have a sufficiently strong key (on the order of 256 bits effective entropy)
The above are maximums. The default selection is one behind for
compatibility reasons. In acrobat 9, you click on security to add
encryption to pdf ... the default selection is acrobat 7 128-bit AES.
More information about the bblisa
mailing list