Adobe PDF security: is it really just an "honor code"?

2

When encrypting a PDF in Adobe Acrobat Pro XI, there's a message to the effect that some third-party programs which read PDFs may ignore the encryption password and open the PDF for viewing. Is Adobe PDF encryption really no more than a sign on a door that reads

This door is locked. The key is in the lock. But don't use it.

??

All Adobe products enforce the restrictions set by the Permissions Password. However, not all third-party products fully support and respect these settings. Recipients using such third-party products might be able to bypass some of the restrictions you have set.

TRomano

Posted 2016-08-13T10:40:43.613

Reputation: 197

This seems like a good question to ask in the chatroom. There are tools that can read a encrypted PDF file – Ramhound – 2016-08-13T10:42:08.553

Do they have to "break" the encryption, or is the password visible to them? – TRomano – 2016-08-13T10:43:05.043

1I believe that ignore the encryption password simply means that those applications will try to display the file and will end up displaying crap. So it's telling you that by using encryption you are effectively making the file impossible to use for applications that don't support encryption. – Bakuriu – 2016-08-13T10:43:38.977

@TRomano - Depends on the restrictions placed on the document by the program which created the document. A program can ignore the restrictions to print or copy the document. A program would have to brute force the password if its protecting it from being opened. – Ramhound – 2016-08-13T10:44:27.680

@Ramhound: So they could only print or copy the document after having "cracked" the security? The password is not visible to them? All they know at first glance, so to speak, is that the document has been encrypted? – TRomano – 2016-08-13T10:50:35.533

@Bakuriu: I have added the verbatim warning message. It talks about "respect" and "bypassing". – TRomano – 2016-08-13T10:51:25.253

1Note that you can have pdf files with a password but without encryption. In that case other applications can just ignore password. However if you encrypt the document, there is no way to open it without entering the decryption key (i.e. the password). There are also authorization passwords (e.g. ask a password to print the document etc) and those can be bypassed by 3rd party tools. – Bakuriu – 2016-08-13T12:39:30.440

Answers

3

If you add a password to view a PDF, then the file is actually encrypted. There is no "honor system" - any program will have to have the password, or somehow crack the security, to view the file and edit it in any way.

If you add a password to control any other functions, such as printing or editing, then the "honor system" is in effect - while Adobe products and most other big-name PDF readers will honor these restrictions, there is nothing preventing a program from just ignoring them, and nothing preventing the user from simply opening the PDF in a text editor and removing the "restrictions". Hence, the reference in the message to a "permissions password".

Brian Duddy

Posted 2016-08-13T10:40:43.613

Reputation: 364

AES-128 and 256 per https://security.stackexchange.com/a/113169/44181

– tbc0 – 2019-01-18T04:14:33.417

Asked: 2016-08-13T10:40:43.613

Viewed: 798 times

Active: 2016-08-14T01:12:38.677