Sunday, August 30, 2009

Make that PDF secure: Toy Security

Make that PDF secure! That is one of the funniest requests I have received from a boss at one of my jobs… I answered by asking: “Secure? How secure?” and my boss told me: “Well, I want the user to be unable to modify it, copy it or print it.”

Why do I say that this request is funny? Well, because this was a web application, the typical HTML+JavaScript+JSON/XML+Choose-the-Server-Side-Tech-You-Like application. Now, of course you cannot really “display” a PDF with that technology; you need a PDF viewer like Acrobat Reader so that your user can “see” the PDF, and, of course, all the intended users of this intranet web application had it installed.

My boss had read that Acrobat had an option to make a PDF read-only with a password, and that it was even possible to “protect” the document so that it could not be printed… sounds like the solution… no? Well, first of all, if you can see it, it means that the structure of the document is available to the reader, which means that the document is not really encrypted, and that means that any tool capable of reading and writing .pdf will be able to remove the password without even bothering to guess it with a brute-force (or even a heuristic) attack.

What can you do then? Well, you can actually encrypt it… that will prevent the user from modifying it… but it will also prevent it from being seen… unless the user has the password… which also means he/she can decrypt the document and remove the protection.

Is there nothing that can be done then? Well, if the security of this document is actually a priority, you could create a custom reader that is unable to print… that should work, shouldn't it? Well, not exactly: the user can always just press the “Print Screen” key that is available on every keyboard and get a copy of the document… I have read that it is possible to install some DRM-level protections in some OSes that could detect that, but when you take it to that level, a new question is brought to the table: is it worth the cost? Does the document actually need that kind of security? If not, this is a case of toy security: your boss just wants this feature because it sounds like a feature that “would impress the user”, not because the application really requires it; he/she has not really given this feature (and its implications) any thought.

Let's say that my boss says: “Yes, that level of security is really needed” (very unlikely, but it could happen). Well, that brings in the next question: what if the user just goes, takes one of those great modern digital cameras, and takes a picture of the monitor? (And then spends a few days retouching it in the Gimp or Photoshop.) That means he/she will be able to steal the information, and even be able to print it. How can you prevent that from happening? How can you make a document that is actually secure even after that?

Well, the answer is that if what you want to prevent is the theft of information, the only way is to not allow the user to see the document. If the user can see it, the user can copy it, one way or another (there is even the possibility that the user has a photographic memory), and there is no way you can make the user “forget” that he saw the document.

But let's say that what you want to do is detect whether a document is a forgery, that is, right at the moment you see it printed on paper, you want to be able to know whether it came from your system (and whether it was altered by someone after it was copied)… the only way to do that is to embed the same information the document carries in a 2D barcode (including something that uniquely identifies the document), and to embed in another barcode a digital signature that can validate that data. That is the only way I know of to demonstrate that a document is a forgery… obviously, by the time you have explained this to your boss (if he/she has managed to make sense of it), the most likely outcome is that he/she is unwilling to ask you to do everything needed to achieve this goal, mostly because it is nothing like what he/she wanted in the first place: it is something much more abstract, and it requires a barcode reader to verify the document.
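An added example (not the author's code) of the two-barcode scheme described above: the document's data is serialised to fixed bytes, signed with an Ed25519 key, and the data and the signature are encoded as the payloads the two 2D barcodes would carry; the verifier rebuilds the record only when the signature matches, so a retouched print fails the check. The record fields, the constructed id DOC-0001 and the base64 encoding are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Record is the constructed payload printed as the data barcode; ID uniquely identifies the document.
type Record struct {
	ID     string `json:"id"`
	Holder string `json:"holder"`
	Amount int    `json:"amount"`
}

// SignRecord produces the two barcode payloads; json.Marshal with fixed struct field order gives deterministic bytes to sign.
func SignRecord(priv ed25519.PrivateKey, r Record) (dataBarcode, sigBarcode string) {
	data, _ := json.Marshal(r)
	sig := ed25519.Sign(priv, data)
	return base64.StdEncoding.EncodeToString(data), base64.StdEncoding.EncodeToString(sig)
}

// VerifyBarcodes mimics the reader's software: it returns the record and true only if the signature covers exactly these bytes.
func VerifyBarcodes(pub ed25519.PublicKey, dataBarcode, sigBarcode string) (Record, bool) {
	data, err1 := base64.StdEncoding.DecodeString(dataBarcode)
	sig, err2 := base64.StdEncoding.DecodeString(sigBarcode)
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, data, sig) {
		return Record{}, false
	}
	var r Record
	if err := json.Unmarshal(data, &r); err != nil {
		return Record{}, false
	}
	return r, true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rec := Record{ID: "DOC-0001", Holder: "A. Example", Amount: 100}
	data, sig := SignRecord(priv, rec)
	_, ok := VerifyBarcodes(pub, data, sig)
	// Retouching the printed amount forces a new data barcode, which the old signature no longer covers.
	rec.Amount = 1000
	forged, _ := json.Marshal(rec)
	_, forgedOK := VerifyBarcodes(pub, base64.StdEncoding.EncodeToString(forged), sig)
	fmt.Println("genuine:", ok, "forged:", forgedOK) // genuine: true forged: false
}
```

The private key stays on the issuing system; the verifier only needs the public key, so the barcode reader cannot be used to mint documents.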
