[Discuss] Password-protected PDF file?
Edward Ned Harvey (blu)
blu at nedharvey.com
Sun Feb 17 10:34:12 EST 2013
> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Scott Ehrlich
>
> How safe is a password-protected PDF file sent via email?
>
> I've never run a sniffer to see what could be learned from doing this.
It varies according to the application that creates / encrypts the pdf. But that's probably not very significant. Most of all, there's basically no way to generate a strong enough password to withstand a brute force attack ... Because if you have some secure channel to securely communicate a 43-char long random alphanumeric string with 256bits of binary degrees of freedom, you would probably just use that channel to send the pdf directly.
Later versions of Acrobat support S/MIME keys, which are strong enough. You do a key exchange with some recipient and then encrypt, it'll be pretty secure. But complexity is a bit too high for most people.
But I see a lot of VPN's out there, and other stuff, configured by people who just don't care about that. So assuming you're not afraid of a brute force attack...
In acrobat 3, they supported 40-bit RC4. Not considered secure today.
acrobat 6, 128-bit RC4. Still not secure.
acrobat 7, 128-bit AES. Maybe secure today, depending on your needs
acrobat 9, 256-bit AES. Generally considered secure today as long as you have a sufficiently strong key (on the order of 256 bits effective entropy)
More information about the Discuss
mailing list