Colin van Oosterhout - Adobe Inc. · 2006. 6. 30. · Adobe’s intelligent document platform The importance of document security Overview of the security methods in Adobe Acrobat

2005 Adobe Systems Incorporated. All Rights Reserved.1

Document security

Colin van Oosterhout

Solution Expert/Business development manager

Adobe Systems Benelux


Provide an overview of the security features in Adobe Acrobat so that you have the right knowledge to start protecting your PDFdocuments. This will ultimately lead to a secure document exchange workflow in your organization.

Goal of this seminar


What it is not about today…

MD4, MD5 SHA-1, DES

SSO – Single Sign On

PKI – Private/Public key

Symmetric/Asymmetric

FIPS 140-1 level 3 validation

MSCAPI

HSM

Credential, Certificate

OCSP vs. CRL

PKCS #7, #10, #11

X.509 v3

Time stamping


Agenda for this seminar

Introduction of Adobe

Adobe’s intelligent document platform

The importance of document security

Overview of the security methods in Adobe Acrobat

Throwing obstacles in the PDF document

Working with password security

Working with digital signatures

Working with DRM (Guest appearance Bart Vossen)

Wrap up

Q&A


Adobe Systems Incorporated

62005 Adobe Systems Incorporated. All Rights Reserved.

Adobe Timeline and Innovations

1982

Technology Foundation Desktop Publishing Revolution The Internet Revolution Begins Cross-Media Publishing The Next Wave

1985 1986 1987 1990 1995 1999 2000 2002 2005

Company founded by

John Warnock

and Chuck Geschke

First Adobe®PostScript®

Printer & Imagesetter

Initial Public Offering

AdobeIllustrator®

2 EMPLOYEES

5,000EMPLOYEES

Flash®

AdobePhotoshop®

Aldus Acquisition

Adobe Acrobat® ,

Adobe PDF, and Adobe

Reader®

Bruce ChizenPromoted to

President & CEO

Shantanu Narayen Promoted to

President & COO

2004

MacromediaAcquisition

Adobe Intelligent Document Platform

AccelioAcquisition

Stephen ElopNamed President of

WW Field Operations

Adobe Products


600 millionPCs and devices

Widest Reach in the World

89%of PCs

97%of PCs


PartnersPartners

Adobe’s Customers

Knowledge Workers ConsumersCreatives DevelopersEnterprises


Adobe’s Framework:the intelligent document

platform

The intelligent document platform



Introducing Adobe LiveCycleTM

LiveCycle: Flexible and scalable

Adobe Document Services

Collaboration

Review, comment & approval

Permanent electronic records

Document Generation

Office applicationsVolume/ad hoc Document creationPaper>DigitalPrint stream ReformattingGraphics manipulation

Process Management

Online form integrationOffline form processingWorkflow

Authenticity, integrity, and confidentiality

Document Control & Security


Automated workflow processes

User driven workflow

Adobe documentservices and the role of Acrobat


The Adobe Acrobat® Product Family

Adobe®Reader®

Adobe Acrobat Elements

Create reliable and secure PDF documents

from MS office files.

Adobe Acrobat Standard

Quickly and easily create, organize and

share secure PDF documents.

Adobe Acrobat Professional

Advanced creation, control and exchange of

high quality PDF documents.

Adobe Acrobat 3D

Publish, share and mark-up of 3D content inside intelligent and rich PDF

documents.

View, Print and search Adobe PDF documents.

Powerful interaction with documents and

electronic forms.


The importance of document security


Documents and forms are important communication means

Court documents

Loans

Contracts

Research reports

Procedures

Confidential dossiers

Geographic images

Permits


Document security is a must…


Information Security Needs

Authenticity:

Where did this data come from?

Integrity:

Has it been tampered with?

Access Control:

Who can access it?

Authorization:

What can they do with it?

Auditing:

What have they done with it?


Demo: how can you see if a PDF document is

secured?


When a PDF document is not secured

The document can be edited

Data (text, images, 3D, multimedia) can be extracted

The document can be printed

The document can be used in other applications

There is no guarantee to prove if and where the document is changed

No security on a PDF document is a high risk!


Demo: the risks of a not secured PDF document


Document compare functions

Compare documents

textual changes

Visual changes

Compare versions of documents (based on digital signatures)

Create a report

Side by side report

Consolidated report


Demo: compare documents


Zooming in on PDF


PDF: the intelligent document

Forms

Validation &

Calculation

Dynamic structure

Security

WorkflowIntegration

XML, SOAPWeb-Services:

Sharing, archiving

Text, images, video, audio 2D drawings3D Models


PDF is an open file format specification with over 1800 supporting vendors

Enables XML data integration

Adobe® Reader® is ubiquitous (500M+ distributed) on virtually every operating system and is an excellent security client

Security resides persistently within the document, independent of the network or distribution mechanism

PDF: the intelligent document


PDF based standards

Under consideration

PDF/Accessibility

PDF/Engineering

PDF/Finance

PDF/is—IEEE—Image-StreamableInternet Fax Transmission

Fax- and internet standard

PDF/A—NWI ISO/TC171/SC2 N226 E

Long term preservation of electronic documents

PDF/X—ISO 15929, 15930-1, 15930-3 15929:

Exchange of digital advertisement materials

15930-1: Use of CMYK

15930-3: Complete exchange of color managed workflows

PDF/x-2: Under development –replacing images and XMP


The security methods in Adobe Acrobat


Phases of Document Control and Security

1

2

3

4

Controlled electronic access with hard-copy distribution

Electronic distribution with password protection or read-only protection

Encryption and digital signatures

Dynamic encryption and user-specific rights and revocation


The security methods in Adobe Acrobat

Document control (password security)

Certificate security (working with digital signatures)

DRM (Adobe LiveCycle Policy Server)

Start at the beginning: throwing obstacles in a PDF document

Adapting the interface of Adobe Acrobat

Create alert messages

Wrap a PDF inside another PDF

Hidden messages in Optional Content Groups (OCG)

Working with watermarks

Working with hiddenfields


Throwing obstacles Demo 1: adapting the interface

of Adobe Acrobat


Throwing obstacles Demo 2: the use of watermarks

in a PDF file


Throwing obstacles Demo 3: “alert messages”


ConfidentialityRights ManagementAccess Control

Document ControlSince Adobe Acrobat 2.0 - 1994

Digital SignaturesSince Adobe Acrobat 4.0 - 1999

AuthenticityIntegrityNon-repudiation

The Evolution of Effective Electronic Document Protection


Document Control

Standards–based encryptionShared password (symmetric RC4)

Individual PKI certificates (asymmetric RSA)

LDAP client for real-time lookups and local address book for offline

Permissions controlPrinting

Content modification, including form fields

Copying of content


Demo: password security


Useful tips for choosing a password

Do not use short words that are very common in your language

“Dog” can be guessed in 2,425 attempts with “brute force”

Remember a sentence: I like to walk with my dog

Use the first letter of each word:: I L T W W M D

Change a letter based on the application that you work with and use mixed capitals

Acrobat = ACrowbT7 (26+26+10)^6= 56,800,235,584 combinations


When a PDF document is not secured

The document can be edited

Data (text, images, 3D, multimedia) can be extracted

The document can be printed

The document can be used in other applications

There is no guarantee to prove if and where the document is changed

No security on a PDF document is a high risk!


Demo: how other applications “respect”

security in a PDF document


Setting security policies in Adobe Acrobat

To prevent the repetitive tasks of setting security for each new document, you can work with security policies in Adobe Acrobat.

Security policies can be used per document(type), but…

Security can also be set with the batch processing options of Adobe Acrobat.

Secure large volumes PDF with one single click


Demo: setting security policies with Adobe

Acrobat


Setting security policies in Adobe Acrobat

To prevent the repetitive tasks of setting security for each new document, you can work with security policies in Adobe Acrobat.

Security policies can be used per document(type), but…

Security can also be set with the batch processing options of Adobe Acrobat.

Secure large volumes PDF with one single click


Demo: batch secure PDF documents


Other options to set security

The Acrobat Distiller

The PDFMaker

Word

Excel

Powerpoint

Etc.


Demo: set security with the PDFMaker


Provides intentAuthenticates the person who

signs the documentEnsures the integrity of the

signed document



signed document

The role of a “wet signature”


A digital signature is the electronic equivalent of a handwritten signature

Ensures that:

The document has not been changed

The person who signs is who he says he is.

Cryptographic software process based on the exchange of symmetrical/Asymmetrical keys.

Much more paper based processes can come online by using digital signatures.

What are digital signatures?


Working with digital signatures in Adobe Acrobat

Acrobat Self sign Certificates

Third party digital signatures

Entrust

Verisign

Geotrust

Etc.

SmartCard SmartCard Reader withSecure PIN-Entry

Software Applications for digital signatures.

All components must be evaluated – certified– and confirmed by legislation. Prefferably based onCommon Criteria (ISO 15408)


Workflows for digital signatures

Report, Statement, Press release

Round Trip

Typically a dynamic document that requires filling and/or authorization

Electronic bills customer forms HR documents, etc.

One way

Typically static documents for a broad recipient base


Demo: creating a self signed certificate


Self signed certifcates in Adobe Acrobat

Since version 4.0 (Reader 5.1)

Signature is placed directly in the document, ideal for document processes.

Ideal for internal workflows, based on trust.

but:

Not compliant with legislation

Not legally binding

Not certified

Not complete


Digital signature validation

Identity of the author– checked by Acrobat or a so called trusted third party (TTP)

Integrity of the content

Validation of the certificate – real time check when the PDF document is opened

Validity of the author is unknown

Invalid signature

Valid Signature


Wet signatures and digital signatures, how well do they match?



signed document



signed document


Client based and server based solutions for security

Client based:

The Adobe Acrobat Product family

Adobe Reader

Acrobat Elements

Acrobat Standard

Acrobat Professional

Acrobat 3D

Server based :

Adobe Livecycle Security Server

Adobe Livecycle Reader Extensions Server

Adobe Livecycle Policy Server


An enterprise server for: Managing document control policies, authentication, auditing

Integrating with 3rd-party enterprise systems for user administration and content management

Enforcing time-based access requirements

Enabling policy changes after distribution (revocation)

Uses Adobe Acrobat & Adobe Reader as clients for authoring & viewing protected documents on the desktop

Built on industry standardsHTTP/SOAP: Connection between client and server can proxy through firewalls using SSL

AES: Encryption from RSA toolkit

Adobe Policy Server : An Enterprise Level Security Server


Demo: Policy Server(Guest appearance Bart

Vossen)


Adobe Policy Server : Key Take Aways

Adobe Reader7/Acrobat7 on the Desktop

Dynamic Watermarks

Possibility to print in High or Low Resolution (Can’t scan) mode

Encryption of the:

Complete Document

Attachments

Metadata

DYNAMIC CENTRALISED Document Control

Policy definitions are stored in a Repository

Policy changes are reflected immediately

No definitions on the client / desktop

Users

Internal Users (LDAP Synchronised)

External Users

Anonymous users

Policy definitions can be overwritten for a specific user / group

Auditing

Fine-Grained auditing at Document Level (E.g. who changed, filled-out, printed, signed, etc.)

Offline auditing is supported

Based on Industry Standards

Developed in Java

Supports JBoss, BEA WebLogic, IBM WebSphere

Runs on Windows, Linux, Sun Solaris, IBM AIX

MySQL, SQL Server, Oracle, DB2 as Repository

LDAP Support: Sun, MS, Novell


For every security application there is a solution!

LiveCycle Security ServerLiveCycle Reader Extensions ServerLivecycle Policy Server


Wrap up: Adobe’s unique propositions with regards to document security

Dynamic permissions, even after publication/distribution

Change users, set expirations and revoke documents.

Ensure version control

Independent from a network or distribution mechanism

Online and offline

Gives access to documents inside and outside the firewall

Password security

Digital signatures

DRM

PDF and the Adobe Reader are everywhere!

Security is built in the PDF file specification

Works cross-platform: Windows, Mac, Linux


Questions?
