> -----Original Message-----
> From: J.Pietschmann [mailto:[EMAIL PROTECTED]]
> Sent: Thursday 10 July 2003 19:33
> To: [EMAIL PROTECTED]
> Subject: Re: PDF encryption
>
> Chris Faulkner wrote:
> > Thanks for that - it looks like the PDF decryption can only be done if you
> > have the owner password, although it apparently has tools to
> > apply brute force to crack the password, mentioning dictionary
> > attacks. Seems like if
> > you keep the password long and obscure, it isn't that easy. Does anyone have
> > any direct experience with these tools?

I have used their Excel pw recovery a few times. Since you do not actually 'obtain' the password, but only a working alternative, it's hard to say whether the original password's simplicity was the cause of this pretty tool being able to do the trick in less than a second ( Athlon XP+ 1500 ) ... although very likely.

Problem with the standards is that someone always comes up with a possibility of reversing the process somehow - in fact this possibility is already there from the beginning, it's just a matter of optimizing the code to perform the extraction based upon the given hash and algorithm, possessing the knowledge to do so, and, of course, computing power.

Fact remains that if some particular piece of information would need to be protected 'at all costs', it would probably also be worth the effort to design an algorithm yourself... ( or as it happens, a combination of the existing algorithms a la carte )

[ That's why I was playing with the idea of adding a PDF-object with a customizable signature ( - as a binary content stream? ) on top of the existing standard, but problem is that you would also need to draw heavily on the Acrobat SDK to ensure that you have a way of editing / saving the PDF without that supplemental sig being removed as an 'unused' object. - thx for pointing that out, jerry ;-) saved me hours of work ... ]

Guess it all comes down to relying upon the standard Acrobat encryption to be enough to 'scare off' most people that might be interested in what the file contains, but if they really persist and possess the required skills and tools, they will eventually get to it anyway. Keeping the pw long & obscure will make a difference of minutes, maybe only seconds...

> No direct experience, but I don't think elcomsoft uses brute force
> but rather a design flaw, which isn't fixed even in the most recent
> PDF spec. That's why they can crack 128bit encrypted PDF.
>
> A long and obscure password, preferably containing unusual
> characters, helps only against dictionary attacks. The password
> isn't used directly but a 40bit respective 128bit hash of it
> instead. Brute force works nicely against 40bit encryption,
> regardless of the original password. It won't recover the original
> password though.

Me neither for the PDF pw 'recovery', but their tool for MSOffice / Excel does indeed not actually 'recover' the pw. It simply offers you a string that does the trick.

> J.Pietschmann
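The point quoted above, that the file key is a fixed-size hash of the password rather than the password itself, as an added example that is not part of the original messages. It assumes the standard security handler's key derivation from the PDF Reference (Algorithm 3.2); the /O, /P and /ID values and the guessing rate are constructed for illustration.

```python
import hashlib
import struct

# Fixed 32-byte padding string defined in the PDF Reference for the
# standard security handler.
PAD = bytes.fromhex(
    "28bf4e5e4e758a4164004e56fffa0108"
    "2e2e00b6d0683e802f0ca9fe6453697a"
)

# Constructed sample values (not taken from any real document).
SAMPLE_O = bytes(range(32))                        # /O entry, 32 bytes
SAMPLE_P = -44                                     # /P permission flags
SAMPLE_ID = bytes.fromhex("00112233445566778899aabbccddeeff")  # first /ID element


def derive_key(password: bytes, o_entry: bytes = SAMPLE_O,
               p_flags: int = SAMPLE_P, file_id: bytes = SAMPLE_ID,
               revision: int = 2, key_bits: int = 40) -> bytes:
    """Derive the file encryption key from the user password."""
    n = 5 if revision == 2 else key_bits // 8      # revision 2 is always 40 bits
    padded = (password + PAD)[:32]                 # pad or truncate to 32 bytes
    md5 = hashlib.md5()
    md5.update(padded)
    md5.update(o_entry)
    md5.update(struct.pack("<I", p_flags & 0xFFFFFFFF))  # 4 bytes, low-order first
    md5.update(file_id)
    digest = md5.digest()
    if revision >= 3:                              # revision 3 re-hashes 50 times
        for _ in range(50):
            digest = hashlib.md5(digest[:n]).digest()
    return digest[:n]


def exhaust_days(key_bits: int, keys_per_second: float) -> float:
    """Days needed to try every key of the given size at an assumed rate."""
    return 2 ** key_bits / keys_per_second / 86400


if __name__ == "__main__":
    for pw in (b"a", b"Tr0ub4dor&3-long-and-obscure-passphrase!"):
        print(len(pw), "byte password ->", derive_key(pw).hex())
    # Assumed rate of 1e6 keys/second, chosen only to make the arithmetic concrete.
    print("40-bit key space: %.1f days" % exhaust_days(40, 1e6))
```

Whatever the password length, the revision 2 key is five bytes, and anything past the 32nd password byte is discarded before hashing, so the cost of searching the key space does not depend on the password.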
