password-protected PDFs no longer possible on linux (rc4 cracked)

Given that RC4 is finally definitively broken(*), there are apparently
no linux tools to password-protect PDF documents.  The /pdftk/ tool
can only produce password-protected PDFs using RC-4, which obviously
must be scrapped.

We have /jsignpdf/, which can encrypt using an AES cipher-- but not
with a password, only a key.  The jsignpdf tool also lacks the ability
to encrypt without signing.

Does this mean linux users can no longer share a secret phrase with
someone, and use that to protect a PDF in a way that can be opened
using a typical PDF reader (thus not imposing extra tools on
recipients)?  Is there a tool I'm overlooking?

This is cross-posted to comp.text.tex, because I would like to know
what LaTeX users do, and if any LaTeX packages can encrypt a document.

(*) ref: http://www.rc4nomore.com/

Fritz
7/28/2015 3:14:14 PM

The attack you reference requires monitoring an immense amount of web traffic
continuously for hours. It's really not very feasible for its intended target
(cracking an https connection), but more importantly I don't see how it can be
applied to a pdf. A pdf file has a fixed amount of data and not hours of
continuously streaming data.

The attacks will only get better over time, so everyone should collectively
move away from RC-4, but it's really not urgent.
Richard
7/31/2015 11:36:33 PM
> The attack you reference requires monitoring an immense amount of web traffic
> continuously for hours. It's really not very feasible for its intended target
> (cracking an https connection), but more importantly I don't see how it can be
> applied to a pdf. A pdf file has a fixed amount of data and not hours of
> continuously streaming data.
>
> The attacks will only get better over time, so everyone should collectively
> move away from RC-4, but it's really not urgent.

Suppose Bob sends rc-4-encrypted invoices to Alice weekly, for years
on end, always encrypted with the same shared key.  Every invoice is
generated from the same tool and contains lots of the same
information, apart from dollar amounts.  An adversary may even have a
copy of a past invoice, for example, and thus know a lot of the
underlying plaintext that never changes.

Are you saying that's not vulnerable?

I'm not convinced that you've made a strong argument for staying with
RC-4, because PDFs aren't really constrained by size, so I'm not
following what you're saying about volume of data.  Bob could even use
an rc-4-encrypted PDF container to send Alice a 2 hour movie.
Wouldn't that be enough data?

Anonymous
8/1/2015 9:37:23 AM
On Saturday, August 1, 2015 at 4:37:26 AM UTC-5, Anonymous wrote:
> Suppose Bob sends rc-4-encrypted invoices to Alice weekly, for years
> on end, always encrypted with the same shared key.

Just read the OP's linked article.  It says:
"To successfully decrypt a 16-character cookie with a success 
probability of 94%, roughly 9x2^27 encryptions of the cookie need 
to be captured."

This is 1207959552 encryptions of the same cookie against different
portions of an RC4 stream.  It's hard to imagine how to perform a 
similar attack against one or more PDF files.  

Even taking liberties and saying that we can find a way to apply the
attack to Alice's invoices:  The attacker would need to intercept these 
weekly transmissions for 23.2 million years to get a 94% accurate 
attack.

> Are you saying that's not vulnerable?

That's more vulnerable than AES, but practically speaking, Alice's 
invoices are safe for now. These attacks against RC4 are probabilistic 
and getting stronger, so it's better to move on. Nevertheless, it's very 
premature to claim that RC4 is "definitively cracked."


> I'm not convinced that you've made a strong argument for staying with
> RC-4, because PDFs aren't really constrained by size, so I'm not
> following what you're saying about volume of data.  Bob could even use
> an rc-4-encrypted PDF container to send Alice a 2 hour movie.
> Wouldn't that be enough data?

If you knew in advance that the movie had 9*2^27 copies of the same
frame in it, you might succeed in using an attack like this.  At 30 frames
per second, that's about 11,000 hours of movie time.

I hope it's clearer to you now.  There is no rush. No one is reading your
RC4 PDFs. But yes, it's showing weaknesses, which make it prudent
to move away from it.  I just hate to see people worry about something
that's not an actual problem yet.
Richard
8/1/2015 6:57:30 PM