Question

Users of our website need to download a PDF that serves as proof that a transaction has been performed.

For security purposes I need to ensure that users cannot edit the PDF (i.e. edit the PDF, change some values, and send it back saying our system made a mistake).

I know signing the PDF is a good option, but would prefer to avoid doing this as we would need a dynamic signing certificate device from Adobe which I'm told is quite expensive.

So my question: using iTextSharp's SetEncryption method, is the PDF safe against user modification? Even if the user is a programmer? It appears to be but I would like to make sure.

My encryption code (pasted from another post on StackOverflow :) ):

using System;
using System.IO;
using System.Text;
using iTextSharp.text;
using iTextSharp.text.pdf;

Console.WriteLine("Creating...");
// Open the output file as a raw stream. File.CreateText wraps it in a StreamWriter
// that the original never disposed; a FileStream in a using block is enough here.
using (FileStream file = new FileStream(fileName, FileMode.Create))
using (Document document = new Document())
{
    PdfWriter writer = PdfWriter.GetInstance(document, file);
    // Encryption has to be configured before document.Open().
    writer.SetEncryption(
        null,                                     // no user password: anyone can open the file
        Encoding.UTF8.GetBytes("ownerPassword"),  // owner password only gates the permission flags
        PdfWriter.ALLOW_PRINTING | PdfWriter.ALLOW_COPY,
        PdfWriter.ENCRYPTION_AES_128);
    document.Open();
    document.Add(new Paragraph("hello world"));
} // disposing the Document closes it and flushes the PDF to the stream

Solution

In addition to all the comments pointing out that signing, and announcing that only documents signed by you are valid, is the way to go and does not depend on Adobe-specific hardware (storing a hash - or a copy - locally won't help, though; you have no proof that what you have stored locally is what you sent the customer), here is an answer to your original question:

using iTextSharp's SetEncryption method, is the PDF safe against user modification? Even if the user is a programmer? It appears to be but I would like to make sure.

No. Anyone who can open the PDF in a PDF Reader (i.e. the PDF is encrypted only by owner password or by owner password and a known user password), can circumvent encryption. And after the act that person can also re-encrypt. Probably he will use a different owner password, but how can you prove that the owner password you claim to use actually was used in the PDF sent to the user?

OTHER TIPS

I know this might be a bit spurious and long-winded, but if you calculate the SHA hash before you send it, and store it in the database, you could provide support with a way to validate that the PDF output is the exact one the server generated. Certainly it is long-winded, but could be used as a defence against fraud.
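The hash-and-store approach from the tip above, written out as an added example that is not part of any post on this page. The class and method names (`PdfFingerprint`, `Compute`, `Verify`) are assumptions; only the `System.Security.Cryptography` calls are real .NET APIs (.NET 5 or later). It hashes the exact bytes handed to the customer and later checks a file the customer sends back against the stored fingerprint:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original question or answers.
// Fingerprints the exact byte stream sent to the customer and verifies a
// returned copy against the stored value. Names are hypothetical.
public static class PdfFingerprint
{
    // Hash the final bytes that leave the server, i.e. after iTextSharp has
    // written and encrypted the file. Do not hash a regenerated copy: iText
    // writes a fresh /ID and creation timestamp on every run, so "the same"
    // PDF generated twice has different bytes and a different hash.
    public static string Compute(byte[] pdfBytes)
    {
        byte[] digest = SHA256.HashData(pdfBytes);
        return Convert.ToHexString(digest); // store alongside the transaction record
    }

    // Compare a customer-supplied file with the stored fingerprint.
    // Any change to the file, including a re-save or re-encryption with a
    // different owner password, produces a different digest.
    public static bool Verify(byte[] suppliedPdf, string storedHex)
    {
        byte[] expected = Convert.FromHexString(storedHex);
        byte[] actual = SHA256.HashData(suppliedPdf);
        // Constant-time comparison avoids leaking how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a short byte string standing in for a generated PDF.
        byte[] original = Encoding.ASCII.GetBytes("%PDF-1.7 transaction 42 amount 100.00");
        string stored = PdfFingerprint.Compute(original);

        // The customer returns an untouched copy: verification succeeds.
        byte[] returned = (byte[])original.Clone();
        Console.WriteLine("untouched copy matches: " + PdfFingerprint.Verify(returned, stored));

        // The customer edits one value (simulated) and sends it back: verification fails.
        byte[] tampered = Encoding.ASCII.GetBytes("%PDF-1.7 transaction 42 amount 999.00");
        Console.WriteLine("edited copy matches: " + PdfFingerprint.Verify(tampered, stored));
    }
}
```

This lets your own support staff tell whether a file presented later is byte-for-byte the one the server produced, which is what the tip proposes. It does not address the objection in the accepted answer: the check rests on the database record being trustworthy, and it gives the customer, or a third party, nothing they can verify independently; a signature on the document is what supplies that.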

Licensed under: CC-BY-SA with attribution