Here at IDRSolutions, we’ve been hard at work improving the security in our products. Here are a couple of features we’ve added recently to our Java PDF library:
Support for PDF files encrypted using AES-256
Amongst the cool new features that arrived in the PDF 2.0 Spec at the end of July last year is a change to encryption: all other types of encryption have been deprecated in favour of the stronger, more modern AES-256, which also supports Unicode passwords!
Using 256-bit keys as opposed to 192 / 128 provides more resistance against brute-force attacks, as there are 2^256 possible key combinations. Of course, encryption strength is also greatly affected by the choice of password. For example, a password that contains names and other words is more susceptible to dictionary attacks, where the hacker attempts to guess the password using common words / patterns. If your password is ‘password123’ or something similar, no encryption is going to protect your data if someone can just guess it!
Support for encryption of transient data
First of all – what exactly is it?
Transient data is temporary data that is created by a specific application when it runs. Most programs do this to reduce memory usage and to ensure they have copies of data available. In our software, large images are cached to disk until needed, and PDF files supplied as a URL or input stream have to be fully read and stored locally (PDF uses random access, which is not supported in these cases, so we need to store a copy and access that).
We do actually have options for clients to hold all data in memory for maximum security, but this can substantially increase the memory usage and is excessive for many use cases.
When the program stops running the data is not stored, but deleted or reset to default values – unlike persistent data. For example, when you open up a document with Microsoft Word it creates a temporary copy of a file for you to edit, which is then deleted when you close Word. Any saved changes are written to the original document, which is persistent.
So what are we changing?
PDF files can be encrypted (which provides some security). In future releases, if you supply a password, we will also use it to encrypt any transient data using AES encryption, providing extra security. This will be transparent to our customers in use. It will be implemented across the next few releases – it is a substantial task.
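A sketch of the idea described above, added here as an illustration and not IDRSolutions' implementation: a transient cache file encrypted with AES-256 under a key derived from the supplied password. The PBKDF2 key derivation, the GCM mode, the iteration count, the file layout and all class and method names are assumptions of this example.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Arrays;

public class TransientCacheDemo {
    static final int SALT = 16, IV = 12, TAG_BITS = 128, ITERATIONS = 210_000; // example parameters
    // Stretch the password into a 256-bit AES key (PBKDF2 is this example's choice of KDF).
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(k, "AES");
    }

    // Encrypt data into a temp file laid out as: salt || iv || ciphertext+tag.
    static Path writeEncrypted(byte[] data, char[] password) throws Exception {
        byte[] salt = new byte[SALT], iv = new byte[IV];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt); // fresh salt per file
        rng.nextBytes(iv);   // fresh IV per file: never reuse an IV with the same GCM key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(data);
        Path tmp = Files.createTempFile("transient-", ".bin");
        tmp.toFile().deleteOnExit(); // transient: removed when the JVM exits normally
        return Files.write(tmp, ByteBuffer.allocate(SALT + IV + ct.length).put(salt).put(iv).put(ct).array());
    }

    // Decrypt; a wrong password or a modified file fails the GCM tag check (AEADBadTagException).
    static byte[] readEncrypted(Path file, char[] password) throws Exception {
        byte[] all = Files.readAllBytes(file);
        byte[] salt = Arrays.copyOfRange(all, 0, SALT), iv = Arrays.copyOfRange(all, SALT, SALT + IV);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(all, SALT + IV, all.length - SALT - IV);
    }
    public static void main(String[] args) throws Exception {
        byte[] cached = "constructed sample standing in for cached image bytes".getBytes(StandardCharsets.UTF_8);
        Path f = writeEncrypted(cached, "constructed-example-password".toCharArray());
        System.out.println(Arrays.equals(cached, readEncrypted(f, "constructed-example-password".toCharArray())));
    }
}
```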
Recent changes have made it increasingly important to be able to ensure that all customer data is held as securely as possible.