How we are improving security in our products


Security has made some big headlines recently, with the Spectre and Meltdown issues affecting processors being the most notable ones.

Here at IDRSolutions, we’ve been hard at work improving the security in our products. Here are a couple of features we’ve added recently to our Java PDF library:

Support for PDF files encrypted using AES-256

Amongst the cool new features that arrived in the PDF 2.0 spec at the end of July last year, all other types of encryption have been deprecated in favour of the stronger, more modern AES-256, and Unicode passwords are now supported!

Using 256-bit keys as opposed to 192- or 128-bit keys provides more resistance against brute-force attacks, as there are 2^256 possible keys. Of course, encryption strength is also greatly affected by the choice of password. For example, a password that contains names and other words is more susceptible to dictionary attacks, where an attacker attempts to guess the password using common words and patterns. If your password is ‘password123’ or something similar, no encryption is going to protect your data if someone can just guess it!

Support for encryption of transient data

First of all – what exactly is it?

Transient data is temporary data that an application creates while it runs. Most programs do this to reduce memory usage and to ensure they have copies of data available. In our software, large images are cached to disk until needed, and PDF files supplied as a URL or input stream have to be fully read and stored locally (PDF uses random access, which is not supported in these cases, so we need to store a copy and access that).

We do actually have options for clients to hold all data in memory for maximum security, but this can substantially increase the memory usage and is excessive for many use cases.

When the program stops running, transient data is not stored but deleted or reset to default values, unlike persistent data. For example, when you open a document with Microsoft Word, it creates a temporary copy of the file for you to edit, which is then deleted when you close Word. Any saved changes are written to the original document, which is persistent.

So what are we changing?

PDF files can be encrypted (which provides some security). In future releases, if you supply a password, we will also use it to encrypt any transient data using AES encryption, providing extra security. This will be transparent to our customers in use. It will be implemented across the next few releases – it is a substantial task.
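One way to encrypt cached transient data with a key derived from the supplied password, added here as an example and not IDRSolutions' own code. The class and method names, the PBKDF2 key derivation, the iteration count and the AES-GCM mode are assumptions; the post only states that AES will be used.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical class for illustration; not part of any IDRSolutions API.
public class TransientCache {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key;
    // Derive a per-run AES-256 key from the document password (PBKDF2 is an assumption).
    TransientCache(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt); // random salt per run: the key never has to outlive the process
        PBEKeySpec spec = new PBEKeySpec(password, salt, 200_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        key = new SecretKeySpec(raw, "AES");
    }
    // Encrypt the data and write nonce || ciphertext+tag to a temp file.
    Path store(byte[] data) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce); // GCM needs a unique nonce for every file written under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(data);
        Path file = Files.createTempFile("cache", ".bin");
        file.toFile().deleteOnExit(); // transient: removed on normal JVM exit
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Files.write(file, out);
    }
    // Read the file back and decrypt; a modified file fails with AEADBadTagException.
    byte[] load(Path file) throws Exception {
        byte[] in = Files.readAllBytes(file);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return c.doFinal(in, 12, in.length - 12);
    }
    public static void main(String[] args) throws Exception {
        TransientCache cache = new TransientCache("constructed-sample-password".toCharArray());
        byte[] image = "constructed sample image bytes".getBytes(StandardCharsets.UTF_8);
        Path f = cache.store(image);
        System.out.println("plaintext on disk: " + Arrays.equals(Files.readAllBytes(f), image));
        System.out.println("round trip ok: " + Arrays.equals(cache.load(f), image));
    }
}
```

If the process is killed before `deleteOnExit` runs, the file left behind is ciphertext whose key existed only in memory.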

Recent changes have made it increasingly important to be able to ensure that all customer data is held as securely as possible.


Rob

Software Engineer at IDRSolutions
Rob is a developer at IDRSolutions, currently working on JPedal and the microservice examples. In his spare time he enjoys riding his motorcycle, playing guitar in his band and studying languages that don't require a semicolon at the end of each line (including Bulgarian and Solidity).