1

My organization has some Confidential (as in statutory requirements confidential) documents that go out to certain people and committee groups prior to their release into public domain. These documents need to be accounted for during this timeframe to prevent their "early" release. This has been done historically, by all the interested parties holding a meeting in a closed room, the documents passed out, the meeting held, and then they are collected as everyone leaves the room. I have been tasked with duplicating the same kind of policy mechanism using our publicly facing web server (Debian 5.0.6 on Xen HVM running Apache2).

I immediately dislike the idea of keeping confidential material on a web server that is accessible by the entire world just on principle alone but we will put that concern aside for a minute. These documents need to be 1) accessible to only the interested parties, 2) the content of the documents protected somehow, 3) not able to be printed by the people that view it, 4) not able to be saved for re-distribution later.

I think using .PDFs is the best solution for this. I can constrain the ability to print, and edit the documents. Judicious use of .htaccess and SSL can prevent the whole world from downloading them. It's the single use, non-distribution part that I cannot think of a decent way to implement. Once they're downloaded, they're downloaded. And nothing I can think of, can prevent someone from passing the document to someone who shouldn't have it along with the password to read it. What I need is a single-use policy mechanism, like a one-time password for .PDFs. Use the password once and then we just rely on Adobe's encryption (for better or for worse).

Anyway, I'm kind of at an end on how to accomplish this, and I was hoping some of the good folks here could help me generate some ideas so I can present the pros and cons of this project to the boss.

Thank you kindly.

EDIT: It's been noted numerous times that any technical system to do this is easily circumnavigated by things like dictating the information out of the document to someone, taking a picture or screenshot or something like that. This threat already exists in the "closed room" model, although it's certainly much smaller. We can more or less trust the people on the other end, just not their computers.
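The "one-time password for PDFs" idea from the question can be implemented server-side as single-use download tokens; the following is an added illustration, not code from the question or from any product named in the thread. `issue_token`, `redeem_token`, the in-memory stores and the sample document names are all hypothetical; the point to notice is that it limits how many times the server hands out a file and records who fetched it, and nothing more.

```python
import hashlib
import secrets
import time

# Constructed single-use download tokens for confidential documents
# (hypothetical helper, not from the thread). The server stores only a
# hash of each token, so a leaked token table does not yield usable links.
# Redeeming a token deletes it, so the same link cannot be used twice.
# This bounds the number of downloads and gives an audit trail; it does
# nothing to stop a recipient forwarding the copy they received, which is
# the limitation the answers below describe.

TOKEN_TTL_SECONDS = 15 * 60

# sha256(token) -> (document id, recipient, expiry timestamp)
_issued = {}
# audit trail of successful downloads: (document id, recipient, timestamp)
_audit = []


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(doc_id, recipient, now=None, ttl=TOKEN_TTL_SECONDS):
    """Mint a one-time link token for one recipient and one document."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _issued[_digest(token)] = (doc_id, recipient, now + ttl)
    return token


def redeem_token(token, now=None):
    """Return (doc_id, recipient) exactly once; afterwards the token is void."""
    now = time.time() if now is None else now
    entry = _issued.pop(_digest(token), None)  # unknown or reused -> None
    if entry is None:
        return None
    doc_id, recipient, expiry = entry
    if now > expiry:
        return None  # expired tokens are discarded, never honored late
    _audit.append((doc_id, recipient, now))
    return doc_id, recipient


def downloads_for(doc_id):
    """Who has fetched a document, for the accounting the question asks for."""
    return [(who, when) for d, who, when in _audit if d == doc_id]
```

A web handler would call `redeem_token` with the token from the URL and serve the file only on a non-`None` result, sending `Cache-Control: no-store` so the browser does not keep its own copy.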

  • Regarding your edit: If you can't trust their computers, you can't trust *any* system installed on that computer purporting to provide confidentiality, and so you should not permit viewing of such material on those computers, directly or indirectly. – Andrew Barber Dec 04 '10 at 05:48
  • +10 if I could, @Andrew Barber. No amount of gyrations (DRM, VPN, etc) is going to change that, if it's viewable on the screen somebody (either the user or a malicious attacker running software on their box) can compromise the confidentiality of the data. – Evan Anderson Dec 05 '10 at 00:51

5 Answers

11

Relying on any kind of "DRM" protections in PDF files (or any other kind of file) assumes that the reader software and computers where the reading is occurring are "trusted". This is a bad idea.

You can use authentication and encryption to limit "use" to authorized parties, but that only works when the authorized parties keep their passwords and keys secure. If you're not disseminating hardware tokens then, odds are, passwords or keys can be fairly easily compromised.

Setting all that technical stuff aside, if the confidentiality data is so important that it's traditionally disseminated in closed-door meetings with copies being collected after the meeting is over then it's not appropriate to protect it with "DRM". You cannot (and never will be able to) replicate that kind of functionality, with respect to confidentiality, with "DRM".

I'd make it clear to your supervisors that any "solution" that involves sending the data out of your control is going to result in breaches of confidentiality, period. It doesn't matter how many DRM controls you put on the documents in an electronic form, that won't stop somebody from taking pictures of their screen with a camera, dictating the content out loud, etc.

If the closed-door meetings are just an old formality and the level of confidentiality isn't really that critical then you might get by w/ an encryption solution. I'd think hard about using hardware tokens to keep the private keys secure in such a situation. The PCs of your end user consumers should be considered untrusted and not a safe place to store key material.

Evan Anderson
  • All very true. Even with the solution I posted, encryption can still be broken, and methods like taking a screenshot or a picture can easily be used to work around your security measures. You cannot ensure the same level of security as in your closed-room meetings. – Rafiq Maniar Dec 03 '10 at 19:53
  • I am in complete agreement. The situation is mostly just that I need to be able to explain the technical limitations of this "solution", and let my supervisors decide whether or not the benefits (allowing people who would not normally be party to these meetings the ability to participate) outweigh the costs (the loss of a good mechanism for controlling the confidential material once it's released to an untrusted area). One-time passwords, or something similar, seem to be an OK "80% solution"... so I will look around the provided links. Thanks. –  Dec 03 '10 at 20:22
  • I +1'd this answer because it's the correct one. If an 'OK solution' is really OK, then your requirements go too far. But if your requirements really are your requirements, you need to keep this information away from untrusted technology. – Andrew Barber Dec 05 '10 at 01:06
  • This is the *right* answer.. but there are numerous "OK" solutions here as well... I particularly like the idea of using a VPN/RPN (we actually already have a Citrix farm that could do this), but as pointed out there is no way to build anything that comes close to the "closed-room" mechanism used for hard copies. If the decision was up to me, we wouldn't even need to have this conversation but I'll see what management wants to do... it's their data after all. –  Dec 06 '10 at 18:41
3

How about a terminal server behind a VPN? They can view the documents while in the session but have no way of transferring a local copy. You can enforce a one time use password for login. You might be able to control copy/paste but print screen could still be a risk to consider.

Aaron Copley
  • So, a VPN will stop me from dictating it aloud or taking pictures of the screen with my cell phone camera? If human eyes can see it then it can be copied. – Evan Anderson Dec 03 '10 at 23:40
  • I like this idea but it's probably beyond my skills to set up and probably would require too much work on the client side of things (as the parties that need these documents all belong to separate entities outside of my area of operations.) Also: the screen capture, cell phone picture, dictation, etc threat already exists with the closed room model. We trust the people on the other end... just not their computers. –  Dec 04 '10 at 01:11
  • A terminal server setup really shouldn't be that hard. I am not sure you would even need a VPN, a TS gateway may be enough since SSL is used as a transport. An RDP client is available for most operating systems. – Zoredache Dec 04 '10 at 01:34
  • @Evan - I made no claims that VPN would prevent these methods of leak. VPN was suggested due to the data confidentiality and needing to be accessed over the public Internet. I actually wasn't sure if TS was end-to-end SSL. Thanks @Zoredache for filling me in on that. – Aaron Copley Dec 06 '10 at 19:01
2

It's the single use, non-distribution part that I cannot think of a decent way to implement. Once they're downloaded, they're downloaded. And nothing I can think of, can prevent someone from passing the document to someone who shouldn't have it along with the password to read it.

Adobe LiveCycle can enforce these sorts of policies. The rights management add-on is the one that will be doing this sort of lockdown. This stuff is expensive, as in "very nice house" expensive.

These documents need to be 1) accessible to only the interested parties, 2) the content of the documents protected somehow, 3) not able to be printed by the people that view it, 4) not able to be saved for re-distribution later.

Items 2 and 3 can be taken care of by document security inside the PDF, although that does not take into account folks pressing "print screen" when they have the PDF open. Items 1 and 4 will take extra DRM that cannot be addressed without spending lots more money. While it is possible to make add-ins/plug-ins that run inside Adobe Reader, they require a digital key from Adobe. The licensing (the digital cert to allow your add-in to run in Reader) for non-DRM based add-ins runs about $1k. The licensing for DRM based add-ins runs about $25k/year. Plug-ins must be written in a subset of C++ using the Adobe Acrobat SDK.

Tangurena
1

What about print screen or copy/paste? Even if you are able to restrict your document to single use, it can still be duplicated by means of print screen/copy+paste.

This is a tough situation and I am not sure if there is third-party software that exists for this purpose. What you need is to show your content as a plain image in an overlay, kind of like a video or 3D game. There are some 3D browser plugins available out there. Plus there is HD video that should be suitable for text. How about having the user download a small 3D application that can only be run once and self-deletes after you close it.

Take a look at this topic for some print screen prevention details https://stackoverflow.com/questions/448106/how-do-i-prevent-print-screen

Basically I don't think you can implement a single-use scenario with PDFs. Once information is on the screen it can be copied, even with a 3D overlay, but it's harder.

xsaero00
0

It's a bit of a problematic situation, as you've already found out. One thing I can think of is using public/private key encryption in order to restrict who can view the document. It won't stop copying and it won't enforce a one-time use, but it will stop unauthorised parties from reading the document.

I've never implemented this feature before (I've digitally signed PDF documents but not restricted access), but there's an official Adobe blog here that may be of some use. Of course, you're likely to have to use Acrobat Professional to accomplish this, but I think that might have been the case for you already, to do things like restrict printing.

Rafiq Maniar