More secure protection of files

pma111
I am aware Word's password protection is pretty lame and can be easily circumvented?

How do Adobe PDF's password protection options compare?

If both are weak, is there an alternative FREE way to perhaps protect these files before sending them off via email, perhaps utilities built within compression tools?

I need some solution whereby the recipient of the email which contains an attachment of either PDF or docx/xlsx doesn't need to install any special software to open and gain access to it, above and beyond the password.

I am also aware that zip files may cause issues with mail filters - which may cause an issue?
Dave Howe
Software and Hardware Engineer

Commented:
Word documents past Office 97 or so are certainly not insecure - there is a big fuss over Rainbow Tables as though they were a magic bullet, but all they really are is a precalculated brute force table; by looking up the output of the brute force in a table (instead of trying each key in turn) you can rapidly get the key *provided it is in the table* - therefore, the key to secure Word documents is to pick a key that isn't in the available rainbow tables (which in practice means 10 characters or more, and not made up of dictionary words) - PDF and many other encryption types are also subject to the same limitation.

For mail filters, password protected zipfiles are often blocked on sight - too many viruses have used this as a vector in the past. To a certain extent, office documents (which could contain macros) and pdf documents (which could contain scripts) are subject to scrutiny and may be blocked if they are encrypted, but less often than zipfiles are.

Author

Commented:
From a novice point of view, what changed post Office 97, and what algorithm is used for both Word and PDF? Does there exist anywhere a site or list that lists all common encryption tools and features within software and what hashing algorithm they use? I searched a while back but nothing really showed up.

In a nutshell are we saying the passwords for docx and PDF if the user picks a strong password are good enough, and no 3rd party tool is required to add more protection to them? I was just going on hearsay that WinZip has a stronger algorithm than Office for passwords but maybe that is a myth...

Cheers
Software and Hardware Engineer
Commented:
PDF crypto varies, but provided you are 1.5 or above, the native crypto is multiple rounds of RC4 so is fine for anything but military use.  There is no "good" attack known on this code other than brute force.

Post 97, Microsoft went for a modified (but single round of) RC4. Hongjun Wu found some serious flaws in how MS had implemented RC4 in 2005, but that relates only to multiple revisions of the same document (but is worth bearing in mind). Essentially, if you have a document encrypted that contains xxxxx and then later edit it to contain yyyyy - without changing the password or disabling then re-enabling the encryption - then the same key is used for both versions. As RC4 is a stream cypher, calculating the XOR of the encrypted versions is the same as calculating the XOR of the two plaintext versions - so you have effectively a demonstration of changes between the two documents (as identical sections will XOR to bytes of 0).

Not sure there is a single site for much of this info - knowing you are using RC4 for both though and googling for that term plus the format (Word or PDF) should give you plenty of hits. Note that prior to 1.5, PDF used 40 bit RC4 (still really hard to break, but within the capabilities of a dedicated FPGA based cracking computer costing around ten thousand dollars or so; probably cheaper for dedicated hardware, but you would then need your own fab plant like the NSA have).

PDF can also support plugins (and will pull the decryption tools into the reader client when needed as an on-demand download) which have varying levels of crypto. Some are clear snakeoil, some are significantly better than most native products (AES@256 or better) but none are cheap.

WinZip has a *significantly* better algo than Word or PDF - it uses AES@256 bit (as does the free package from www.7-zip.org) but Windows cannot unprotect such zipfiles, so your recipient would also require a copy of WinZip (and have to have a virus filter willing to accept password protected zipfiles) - 7z native is less offensive to filters (while still requiring custom software, albeit free) and WinRar's algo, while a hybrid, is around 168 bits - more than good enough, when you consider anything at 128 bit should remain infeasible to crack other than via guessing the password for our expected lifetimes at least.

So yes - there are better packages out there than word, by an order of magnitude or so - but in almost all cases, unless you think the NSA or another attacker is willing to devote a few months runtime on a machine that costs a million dollars a pop to cracking *your* messages, you are going to be safe enough :)
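The keystream reuse described in the comment above, worked through as an added example that is not part of the original thread. It uses textbook RC4 with constructed sample texts and keys; Office's actual key derivation is not modelled, and the names `changed_ranges`, `V1`, `V2` and `KEY` are illustrative.

```python
# Added illustration: plain textbook RC4, not Office's actual key derivation.

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt data with RC4 (the same operation both ways)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def changed_ranges(c1: bytes, c2: bytes) -> list[tuple[int, int]]:
    """Byte ranges [start, end) where two ciphertexts differ."""
    ranges, start = [], None
    for pos, d in enumerate(xor(c1, c2)):
        if d and start is None:
            start = pos
        elif not d and start is not None:
            ranges.append((start, pos))
            start = None
    if start is not None:
        ranges.append((start, min(len(c1), len(c2))))
    return ranges

# Constructed sample: two revisions of one document, same length.
V1 = b"Offer: 15000 GBP, valid until 1 March."
V2 = b"Offer: 27500 GBP, valid until 1 March."
KEY = b"constructed-demo-key"

C1, C2 = rc4(KEY, V1), rc4(KEY, V2)           # same key for both saves
C2_FRESH = rc4(b"different-demo-key", V2)     # key changed between saves

if __name__ == "__main__":
    print(xor(C1, C2) == xor(V1, V2))         # keystream cancels out
    print(changed_ranges(C1, C2))             # only the edited bytes stand out
    print(xor(C1, C2_FRESH) == xor(V1, V2))   # fresh key: relation is gone
```

With the key changed between saves, the ciphertext XOR no longer equals the plaintext XOR, which is why changing the password or re-enabling encryption between revisions removes the leak.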
