I have requirement to show the pdfs to the users via asp.net application. These pdfs are password protected using iTextSharp. The password is known within the application but not to the users. Lets say password is saved in a table for each file. I want to display the pdf to users without asking for the password from them or letting them to know the pdf. Is there anyway to do this?
UPDATE
My requirement is to protect those pdf files from others who has access to the destination folder (where pdfs are uploaded) by putting password protection.
If you want to give people access to these PDFs you either need to give the users the password or remove the password. That's the only two options. The last option can be implemented in several ways, however. For instance, you could JPG the PDFs which would obviously remove the password. You could also apply a NULL userPassword which would allow people to open but not edit the PDFs. Both of these things you could do on the fly and serve a dynamic PDF if needed.
If I'm not understanding you correctly explain a little more and we'll try to help you.
With the PDF format, there are two types of password: user and owner password.
You can use a tool like PDFTK to rebuild your PDF using only an owner password and disallowing any authoring operation.
Related
I have several PDF file stored in Salesforce, I need to send each PDF to each different external users (external users that don't have Salesforce access) in a secure way.
I see two ways:
Encrypt the PDF and send it encrypted to the user mail address, then send the password by SMS.
Allow the external users to access the PDF stored in Salesforce using a user-password but without having a Salesforce user.
Is there any solution for one of the two ways?
Thanks,
Jaime
Content Documents (the actual table name for what you see as Files / Chatter Files / Notes) might have an option for #2. The old school Documents and Attachments - unlikely.
You can password protect the links and / or make them expire after certain date. Read up https://help.salesforce.com/s/articleView?id=sf.content_delivery_create.htm&type=5
Here's ERD: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_erd_content.htm
Alternative could be the "sign" apps on AppExchange. Check Adobe Sign, Docusign (or whatever is the name). But I suspect they're just think integrations and docs are hosted in different cloud, your organisation might have security issues with that.
So, I have a few confidential PDF files that I need to open, but they are reading-protected (not sure if that's the term, I can't read them without the password). I don't know this password. Is there any way to either remove/bypass this password or are there any tools for brute-forcing it?
Is there a way to customise or change the message that gets displayed in the document open Password dialog box while trying to open a password protected PDF file.
Default message - "filename.pdf is protected. please enter a Document Open Password."
The message shown is completely up to the PDF viewer or processor in question.
In general you cannot prescribe it but you may create your own viewer showing the text you prefer.
PS: As the OP still hoped for a different answer (and asked essentially a duplicate question here):
The PDF specification in regard to opening password protected PDF files only rules:
If a user attempts to open an encrypted document that has a user password, the conforming reader shall first try to authenticate the encrypted document using the padding string defined in 7.6.3.3, "Encryption Key Algorithm" (default user password):
If this authentication attempt is successful, the conforming reader may open, decrypt and display the document on the screen.
If this authentication attempt fails, the application should prompt for a password. Correctly supplying either password (owner or user password) should enable the user to open the document, decrypt it, and display it on the screen.
(ISO 32000-1 section 7.6.3.1)
It does not present any mechanism to supply a message for prompting for the password.
Please note that the specification even makes prompting for a password merely a recommendation ("should", not "shall"). Completely in accord with the specification, therefore, other ways to retrieve a password might be tried instead, or such password protected documents might be ignored completely!
That been said specific PDF viewers might allow to provide a prompting message in a proprietary manner; after all the early signing mechanisms in Adobe Reader even allowed the PDF to provide appearances for successfully and for unsuccessfully verified signatures which made frauds possible! I doubt, though, that current versions of serious viewers allow providing password prompt messages even in a proprietary way.
I was looking at an app on blackberry app world to create pdf files and that app claims to be able to password protect the files. How does one password protect a file. Isn't the code to read the file available, thus the password will be useless if the program decides not to check the password?
In addition to the other answers (which focus on encryption of arbitrary files) here an answer focusing on encryption of PDFs which was the use case initially startling the OP:
The PDF standard (ISO 32000-1) describes in section 7.6 how PDFs shall be encrypted in a manner that keeps the file structure of a PDF while hiding the content. PDFs are built from numerous objects (numbers, strings, arrays, dictionaries, streams, references, ...) and the mechanism described by the specification essentially only encrypts strings and stream contents.
Just like in the generic case described e.g. by #Mark, these encrypted string and stream contents are merely a bunch of random-looking data and have to be decrypted before the PDF can be displayed, but the remaining objects are unencrypted allowing PDF viewers and editors to recognize the file as a PDF.
Furthermore the PDF specification allows for two basic encryption types, by
a user password which anyone has to enter who wants to use the PDF in any way, and
an owner password which only needs to be entered for a configurable set of uses of a PDF (e.g. printing or editing) but not for merely viewing it.
Encryption using the latter kind of password obviously can be circumvented: After all, if you can view the PDF, you can extract all the data and do essentially what you want with unless your software co-operates with the scheme and forbids you to. And, obviously, not all software does co-operate.
Essentially the owner password mechanism stores a value in the PDF derived from the password which is sufficient to decrypt the encrypted data but does not allow for easy calculation of the original password.
Assuming the app is competently written, the .pdf file is encrypted using the password to derive the encryption key -- that is, the file is not, properly speaking, a .pdf file until it gets decrypted. Before that, the file is merely a bunch of random-looking data, and the program does not know what the decryption key is until you enter the password.
If done correctly a password protected file will be encrypted with an algorithm that needs the original password to undo the encryption. The password is used to initialize the encryption/decryption process and is not stored in the file. If you give the wrong password the decryption will not work and there is no way for the program to know the correct decryption key (except doing a brute force attack).
i am currently trying to secure my Objective-c application with a password. What I want is a window(or similiar..) popping up whenever the application is launched. Only if the password is right shall the user be able to use the program.
How to encrypt the string properly? I don't want any user to be able to extract it from the content files. Even though the user should be able to change it once he "logged in".
Thanks in advance.
I am asking for a hint only :)
Whenever you want to store sensitive information such as passwords, use Keychain Services.
You can create an md5-hash of the password and store that in a file. If someone else opens this file and sees the hash, it almost impossible to reformat it back to the original password. Now when the user enters a password in your application, make an other md5 hash from that one, and compare if that hash is the same as you stored in the file.
man 3 md5 for creating md5 hashes on Mac with C code. I don't know any Objective-C wrapper for that, but it should be easy to create it yourself.
Hope it helps,
ief2
EDIT: Keychain Services is indeed the more "standard" solution