When people think of PDF Security they are often referring to the password security facility available in Adobe Acrobat and other third party PDF Writers.
Using these applications you can apply two different types of password security to a PDF file.
1) The first is a document open password, which controls who has access to a PDF (who can open the document). This is also known as a user password, as users must type in the password you specify to open the PDF.
Evidently the downside of using a document open password is that once you have given the document and password to one person they can then give this to others. It is therefore not a very secure approach, especially if confidentiality of a document is required.
2) The second is a permissions password which is used to prevent users from changing or removing the controls placed on a document. These generally cover copying and editing text, and printing a PDF.
Unfortunately, there are many freely available and purchasable password cracking tools on the web that can remove these passwords in seconds – see http://www.elcomsoft.co.uk/apdfpr.html as an example who quote on their web site “Get access to password-protected PDF files quickly and efficiently! Instantly unlock restricted PDF documents by removing printing, editing and copying restrictions! Advanced PDF Password Recovery recovers or instantly removes passwords protecting or locking PDF documents created with all versions of Adobe Acrobat or any other PDF application.”.
What these applications do not is enable you to set a PDF expiry date, apply dynamic watermarks, revoke access, or prevent screen grabbing.
Some of this functionality however is provided with Adobe Content Server for a large initial and pay per transaction fees. However the Adobe Digital Editions app required to view the protected content has been comprehensively cracked. Adobe Livecycle ES4 extends the security functionality and price! with the use of online/offline use, document tracking, dynamic watermarks, and document revocation. You can encrypt a PDF document with either a password or a certificate, but if you use the stronger certificate approach then you must know BEFORE you protect the document who you want to send it to. Evidently this would not work in a situation where you were selling say PDF reports or ebooks from your web site.
PKI (Public Key Technology) & Digital Signatures
Adobe also supports the use of digital signatures. These were invented as a method of being able to ‘identify’ someone online and prevent falsifications. But they have several problems. People could generate their own ‘identities’ unless you made them buy their ‘digital identity’ or signature from a ‘Trusted Third Party’ (TTP) who likes to charge them every year for the privilege, as well as making them jump through hoops to prove who they are. So the TTP ones are pricey, painful and not very useful, and the self-generated ones prove nothing. Worse, users can give the signature away to anyone they like because there is no penalty for doing that, and no cost.
So whilst passwords have major security weaknesses, so does PKI.
If you are looking for a secure alternative to PDF Security, then check out companies such as LockLizard who use public key technology and secure transparent key exchange to ensure your documents remain protected no matter where they reside.