Q: Security of Documents (Answered, 5 out of 5 stars, 4 Comments)
Question  
Subject: Security of Documents
Category: Miscellaneous
Asked by: 4me2no-ga
List Price: $30.00
Posted: 17 Jun 2004 12:33 PDT
Expires: 17 Jul 2004 12:33 PDT
Question ID: 362583
I am required, by law, to give out confidential documents, such as
business financial statements and business plans, to prospective
investors/purchasers.
The standard non-disclosure, non-dissemination, non-copying agreements
are in place but I am concerned that the information will still find
its way into the public domain. I am considering delivering the
documents on CD and I am looking for suggestions and information on
what types of security are available using that method e.g. read only,
printing prohibited, time limit before the disc erases or any other
suggestions which you may have.
I know that all methods can be compromised but what I want to do is to
make copying and dissemination as difficult as possible and also to be
able to know when it has been attempted.
This is your mission should you ...etc.
Answer  
Subject: Re: Security of Documents
Answered By: larre-ga on 17 Jun 2004 14:17 PDT
Rated: 5 out of 5 stars
 
Thanks for asking.

CD-R means that a disc can only be -written- to once, however, the
disc may be played, and files copied, multiple times.

"CD-R discs can only be written to once. Recording is performed by a
laser which heats one of the disc layers to the melting point. This 
forms a pit that represents the digital bit being recorded. The
substrate becomes visible in the pit and effectively records the bit
in that the reflection pattern of the disc has now changed so the bit
can be detected on playback." [1] At the operating system level,
changing write permissions is a relatively simple way of defeating
this copy protection method.

Limited use can be somewhat effective, however, CDs may be copied
-before- use, to bypass that method entirely. Most digital document
management solutions today rely upon file encryption of one sort or
another.

I've gathered the following references to digital document security
procedures, methods, and products. All are appropriate for the type of
document distribution you describe.


IBM and Adobe Put a Padlock on Digital Documents
---------------------------------------------------------------------

"Combining IBM PC-based encryption with new Acrobat 6.0 capabilities
will help businesses maintain the authenticity, integrity and
confidentiality of documents in an increasingly paperless environment.
Leveraging the IBM security chip for personal computers, Adobe's
recently announced Acrobat 6.0 enables users of Adobe Portable
Document Format (PDF) files to add digital signatures and document
control using a cryptography system known as Public Key Infrastructure
(PKI). The IBM Embedded Security Subsystem uses a hardware-based
security chip and downloadable security software to take this PKI
capability to another level. This combination of software and hardware
provides some of the most secure protection available, authentication
that the document originated from the actual person who sent it, and
that the content of the document has not been altered, manipulated, or
shared inappropriately."

Carolina Newswire | 7-10-2003
http://carolinanewswire.com/news/News.cgi?database=topstories.db&command=viewone&id=167&op=t

Adobe Acrobat
-------------

"Using Adobe® Acrobat® 6.0 Professional or Adobe Acrobat 6.0 Standard
software, any organization can assign rights and implement controls
that keep electronic documents private and more secure. Both Adobe
Acrobat 6.0 Professional and Standard provide a fully customizable
security environment that enables you to:

-- Provide rights management capabilities to control access to a
   protected Adobe PDF document 
-- Ensure information security for regulatory compliance 
-- Maintain document control inside and outside the network, online 
   and offline 
-- Efficiently protect and distribute confidential information 
-- Assign shared passwords with embedded access permissions that 
   define precisely what a particular individual can and cannot do 
   with a document"

Adobe Acrobat Document Security
http://www.adobe.com/security/main.html

Adobe Acrobat Family
http://www.adobe.com/products/acrobat/main.html

Adobe also offers a free 30 day tryout of Acrobat Professional:
http://www.adobe.com/products/acrobatpro/tryout.html



An Up and Comer? MARX PDF Protection
---------------------------------------------------------------------

"MARX PDF Protection allows secure distribution of digital documents
in PDF format. It provides information rights management (IRM)
functionality as part of a DRM strategy to protect and have control
over digital information. Only the user who has the appropriate
CRYPTO-BOX can open, edit or print the PDF document. Multiple
authorization levels and implementation of an expiration date are
available. This provides real security compared to just a password
based solution - a password can be known by many persons or may have
been already compromised.

Documents are protected with 128 bit encryption (compatible with Adobe
Acrobat 5/6); the encryption key is stored safely inside the
CRYPTO-BOX."

Marx CRYPTO-BOX - Information Rights Management
http://www.marx.com/products/digital_publishing/index.php

Marx CRYPTO-BOX Evaluation Kit
http://www.marx.com/order/index.php



StarForce CD-R
---------------------------------------------------------------------

"StarForce CD-R 3.0 is a powerful multi-level CD-R copy protection
system designed for developers and publishers who wish to protect
their applications and files against professional piracy."

StarForce Software Protection Solutions
http://www.star-force.com/index.phtml?category=66&type=5

A StarForce White Paper explains implementation
http://www.star-force.com/solutions/papers/WPaper_CDR3.0_eng.pdf



Encryptx Shared Data Solutions
---------------------------------------------------------------------

"SecurDataStor protects information whether it's stored or shared.
Enclosing sensitive data in an "intelligent security wrapper,"
encryptX defines detailed access rights and determines how the
information can be used by recipients."

Encryptx File Encryption and File Sharing (SecurDataStor)
http://www.encryptx.com/products/securdatastor.asp

Encryptx "SecurMedia is ideal for sharing or storing all types of
sensitive information in encrypted form and assigning detailed
permission rights: You decide who is allowed to read, copy, write or
share the sensitive documents you have encrypted on CD/DVD, or other
storage media."

Secure File Sharing
http://www.encryptx.com/products/SecurMedia.asp


"Double layer" protection is also a possibility. Adobe .pdf secured
documents can be again encrypted by the other methods described. The
solution that's right for your situation depends upon the degree/cost
of harm if your confidential information is misused.


Search Strategy | Google Search Terms
---------------------------------------------------------------------

"digital documents" security
CD ROM security OR "file protection"


I hope you find this information helpful. Should you have questions
about the material or links provided, please, feel free to ask.

---larre


References
---------------------------------------------------------------------

[1] Compact Disc Recordable CKnow
    http://www.cknow.com/ckinfo/acro_c/cdr_1.shtml
4me2no-ga rated this answer: 5 out of 5 stars
Speedy response. I'll check these out. Thanks.
... and thanks to rajjesh for the comment

Comments  
Subject: Re: Security of Documents
From: rajjesh-ga on 17 Jun 2004 22:15 PDT
 
I had mentioned this before, and I guess it would work here too :)

If you could convert your file into an HTML, and protect the same
through TimeHASP (Hardware Lock), your problem would be solved :)

The vendor gives you a browser, and the encrypted HTML would
de-encrypt in the browser and only if the Hardware lock is present.

You could specify the time, after which the application and the data
becomes useless :)
Subject: Re: Security of Documents
From: summer95-ga on 20 Jun 2004 21:59 PDT
 
A couple of years ago I met with someone who was working on a
self-destructing CD. I'm not sure how far this project has gotten.
Basically, the CD is in an airtight liner with some sort of inert gas.
Once the liner has been opened and the CD removed, the normal
atmosphere begins to degrade the CD. After about 48-72 hours the CD
cannot be read. This used in conjunction with some of the other
encryption technologies might be a solution.
Subject: Re: Security of Documents
From: linkdatasecurity-ga on 11 Aug 2004 00:57 PDT
 
The answer misses a reference to our PDF-Cops product, that is being
used by major companies. Encrypted PDF files can be tied to original
CD-R/CD-ROM/DVD-ROM or machine locked via the web.

Please see: http://www.linkdata.com/pdfcops.htm
Subject: Re: Security of Documents
From: wwg-ga on 12 Aug 2004 08:53 PDT
 
Your concern is somewhat unclear. Are you interested in a 'reasonable
person' standard of confidentiality under current circumstances? Or
are you interested in best practical security currently available,
regardless of what some court at some later time might determine to
have been 'reasonable' and 'acceptable'? These are two very different
perspectives.

In the first case, any of the 'solutions' noted by other responders
might be adequate for your purposes. I'm familiar with none of them in
detail, and such familiarity is _required_ to make any sort of
evaluation, including a 'reasonable person' due diligence evaluation.

In the second case, you will probably have less prospective court mind
reading to do, but rather more actual cryptographic evaluation. I can
suggest a couple of places to start. I provided a comment to a
question here about 128-bit encryption not too long ago and it's a
reasonable starting place. (Search for a question including
'128-bit'). And the article Snake Oil (cryptography) at the Wikipedia
(www.wikipedia.org) has some pointers to telltales of bogus crypto (of
which there is much). Further, the article PGP describes an excellent
crypto system (if installed, configured, and used properly) and there
is a very thought provoking external link on practical attacks against
PGP. Please note that PGP is about as good as you can get as
cryptosystems go, and essentially all of the attacks discussed will
apply at least as well to every other crypto system you will likely
encounter.

This is a subject for which there are NO short answers, which is most
likely quite annoying. Anyone supplying them can be (and almost
certainly should be) regarded with considerable suspicion. There are
no off the shelf solutions which require only installation and use to
achieve a satisfactory result. Bruce Schneier's web site includes his
Crypto-Gram, a monthly review of issues relevant to crypto, and various
other essays and commentary he's written. His 'Why Crypto is Hard'
essay should be read carefully. His 'Secrets and Lies' is also useful.
Another reliable author in the field (there are many of the opposite
sort) is R J Anderson, a Professor at Cambridge. His book, 'Security
Engineering', is worth looking through, as is his web site. He is a
vivid and entertaining writer -- quite rare in a mathematical and
abstract subject area.

Best wishes.
