SEC: Switch to AES for encryption #1754

Closed
MartinThoma opened this issue Mar 28, 2023 · 2 comments · Fixed by #1938
Labels
nf-security Non-functional change: Security

Comments

@MartinThoma
Member

Currently, pypdf uses the security handler revision number 3 (R=3) and V=2. That means:

> "Algorithm 1: Encryption of data using the RC4 or AES algorithms"
> in 7.6.2, "General Encryption Algorithm," but permitting encryption key lengths
> greater than 40 bits.

RC4 is not secure (source). At the very least we should issue a big warning + document this behavior. By default, we should use secure encryption methods.

AES encryption is not implemented so far. Only decryption.

MartinThoma added the nf-security Non-functional change: Security label Mar 28, 2023
MartinThoma added a commit that referenced this issue Mar 28, 2023
@xilopaint
Contributor

> AES encryption is not implemented so far. Only decryption.

Does this mean pypdf can do AES decryption without external dependencies? If so, I thought even decryption would only be possible with PyCryptodome.

@MartinThoma
Member Author

> even decryption would only be possible with PyCryptodome

That is correct
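
Added example, not part of the thread and not pypdf code: a stdlib-only audit helper that reads the `/V`, `/R`, `/Length` and `/CFM` entries of a standard security handler's `/Encrypt` dictionary and reports whether the file relies on RC4 (the R=3, V=2 case described in the issue) or on AES. It goes beyond that one case by also covering V=1, V=4 and V=5 as defined in the PDF specification; the function names are hypothetical, the sample dictionaries are constructed, and it assumes the dictionary text has already been extracted from the file.

```python
import re

# Constructed sample /Encrypt dictionaries (not taken from real files).
RC4_R3 = b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>"
AES_V4 = (b"<< /Filter /Standard /V 4 /R 4 /Length 128 "
          b"/CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen >> >> "
          b"/StmF /StdCF /StrF /StdCF >>")
AES_V5 = (b"<< /Filter /Standard /V 5 /R 6 /Length 256 "
          b"/CF << /StdCF << /CFM /AESV3 >> >> /StmF /StdCF /StrF /StdCF >>")


def _int(d: bytes, key: bytes, default: int) -> int:
    """Return the integer value stored under /key, or default if absent."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
    return int(m.group(1)) if m else default


def classify(encrypt_dict: bytes) -> dict:
    """Map /V, /R, /Length and /CFM to the cipher the handler uses."""
    v = _int(encrypt_dict, b"V", 0)
    r = _int(encrypt_dict, b"R", 0)
    cipher, bits = "unknown", None
    if v == 1:
        # V=1: RC4 with a fixed 40-bit key.
        cipher, bits = "RC4", 40
    elif v == 2:
        # V=2: RC4, key length from /Length (the spec default is 40 bits).
        cipher, bits = "RC4", _int(encrypt_dict, b"Length", 40)
    elif v in (4, 5):
        # V=4/5: the cipher is chosen per crypt filter via /CFM.
        cfms = set(re.findall(rb"/CFM\s*/(\w+)", encrypt_dict))
        if b"V2" in cfms:          # any RC4 filter makes the file RC4-reliant
            cipher = "RC4"
        elif b"AESV3" in cfms:
            cipher, bits = "AES", 256
        elif b"AESV2" in cfms:
            cipher, bits = "AES", 128
    # Anything that is not positively identified as AES is flagged for review.
    return {"V": v, "R": r, "cipher": cipher, "key_bits": bits,
            "needs_review": cipher != "AES"}


if __name__ == "__main__":
    for name, d in [("RC4_R3", RC4_R3), ("AES_V4", AES_V4), ("AES_V5", AES_V5)]:
        print(name, classify(d))
```
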
