Encryption Management Server PDF Email Protection uses an insecure cipher

Article ID: 158257

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

Encryption Management Server PDF Email Protection uses the insecure 128-bit RC4 encryption cipher by default in releases prior to 3.4.2 MP1.  This can be changed to use 128-bit AES or 256-bit AES. However, AES encryption is not compatible with some older PDF document viewers.

The compatibility of some well-known PDF viewers with the different encryption ciphers is listed below:

Cipher: Compatible PDF Viewers

  • 128-bit RC4: Preview (default viewer on OS X 10.5 and above); Evince (default viewer on Linux Gnome); Adobe Acrobat 7 and above.
  • 128-bit AES: Adobe Acrobat 7 and above.
  • 256-bit AES: Adobe Acrobat 9 and above.

Environment

Symantec Encryption Management Server 3.3 and above.

Resolution

Note that in Encryption Management Server 3.4.2 MP1 and above, the default PDF cipher was changed to AES-128.

Accessing the Encryption Management Server command line for read-only purposes (such as to view settings, services, logs, processes, disk space, query the database, etc.) is supported. However, performing configuration modifications or customizations via the command line may void your Symantec Support agreement unless the following procedures are followed.

Any changes made to the Encryption Management Server via the command line must be:

  • Authorized in writing by Symantec Support.
  • Implemented by a Symantec Partner, reseller or Symantec Technical Support.
  • Summarized and documented in a text file in /var/lib/ovid/customization on the Encryption Management Server itself.

Changes made through the command line may not persist through reboots and may be incompatible with future releases. Symantec Technical Support may also require reverting any custom configurations on the Encryption Management Server back to a default state when troubleshooting new issues.

To change the cipher used by PDF Email Protection, SSH to the Encryption Management Server bash shell and edit the /etc/ovid/prefs.xml file to change the pdf-cipher entry as follows:

  • RC4-128: <pdf-cipher>arc4</pdf-cipher>
  • AES-128: <pdf-cipher>aes</pdf-cipher>
  • AES-256: <pdf-cipher>aes256</pdf-cipher>

After saving the change, apply it by choosing System / Restart Services in the admin interface, or by entering the following at the command prompt:

pgpsysconf --restart pgpuniversal
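
A read-only way to confirm which cipher is configured, before or after the change, as an added example that is not Symantec's code. The function names and the sample file are constructed for illustration, and treating a missing pdf-cipher entry as "release default applies" is an assumption.

```shell
#!/bin/sh
# Added example: read-only check of the PDF Email Protection cipher setting.
# Only the <pdf-cipher> element and its values (arc4, aes, aes256) come from
# the article; function names and the sample file are constructed.

# Print the value of the first <pdf-cipher> element found in file $1.
get_pdf_cipher() {
    sed -n 's#.*<pdf-cipher>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</pdf-cipher>.*#\1#p' "$1" | head -n 1
}

# Classify the configured cipher in file $1.
# Exit status: 0 = AES, 1 = RC4, 2 = unset or unrecognized, 3 = unreadable.
classify_pdf_cipher() {
    prefs=$1
    if [ ! -r "$prefs" ]; then
        echo "unreadable: $prefs"
        return 3
    fi
    value=$(get_pdf_cipher "$prefs")
    case "$value" in
        arc4)   echo "weak: RC4-128 (arc4)";  return 1 ;;
        aes)    echo "ok: AES-128 (aes)";     return 0 ;;
        aes256) echo "ok: AES-256 (aes256)";  return 0 ;;
        # Assumption: with no entry the release default applies
        # (RC4-128 before 3.4.2 MP1, AES-128 from 3.4.2 MP1).
        "")     echo "unset: release default applies"; return 2 ;;
        *)      echo "unknown: $value";       return 2 ;;
    esac
}

# Check the file given as the first argument (for example /etc/ovid/prefs.xml);
# with no argument, run against a constructed sample.
if [ "$#" -gt 0 ]; then
    classify_pdf_cipher "$1" || true
else
    sample=$(mktemp)
    # Constructed sample: the wrapper element is not the real file layout.
    printf '<sample-root>\n  <pdf-cipher>arc4</pdf-cipher>\n</sample-root>\n' > "$sample"
    classify_pdf_cipher "$sample" || true
    rm -f "$sample"
fi
```
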