Categories: Document

Document Protection

Intellectual property comes in all shapes and sizes. Software is just one of them. If you want to protect your software, Protection Suite is the ideal choice: You encrypt the executable file, and it can only be run with the right license. The decryption mechanism is integrated into the file itself, and the decryption is started automatically. But what if your intellectual property is not a software application, but a digital document? Unlike with software applications, you cannot simply add the decryption mechanism to the file, because the document file is not executed itself, but opened by another application.

There are four basic scenarios for protecting documents:

  1. The documents take the form of PDF files that are displayed with a PDF viewer.
  2. The documents are opened and saved with one of your own applications or the application of one of your partners.
  3. The documents come in a standard format and are opened and saved with a standard application.
  4. The documents come in a different standard format and can only be viewed with a standard document viewer application.

Protecting PDF files

One typical case of PDF files that need to be protected are handbooks, technical manuals, guidelines, or service instructions. Service documents in particular often contain very sensitive technical details. Their authors might not want them to get in the hands of competitors, unauthorized service personnel, or even media outlets. Since the PDF file type as such has become a global standard, passing on the files themselves is extremely easy.

Adobe already offers a password-based solution for encrypting PDF files. It allows special settings to prevent e.g. printing, copying, or changing the files. This standard solution, however, has three major drawbacks:

  • Passwords are often too short and weak, allowing a straightforward dictionary attack.
  • The user of the file needs to know the password, and might disclose it to others.
  • Nothing stops screenshot applications from capturing the data.

This is where SmartShelter|PDF comes in. SmartShelter|PDF is an official Adobe-certified plugin for Adobe Acrobat and Adobe Acrobat Reader. It starts where the standard protections stop: The password for the document is created automatically under the hood, away from the eyes of the user. It will will be strong and no unwitting or dishonest user could share it with others. The password is created with a CodeMeter license entry.

With CodeMeter, you as the publisher decide whether the license is to be stored on secure hardware, the CmDongle, or in a computer-bound license file, a CmActLicense. The document could only be opened by users who possess the license on the CmDongle or in the CmActLicense file. SmartShelter|PDF includes an author plugin and a reader plugin. The Author plugin creates the password with a master dongle, the Firm Security Box, which you also use to create the users’ licenses. The reader plugin creates the password with the assigned license on the CmDongle or in the CmActLicense and passes it on to Acrobat Reader without the user’s knowledge. As long as the user has a valid license, he or she can open the file and use it to the extent allowed by your chosen settings.

SmartShelter|PDF uses another Protection Suite technology to identify disallowed applications. It immediately closes protected documents when it notices that a screenshot application is running.

With CodeMeter as licensing system, all CodeMeter licensing options can be used, including time-bound licenses or licenses with a usage counter.

Proprietary documents

Your documents might come in a proprietary format, like settings files, construction blueprints, design patterns, or audio and video files. Your reasons for protecting them might be just as diverse. Common use cases include:

  • Your software needs custom settings that you adjust specifically for each user. Different users should not be able to share these settings.
  • You sell documents as an additional revenue source on top of your software. These should only be used by the people who actually bought them.
  • Your software produces certain types of data, like live recordings of concerts. This has to work anytime and anywhere. Artists like Peter Gabriel will not sit and wait backstage, because you have to go and get your license. However, back in the studio, the resulting recording should only be readable and editable with the right license. Or more generally: A license is needed to open the document.
  • Your software processes data, e.g. by cutting sheet metal based on a specific design pattern. Your software should only process data coming from somebody with the right entitlements, be it for financial reasons or for reasons of liability. Again put more generally: A license is needed to save the document.

These use cases can be combined as preferred with the legitimate protection needs of your partners. For instance, a partner should also have the right to produce documents that your software can open.

CodeMeter can handle all four use cases and their many combinations. With the CodeMeter Core API, you have a powerful API for encrypting, decrypting, and signing data. The toolkit is versatile enough to cover all of the above scenarios.

Individual settings can be encrypted with a unique key that is created for each client. Protected in this manner, the data cannot simply be shared anymore.

Companies in the business of selling documents can use the same concept that is used to sell software features on demand. Each individual package is given its own product code for encryption, which is accomplished either by AxProtector or by another custom tool. Just like software features, the licenses are activated in CodeMeter License Central. Again, all license options are available.

When it comes to managing the rights for saving or opening files, CodeMeter Core API offers asymmetric methods. Data can be signed with a private key that requires a valid license, and the data can only be read if the signature is present and correct. In this scenario, the author of the file needs to have a license. In asymmetric encryption, the data is encrypted with a public key and can only be opened again with the right license and the right private key. Now, it is the user that needs to have a license to open the document.

Our Professional Services Team is available to help you choose the optimum concept for your specific use case and to assist you, if you wish, with implementing your chosen solution.

Standard documents

When you are working with your own type of document, you can integrate cryptographic capabilities in your software. But what happens if you are using standard files that a user can access with a run-of-the-mill viewer or other standard application? In these cases, SmartShelter|SDL is the solution. SDL stands for Secure Data Layer. SmartShelter|SDL slips a layer of insulation between the operating system and the application handling the protected document.

SmartShelter|SDL can configure which operations are allowed and which are prohibited. This is easily done for viewer applications. Encrypted documents can be decrypted if the right license is available. Unencrypted documents can be loaded into the application, but saving is prohibited. It gets more complex if the application in question should also be able to save data. You can define whether saving is allowed at all and whether saved files have to be encrypted or can be unencrypted. This is where it gets challenging: Let’s imagine a user opening a protected document. He then creates a new document in the same application. SmartShelter|SDL cannot recognize whether the new document is a copy of the protected file (which can only be saved in encrypted form) or a completely different file that should stay unencrypted. This is why using SmartShelter|PDF in a write mode is technically possible, but limited to very specific use cases. By contrast, a read-only mode in a viewer application is always and easily enforceable.


Protecting documents is a far more complex task than protecting software applications, because the question always comes down to the specific application that is using the documents. CodeMeter can shield PDF files from prying eyes in a simple, safe, and fully conformant manner. It is also easy to protect other standard document types with a read-only mode in a viewer application. Whether write modes are possible often depends on the specific procedures and use cases in question. If you are using proprietary formats with proprietary software, CodeMeter gives you a powerful API to cover all use cases imaginable: Licenses for opening files only, licenses for saving files, or licenses for any type of access. The level of flexibility offered by CodeMeter is without rival.


KEYnote 33 – Edition Spring 2017

To top