From Drumlin Security Wiki

PDF files that are encrypted using the DrumlinPublisher software will have one of two selectable file formats and extensions: .drmz and .drmx. When a drmz or drmx file is created it is encrypted by the software (see below). This is a LOCAL operation, i.e. the source PDF file remains on the Windows device that the publisher is using. Only metadata relating to the file is exchanged with the Drumlin DRM server, including the source filename, a description of the file (defaulted to its file location on the user's device), the date/time the file was created and/or updated, the owner's unique ID, document status information, encryption details etc.

The DRM server assigns the encrypted file a unique DocumentID, which is stored in the DRM database and in the header block of the encrypted file. Javelin readers inspect the DocumentID in the header block of the file, not the filename itself, so any drmz or drmx file can be renamed (provided its file extension is kept) and will be unaffected by the change of name. For example, a file called "My special document.drmz" with DocumentID 123456 could be renamed to msd.drmz; the file would be unaffected and the DocumentID would remain as 123456.

Both DRMZ and DRMX file formats are of similar size to the source PDF. In each case the file format is a two-part structure: the source PDF is encrypted, and then wrapped in an 'envelope' that contains the encrypted PDF plus a separately encrypted header block that contains document-specific metadata that defines its identity and controls its usage.

DRMZ files

DRMZ files are the most widely used by publishers as these will be viewable on a cross-platform basis using Javelin PDF readers. The file format uses an encryption algorithm that enables secured files to be displayed rapidly on lower-power devices including a wide range of mobile phones and tablets. In addition, re-generation of the file from the same named source PDF will result in a file that can be issued to existing users without the need for renewed authorization, making it very convenient for some document types, including regularly updated PDF files.

A special form of DRMZ file can be generated using DrumlinPublisher that does not require separate online authorization. This format is referred to as a pre-authorized DRMZ file, and can be read by Javelin readers without requiring online authorization. However, because no DRM checks are in place, the files can be copied to, and opened by, anyone with a Javelin PDF reader. Protection is thus limited to date expiry, watermarking and print controls.

DRMX files

DRMX files are high-security encrypted files. The encryption process utilises the AES algorithm in a split key structure with large randomly generated keys. This provides very high security for the encrypted PDF files, but this has some drawbacks. First, the files can only be viewed on Desktop and Laptop devices (PC and Mac computers) owing to the high power required for fast viewing of these files; and second, the randomized split-key structure means that a file cannot be updated and sent to existing users without renaming the source PDF and issuing new authorization codes or licenses for the file generated. This is because the keys are random and split, so the files can only be authorized and viewed if the two parts of the random key match (the part within the drmx file and the part stored on the DRM server). Whilst this is not a problem, it does require care when distributing updated versions of files.
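The following is an added illustration, not Drumlin's code: a minimal model of why a randomized split key forces re-authorization when a file is regenerated. The page does not describe the real key format, so the XOR split, the 32-byte key size, the HMAC check value and all function and field names are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # assumed size; the page only says "large randomly generated keys"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def publish(source_name: str) -> tuple:
    """Model generating a protected file: returns (file_header, server_record)."""
    key = secrets.token_bytes(KEY_BYTES)        # fresh random content key
    file_part = secrets.token_bytes(KEY_BYTES)  # part carried inside the file
    server_part = xor(key, file_part)           # part held by the DRM server
    # Check value lets a reader tell whether two parts belong together
    # (hypothetical mechanism, stands in for a failed decryption).
    check = hmac.new(key, source_name.encode(), hashlib.sha256).hexdigest()
    header = {"source": source_name, "file_part": file_part, "check": check}
    record = {"source": source_name, "server_part": server_part}
    return header, record


def authorize(header: dict, record: dict) -> bool:
    """Recombine both parts and verify they yield the key the file was built with."""
    key = xor(header["file_part"], record["server_part"])
    expected = hmac.new(key, header["source"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header["check"])


def demo() -> dict:
    v1_header, v1_record = publish("manual.pdf")
    v2_header, v2_record = publish("manual.pdf")  # same source name, regenerated
    return {
        "v1_file_with_v1_record": authorize(v1_header, v1_record),
        "v2_file_with_v1_record": authorize(v2_header, v1_record),  # stale record
        "v2_file_with_v2_record": authorize(v2_header, v2_record),
    }


if __name__ == "__main__":
    print(demo())
```

The regenerated file only opens against the server record created with it, which is the behaviour the paragraph above describes for updated DRMX files.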

DRM Legacy format

DRM files are (were) generated using the legacy (now discontinued) Drumlin program. Drumlin was a Windows-only PDF reader and publisher, and required user registration. A special filetype called DRM could be generated with an associated embedded "userlist". This identified all registered users who were permitted to view the file, and as such did not require separate authorization because it checked the userID of the Drumlin installation when opening a secured document. This format (and some other earlier formats relating to the old Drumlin program) is no longer supported for new users.