Chapter 3. PDF Security

A PDF file can be encrypted to prevent access by unauthorized users. When a PDF file is encrypted, all string and stream objects are encrypted with a symmetric-key algorithm, either RC4 or AES. Encryption was introduced in PDF 1.2 with 40-bit RC4; by PDF 1.6 the format supports 40-bit RC4, 128-bit RC4 and 128-bit AES. The combination of cipher and key length is referred to as the Encryption Level. Symmetric-key encryption uses the same key to encrypt and decrypt the data; that key is often called the File Key or Master Key. Note that a 40-bit key is short enough to be recovered by exhaustive search and RC4 itself is no longer considered a secure cipher, so prefer AES-128 unless compatibility with old viewers forces a lower level.

The file key can be made available to a user in several ways; each such method is called a Security Handler. Two security handlers are defined in the PDF standard: password security and public key security (also called certificate security). Proprietary security handlers also exist, such as Adobe Policy Server security, which requires a live proprietary server to be reachable when the document is opened. For obvious reasons, PDFLeo does not support those proprietary handlers.

The PDF standard also defines access permissions, with which a document author can specify what users holding certain credentials may do once encryption is applied. Unfortunately, permissions are not enforced at the cryptographic level: they are stored as a flag value in the encryption dictionary, and once a PDF is decrypted the program has access to every document object. It is up to the client program to honor the permissions.

The available permission settings vary by PDF version. The complete list can be found in Section 3.3.2, “Permissions”.

The document's metadata stream can optionally be left as clear text so that other software (such as a search engine) can read it without credentials. Clear-text metadata is available from PDF version 1.5 and requires a 128-bit encryption level (RC4-128 or AES-128). Bear in mind that whatever the metadata stream contains (title, author, keywords and so on) is then readable by anyone who holds the file, credentials or not.

3.1. Compatibility Levels

The encryption settings you select may affect the PDF version. As indicated previously, pdfleo automatically raises the PDF version of the output file when a selected feature requires it.

Occasionally a user may want to cap the PDF version to ensure that the result is compatible with existing software. To do so, the user needs to know which encryption settings are supported at that PDF version. This manual groups the encryption settings into Compatibility Levels.

A higher PDF version can use a lower compatibility level. For example, a PDF file marked version 1.6 can be encrypted with 40-bit RC4 (which requires only 1.2). Under those settings, however, the metadata stream cannot be marked as clear text; for that, 128-bit RC4 or AES-128 must be used.

To select encryption options for a specified PDF version, first determine the highest compatibility level available at that version. For example, suppose the resulting PDF should have a version no higher than 1.5 (Acrobat 6.0). From the list below, 128-bit AES cannot be selected, but 128-bit RC4 (with or without clear-text metadata) and 40-bit RC4 (with metadata always encrypted) are candidates.

  • Acrobat 3.0 (PDF version 1.2). Encryption level is 40-bit RC4. Metadata is always encrypted.

  • Acrobat 5.0 (PDF version 1.4). 128-bit RC4. Metadata is always encrypted.

  • Acrobat 6.0 (PDF version 1.5). 128-bit RC4. Metadata can be marked as clear text.

  • Acrobat 7.0 (PDF version 1.6). 128-bit AES. Metadata can be marked as clear text.

Warning

PDFLeo does not currently support the AES-256 encryption settings introduced in PDF 1.7 Adobe Extension Level 3 / Acrobat 9 (and later standardized, in revised form, in PDF 2.0, ISO 32000-2).

3.2. Security Handlers

3.2.1. Password Security

Password security features two passwords: the user password, which is given to the viewers of the document, and the owner password, which is reserved by the author. In theory, without the owner password a user can only perform the operations allowed by the author, such as printing or extracting pages, while the author, who retains the owner password, has full access to the document. However, as pointed out previously, permissions are enforced only by the application, not cryptographically. Anyone who holds the user password can save the document in unencrypted form. Some authors set the user password to blank and distribute documents expecting that anybody can view them but nobody can modify them. That expectation is wrong: with a blank user password every reader can derive the file key, so the permission flags are the only thing between a user and full access, and any tool that ignores those flags removes the restriction.

3.2.2. Public Key Security

Password security restricts the encryption key to authorized users, but those users must learn the password before they can view the document, and it is often difficult to hand over a password securely. Public key security solves this neatly: each authorized user gives a certificate to the author, and the file key is encrypted to the public key in that certificate. The certificate can be passed over an unsecured channel because decryption requires the corresponding private key, which is never transferred. The channel still needs integrity rather than secrecy: the author must confirm that each certificate really belongs to the intended recipient, since an attacker who substituted their own certificate in transit would receive a copy of the file key.

The two security handlers are mutually exclusive. If public key security is chosen, the document can't be encrypted with a password, and vice versa.

As with password security, the author can set permissions for each user, referred to as a recipient. Multiple recipients can share the same permissions; such a group is called a recipient set, and a PDF document can have several recipient sets with different permissions. As with password security, the permissions are enforced only by the application.

3.3. Specifying Encryption Settings

PDFLeo supports two types of security handlers: password security and public key security. Both share common encryption settings, such as the encryption level, the key length and whether the metadata is encrypted. The common settings are specified through the --encrypt switch. After that, you use --password-security to specify the parameters for password security, or --pubkey-recipient (Section 3.3.4) to specify the parameters for public key security.

3.3.1. Common Settings

Common settings are specified through --encrypt switch. The value of this option has four fields, divided by semicolon:

  1. The first field is one of three modes indicating what the encryption settings are based on: preserve, copy, or discard.

    preserve

    This is the default when no --encrypt switch is present. The output PDF preserves all encryption settings, including passwords, permissions and recipient sets. If the original PDF file is not encrypted, the output is not encrypted either. In this mode, neither --password-security nor --pubkey-recipient is allowed. The switch works as long as you have the credentials to open the input file.

    discard

    The output PDF uses the encryption settings specified on the command line, without inheriting anything from the source file. Normally discard is followed by the encryption level, key length and metadata flag. If the mode is given on its own, with no trailing semicolon and no further fields, the resulting PDF has no encryption at all (see Section 3.5).

    copy

    The encryption settings are copied from the source document and then modified by the options specified on the command line. The attributes copied include the encryption level, key length and permissions. This mode only establishes the baseline for the encryption settings; when the encryption attributes are to be carried over unchanged, use preserve instead.

  2. Encryption Level: one of RC4, RC4-128 or AES-128. The level constrains the key length field that follows, since some levels have a fixed key length.

  3. Key Length. For the RC4-128 encryption level, a key length between 40 and 128 bits can be specified here; it must be a multiple of 8. For the other encryption levels this field is ignored: RC4 is fixed at 40 bits and AES-128 at 128 bits.

  4. The word yes or no, indicating whether the metadata stream should be kept as clear text. This setting is available only when the encryption level is RC4-128 or AES-128. The default value is yes.

Note

The difference between copy and discard is the baseline for the encryption settings. If copy is specified, the following settings are copied from the source PDF: encryption level, key length, clear-text metadata flag and permissions. If discard is specified, the default baseline is used: AES-128, clear-text metadata, and full access permissions. Subsequent parameters modify those settings. If the source is not encrypted, the two modes produce the same result.
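The following Python model of the --encrypt value is an added illustration, not PDFLeo code: it encodes the rules stated in this section and in Sections 3.1 and 3.5 (mode, level, key length constraints, clear-text metadata only at 128 bits, and the bare discard that strips encryption) so that a command line can be checked before pdfleo is run. The names EncryptionSettings, parse_encrypt and validate are invented here, and the treatment of an explicit metadata=yes with 40-bit RC4 as an error is an assumption, since the manual only says the setting is unavailable there.

```python
"""Model of the --encrypt switch rules documented in section 3.3.1 (added
illustration; not pdfleo's own code, all names invented here)."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

MODES = ("preserve", "copy", "discard")
LEVELS = ("RC4", "RC4-128", "AES-128")


@dataclass
class EncryptionSettings:
    encrypted: bool = True
    level: str = "AES-128"      # documented discard baseline: AES-128,
    key_length: int = 128       # 128 bits, clear-text metadata
    clear_metadata: bool = True

    def min_pdf_version(self) -> Optional[str]:
        """Lowest PDF version that can carry these settings (section 3.1)."""
        if not self.encrypted:
            return None
        if self.level == "RC4":
            return "1.2"
        if self.level == "AES-128":
            return "1.6"
        return "1.5" if self.clear_metadata else "1.4"


def parse_encrypt(value: Optional[str],
                  source: Optional[EncryptionSettings] = None
                  ) -> Tuple[str, EncryptionSettings]:
    """Return (mode, resulting settings).

    `value` is the text after --encrypt= (None when the switch is absent, which
    the manual says means preserve). `source` describes the input file's
    encryption, or is None when the input is not encrypted.
    """
    fields = (value if value is not None else "preserve").split(";")
    mode = fields[0]
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; expected one of {MODES}")
    if mode == "preserve":
        if len(fields) > 1:
            raise ValueError("preserve accepts no further fields")
        kept = replace(source) if source else EncryptionSettings(encrypted=False)
        return mode, kept
    if mode == "discard" and len(fields) == 1:
        # Bare "discard" with no trailing semicolon strips encryption (section 3.5).
        return mode, EncryptionSettings(encrypted=False)
    if len(fields) > 4:
        raise ValueError("--encrypt takes at most four semicolon-separated fields")

    # Baseline: the source's settings under copy (if the source is encrypted),
    # otherwise the discard defaults. Command-line fields then override it.
    if mode == "copy" and source is not None and source.encrypted:
        s = replace(source)
    else:
        s = EncryptionSettings()
    level, key_len, meta = (fields[1:] + ["", "", ""])[:3]

    if level:
        if level not in LEVELS:
            raise ValueError(f"unknown encryption level {level!r}")
        s.level = level

    # Only RC4-128 has a selectable key length; for the others the field is ignored.
    if s.level == "RC4":
        s.key_length = 40
    elif s.level == "AES-128":
        s.key_length = 128
    elif key_len:
        n = int(key_len)
        if n < 40 or n > 128 or n % 8:
            raise ValueError("RC4-128 key length must be 40..128 and a multiple of 8")
        s.key_length = n

    if meta:
        if meta not in ("yes", "no"):
            raise ValueError("metadata field must be yes or no")
        s.clear_metadata = meta == "yes"
    if s.level == "RC4":
        # 40-bit RC4 always encrypts metadata; an explicit "yes" contradicts that
        # (treating it as an error is this model's assumption).
        if meta == "yes":
            raise ValueError("clear-text metadata requires RC4-128 or AES-128")
        s.clear_metadata = False
    return mode, s


def validate(value: Optional[str],
             source: Optional[EncryptionSettings] = None) -> Optional[str]:
    """Return None when the switch value is acceptable, otherwise the error text."""
    try:
        parse_encrypt(value, source)
    except ValueError as exc:
        return str(exc)
    return None
```

Running parse_encrypt("discard;RC4-128;80;no") yields RC4-128 with an 80-bit key and encrypted metadata, which needs at least PDF 1.4; parse_encrypt("discard;") yields the AES-128 baseline (PDF 1.6), while parse_encrypt("discard") yields no encryption at all.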

3.3.2. Permissions

Permission is specified inside --password-security or --pubkey-security. For public key encrypted PDFs, recipients are grouped into recipient set, with each set sharing the same permission.

Note that the available permission settings depend on the encryption level.

If RC4 (40-bit) is specified, the following permissions are available.

print=[yes|no]

Determines whether or not to allow printing.

modify=[yes|no]

Determines whether or not to allow document modification.

extract=[yes|no]

Determines whether or not to allow text/image extraction.

annotate=[yes|no]

Determines whether or not to allow comments and form fill-in and signing.

If RC4-128 or AES-128 is specified as encryption level, the following permissions are applicable:

accessibility=[yes|no]

If yes, text access for screen reader devices for the visually impaired is allowed.

extract=[yes|no]

If yes, text and graphic extraction, such as copying of text, images and other content, is allowed.

print=[high|low|none]

This option specifies the print access, which can be one of the following:

  • high: allow high resolution printing.

  • low: allow degraded printing.

  • none: no printing is allowed.

modify=[all|annotate|form|assembly|none]

This option specifies the modify access, which can be one of the following, each of which implies all the options that follow it:

  • all: allow full document modification

  • annotate: allow comment authoring and form operations

  • form: allow form field fill-in and signing existing signature fields.

  • assembly: allow document assembly only (inserting, deleting and rotating pages).

  • none: allow no modifications.

Permissions are separated by semicolons. For example, the following command specifies permissions that allow high-resolution printing and no modification:

C:\>pdfleo --encrypt=copy; --password-security=pdf123;;print=high;modify=none
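The permissions above end up as the /P integer of the document's encryption dictionary, which is exactly why they are advisory: /P is plain data beside the encrypted content, not something the file key protects. The following encoder and decoder is an added illustration, not PDFLeo code. The bit positions are those of the standard security handler (PDF 1.7 section 7.6.3.2, Table 22); the mapping of pdfleo's option names (print=, modify=, extract=, accessibility=) onto those bits is my reading of the two lists above and is an assumption about how pdfleo encodes them.

```python
"""Encode and decode the /P permission flags of the PDF standard security
handler. Added illustration, not pdfleo's code; the option-name mapping is an
assumption based on the manual's permission tables."""
from typing import Dict, Iterable, Union

# Bit numbers are 1-based as in the specification (bit 1 is the least significant).
BIT_PRINT = 3           # print (at degraded quality unless bit 12 is also set)
BIT_MODIFY = 4          # modify contents not covered by bits 6, 9 and 11
BIT_EXTRACT = 5         # copy or extract text and graphics
BIT_ANNOTATE = 6        # add or modify annotations, fill in form fields
BIT_FILL_FORMS = 9      # revision 3+: fill in existing form fields
BIT_ACCESSIBILITY = 10  # revision 3+: extract text for accessibility
BIT_ASSEMBLE = 11       # revision 3+: insert, rotate and delete pages
BIT_PRINT_HIGH = 12     # revision 3+: print at full quality
PERMISSION_BITS = (3, 4, 5, 6, 9, 10, 11, 12)

# pdfleo's graded options; each level implies the ones below it (assumed mapping).
PRINT_LEVELS = {"none": (), "low": (BIT_PRINT,), "high": (BIT_PRINT, BIT_PRINT_HIGH)}
MODIFY_LEVELS = {
    "none": (),
    "assembly": (BIT_ASSEMBLE,),
    "form": (BIT_ASSEMBLE, BIT_FILL_FORMS),
    "annotate": (BIT_ASSEMBLE, BIT_FILL_FORMS, BIT_ANNOTATE),
    "all": (BIT_ASSEMBLE, BIT_FILL_FORMS, BIT_ANNOTATE, BIT_MODIFY),
}


def _mask(bit: int) -> int:
    return 1 << (bit - 1)


def _to_signed32(u: int) -> int:
    """Writers store /P as a signed 32-bit integer, so it is usually negative."""
    return u - (1 << 32) if u & 0x80000000 else u


def _from_bits(granted: Iterable[int]) -> int:
    # Reserved bits 7, 8 and 13-32 must be 1; bits 1 and 2 must be 0.
    u = 0xFFFFFFFF & ~(_mask(1) | _mask(2))
    for bit in PERMISSION_BITS:
        u &= ~_mask(bit)
    for bit in granted:
        u |= _mask(bit)
    return _to_signed32(u & 0xFFFFFFFF)


def encode_permissions(printing: str = "none", modify: str = "none",
                       extract: bool = False, accessibility: bool = False) -> int:
    """/P for a 128-bit (revision 3 or 4) document from pdfleo's option values."""
    granted = set(PRINT_LEVELS[printing]) | set(MODIFY_LEVELS[modify])
    if extract:
        granted.add(BIT_EXTRACT)
    if accessibility:
        granted.add(BIT_ACCESSIBILITY)
    return _from_bits(granted)


def encode_permissions_r2(print_: bool = False, modify: bool = False,
                          extract: bool = False, annotate: bool = False) -> int:
    """/P for a 40-bit RC4 (revision 2) document: only bits 3 to 6 are meaningful."""
    flags = {BIT_PRINT: print_, BIT_MODIFY: modify,
             BIT_EXTRACT: extract, BIT_ANNOTATE: annotate}
    # Revision 2 readers ignore bits 9-12, but the spec wants them set to 1.
    granted = [bit for bit, on in flags.items() if on] + [9, 10, 11, 12]
    return _from_bits(granted)


def decode_permissions(p: int) -> Dict[str, Union[str, bool]]:
    """Read a /P value back into pdfleo's option vocabulary (revision 3+ view).

    The decoder reports the highest graded level whose defining bit is set, so
    a value with an unusual bit pattern is shown at its most permissive level.
    """
    u = p & 0xFFFFFFFF
    on = lambda bit: bool(u & _mask(bit))
    if on(BIT_PRINT) and on(BIT_PRINT_HIGH):
        printing = "high"
    elif on(BIT_PRINT):
        printing = "low"
    else:
        printing = "none"
    modify = "none"
    for name in ("all", "annotate", "form", "assembly"):
        if on(MODIFY_LEVELS[name][-1]):   # the defining bit of each level
            modify = name
            break
    return {"print": printing, "modify": modify,
            "extract": on(BIT_EXTRACT), "accessibility": on(BIT_ACCESSIBILITY)}
```

For the command above (print=high, modify=none, extraction and accessibility left off), encode_permissions("high", "none") gives -1852, and decode_permissions(-1852) returns the same four option values. A document granting everything has /P equal to -4, which shows how little separates the two: a single integer in the trailer's encryption dictionary.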

3.3.3. Password Security Parameters

Use --password-security switch to specify owner password, user password and permission. This switch can't be used with --encrypt=preserve.

The value of the switch requires at least two fields: the first holds the owner password, followed by the user password. Permissions are optional and, when present, start from the third field. Fields are separated by semicolons.

--password-security=<ownerpass>;<userpass>;<perm1>;<perm2>...

An empty password is specified by leaving the field blank. You can also copy a password from the source file with an asterisk (*); if the source document is not encrypted, an empty password is used for the output. For example,

C:\>pdfleo --encrypt=copy --password-security=pdf123;*;print=high;modify=none

The command above sets owner password to pdf123, and the user password to the one in the source document.

Note

Passwords are not always retrievable. If you opened the document with the owner password, pdfleo is able to derive the user password; the opposite is not true. If the document was opened with the user password, pdfleo cannot derive the owner password, and if you ask to copy the owner password it prints a warning and substitutes the default owner password, pdfleo. Because that default is documented here, it offers no protection; set an explicit owner password instead.

Copy Encryption Settings and Set Passwords and Permission

The following example sets the owner password to pdf123 and the user password to empty, with the print permission set to high resolution and the modify permission set to none. Both permission values require the encryption level to be RC4-128 or AES-128.

C:\>pdfleo --encrypt=copy; --password-security=pdf123;;print=high;modify=none

Note that permission is based on the one in the source document if --encrypt=copy is specified. Otherwise it starts with full access.

3.3.4. Public key Recipients

The --pubkey-recipient switch specifies the public key security options. It may appear several times on the command line, each occurrence specifying one recipient set. A recipient set comprises one or more recipients who share the same permissions. A recipient is identified by its X.509 certificate file.

C:\>pdfleo --encrypt=discard;AES-128 \
      --pubkey-recipient=thomas_tang.cer;joe_smith.cer;modify=none;print=low;extract=yes

The first part lists the certificate files, separated by semicolons; the second part specifies the permission flags. The permissions are based on the source document if copy is specified in the --encrypt switch, and otherwise start from full access.

Hint: you can dump the list of recipients using --info switch after creating the document.

3.4. Extended Characters in Passwords

For maximum compatibility across applications, it is recommended to restrict password text to printable ASCII characters. However, if an existing PDF of yours is encrypted with extended characters, or you plan to use extended characters in a password, read this section. Extended characters are those outside the printable ASCII range (0x20 to 0x7E).

In the PDF specification a password is a byte sequence, but users treat passwords as text, and the byte value of a character depends on the code page. For example, the Latin character Ä has the value 0x80 in Mac Roman encoding, while in Windows code page 1252 it is 0xC4. So that users can open encrypted files with the same password phrase on Windows and Mac, Acrobat converts the supplied password text into an encoding native to PDF, called PDFDocEncoding. This encoding contains most of the characters of code page 1252 and Mac Roman. Characters not in the encoding are converted to spaces.

So that users have the same experience as with Acrobat, pdfleo takes the same approach. You can therefore encrypt PDFs with passwords containing Latin characters and use the same password text in Adobe Reader. Note that other applications may take a different approach and may not be able to open PDFs encrypted in this manner.

The command below encrypts source PDF with owner password 123456, and user password DésoléÄe.

C:\>pdfleo --encrypt=discard;AES-128;;no \
    --password-security=123456;DésoléÄe;print=none test3.pdf test8.pdf
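The conversion described in this section, as an added illustration rather than PDFLeo code: it maps a password string to PDFDocEncoding bytes and reports which characters were silently replaced by spaces. The table for positions 0x80 to 0xA0 is transcribed from PDF 1.7 Appendix D; positions 0xA1 to 0xFF coincide with ISO Latin-1 except 0xAD, which is undefined. pdfleo's exact handling of control characters is not documented here, so treating them as unrepresentable is an assumption of this example. The 32-byte limit comes from the standard security handler, which pads or truncates the password to exactly 32 bytes before deriving the file key.

```python
"""Password text to PDFDocEncoding bytes (added illustration; not pdfleo's
code). The 0x80..0xA0 table is from PDF 1.7 Appendix D."""
from typing import Dict, List

# PDFDocEncoding positions 0x80..0xA0, the block that differs from ISO Latin-1.
_PDFDOC_HIGH: Dict[str, int] = {
    "\u2022": 0x80, "\u2020": 0x81, "\u2021": 0x82, "\u2026": 0x83,  # bullet, daggers, ellipsis
    "\u2014": 0x84, "\u2013": 0x85, "\u0192": 0x86, "\u2044": 0x87,  # dashes, florin, fraction
    "\u2039": 0x88, "\u203a": 0x89, "\u2212": 0x8A, "\u2030": 0x8B,  # guillemets, minus, permille
    "\u201e": 0x8C, "\u201c": 0x8D, "\u201d": 0x8E, "\u2018": 0x8F,  # double and single quotes
    "\u2019": 0x90, "\u201a": 0x91, "\u2122": 0x92, "\ufb01": 0x93,  # quotes, trademark, fi
    "\ufb02": 0x94, "\u0141": 0x95, "\u0152": 0x96, "\u0160": 0x97,  # fl, Lslash, OE, Scaron
    "\u0178": 0x98, "\u017d": 0x99, "\u0131": 0x9A, "\u0142": 0x9B,  # Ydieresis, Zcaron, dotlessi, lslash
    "\u0153": 0x9C, "\u0161": 0x9D, "\u017e": 0x9E, "\u20ac": 0xA0,  # oe, scaron, zcaron, Euro
}

PASSWORD_MAX_BYTES = 32  # the standard security handler pads/truncates to 32 bytes


def password_to_pdfdoc(text: str) -> bytes:
    """Map password text to PDFDocEncoding; unrepresentable characters become spaces."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if 0x20 <= cp <= 0x7E:
            out.append(cp)                  # printable ASCII is identical
        elif ch in _PDFDOC_HIGH:
            out.append(_PDFDOC_HIGH[ch])
        elif 0xA1 <= cp <= 0xFF and cp != 0xAD:
            out.append(cp)                  # same code as ISO Latin-1 and cp1252 here
        else:
            out.append(0x20)                # outside PDFDocEncoding: substituted by a space
    return bytes(out)


def effective_password(text: str) -> bytes:
    """The bytes the file key is actually derived from: at most 32 of them."""
    return password_to_pdfdoc(text)[:PASSWORD_MAX_BYTES]


def lossy_characters(text: str) -> List[str]:
    """Characters the conversion silently replaces, i.e. password entropy that is lost."""
    return [ch for ch in text if ch != " " and password_to_pdfdoc(ch) == b" "]


def bytes_by_platform(text: str) -> Dict[str, bytes]:
    """Why the conversion exists: the raw code-page bytes differ between platforms."""
    return {
        "windows-1252": text.encode("cp1252", errors="replace"),
        "mac-roman": text.encode("mac_roman", errors="replace"),
        "pdfdoc": password_to_pdfdoc(text),
    }
```

For the user password DésoléÄe used in the command above, password_to_pdfdoc returns D 0xE9 s o l 0xE9 0xC4 e regardless of the platform's code page. The check a practitioner wants is lossy_characters: a password such as пароль collapses to six spaces, so a phrase that looks strong on the keyboard can reach the key derivation as almost nothing.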

3.5. Sample Usage

The following section demonstrates how you can use pdfleo to encrypt or decrypt PDF documents. Remember that encryption can be used in conjunction with other transforms, such as linearization and compression.

Preserving Encryption

Under preserve mode, the encryption settings are preserved in the target PDF. If the source PDF is not encrypted, the output is not encrypted either. If the source is encrypted, the output PDF preserves all encryption settings, such as encryption level, permission, passwords and recipient sets.

C:\>pdfleo --encrypt=preserve source.pdf target.pdf

Preserve is the default encryption mode and can be omitted. The command line below has the same effect:

C:\>pdfleo source.pdf target.pdf

Stripping Encryption (Decryption)

By specifying discard without additional parameters, the encryption is removed from the PDF.

C:\>pdfleo --encrypt=discard source.pdf target.pdf

Encrypt with New Encryption Settings

If discard is followed by other parameters, the output PDF is encrypted, and in that case a security handler must be specified through --password-security or --pubkey-security. The discard mode sets the encryption baseline to AES-128 with a 128-bit key, clear-text metadata and full access permissions; the other command line parameters modify that baseline. The following command encrypts the PDF with RC4-128, an 80-bit key and encrypted metadata. The --password-security switch sets the owner password to pdf123, leaves the user password empty, and sets the modify permission to none. Note that a reduced key length such as 80 bits only weakens the encryption; prefer the full 128 bits unless a specific consumer requires otherwise.

C:\>pdfleo --encrypt=discard;RC4-128;80;no \
  --password-security=pdf123;;modify=none \
  source.pdf target.pdf  
  

You do not need to set all parameters explicitly. For example, the following command will encrypt document using the default encryption level - AES-128, clear text metadata.

C:\>pdfleo --encrypt=discard; \
  --password-security=pdf123;;modify=none \
  source.pdf target.pdf
  

The semicolon after discard cannot be omitted: it indicates that the encryption parameters that follow take their default values. Without it, discard simply strips the encryption, as shown above.

Encrypting with Settings Based on Source PDF

The copy mode uses the encryption settings of the source PDF as the baseline.

C:\>pdfleo --password=pdf123 --encrypt=copy --password-security=*;*;print=high source.pdf target.pdf

It is possible to change security setting under copy mode:

C:\>pdfleo --password=pdf123 --encrypt=copy;AES-128 \
  --password-security=*;*;print=high \
  source.pdf target.pdf

The command above changes encryption level to AES-128.

Encrypting with Public Key Security

By using the --pubkey-security option, the output PDF can be encrypted with public key security.

  
C:\>pdfleo --encrypt=discard;AES-128 \
   --pubkey-security=john.smith.cer;jennifer.lopez.cer;modify=none;print=low \
   source.pdf target.pdf
   

The resulting document can only be opened by the persons who possess the private keys corresponding to the certificates john.smith.cer and jennifer.lopez.cer. The permissions allow no modification and low-resolution printing.

This manual is specific to PDFLeo 1.0.
The current version is 1.0.0.

This Manual is also available in the following format: PDF.