Today we’ll be going over PDF encryption and protection options, which also cover what Adobe calls ‘Rights management’. We’ll explain which options exist, what they are intended to do and how they are used in our HTML to PDF API services.
There are three basic components of PDF security:
- Encryption
- Password protection
- Rights management
We’ll cover these one by one in this order, because you can only have password protection and rights management if you encrypt the PDF as well. That makes sense: why would you protect a PDF with a password if the contents remained just as readable as before?
So what exactly is PDF encryption, what are the consequences and what are the options or flavours?
PDF encryption is done with a key of either 40, 128 or 256 bits. It encrypts the contents of the file so that anyone who wants to access them needs the user (or document open) password. An important side effect is that search engines cannot read the contents of the PDF either (as you may know, a lot of them, the almighty Google included, index PDFs as well).
The key length and algorithm type determine the strength of the encryption and the resulting security of the PDF. 40-bit RC4 encryption is the weakest form of encryption and 256-bit AES the strongest that is currently supported. Adobe Reader X is needed to open documents encrypted with 256-bit AES.
If you want to know how safe these encryptions are: 40-bit RC4 is known to be susceptible to brute-force attacks, and brute-force attacks on 256-bit AES are currently thought not to be possible. So the longer the better, and AES is better than RC4: 40-bit RC4 < 128-bit RC4 < 128-bit AES < 256-bit AES.
An encrypted PDF can have two passwords: an owner password and a user (or document open) password. The owner password doesn’t actually do anything in terms of encryption, but is used to control rights management (see the section about that below). The user password (or document open password) is the password that matters. It makes sure the file is properly encrypted and your users will need it to open the file. You’re advised to use this and forget about using an owner’s password. For more information check Wikipedia on this.
Rights management is a great idea by Adobe. The idea is that the owner of the PDF can determine if others are allowed to modify the document, can make annotations, can print the PDF and/or can copy from the document. All these settings can be controlled and set individually.
Although this idea in itself is great – it only works in controlled environments where everyone is using Adobe Reader. This is because other PDF reading programs can choose to ignore these settings. You see – the PDF standard is open and this means anybody can write a program reading PDFs and choose what to interpret when they read a PDF file and how to deal with what they read. Hence – PDF readers exist that ignore these settings.
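To see what these settings look like inside a file, the following added example (not code from our API services) decodes the encryption entries of a PDF: the cipher named by `/V` and `/CFM`, and the rights stored as bit flags in `/P`. The bit layout comes from the PDF specification (ISO 32000-1); the function names and the two sample dictionaries are constructed for illustration, and the script assumes the `/Encrypt` dictionary is available as plain text.

```python
import re

# /P permission bits of the standard security handler (ISO 32000-1, Table 22).
# Bit numbers are 1-based; bits 9-12 only have meaning for revision (/R) 3 and later.
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy", 6: "annotate",
                   9: "fill_forms", 10: "extract_accessibility",
                   11: "assemble", 12: "print_high_quality"}

def _int(d, key, default):
    """Return the integer value of /key in dictionary text d, or default."""
    m = re.search(r"/%s\s+(-?\d+)" % key, d)
    return int(m.group(1)) if m else default

def audit_encrypt_dict(d):
    """Return (cipher, granted_permissions) for the text of an /Encrypt dictionary."""
    v, r = _int(d, "V", 0), _int(d, "R", 2)
    length = _int(d, "Length", 40)          # key length in bits, default 40
    cfm = re.search(r"/CFM\s*/(\w+)", d)    # crypt filter method, used when /V is 4 or 5
    cfm = cfm.group(1) if cfm else None
    if v == 1:
        cipher = "40-bit RC4"
    elif v == 2 or (v == 4 and cfm == "V2"):
        cipher = "%d-bit RC4" % length
    elif v == 4 and cfm == "AESV2":
        cipher = "128-bit AES"
    elif v == 5 and cfm == "AESV3":
        cipher = "256-bit AES"
    else:
        cipher = "unknown"
    p = _int(d, "P", 0) & 0xFFFFFFFF        # /P is stored as a signed 32-bit integer
    granted = [name for bit, name in PERMISSION_BITS.items()
               if (r >= 3 or bit <= 6) and p & (1 << (bit - 1))]
    return cipher, granted

# Constructed sample dictionaries (hash strings shortened to placeholders).
LEGACY = "<< /Filter /Standard /V 1 /R 2 /O <00> /U <00> /P -44 >>"
MODERN = ("<< /Filter /Standard /V 5 /R 6 /Length 256 /P -1340 "
          "/CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen >> >> "
          "/StmF /StdCF /StrF /StdCF >>")

if __name__ == "__main__":
    for name, d in (("legacy", LEGACY), ("modern", MODERN)):
        cipher, granted = audit_encrypt_dict(d)
        # The flags are requests to the reader software, not something the cipher enforces.
        print(name, cipher, "reader is asked to allow:", ", ".join(granted) or "nothing")
```

The rights are a plain integer that sits next to the encrypted content, so honouring them is up to the reading program; only the user password and the cipher strength actually limit who can read the file.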
Options supported by our HTML to PDF API services
As you know by now, we have two HTML to PDF API services: a so-called ‘simple API’ and an ‘advanced API’. The simple API supports all the different encryption keys, both the owner and user password, and the possibility of determining whether a file can be printed or modified, or its content copied. The advanced API supports all options, which means the full range of rights management instead of the scaled-down version.