Hack 52 Encrypt and Decrypt PDF (Even Without Acrobat)

 < Day Day Up > 

figs/moderate.gif figs/hack52.gif

Restrict who can view your PDF and how they can use it .

You can use PDF encryption to lock a file's content behind a password, but more often it is used to enforce lighter restrictions imposed by the author. For example, the author might permit printing pages but prohibit making changes to the document. Here, we continue from [Hack #2] and explain how pdftk [Hack #79] can encrypt and decrypt PDF documents. We'll begin by describing the Acrobat Standard Security model (called Password Security in Acrobat 6) and the permissions you can grant or revoke.

PDF file attachments get encrypted, too. After opening an encrypted PDF, document file attachments can be opened, changed, or deleted only if the owner granted ModifyAnnotations permission.

Page file attachments behave differently than document file attachments. Once you open an encrypted document, you can open files attached to PDF pages regardless of the permissions. Changing or deleting one of these attachments requires the ModifyAnnotations permission. Of course, if you have the owner password, you can do anything you want.


5.3.1 PDF Passwords

Acrobat Standard Security enables you to set two passwords on a PDF: the user password and the owner password. In Acrobat 6, these are also called the Open password and the Permissions password, respectively.

The user password, if set, is necessary for viewing the document pages. The PDF encryption key is derived from the user password, so it really is required. When a PDF viewer tries to open a PDF that was secured with a user password, it will prompt the reader to supply the correct password.

The owner password, if set, is necessary for changing the document security settings. A PDF with both its user and owner passwords set can be opened with either password, so you should choose both with equal care.

An owner password by itself does not provide any real PDF security. The content is encrypted, but the key, which is derived from the (empty) user password, is known. By itself, an owner password is a polite but firm request to respect the author's wishes. A rogue program could strip this security in a second. See [Hack #66] for additional rights management options.

5.3.2 Standard Security Encryption Strength

If your PDF must be compatible with Acrobat 3 or 4, you must use the weaker, 40-bit encryption strength. Otherwise, use the stronger, 128-bit strength. In both cases, the encryption key is created from the user password, so a good, long, random password helps improve your security against brute force attacks. The longest possible PDF password is 32 characters .

5.3.3 Standard Security Permissions

Set the user password if you don't want people to see your PDF. If they don't have the user password, it simply won't open.

You also have some control over what people can do with your document once they have it open. The permissions associated with 128-bit security (Acrobat 5 and 6) are more precise than those associated with 40-bit security (Acrobat 3 and 4). Tables Table 5-1 and Table 5-2 list all available permissions for each security model, and Figure 5-2 shows the permissions as seen through Acrobat. The tables also show the corresponding pdftk flags to use.

Table 5-1. Permissions available under 40-bit security

To allow readers to . . .

Apply this pdftk permission

Printpages are top quality

Printing

Modify page or document contents,insert or remove pages, rotate pages or add bookmarks

ModifyContents

Copy text and graphics from pages, extract text and graphics data for use by accessibility devices

CopyContents

Change or add annotations or fill form fields with data

ModifyAnnotations

Reconfigure or add form fields

ModifyContents and ModifyAnnotations

All of the above

AllFeatures


Table 5-2. Permissions available under 128-bit security

To allow readers to . . .

Apply this pdftk permission

Printpages are top quality

Printing

Printpages are of lower quality

DegradedPrinting

Modify page or document contents, insert or remove pages, rotate pages or add bookmarks

ModifyContents

Insert or remove pages, rotate pages or add bookmarks

Assembly

Copy text and graphics from pages

CopyContents

Extract text and graphics data for use by accessibility devices

ScreenReaders

Change or add annotations or fill form fields with data

ModifyAnnotations

Fill form fields with data

FillIn

Reconfigure or add form fields

ModifyContents and ModifyAnnotations

All of the above, and top-quality printing

AllFeatures


Figure 5-2. PDF Standard Security features, which help you control how readers use your document
figs/pdfh_0502.gif

Comparing these two tables, you can see that Assembly is a weaker version ofModifyContents and FillIn is a weaker version of ModifyAnnotations.

DegradedPrinting sends pages to the printer as rasterized images, whereas Printing sends pages as PostScript. A PostScript stream can be intercepted and turned back into (unsecured) PDF, so the Printing permission is a security risk. However, DegradedPrinting reduces the clarity of printed pages, so you should test your document to make sure DegradedPrinting yields acceptable, printed pages.

After setting these permissions and/or a user password, changing them requires the owner password, if it is set.

5.3.4 pdftk and Encrypted Input

When using pdftk on encrypted PDF documents, the owner password must be supplied. If an encrypted PDF has no owner password, the user password must be given instead. If an encrypted PDF has neither password set, no password should be associated with this document when calling pdftk.

Input PDF passwords are listed right after the input filenames, like so:

  pdftk    <input PDF files>    input_pw    <input file passwords>     ... 

The file handles assigned in <input PDF files> are used to associate files with passwords in <input file passwords> like so:

   <input PDF handle>    =    <input PDF password>   

For example:

 A=foopass 

Adding this parameter to our example in [Hack #51] produces:

 pdftk A=in1.pdf B=in2.pdf C=in3.pdf \ input_pw A=foopass cat A1 B1-end C5 output out.pdf 

5.3.5 Use pdftk to Encrypt Output

You can encrypt any PDF created with pdftk by simply adding encryption parameters after the output filename, like so:

 ...  output    <output filename>    \   [encrypt_40bit  encrypt_128bit] [allow    <permissions>    ] \   [owner_pw    <owner password>    ] [user_pw    <user password>    ]  

Here are the details:


[encrypt_40bit encrypt_128bit]

Specify an encryption strength. If this strength is not given along with other encryption parameters, it defaults to encrypt_128bit .


[allow <permissions>]

List the permissions to grant users. If this section is omitted, no permissions are granted. See Tables Table 5-1 and Table 5-2 for a complete list of available permissions.


[owner_pw <owner password>]

Use this combination to set the owner password. It can be omitted; in which case no owner password is set.


[user_pw <user password>]

Use this parameter to set the user password. It can be omitted; in which case no user password is set.

Adding these parameters to our example in [Hack #51] yields this:

 pdftk A=in1.pdf B=in2.pdf C=in3.pdf \ cat A1 B1-end C5 output out.pdf \ encrypt_128bit allow CopyContents Printing \ owner_pw ownpass 

5.3.6 Simply Encrypting or Decrypting a File

The previous examples were in the context of [Hack #51] . Here are examples of simply adding or removing encryption from a single file:


Encrypting a single file
 pdftk A=input.pdf output encrypted.pdf \ encrypt_128bit allow CopyContents \ owner_pw foopass 


Decrypting a single file
 pdftk A=encrypted.pdf input_pw A=foopass output decrypted.pdf 

 < Day Day Up > 


PDF Hacks.
PDF Hacks: 100 Industrial-Strength Tips & Tools
ISBN: 0596006551
EAN: 2147483647
Year: N/A
Pages: 158
Authors: Sid Steward

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net