Content protection and encryption in PDF

Revision as of 16:15, 4 April 2018 by Adminko (talk | contribs) (Certificate Encryption)

The PDF specification describes several techniques that allow the content creator to protect a document's content from unauthorized access and use. For example, it's possible to set an owner's password that limits access to the encrypted content, and to assign usage permissions which a conforming reader should respect when opening the document. But encryption and content protection in PDF go beyond just that, and there are advanced techniques which make a document even more protected and secure. Below you can find an overview of all available approaches, illustrated with code samples created using the Apitron PDF Kit and its API.

Standard Encryption

Allows the document's author to set owner and user passwords and to define which actions are allowed for the document. See the code sample below.

// Static class that wraps the encryption code.
public static class StandardEncryption
{
    /// <summary>
    /// Creates the pdf file using Standard Encryption.
    /// </summary>
    /// <param name="fileName">Name of the file.</param>
    /// <param name="userPassword">The user's password.</param>
    /// <param name="ownerPassword">The owner's password.</param>
    public static void CreateEncryptedFile(string fileName, string userPassword, string ownerPassword)
    {
        using (Stream stream = new FileStream(fileName, FileMode.Create, FileAccess.ReadWrite))
        {
            using (FixedDocument document = new FixedDocument())
            {
                // Create Standard Security settings, disallow actions on this document
                document.SecuritySettings = new StandardSecurity(userPassword, ownerPassword, 
                    Permissions.DisallowAllPermissions, 
                    EncryptionSpecialization.EncryptionSpecialization.AllDocumentExceptMetadata);

                // Create page and add simple content
                Page page = new Page();
                document.Pages.Add(page);

                page.Content.SetTranslate(100, 750);
                TextObject text = new TextObject(StandardFonts.HelveticaBold, 20);
                text.AppendText("This document uses Standard Encryption");

                page.Content.AppendText(text);

                // Save the document
                document.Save(stream);
            }
        }
    }
}
 

This code creates a password-protected PDF document with all usage permissions disabled. Check the screenshot below.

Password-protected PDF document with custom usage permissions

Certificate Encryption

It is possible to encrypt the document's content using a custom certificate (so-called public-key encryption). In this case you provide the certificate, and you will only be able to read the document if the same certificate can be presented to the conforming PDF reader application. See the code below.

// This class wraps the cert encryption code
public static class CertificateEncryption
{
    /// <summary>
    /// Creates the pdf file using certificate encryption.
    /// </summary>
    /// <param name="fileName">Name of the file.</param>
    /// <param name="certificateFileName">Name of the certificate file.</param>
    /// <param name="certificatePassword">The certificate password.</param>
    public static void CreateFile(string fileName, string certificateFileName, string certificatePassword)
    {         
        using (Stream stream = new FileStream(fileName, FileMode.Create, FileAccess.ReadWrite))
        {
            using (FixedDocument document = new FixedDocument())
            {
                // Create Certificate Security with a single recipients group
                CertificateSecurity certificateSecurity = new CertificateSecurity(
                    new RecipientsGroup[] 
                        {
                            new RecipientsGroup(Permissions.AllowAllPermissions, 
                            new string[] { certificateFileName }, 
                            new string[] { certificatePassword }) 
                        });
                certificateSecurity.EncryptionLevel = EncryptionLevel.AES_256bit;
                document.SecuritySettings = certificateSecurity;

                // Create page and add simple content
                Page page = new Page();
                document.Pages.Add(page);

                page.Content.SetTranslate(40, 750);
                TextObject text = new TextObject(StandardFonts.HelveticaBold, 20);
                text.AppendText("This document uses Public-Key(Certificate) Encryption");

                page.Content.AppendText(text);

                // Save the document
                document.Save(stream);
            }
        }
    }
}
 

The resulting document will be encrypted using the given certificate and you'll be asked to provide it on opening.
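
As an added example (not Apitron code and not part of the original page), the Python sketch below audits what the Standard Encryption and Certificate Encryption samples above leave in a PDF: it follows the trailer's /Encrypt reference, reports the security handler (/Standard for passwords, /Adobe.PubSec for certificates) and the cipher, and decodes the /P permission flags that a conforming reader is expected to respect. It assumes the encryption dictionary is an indirect object; the function names and the sample bytes are constructed for illustration.

```python
import re

# /P permission flags (ISO 32000-1, Table 22); bit n has mask 1 << (n - 1).
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy", 6: "annotate",
                   9: "fill_forms", 10: "extract_accessibility",
                   11: "assemble", 12: "print_high_quality"}
# Crypt filter methods (/CFM) and the cipher each one selects.
CIPHERS = {"V2": "RC4", "AESV2": "AES-128", "AESV3": "AES-256"}

def decode_permissions(p):
    """Return the actions granted by a signed 32-bit /P value."""
    p &= 0xFFFFFFFF
    return sorted(n for bit, n in PERMISSION_BITS.items() if p & (1 << (bit - 1)))

def find_encrypt_dict(pdf):
    """Follow the trailer's /Encrypt reference to the indirect object body."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    obj = ref and re.search(
        rb"(?<!\d)%s\s+%s\s+obj\s*<<(.*?)>>\s*endobj" % ref.groups(), pdf, re.S)
    return obj.group(1) if obj else None

def _name(d, key):
    m = re.search(rb"/" + key + rb"\s*/([\w.]+)", d)
    return m.group(1).decode() if m else None

def _int(d, key):
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
    return int(m.group(1)) if m else None

def audit(pdf):
    """Summarise the security handler, cipher and permissions of a PDF."""
    d = find_encrypt_dict(pdf)
    if d is None:
        return {"encrypted": False}
    v, p = _int(d, b"V"), _int(d, b"P")
    # V 1 and 2 predate crypt filters and always mean RC4.
    cipher = "RC4" if v in (1, 2) else CIPHERS.get(_name(d, b"CFM"), "unknown")
    # Adobe.PubSec keeps per-recipient permissions in each recipient's
    # PKCS#7 envelope, so /P may be absent from the dictionary itself.
    return {"encrypted": True, "handler": _name(d, b"Filter"), "V": v, "cipher": cipher,
            "allowed": decode_permissions(p) if p is not None else None}

# Constructed samples: only the objects the audit reads, not complete PDFs.
STANDARD_SAMPLE = (b"5 0 obj << /Filter /Standard /V 5 /R 6 /P -3904 "
    b"/CF << /StdCF << /CFM /AESV3 >> >> /StmF /StdCF /StrF /StdCF >> endobj "
    b"trailer << /Root 1 0 R /Encrypt 5 0 R >>")
PUBSEC_SAMPLE = (b"7 0 obj << /Filter /Adobe.PubSec /SubFilter /adbe.pkcs7.s5 /V 5 "
    b"/CF << /DefaultCryptFilter << /CFM /AESV3 /Recipients [<00>] >> >> "
    b"/StmF /DefaultCryptFilter /StrF /DefaultCryptFilter >> endobj "
    b"trailer << /Root 1 0 R /Encrypt 7 0 R >>")
```

A /P value of -3904 clears every permission bit, and -4 sets all of them. Running `audit()` over generated files is a quick way to confirm that the handler and cipher on disk match what the code requested.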

Custom Encryption

If standard or certificate security is not enough, it is possible to implement a custom encryption scheme that makes use of custom security handlers for both encrypting and decrypting the data. This way you'll be able to control exactly how the user gets authorized and how the data is processed. This API is already released; a code sample and description are coming soon.

Unencrypted Wrapper

It's not possible to open documents protected using custom encryption handlers unless the reader application has the same implementation or a module supporting the algorithm the data was encrypted with. While an attempt to open such a document would generally produce an error message in conventional PDF readers, there is a way to avoid that and display an informative message to the person trying to open the document, so that he or she is aware of the right way to open it.

This feature is called the unencrypted wrapper: the encrypted content gets "wrapped" by a readable, non-encrypted PDF document, and in case of a decoding error the non-encrypted "stub" gets displayed to the user.