How does iText handle PDF encryption?
Out-of-the-box, iText provides multiple encryption and decryption methods, so it can be hard to decide which one is better suited for a particular case. This article is designed to tell you about these security measures in a simple and easily digestible format.
PDF Embedded Encryption vs Binary Data Encryption
PDF embedded encryption refers to the process of encrypting the content within a PDF file, rather than encrypting the file itself as binary data. iText focuses on providing encryption as a high-level PDF feature since we consider it easier and more convenient for our customers. There are a few advantages to this approach:
Access Control: PDF encryption can enforce specific permissions, such as restricting printing, copying, or editing.
Document Integrity: Embedded encryption ensures that the document's integrity is maintained, so tampering can be detected.
Interoperability: Most PDF viewers support the embedded encryption features, ensuring that users can access encrypted content without needing specialized software.
Metadata Handling: Encrypted PDFs can still contain metadata (if not encrypted), which can provide information about the document without revealing its content.
iText doesn’t have any option to directly encrypt a PDF as binary data, so for this purpose other tools may be used.
Encryption Methods
We’ll start with the oldest supported encryption algorithm – RC4 or Rivest Cipher 4 (also referred to as the standard encryption algorithm in iText). RC4 is a fast stream cipher which is mostly used with key lengths of 40 bits or 128 bits (hereinafter called RC4-40 and RC4-128). RC4 was added in PDF 1.1 and as of version 1.7 of the specification it became fully deprecated due to being outdated and having significant vulnerabilities.
Although iText still supports RC4-40 and RC4-128 for backwards compatibility, we strongly advise against using these encryption methods, as there are more modern algorithms that provide much better security.
Moving on to AES or the Advanced Encryption Standard, this is a symmetric block cipher. AES-CBC (Cipher Block Chaining) was added in PDF 1.5 and became the primary way to encrypt documents. iText supports the use of AES with 128 and 256 bit keys and these are suitable for most cases. However, since AES with 128-bit keys is inherently less secure, we recommend using AES-256 instead.
Note that AES-CBC 128-bit encryption was deprecated in the initial PDF 2.0 specification in 2017, with 256-bit becoming the recommended minimum for PDF 2.0-conforming documents. Therefore, reading 256-bit AES encrypted documents requires iText Core 7.1 or newer. See https://itextpdf.com/blog/technical-notes/how-solve-unknown-encryption-type-r-6-errors for more information.
The ISO/TS 32003 extension to the PDF 2.0 specification introduced a new mode – AES-GCM (Galois/Counter Mode) for enhanced security. AES-GCM is considered to be more secure than AES-CBC due to its integrated authentication and resistance to padding attacks.
A public key system can also be used in iText with any of the algorithms mentioned above. This system uses a pair of keys: a public key for encryption and a private key for decryption. Public-key cryptography is a common and preferred way to encrypt a document, providing even better security measures.
MAC Protection
The ISO/TS 32004 extension to the PDF 2.0 specification brought another way to protect PDFs – Message Authentication Code (MAC) protection. A MAC is a type of keyed information, computed over the ciphertext to ensure document level integrity protection. In some cases it can be used as a lightweight alternative to signatures. The PDF Association has two excellent articles, https://pdfa.org/iso-32004-an-overview/ and https://pdfa.org/macs-vs-signatures-in-pdf/, which go into more detail on this.
Support for the ISO/TS 32003 and 32004 extensions was added with the iText Core 9.0.0 release. See the following release examples for more information:
TL;DR: Applying this with iText
If you are targeting compatibility with the majority of PDF viewers, use PDF 1.7 with AES 256-bit encryption:
Password-based: https://github.com/itext/itext-publications-examples-java/blob/develop/src/main/java/com/itextpdf/samples/sandbox/security/EncryptPdf.java
Certificate-based: https://github.com/itext/itext-publications-examples-java/blob/develop/src/main/java/com/itextpdf/samples/sandbox/security/EncryptWithCertificate.java
For the best security, use modern PDF 2.0 with AES-GCM and MAC protection:
https://github.com/itext/itext-publications-examples-java/blob/develop/src/main/java/com/itextpdf/samples/sandbox/security/EncryptPdfWithGCM.java
MAC protection will be enabled by default.
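The advice above against RC4 and AES-128 can be turned into a migration check. The following is an added example, not one of the linked iText samples: it reads the encryption mode of a password-protected PDF and rewrites the file with AES-256 if a legacy cipher is in use. The class name, passwords and command-line file paths are assumptions, as is the source file being readable with the owner password shown.

```java
import com.itextpdf.kernel.pdf.EncryptionConstants;
import com.itextpdf.kernel.pdf.PdfDocument;
import com.itextpdf.kernel.pdf.PdfReader;
import com.itextpdf.kernel.pdf.PdfWriter;
import com.itextpdf.kernel.pdf.ReaderProperties;
import com.itextpdf.kernel.pdf.WriterProperties;
import java.nio.charset.StandardCharsets;

public class UpgradeLegacyEncryption {
    // Constructed sample passwords; load real ones from a secret store, never from source code.
    static final byte[] USER = "user-pass-example".getBytes(StandardCharsets.UTF_8);
    static final byte[] OWNER = "owner-pass-example".getBytes(StandardCharsets.UTF_8);

    /** True for the algorithms this article advises against: RC4-40, RC4-128, AES-128. */
    static boolean isLegacy(int cryptoMode) {
        if (cryptoMode < 0) return false; // -1 means the document is not encrypted
        // Assumption: the low three bits select the algorithm; higher bits are flags
        // such as DO_NOT_ENCRYPT_METADATA.
        int algo = cryptoMode & 7;
        return algo == EncryptionConstants.STANDARD_ENCRYPTION_40
                || algo == EncryptionConstants.STANDARD_ENCRYPTION_128
                || algo == EncryptionConstants.ENCRYPTION_AES_128;
    }

    /** Opens the PDF read-only with the owner password and returns its crypto mode. */
    static int cryptoModeOf(String path) throws Exception {
        ReaderProperties props = new ReaderProperties().setPassword(OWNER);
        try (PdfDocument doc = new PdfDocument(new PdfReader(path, props))) {
            return doc.getReader().getCryptoMode();
        }
    }

    /** Rewrites src to dest with AES-256, granting only the printing permission. */
    static void reencryptAes256(String src, String dest) throws Exception {
        WriterProperties wp = new WriterProperties().setStandardEncryption(
                USER, OWNER, EncryptionConstants.ALLOW_PRINTING,
                EncryptionConstants.ENCRYPTION_AES_256);
        ReaderProperties rp = new ReaderProperties().setPassword(OWNER);
        try (PdfDocument doc = new PdfDocument(new PdfReader(src, rp), new PdfWriter(dest, wp))) {
            // No content changes; closing the document writes it with the new encryption.
        }
    }

    public static void main(String[] args) throws Exception {
        boolean legacy = isLegacy(cryptoModeOf(args[0]));
        if (legacy) reencryptAes256(args[0], args[1]);
        System.out.println(legacy ? "Re-encrypted with AES-256: " + args[1] : "No legacy cipher: " + args[0]);
    }
}
```

Run it with the source and destination paths as the two arguments; an unencrypted or already AES-256 input is left untouched.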