How do PDF restrictions work?

PDF restrictions are a necessary part of conducting business for many organizations. It’s vital that companies can share documents without fearing that they’ll be used outside of their intended use case – whether that’s being printed, shared with unauthorized parties, or modified before they reach their final recipient.

Every protection method, however, has its drawbacks. These could be flaws in the protection methods themselves or issues of reduced usability. For businesses to accurately assess whether or not a PDF security solution is for them, they first need to understand how PDF restrictions work.

This isn’t as simple as you might expect. There are various solutions that use different protection mechanisms to enforce their restrictions. There are two main types, however: password-based encryption and DRM protection.


How do Adobe Acrobat PDF restrictions work?

Adobe is the biggest name in the PDF industry, and it deserves to be. After all, it invented the entire file format. It uses its Adobe Acrobat reader to create and enforce its protection, relying on a combination of encryption, password protection, and some other tricks.

Adobe PDF protection features two passwords: the open password and the permissions password. The open password determines whether a user can decrypt and open a document, while the permissions password lets users remove PDF editing and printing restrictions.

Adobe Acrobat uses varying levels of encryption depending on your version. The earliest versions used 40-bit encryption, but this was upgraded later to 128-bit encryption, and then 256-bit encryption in 2008 (however, due to changes in the algorithm, this is actually weaker than 128-bit).

This encryption turns the document into illegible strings of letters and numbers unless the user has a password. Much like the code words you see in spy movies, anybody who has the password can read the contents, regardless of whether they’re authorized to.

It’s important to note, though, that Adobe’s printing and editing restrictions don’t use the same methodology. When a PDF reader encounters an encrypted PDF file, Adobe’s Security handler checks it against a set of flags to determine what is allowed (viewing) and what isn’t (editing and printing).

However, there are weaknesses in this security handler. For one, the PDF format itself cannot enforce the restrictions that are specified in its encryption dictionary. Additionally, as there are more applications than just Adobe Reader, Adobe has to trust third-party developers to build security handlers into their PDF viewers that respect the restrictions a user added when creating the document with Acrobat. This is not something Adobe is able to enforce, and it even notes that applications other than Reader may implement alternate security handlers.
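The permission flags described above live in the `/P` entry of the file's encryption dictionary, and decoding them shows what a compliant viewer is being asked to honor. The following is an added example, not code from this page or from Adobe: the bit meanings follow the standard security handler table in the PDF specification (ISO 32000-1), and the dictionary fragment is a constructed sample.

```python
import re

# Permission bits from the PDF standard security handler (ISO 32000-1, Table 22).
# Bit positions are 1-based in the spec; the mask is 1 << (bit - 1).
PERMISSION_BITS = {
    3: "print",
    4: "modify contents",
    5: "copy or extract text and graphics",
    6: "add or modify annotations",
    9: "fill in form fields",
    10: "extract for accessibility",
    11: "assemble document",
    12: "print at high quality",
}

def decode_permissions(p):
    """Map the signed 32-bit /P value to {operation: allowed?}."""
    p &= 0xFFFFFFFF  # /P is stored as a signed integer; view it as unsigned bits
    return {name: bool(p & (1 << (bit - 1))) for bit, name in PERMISSION_BITS.items()}

def summarize_encrypt_dict(fragment):
    """Pull /Filter, /V, /R, /Length and /P out of an encryption dictionary."""
    def integer(key, default=None):
        m = re.search(r"/%s\s+(-?\d+)" % key, fragment)
        return int(m.group(1)) if m else default
    handler = re.search(r"/Filter\s*/(\w+)", fragment)
    p = integer("P")
    return {
        "handler": handler.group(1) if handler else None,
        "version": integer("V", 0),
        "revision": integer("R"),
        "key_bits": integer("Length", 40),  # spec default when /Length is absent
        "permissions": decode_permissions(p) if p is not None else None,
    }

# Constructed sample: /O and /U password-check strings shortened to placeholders.
SAMPLE = "<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3136 /O <00> /U <00> >>"

if __name__ == "__main__":
    info = summarize_encrypt_dict(SAMPLE)
    print(info["handler"], "revision", info["revision"], info["key_bits"], "bit key")
    for op, allowed in info["permissions"].items():
        print(f"{'allowed' if allowed else 'denied':8} {op}")
```

The flags are plain integers read by the viewer, which is why the restrictions depend entirely on the viewer choosing to respect them.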

This, combined with other flaws in the Adobe Security handler, means that with minor effort a user can remove PDF restrictions by uploading the file to a third-party tool and providing the open password. This fundamental flaw makes Adobe PDF restrictions only suitable if the document isn’t going to be shared.

How does PDF DRM work?

Like Acrobat, PDF DRM solutions use a combination of encryption and a PDF viewer to enforce restrictions, but the implementation is very different. They typically have a single, bespoke viewer application and their own file format. They also don’t use passwords, instead relying on a licensing system and transparent key management.

To protect a PDF with DRM, you typically load an already-created PDF file into the DRM program, select the functions you want to allow or disallow (printing, editing, copy-pasting, screenshotting), and encrypt the file. The encrypted file is written in a separate format that cannot be opened by existing PDF applications such as Adobe Reader.

PDF DRM also functions differently when it comes to opening an encrypted document. Rather than relying on shareable passwords, a unique license file is generated for each user. This one-time use license must be registered along with the secure viewer application for the user to receive their decryption keys, which cannot be extracted from the system and shared.

Once a user starts to open a document but before it is decrypted, the DRM controls come into play and check whether the user is authorized to open it, which controls are applied to them, whether the document is still valid, etc. The secure viewer can then enforce those controls, and because it doesn’t have the same flaws as Adobe’s security handler it can do so effectively.

Which PDF restrictions are better?

Dedicated PDF DRM provides a wider variety of restrictions, logging types, and watermark techniques. Crucially, publishers can also change these remotely after sharing, revoking documents where necessary or allowing printing if needs change. These controls can also be enforced effectively when sharing, even with those outside of your organization.

However, that’s not to say that Adobe PDF restrictions are completely useless. Combining an open password and permissions password does give some rudimentary protection against the non-technical (i.e. those that cannot perform a simple Google search!). It’s usually cheaper but is not suitable for use in an enterprise setting.

Overall, a fully-fledged PDF DRM is clearly better. You’ll pay more but get a lot more value out of it. The question really comes down to whether that level of protection is necessary for you and what you can afford.