might also be defined in the update table. Since they are part of the hidden section, however, it makes sense to define them in the cross-reference stream.
• The update cross-reference section must appear at the end of the file, but otherwise, there are no ordering restrictions on any of the objects or on the main cross-reference section. However, a file that uses both the hybrid-reference format and the linearized format has ordering requirements (see Appendix F,
3.5 Encryption
A PDF document can be encrypted (PDF 1.1) to protect its contents from unauthorized access. Encryption applies to all strings and streams in the document’s PDF file, but not to other object types such as integers and boolean values, which are used primarily to convey information about the document’s structure rather than its content. Leaving these values unencrypted allows random access to the objects within a document, whereas encrypting the strings and streams protects the document’s substantive contents.
Note: When a PDF stream object (see Section 3.2.7, “Stream Objects”) refers to an external file, the stream’s contents are not encrypted, since they are not part of the PDF file itself. However, if the contents of the stream are embedded within the PDF file (see Section 3.10.3, “Embedded File Streams”), they are encrypted like any other stream in the file. Beginning with PDF 1.5, embedded files may be encrypted in an otherwise unencrypted document (see Section 3.5.4, “Crypt Filters”).
Encryption-related information is stored in a document’s encryption dictionary, which is the value of the Encrypt entry in the document’s trailer dictionary (see
means that the document is not encrypted. The entries shown in Table 3.18 are common to all encryption dictionaries.
The encryption dictionary’s Filter entry identifies the file’s security handler, a software module that implements various aspects of the encryption process and controls access to the contents of the encrypted document. PDF specifies a standard password-based security handler that all consumer applications are expected to support, but applications may optionally provide security handlers of their own.
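
The lookup described above (trailer dictionary, then the Encrypt entry, then its Filter entry), as an added Python example that is not part of the PDF Reference: it returns the security handler name, or None when the trailer has no Encrypt entry. Assumptions: the file has a classic trailer keyword (no cross-reference stream or linearized layout), an indirect Encrypt object is found by scanning rather than through the cross-reference table, and the function names and sample bytes are constructed for illustration.

```python
import re

def _dict_at(data: bytes, start: int) -> bytes:
    """Return the << ... >> dictionary at/after start, with string objects dropped."""
    i, depth, out = data.index(b"<<", start), 0, bytearray()
    while i < len(data):
        if data.startswith((b"<<", b">>"), i):
            depth += 1 if data[i] == 0x3C else -1
            out += data[i:i + 2]
            i += 2
            if depth == 0:
                return bytes(out)
        elif data[i] == 0x3C:                 # hex string <...>: skip it
            i = data.index(b">", i) + 1
        elif data[i] == 0x28:                 # literal string (...): skip, may nest
            nest = 0
            while i < len(data):
                c = data[i]
                i += 2 if c == 0x5C else 1    # backslash escapes the next byte
                nest += (c == 0x28) - (c == 0x29)
                if nest == 0:
                    break
        else:
            out.append(data[i])
            i += 1
    raise ValueError("unterminated dictionary")

def security_handler(pdf: bytes):
    """Filter name from the encryption dictionary, or None if there is no Encrypt entry."""
    trailer = _dict_at(pdf, pdf.rindex(b"trailer"))  # ValueError if no trailer keyword
    m = re.search(rb"/Encrypt(?:\s+(\d+)\s+(\d+)\s+R|\s*(<<))", trailer)
    if m is None:
        return None                           # no Encrypt entry in the trailer
    if m.group(3):                            # encryption dictionary written inline
        enc = _dict_at(trailer, m.start(3))
    else:                                     # indirect reference: scan for "N G obj"
        obj = re.search(rb"(?<!\d)%s\s+%s\s+obj" % m.group(1, 2), pdf)
        if obj is None:
            raise ValueError("Encrypt object not found")
        enc = _dict_at(pdf, obj.end())
    name = re.search(rb"/Filter\s*/([^\s/<>\[\]()]+)", enc)
    if name is None:
        raise ValueError("encryption dictionary has no Filter entry")
    return name.group(1).decode("latin-1")

# Constructed sample (not a real document): the O string embeds a decoy ">> /Filter".
SAMPLE = (b"%PDF-1.4\n5 0 obj\n<< /O (\\)>> /Filter /Bogus) /U <3E3E>\n"
          b"   /Filter /Standard /V 1 >>\nendobj\n"
          b"trailer\n<< /Size 6 /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")
```

Because strings are encrypted and may hold arbitrary bytes, the scanner skips them before looking for Filter; a plain substring search on the raw object could be misled by the decoy in the sample.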