SECTION 3.5
127
Encryption
Algorithm 3.5
Computing the encryption dictionary’s U (user password) value (Revision 3
or greater)
1.
2.
3.
Create an encryption key based on the user password string, as described in Algo-
Initialize the MD5 hash function and pass the 32-byte padding string shown in
Pass the first element of the file’s file identifier array (the value of the
ID
entry in
the document’s trailer dictionary; see Table 3.13 on page 97) to the hash function
and finish the hash. (See implementation note 26 in Appendix H.)
Encrypt the 16-byte result of the hash, using an RC4 encryption function with the
encryption key from step 1.
Do the following 19 times: Take the output from the previous invocation of the
RC4 function and pass it as input to a new invocation of the function; use an en-
cryption key generated by taking each byte of the original encryption key (ob-
tained in step 1) and performing an XOR (exclusive or) operation between that
byte and the single-byte value of the iteration counter (from 1 to 19).
Append 16 bytes of arbitrary padding to the output from the final invocation of
the RC4 function and store the 32-byte result as the value of the
U
entry in the en-
cryption dictionary.
4.
5.
6.
The standard security handler uses Algorithms 3.6 and 3.7 to determine whether
a supplied password string is the correct user or owner password. Note too that
the empty string, and therefore whether to suppress prompting for a password
when the document is opened.
Algorithm 3.6
Authenticating the user password
1.
2.
Perform all but the last step of Algorithm 3.4
(Revision 2)
or Algorithm 3.5
(Revi-
sion 3 or greater)
using the supplied password string.
If the result of step 1 is equal to the value of the encryption dictionary’s
U
entry
(comparing on the first 16 bytes in the case of Revision 3 or greater), the password
supplied is the correct user password. The key obtained in step 1 (that is, in the
first step of Algorithm 3.4 or 3.5) can be used to decrypt the document using Al-