Previous Next


                                                  128
      CHAPTER 3                                                                            Syntax



      Algorithm 3.7 Authenticating the owner password

         1.   Compute an encryption key from the supplied password string, as described in
              steps 1 to 4 of Algorithm 3.3.
         2.   (Revision 2 only) Decrypt the value of the encryption dictionary’s O entry, using
              an RC4 encryption function with the encryption key computed in step 1.
              (Revision 3 or greater) Do the following 20 times: Decrypt the value of the encryp-
              tion dictionary’s O entry (first iteration) or the output from the previous iteration
              (all subsequent iterations), using an RC4 encryption function with a different en-
              cryption key at each iteration. The key is generated by taking the original key (ob-
              tained in step 1) and performing an XOR (exclusive or) operation between each
              byte of the key and the single-byte value of the iteration counter (from 19 to 0).
         3.   The result of step 2 purports to be the user password. Authenticate this user pass-
              word using Algorithm 3.6. If it is correct, the password supplied is the correct
              owner password.

3.5.3 Public-Key Security Handlers

      Security handlers may use public-key encryption technology to encrypt a
      document (or strings and streams within a document). When doing so, it is
      possible to specify one or more lists of recipients, where each list has its own
      unique access permissions. Only specified recipients can open the encrypted
      document or content, unlike the standard security handler, where a password
      determines access. The permissions defined for public-key security handlers are
      identical to those defined for the standard security handler (see Section 3.5.2,
      “Standard Security Handler”).

      Public-key security handlers use the industry standard Public Key Cryptographic
      Standard Number 7 (PKCS#7) binary encoding syntax to encode recipient list,
      decryption key, and access permission information. The PKCS#7 specification is
      in Internet RFC 2315, PKCS #7: Cryptographic Message Syntax, Version 1.5 (see
      the Bibliography).

      When encrypting the data, each recipient’s X.509 public key certificate (as
      described in ITU-T Recommendation X.509; see the Bibliography) must be
      available. When decrypting the data, the application scans the recipient list for
      which the content is encrypted and attempts to find a match with a certificate that
      belongs to the user. If a match is found, the user requires access to the
      corresponding private key, which may require authentication, possibly using a
      password. Once access is obtained, the private key is used to decrypt the
      encrypted data.

Previous Next