Previous Next


                                           130
CHAPTER 3                                                                                Syntax



Public-Key Encryption Algorithms

Figure 3.4 illustrates how PKCS#7 objects are used when encrypting PDF files. A
PKCS#7 object is designed to encapsulate and encrypt what is referred to as the
enveloped data.

                                                      Plaintext byte array
PKCS#7 Object                                     20-byte seed Permissions*
                                                                       * Permissions not present
                                                                       when PKCS#7 object is ref-
        Enveloped data                                                 erenced from Crypt filter
                                        Decrypt
                                                                       decode parameter dictio-
                                                                       nary

                                         Plaintext key
                                                                   Used to generate
                                                                  encryption key as
                                                                  described on page
        John Doe                        Decrypt                          131
        Encrypted key
        Jeff Smith
        Encrypted key
                                              John Doe’s private key


                        FIGURE 3.4 Public-key encryption algorithm


The enveloped data in the PKCS#7 object contains keying material that must be
used to decrypt the document (or individual strings or streams in the document,
when crypt filters are used; see Section 3.5.4, “Crypt Filters”). A key is used to
encrypt (and decrypt) the enveloped data. This key (the plaintext key in Figure
3.4) is encrypted for each recipient, using that recipient’s public key, and is stored
in the PKCS#7 object (as the encrypted key for each recipient). To decrypt the
document, that key is decrypted using the recipient’s private key, which yields a
decrypted (plaintext) key. That key, in turn, is used to decrypt the enveloped data
in the PKCS#7 object, resulting in a byte array that includes the following
information:

• A 20-byte seed that is used to create the encryption key that is used by Algo-
  rithm 3.1. The seed should be a unique random number generated by the secu-
  rity handler that encrypted the document.
• A 4-byte value defining the permissions, least significant byte first. See
  Table 3.20 for the possible permission values.

Previous Next