Previous Next
131
SECTION 3.5 Encryption
• When SubFilter is adbe.pkcs7.s3, the relevant permissions are restricted to
those specified for revision 2 of the standard security handler.
• For adbe.pkcs7.s4, revision 3 permissions apply.
• For adbe.pkcs7.s5, which supports the use of crypt filters, the permissions
are the same as adbe.pkcs7.s4 when the crypt filter is referenced from the
StmF or StrF entries of the encryption dictionary. When referenced from the
Crypt filter decode parameter dictionary of a stream object (see Table 3.12),
the 4 bytes of permissions are absent from the enveloped data.
The algorithms that may be used to encrypt the enveloped data in the PKCS#7
object are: RC4 with key lengths up to 256-bits, DES, Triple DES, RC2 with key
lengths up to 128 bits, 128-bit AES in Cipher Block Chaining (CBC) mode, 192-
bit AES in CBC mode, 256-bit AES in CBC mode. Acrobat products have used
Triple DES to encrypt the enveloped data, and support all of these listed
algorithms when decrypting the enveloped data. The PKCS#7 specification is in
Internet RFC 2315, PKCS #7: Cryptographic Message Syntax, Version 1.5 (see the
Bibliography).
The encryption key that is used by Algorithm 3.1 is calculated by means of an
SHA-1 message digest operation that digests the following data, in order:
1. The 20 bytes of seed
2. The bytes of each item in the Recipients array of PKCS#7 objects in the order
in which they appear in the array
3. 4 bytes with the value 0xFF if the key being generated is intended for use in
document-level encryption and the document metadata is being left as plain-
text
The first n/8 bytes of the resulting digest is used as the encryption key, where n is
the bit length of the RC4 key.
3.5.4 Crypt Filters
PDF 1.5 introduces crypt filters, which provide finer granularity control of
encryption within a PDF file. The use of crypt filters involves the following
structures:
• The encryption dictionary (see Table 3.18) contains entries that enumerate the
crypt filters in the document (CF) and specify which ones are used by default to
Previous Next