SECTION 3.5
131
Encryption
•
When
SubFilter
is
adbe.pkcs7.s3
, the relevant permissions are restricted to
those specified for revision 2 of the standard security handler.
•
For
adbe.pkcs7.s4
, revision 3 permissions apply.
•
For
adbe.pkcs7.s5
, which supports the use of crypt filters, the permissions
are the same as
adbe.pkcs7.s4
when the crypt filter is referenced from the
StmF
or
StrF
entries of the encryption dictionary. When referenced from the
Crypt
filter decode parameter dictionary of a stream object (see Table 3.12),
the 4 bytes of permissions are absent from the enveloped data.
The algorithms that may be used to encrypt the enveloped data in the PKCS#7
object are: RC4 with key lengths up to 256-bits, DES, Triple DES, RC2 with key
lengths up to 128 bits, 128-bit AES in Cipher Block Chaining (CBC) mode, 192-
bit AES in CBC mode, 256-bit AES in CBC mode. Acrobat products have used
Triple DES to encrypt the enveloped data, and support all of these listed
algorithms when decrypting the enveloped data. The PKCS#7 specification is in
Internet RFC 2315,
PKCS #7: Cryptographic Message Syntax, Version 1.5
(see the
The encryption key that is used by Algorithm 3.1 is calculated by means of an
SHA-1 message digest operation that digests the following data, in order:
1. The 20 bytes of seed
2. The bytes of each item in the
Recipients
array of PKCS#7 objects in the order
in which they appear in the array
3. 4 bytes with the value 0xFF if the key being generated is intended for use in
document-level encryption and the document metadata is being left as plain-
text
The first
n
/8 bytes of the resulting digest is used as the encryption key, where
n
is
the bit length of the RC4 key.
3.5.4 Crypt Filters
PDF 1.5 introduces
crypt filters,
which provide finer granularity control of
encryption within a PDF file. The use of crypt filters involves the following
structures:
•
The encryption dictionary (see Table 3.18) contains entries that enumerate the
crypt filters in the document (
CF
) and specify which ones are used by default to