Previous Next

                                                   120
      CHAPTER 3                                                                             Syntax



         4.   Use the first (n + 5) bytes, up to a maximum of 16, of the output from the MD5
              hash as the key for the RC4 or AES symmetric key algorithms, along with the
              string or stream data to be encrypted.
              If using the AES algorithm, the Cipher Block Chaining (CBC) mode, which re-
              quires an initialization vector, is used. The block size parameter is set to 16 bytes,
              and the initialization vector is a 16-byte random number that is stored as the first
              16 bytes of the encrypted stream or string.
              The output is the encrypted data to be stored in the PDF file.

      Stream data is encrypted after applying all stream encoding filters and is
      decrypted before applying any stream decoding filters. The number of bytes to be
      encrypted or decrypted is given by the Length entry in the stream dictionary.
      Decryption of strings (other than those in the encryption dictionary) is done
      after escape-sequence processing and hexadecimal decoding as appropriate to the
      string representation described in Section 3.2.3, “String Objects.”


3.5.2 Standard Security Handler

      PDF’s standard security handler allows access permissions and up to two
      passwords to be specified for a document: an owner password and a user
      password. An application’s decision to encrypt a document is based on whether
      the user creating the document specifies any passwords or access restrictions (for
      example, in a security settings dialog box that the user can invoke before saving
      the PDF file). If so, the document is encrypted, and the permissions and
      information required to validate the passwords are stored in the encryption
      dictionary. (An application may also create an encrypted document without any
      user interaction if it has some other source of information about what passwords
      and permissions to use.)

      If a user attempts to open an encrypted document that has a user password, the
      application should prompt for a password. Correctly supplying either password
      enables the user to open the document, decrypt it, and display it on the screen. If
      the document does not have a user password, no password is requested; the
      application can simply open, decrypt, and display the document. Whether
      additional operations are allowed on a decrypted document depends on which
      password (if any) was supplied when the document was opened and on any
      access restrictions that were specified when the document was created:

      • Opening the document with the correct owner password (assuming it is not the
        same as the user password) allows full (owner) access to the document. This

Previous Next