Previous Next
130
CHAPTER 3 Syntax
Public-Key Encryption Algorithms
Figure 3.4 illustrates how PKCS#7 objects are used when encrypting PDF files. A
PKCS#7 object is designed to encapsulate and encrypt what is referred to as the
enveloped data.
Plaintext byte array
PKCS#7 Object 20-byte seed Permissions*
* Permissions not present
when PKCS#7 object is ref-
Enveloped data erenced from Crypt filter
Decrypt
decode parameter dictio-
nary
Plaintext key
Used to generate
encryption key as
described on page
John Doe Decrypt 131
Encrypted key
Jeff Smith
Encrypted key
John Doe’s private key
FIGURE 3.4 Public-key encryption algorithm
The enveloped data in the PKCS#7 object contains keying material that must be
used to decrypt the document (or individual strings or streams in the document,
when crypt filters are used; see Section 3.5.4, “Crypt Filters”). A key is used to
encrypt (and decrypt) the enveloped data. This key (the plaintext key in Figure
3.4) is encrypted for each recipient, using that recipient’s public key, and is stored
in the PKCS#7 object (as the encrypted key for each recipient). To decrypt the
document, that key is decrypted using the recipient’s private key, which yields a
decrypted (plaintext) key. That key, in turn, is used to decrypt the enveloped data
in the PKCS#7 object, resulting in a byte array that includes the following
information:
• A 20-byte seed that is used to create the encryption key that is used by Algo-
rithm 3.1. The seed should be a unique random number generated by the secu-
rity handler that encrypted the document.
• A 4-byte value defining the permissions, least significant byte first. See
Table 3.20 for the possible permission values.
Previous Next