7.6 Encryption
7.6.1 General
A PDF document can be encrypted (PDF 1.1) to protect its contents from unauthorized access. Encryption applies to all strings and streams in the document's PDF file, with the following exceptions:
- The values for the ID entry in the trailer
- Any strings in an Encrypt dictionary
- Any strings that are inside streams such as content streams and compressed object streams, which themselves are encrypted
Encryption is not applied to other object types such as integers and boolean values, which are used primarily to convey information about the document's structure rather than its contents. Leaving these values unencrypted allows random access to the objects within a document, whereas encrypting the strings and streams protects the document's contents.
When a PDF stream object (see 7.3.8, "Stream Objects") refers to an external file, the stream’s contents shall not be encrypted, since they are not part of the PDF file itself. However, if the contents of the stream are embedded within the PDF file (see 7.11.4, "Embedded File Streams"), they shall be encrypted like any other stream in the file. Beginning with PDF 1.5, embedded files can be encrypted in an otherwise unencrypted document (see 7.6.5, "Crypt Filters").
Encryption-related information shall be stored in a document’s encryption dictionary, which shall be the value of the Encrypt entry in the document’s trailer dictionary (see Table 15). The absence of this entry from the trailer dictionary means that a conforming reader shall consider the document to be not encrypted. The entries shown in Table 20 are common to all encryption dictionaries.
The encryption dictionary’s Filter entry identifies the file’s security handler, a software module that implements various aspects of the encryption process and controls access to the contents of the encrypted document. PDF specifies a standard password-based security handler that all conforming readers shall support, but conforming readers can optionally provide additional security handlers of their own.
The SubFilter entry specifies the syntax of the encryption dictionary contents. It allows interoperability between handlers; that is, a document can be decrypted by a handler other than the preferred one (the Filter entry) if they both support the format specified by SubFilter.
The V entry, in specifying which algorithm to use, determines the length of the encryption key, on which the encryption (and decryption) of data in a PDF file shall be based. For V values 2 and 3, the Length entry specifies the exact length of the encryption key. In PDF 1.5, a value of 4 for V permits the security handler to use its own encryption and decryption algorithms and to specify crypt filters to use on specific streams (see 7.6.5, "Crypt Filters").
The remaining contents of the encryption dictionary shall be determined by the security handler and may vary from one handler to another. Entries for the standard security handler are described in 7.6.3, "Standard Security Handler." Entries for public-key security handlers are described in 7.6.4, "Public-Key Security Handlers."
Key | Type | Value |
---|---|---|
Filter | name | (Required) The name of the preferred security handler for this document. It shall be the name of the security handler that was used to encrypt the document. If SubFilter is not present, only this security handler shall be used when opening the document. If it is present, a conforming reader can use any security handler that implements the format specified by SubFilter. Standard shall be the name of the built-in password-based security handler. Names for other security handlers may be registered by using the procedure described in Annex E. |
SubFilter | name | (Optional; PDF 1.3) A name that completely specifies the format and interpretation of the contents of the encryption dictionary. It allows security handlers other than the one specified by Filter to decrypt the document. If this entry is absent, other security handlers shall not decrypt the document. NOTE This entry was introduced in PDF 1.3 to support the use of public-key cryptography in PDF files (see 7.6.4, "Public-Key Security Handlers"); however, it was not incorporated into the PDF Reference until the fourth edition (PDF 1.5). |
V | number | (Optional) A code specifying the algorithm to be used in encrypting and decrypting the document. 0: An algorithm that is undocumented. This value shall not be used. 1: "Algorithm 1: Encryption of data using the RC4 or AES algorithms" in 7.6.2, "General Encryption Algorithm," with an encryption key length of 40 bits; see below. 2: (PDF 1.4) "Algorithm 1: Encryption of data using the RC4 or AES algorithms" in 7.6.2, "General Encryption Algorithm," but permitting encryption key lengths greater than 40 bits. 3: (PDF 1.4) An unpublished algorithm that permits encryption key lengths ranging from 40 to 128 bits. This value shall not appear in a conforming PDF file. 4: (PDF 1.5) The security handler defines the use of encryption and decryption in the document, using the rules specified by the CF, StmF, and StrF entries. The default value if this entry is omitted shall be 0, but when present should be a value of 1 or greater. |
Length | integer | (Optional; PDF 1.4; only if V is 2 or 3) The length of the encryption key, in bits. The value shall be a multiple of 8, in the range 40 to 128. Default value: 40. |
CF | dictionary | (Optional; meaningful only when the value of V is 4; PDF 1.5) A dictionary whose keys shall be crypt filter names and whose values shall be the corresponding crypt filter dictionaries (see Table 25). Every crypt filter used in the document shall have an entry in this dictionary, except for the standard crypt filter names (see Table 26). The conforming reader shall ignore entries in CF dictionary with the keys equal to those listed in Table 26 and use properties of the respective standard crypt filters. |
StmF | name | (Optional; meaningful only when the value of V is 4; PDF 1.5) The name of the crypt filter that shall be used by default when decrypting streams. The name shall be a key in the CF dictionary or a standard crypt filter name specified in Table 26. All streams in the document, except for cross-reference streams (see 7.5.8, "Cross-Reference Streams") or streams that have a Crypt entry in their Filter array (see Table 6), shall be decrypted by the security handler, using this crypt filter. Default value: Identity. |
StrF | name | (Optional; meaningful only when the value of V is 4; PDF 1.5) The name of the crypt filter that shall be used when decrypting all strings in the document. The name shall be a key in the CF dictionary or a standard crypt filter name specified in Table 26. Default value: Identity. |
EFF | name | (Optional; meaningful only when the value of V is 4; PDF 1.6) The name of the crypt filter that shall be used when encrypting embedded file streams that do not have their own crypt filter specifier; it shall correspond to a key in the CF dictionary or a standard crypt filter name specified in Table 26. This entry shall be provided by the security handler. Conforming writers shall respect this value when encrypting embedded files, except for embedded file streams that have their own crypt filter specifier. If this entry is not present, and the embedded file stream does not contain a crypt filter specifier, the stream shall be encrypted using the default stream crypt filter specified by StmF. |
Unlike strings within the body of the document, those in the encryption dictionary shall be direct objects. The contents of the encryption dictionary shall not be encrypted (the algorithm specified by the V entry). Security handlers shall be responsible for encrypting any data in the encryption dictionary that they need to protect.
NOTE
Conforming writers have two choices if the encryption methods and syntax provided by PDF are not sufficient for their needs: they can provide an alternate security handler or they can encrypt whole PDF documents themselves, not making use of PDF security.
7.6.2 General Encryption Algorithm
One of the following algorithms shall be used when encrypting data in a PDF file:
- A proprietary encryption algorithm known as RC4. RC4 is a symmetric stream cipher: the same algorithm shall be used for both encryption and decryption, and the algorithm does not change the length of the data. RC4 is a copyrighted, proprietary algorithm of RSA Security, Inc. Independent software vendors may be required to license RC4 to develop software that encrypts or decrypts PDF documents. For further information, visit the RSA Web site at <http://www.rsasecurity.com> or send e-mail to <products@rsasecurity.com>.
- The AES (Advanced Encryption Standard) algorithm (beginning with PDF 1.6). AES is a symmetric block cipher: the same algorithm shall be used for both encryption and decryption, and the length of the data when encrypted is rounded up to a multiple of the block size, which is fixed to always be 16 bytes (as specified in FIPS 197, Advanced Encryption Standard (AES); see the Bibliography).
Strings and streams encrypted with AES shall use a padding scheme that is described in Internet RFC 2898, PKCS #5: Password-Based Cryptography Specification Version 2.0; see the Bibliography. For an original message length of M, the pad shall consist of 16 - (M mod 16) bytes whose value shall also be 16 - (M mod 16).
EXAMPLE
A 9-byte message has a pad of 7 bytes, each with the value 0x07. The pad can be unambiguously removed to determine the original message length when decrypting. Note that the pad is present when M is evenly divisible by 16; it contains 16 bytes of 0x10.
PDF’s standard encryption methods also make use of the MD5 message-digest algorithm for key generation purposes (described in Internet RFC 1321, The MD5 Message-Digest Algorithm; see the Bibliography).
The encryption of data in a PDF file shall be based on the use of an encryption key computed by the security handler. Different security handlers compute the encryption key using their own mechanisms. Regardless of how the key is computed, its use in the encryption of data shall always be the same (see "Algorithm 1: Encryption of data using the RC4 or AES algorithms"). Because the RC4 algorithm and AES algorithms are symmetric, this same sequence of steps shall be used both to encrypt and to decrypt data.
Algorithms in 7.6, “Encryption” are uniquely numbered within that clause in a manner that maintains compatibility with previous documentation.
Algorithm 1: Encryption of data using the RC4 or AES algorithms
- (a) Obtain the object number and generation number from the object identifier of the string or stream to be encrypted (see 7.3.10, "Indirect Objects"). If the string is a direct object, use the identifier of the indirect object containing it.
- (b) For all strings and streams without a crypt filter specifier: treating the object number and generation number as binary integers, extend the original n-byte encryption key to n + 5 bytes by appending the low-order 3 bytes of the object number and the low-order 2 bytes of the generation number in that order, low-order byte first. (n is 5 unless the value of V in the encryption dictionary is greater than 1, in which case n is the value of Length divided by 8.)
If using the AES algorithm, extend the encryption key an additional 4 bytes by adding the value “sAlT”, which corresponds to the hexadecimal values 0x73, 0x41, 0x6C, 0x54. (This addition is done for backward compatibility and is not intended to provide additional security.)
- (c) Initialize the MD5 hash function and pass the result of step (b) as input to this function.
- (d) Use the first (n + 5) bytes, up to a maximum of 16, of the output from the MD5 hash as the key for the RC4 or AES symmetric key algorithms, along with the string or stream data to be encrypted.
If using the AES algorithm, the Cipher Block Chaining (CBC) mode, which requires an initialization vector, is used. The block size parameter is set to 16 bytes, and the initialization vector is a 16-byte random number that is stored as the first 16 bytes of the encrypted stream or string.
The output is the encrypted data to be stored in the PDF file.
Stream data shall be encrypted after applying all stream encoding filters and shall be decrypted before applying any stream decoding filters. The number of bytes to be encrypted or decrypted shall be given by the Length entry in the stream dictionary. Decryption of strings (other than those in the encryption dictionary) shall be done after escape-sequence processing and hexadecimal decoding as appropriate to the string representation described in 7.3.4, "String Objects."
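The following Python sketch is an added example, not part of the specification text. It implements the per-object key derivation of Algorithm 1, the RC4 path, and the AES framing described above (IV prefix and padding, with strict pad validation); the AES cipher itself is left out because the Python standard library has none. All function names and the sample key are constructed for illustration.

```python
import hashlib

BLOCK = 16  # AES block size in bytes


def object_key(file_key: bytes, obj_num: int, gen_num: int, aes: bool = False) -> bytes:
    """Algorithm 1, steps (a)-(d): per-object key from the n-byte file key."""
    material = (
        file_key
        + (obj_num & 0xFFFFFF).to_bytes(3, "little")  # low-order 3 bytes, low byte first
        + (gen_num & 0xFFFF).to_bytes(2, "little")    # low-order 2 bytes, low byte first
    )
    if aes:
        material += b"sAlT"  # 0x73 0x41 0x6C 0x54, appended for AES only
    digest = hashlib.md5(material).digest()
    return digest[: min(len(file_key) + 5, 16)]  # first n + 5 bytes, at most 16


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crypt_string_rc4(file_key: bytes, obj_num: int, gen_num: int, data: bytes) -> bytes:
    """Encrypt or decrypt one string or stream belonging to object (obj_num, gen_num)."""
    return rc4(object_key(file_key, obj_num, gen_num), data)


def pad(message: bytes) -> bytes:
    """Append 16 - (M mod 16) bytes, each holding that same value."""
    n = BLOCK - (len(message) % BLOCK)
    return message + bytes([n]) * n


def unpad(padded: bytes) -> bytes:
    """Remove the pad, rejecting anything that is not a well-formed pad."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a positive multiple of 16")
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("malformed padding")
    return padded[:-n]


def split_aes_payload(stored: bytes) -> tuple:
    """Split a stored AES string or stream into (IV, CBC ciphertext)."""
    # The first 16 bytes are the IV; at least one padded block must follow.
    if len(stored) < 2 * BLOCK or len(stored) % BLOCK:
        raise ValueError("not a valid IV + CBC ciphertext layout")
    return stored[:BLOCK], stored[BLOCK:]


if __name__ == "__main__":
    file_key = bytes.fromhex("0102030405")  # constructed 40-bit key (n = 5)
    ct = crypt_string_rc4(file_key, 12, 0, b"(sample string)")
    print("object 12 key:", object_key(file_key, 12, 0).hex())
    print("ciphertext   :", ct.hex())
    print("round trip   :", crypt_string_rc4(file_key, 12, 0, ct))
    print("padded 9-byte message:", pad(b"123456789").hex())
```
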
7.6.3 Standard Security Handler
7.6.3.1 General
PDF’s standard security handler shall allow access permissions and up to two passwords to be specified for a document: an owner password and a user password. An application’s decision to encrypt a document shall be based on whether the user creating the document specifies any passwords or access restrictions.
EXAMPLE
A conforming writer may have a security settings dialog box that the user can invoke before saving the PDF file.
If passwords or access restrictions are specified, the document shall be encrypted, and the permissions and information required to validate the passwords shall be stored in the encryption dictionary. Documents in which only file attachments are encrypted shall use the same password as the user and owner password.
NOTE 1
A conforming writer may also create an encrypted document without any user interaction if it has some other source of information about what passwords and permissions to use.
If a user attempts to open an encrypted document that has a user password, the conforming reader shall first try to authenticate the encrypted document using the padding string defined in 7.6.3.3, "Encryption Key Algorithm" (default user password):
- If this authentication attempt is successful, the conforming reader may open, decrypt and display the document on the screen.
- If this authentication attempt fails, the application should prompt for a password. Correctly supplying either password (owner or user password) should enable the user to open the document, decrypt it, and display it on the screen.
Whether additional operations shall be allowed on a decrypted document depends on which password (if any) was supplied when the document was opened and on any access restrictions that were specified when the document was created:
- Opening the document with the correct owner password should allow full (owner) access to the document. This unlimited access includes the ability to change the document’s passwords and access permissions.
- Opening the document with the correct user password (or opening a document with the default password) should allow additional operations to be performed according to the user access permissions specified in the document’s encryption dictionary.
Access permissions shall be specified in the form of flags corresponding to the various operations, and the set of operations to which they correspond shall depend on the security handler’s revision number (also stored in the encryption dictionary). If the security handler’s revision number is 2 or greater, the operations to which user access can be controlled shall be as follows:
- Modifying the document’s contents
- Copying or otherwise extracting text and graphics from the document, including extraction for accessibility purposes (that is, to make the contents of the document accessible through assistive technologies such as screen readers or Braille output devices; see 14.9, "Accessibility Support").
- Adding or modifying text annotations (see 12.5.6.4, "Text Annotations") and interactive form fields (see 12.7, "Interactive Forms")
- Printing the document
If the security handler’s revision number is 3 or greater, user access to the following operations shall be controlled more selectively:
- Filling in forms (that is, filling in existing interactive form fields) and signing the document (which amounts to filling in existing signature fields, a type of interactive form field).
- Assembling the document: inserting, rotating, or deleting pages and creating navigation elements such as bookmarks or thumbnail images (see 12.3, "Document-Level Navigation").
- Printing to a representation from which a faithful digital copy of the PDF content could be generated. Disallowing such printing may result in degradation of output quality.
In addition, security handlers of revisions 3 and greater shall enable the extraction of text and graphics (in support of accessibility to users with disabilities or for other purposes) to be controlled separately.
If a security handler of revision 4 is specified, the standard security handler shall support crypt filters (see 7.6.5, "Crypt Filters"). The support shall be limited to the Identity crypt filter (see Table 26) and crypt filters named StdCF whose dictionaries contain a CFM value of V2 or AESV2 and an AuthEvent value of DocOpen. Public-Key security handlers in this case shall use crypt filters named DefaultCryptFilter when all document content is encrypted, and shall use crypt filters named DefEmbeddedFile when file attachments only are encrypted in place of StdCF name. This nomenclature shall not be used as indicator of the type of the security handler or encryption.
Once the document has been opened and decrypted successfully, a conforming reader technically has access to the entire contents of the document. There is nothing inherent in PDF encryption that enforces the document permissions specified in the encryption dictionary. Conforming readers shall respect the intent of the document creator by restricting user access to an encrypted PDF file according to the permissions contained in the file.
NOTE 2
PDF 1.5 introduces a set of access permissions that do not require the document to be encrypted (see 12.8.4, "Permissions"). This enables limited access to a document when a user is not able to respond to a prompt for a password. For example, there may be conforming readers that do not have a person running them, such as printing off-line or on a server.
7.6.3.2 Standard Encryption Dictionary
Table 21 shows the encryption dictionary entries for the standard security handler (in addition to those in Table 20).
Key | Type | Value |
---|---|---|
R | number | (Required) A number specifying which revision of the standard security handler shall be used to interpret this dictionary. 2: if the document is encrypted with a V value less than 2 (see Table 20) and does not have any of the access permissions set to 0 (by means of the P entry, below) that are designated “Security handlers of revision 3 or greater” in Table 22. 3: if the document is encrypted with a V value of 2 or 3, or has any “Security handlers of revision 3 or greater” access permissions set to 0. 4: if the document is encrypted with a V value of 4. |
Length | integer | (Optional; PDF 1.4; only if V is 2 or 3) The length of the encryption key, in bits. The value shall be a multiple of 8, in the range 40 to 128. Default value: 40. |
O | string | (Required) A 32-byte string, based on both the owner and user passwords, that shall be used in computing the encryption key and in determining whether a valid owner password was entered. For more information, see 7.6.3.3, "Encryption Key Algorithm," and 7.6.3.4, "Password Algorithms." |
U | string | (Required) A 32-byte string, based on the user password, that shall be used in determining whether to prompt the user for a password and, if so, whether a valid user or owner password was entered. For more information, see 7.6.3.4, "Password Algorithms." |
P | integer | (Required) A set of flags specifying which operations shall be permitted when the document is opened with user access (see Table 22). |
EncryptMetadata | boolean | (Optional; meaningful only when the value of V is 4; PDF 1.5) Indicates whether the document-level metadata stream (see 14.3.2, "Metadata Streams") shall be encrypted. Conforming products should respect this value. Default value: true. |
The values of the O and U entries in this dictionary shall be used to determine whether a password entered when the document is opened is the correct owner password, user password, or neither.
The value of the P entry shall be interpreted as an unsigned 32-bit quantity containing a set of flags specifying which access permissions shall be granted when the document is opened with user access. Table 22 shows the meanings of these flags. Bit positions within the flag word shall be numbered from 1 (low-order) to 32 (high-order). A 1 bit in any position shall enable the corresponding access permission. Which bits shall be meaningful, and in some cases how they shall be interpreted, shall depend on the security handler’s revision number (specified in the encryption dictionary’s R entry).
Conforming readers shall ignore all flags other than those at bit positions 3, 4, 5, 6, 9, 10, 11, and 12.
NOTE
PDF integer objects can be interpreted as binary values in a signed twos-complement form. Since all the reserved high-order flag bits in the encryption dictionary’s P value are required to be 1, the integer value P shall be specified as a negative integer. For example, assuming revision 2 of the security handler, the value -44 permits printing and copying but disallows modifying the contents and annotations.
Bit position | Meaning |
---|---|
3 | (Security handlers of revision 2) Print the document. (Security handlers of revision 3 or greater) Print the document (possibly not at the highest quality level, depending on whether bit 12 is also set). |
4 | Modify the contents of the document by operations other than those controlled by bits 6, 9, and 11. |
5 | (Security handlers of revision 2) Copy or otherwise extract text and graphics from the document, including extracting text and graphics (in support of accessibility to users with disabilities or for other purposes). (Security handlers of revision 3 or greater) Copy or otherwise extract text and graphics from the document by operations other than that controlled by bit 10. |
6 | Add or modify text annotations, fill in interactive form fields, and, if bit 4 is also set, create or modify interactive form fields (including signature fields). |
9 | (Security handlers of revision 3 or greater) Fill in existing interactive form fields (including signature fields), even if bit 6 is clear. |
10 | (Security handlers of revision 3 or greater) Extract text and graphics (in support of accessibility to users with disabilities or for other purposes). |
11 | (Security handlers of revision 3 or greater) Assemble the document (insert, rotate, or delete pages and create bookmarks or thumbnail images), even if bit 4 is clear. |
12 | (Security handlers of revision 3 or greater) Print the document to a representation from which a faithful digital copy of the PDF content could be generated. When this bit is clear (and bit 3 is set), printing is limited to a low-level representation of the appearance, possibly of degraded quality. |
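The following Python sketch is an added example, not part of the specification text. It decodes a P value into the Table 22 flags that are meaningful for a given revision R, using the -44 case from the NOTE above; the function name, dictionary keys and the other sample values are constructed for illustration. Because nothing in PDF encryption enforces these flags (see 7.6.3.1), the result describes what a conforming reader is asked to honour, not what the file's contents are protected against.

```python
# Table 22 bit positions (1 = low-order bit) and a short label for each.
R2_BITS = {3: "print", 4: "modify_contents", 5: "copy_extract", 6: "annotate"}
R3_BITS = {
    9: "fill_existing_forms",
    10: "extract_for_accessibility",
    11: "assemble",
    12: "print_faithful_copy",
}
RESERVED_HIGH = 0xFFFFF000  # bit positions 13-32, required to be 1


def decode_permissions(p: int, revision: int) -> dict:
    """Decode the P entry for a standard security handler of the given revision."""
    if not -(2**31) <= p < 2**32:
        raise ValueError("P does not fit in 32 bits")
    if revision < 2:
        raise ValueError("Table 22 is defined for revision 2 or greater")
    word = p & 0xFFFFFFFF  # signed twos-complement -> unsigned 32-bit flag word

    def bit(pos: int) -> bool:
        return bool((word >> (pos - 1)) & 1)

    meaningful = dict(R2_BITS)
    if revision >= 3:
        meaningful.update(R3_BITS)
    flags = {name: bit(pos) for pos, name in meaningful.items()}

    # Printing: for revision 3 or greater, bit 12 separates a faithful
    # representation from a possibly degraded one.
    if not bit(3):
        print_level = "none"
    elif revision >= 3 and not bit(12):
        print_level = "low-quality"
    else:
        print_level = "full"

    return {
        "word": f"0x{word:08X}",
        "flags": flags,
        "print_level": print_level,
        # Bit 6 allows creating or modifying form fields only if bit 4 is also set.
        "create_form_fields": bit(4) and bit(6),
        # False means the reserved high-order bits are not all 1, which the
        # NOTE says a valid P never produces (P should be negative).
        "reserved_high_bits_ok": (word & RESERVED_HIGH) == RESERVED_HIGH,
    }


if __name__ == "__main__":
    # -44 is the value from the NOTE; -3900 and 4 are constructed samples.
    for p, r in [(-44, 2), (-44, 3), (-3900, 3), (4, 2)]:
        print(p, r, decode_permissions(p, r))
```
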
7.6.3.3 Encryption Key Algorithm
As noted earlier, one function of a security handler is to generate an encryption key for use in encrypting and decrypting the contents of a document. Given a password string, the standard security handler computes an encryption key as shown in "Algorithm 2: Computing an encryption key".
Algorithm 2: Computing an encryption key
- (a) Pad or truncate the password string to exactly 32 bytes. If the password string is more than 32 bytes long, use only its first 32 bytes; if it is less than 32 bytes long, pad it by appending the required number of additional bytes from the beginning of the following padding string:
< 28 BF 4E 5E 4E 75 8A 41 64 00 4E 56 FF FA 01 08
2E 2E 00 B6 D0 68 3E 80 2F 0C A9 FE 64 53 69 7A >
That is, if the password string is n bytes long, append the first 32 - n bytes of the padding string to the end of the password string. If the password string is empty (zero-length), meaning there is no user password, substitute the entire padding string in its place.
- (b) Initialize the MD5 hash function and pass the result of step (a) as input to this function.
- (c) Pass the value of the encryption dictionary’s O entry to the MD5 hash function. ("Algorithm 3: Computing the encryption dictionary’s O (owner password) value" shows how the O value is computed.)
- (d) Convert the integer value of the P entry to a 32-bit unsigned binary number and pass these bytes to the MD5 hash function, low-order byte first.
- (e) Pass the first element of the file’s file identifier array (the value of the ID entry in the document’s trailer dictionary; see Table 15) to the MD5 hash function.
NOTE
The first element of the ID array generally remains the same for a given document. However, in some situations, conforming writers may regenerate the ID array if a new generation of a document is created. Security handlers are encouraged not to rely on the ID in the encryption key computation.
- (f) (Security handlers of revision 4 or greater) If document metadata is not being encrypted, pass 4 bytes with the value 0xFFFFFFFF to the MD5 hash function.
- (g) Finish the hash.
- (h) (Security handlers of revision 3 or greater) Do the following 50 times: take the output from the previous MD5 hash and pass the first n bytes of the output as input into a new MD5 hash, where n is the number of bytes of the encryption key as defined by the value of the encryption dictionary’s Length entry.
- (i) Set the encryption key to the first n bytes of the output from the final MD5 hash, where n shall always be 5 for security handlers of revision 2 but, for security handlers of revision 3 or greater, shall depend on the value of the encryption dictionary’s Length entry.
This algorithm, when applied to the user password string, produces the encryption key used to encrypt or decrypt string and stream data according to "Algorithm 1: Encryption of data using the RC4 or AES algorithms" in 7.6.2, "General Encryption Algorithm." Parts of this algorithm are also used in the algorithms described below.
- Finish the hash.
- (Security handlers of revision 3 or greater) Do the following 50 times: Take the output from the previous MD5 hash and pass the first n bytes of the output as input into a new MD5 hash, where n is the number of bytes of the encryption key as defined by the value of the encryption dictionary’s Length entry.
- Set the encryption key to the first n bytes of the output from the final MD5 hash, where n shall always be 5 for security handlers of revision 2 but, for security handlers of revision 3 or greater, shall depend on the value of the encryption dictionary’s Length entry.
This algorithm, when applied to the user password string, produces the encryption key used to encrypt or decrypt string and stream data according to "Algorithm 1: Encryption of data using the RC4 or AES algorithms" in 7.6.2, "General Encryption Algorithm." Parts of this algorithm are also used in the algorithms described below.
7.6.3.4 Password Algorithms
In addition to the encryption key, the standard security handler shall provide the contents of the encryption dictionary (Table 20 and Table 21). The values of the Filter, V, Length, R, and P entries are straightforward, but the computation of the O (owner password) and U (user password) entries requires further explanation. Algorithms 3 through 7, which follow, show how the values of the owner password and user password entries shall be computed (with separate versions of the latter depending on the revision of the security handler).
Algorithm 3: Computing the encryption dictionary’s O (owner password) value
- Pad or truncate the owner password string as described in step (a) of "Algorithm 2: Computing an encryption key". If there is no owner password, use the user password instead.
- Initialize the MD5 hash function and pass the result of step (a) as input to this function.
- (Security handlers of revision 3 or greater) Do the following 50 times: Take the output from the previous MD5 hash and pass it as input into a new MD5 hash.
- Create an RC4 encryption key using the first n bytes of the output from the final MD5 hash, where n shall always be 5 for security handlers of revision 2 but, for security handlers of revision 3 or greater, shall depend on the value of the encryption dictionary’s Length entry.
- Pad or truncate the user password string as described in step (a) of "Algorithm 2: Computing an encryption key".
- Encrypt the result of step (e), using an RC4 encryption function with the encryption key obtained in step (d).
- (Security handlers of revision 3 or greater) Do the following 19 times: Take the output from the previous invocation of the RC4 function and pass it as input to a new invocation of the function; use an encryption key generated by taking each byte of the encryption key obtained in step (d) and performing an XOR (exclusive or) operation between that byte and the single-byte value of the iteration counter (from 1 to 19).
- Store the output from the final invocation of the RC4 function as the value of the O entry in the encryption dictionary.
Algorithm 4: Computing the encryption dictionary’s U (user password) value (Security handlers of revision 2)
- Create an encryption key based on the user password string, as described in "Algorithm 2: Computing an encryption key".
- Encrypt the 32-byte padding string shown in step (a) of "Algorithm 2: Computing an encryption key", using an RC4 encryption function with the encryption key from the preceding step.
- Store the result of step (b) as the value of the U entry in the encryption dictionary.
Algorithm 5: Computing the encryption dictionary’s U (user password) value (Security handlers of revision 3 or greater)
- Create an encryption key based on the user password string, as described in "Algorithm 2: Computing an encryption key".
- Initialize the MD5 hash function and pass the 32-byte padding string shown in step (a) of "Algorithm 2: Computing an encryption key" as input to this function.
- Pass the first element of the file’s file identifier array (the value of the ID entry in the document’s trailer dictionary; see Table 15) to the hash function and finish the hash.
- Encrypt the 16-byte result of the hash, using an RC4 encryption function with the encryption key from step (a).
- Do the following 19 times: Take the output from the previous invocation of the RC4 function and pass it as input to a new invocation of the function; use an encryption key generated by taking each byte of the original encryption key obtained in step (a) and performing an XOR (exclusive or) operation between that byte and the single-byte value of the iteration counter (from 1 to 19).
- Append 16 bytes of arbitrary padding to the output from the final invocation of the RC4 function and store the 32-byte result as the value of the U entry in the encryption dictionary.
NOTE
The standard security handler uses algorithms 6 and 7, which follow, to determine whether a supplied password string is the correct user or owner password. Note too that algorithm 6 can be used to determine whether a document’s user password is the empty string, and therefore whether to suppress prompting for a password when the document is opened.
Algorithm 6: Authenticating the user password
- Perform all but the last step of "Algorithm 4: Computing the encryption dictionary’s U (user password) value (Security handlers of revision 2)" or "Algorithm 5: Computing the encryption dictionary’s U (user password) value (Security handlers of revision 3 or greater)" using the supplied password string.
- If the result of step (a) is equal to the value of the encryption dictionary’s U entry (comparing on the first 16 bytes in the case of security handlers of revision 3 or greater), the password supplied is the correct user password. The key obtained in step (a) (that is, in the first step of "Algorithm 4: Computing the encryption dictionary’s U (user password) value (Security handlers of revision 2)" or "Algorithm 5: Computing the encryption dictionary’s U (user password) value (Security handlers of revision 3 or greater)") shall be used to decrypt the document.
Algorithm 7: Authenticating the owner password
- Compute an encryption key from the supplied password string, as described in steps (a) to (d) of "Algorithm 3: Computing the encryption dictionary’s O (owner password) value".
- (Security handlers of revision 2 only) Decrypt the value of the encryption dictionary’s O entry, using an RC4 encryption function with the encryption key computed in step (a).
  (Security handlers of revision 3 or greater) Do the following 20 times: Decrypt the value of the encryption dictionary’s O entry (first iteration) or the output from the previous iteration (all subsequent iterations), using an RC4 encryption function with a different encryption key at each iteration. The key shall be generated by taking the original key (obtained in step (a)) and performing an XOR (exclusive or) operation between each byte of the key and the single-byte value of the iteration counter (from 19 to 0).
- The result of step (b) purports to be the user password. Authenticate this user password using "Algorithm 6: Authenticating the user password". If it is correct, the password supplied is the correct owner password.
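Algorithm 2 (7.6.3.3) and Algorithms 3 through 7 (7.6.3.4) carried through in Python, as an added example that is not part of the specification text. The function names, the dictionary layout of `enc`, and the writer-side helper `make_encrypt_dict` are assumptions made for this illustration; RC4 is written out because the Python standard library does not provide it.

```python
import hashlib
import hmac

# 32-byte padding string from step (a) of Algorithm 2.
PAD = bytes.fromhex("28BF4E5E4E758A4164004E56FFFA0108"
                    "2E2E00B6D0683E802F0CA9FE6453697A")

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def pad_password(pw: bytes) -> bytes:
    """Step (a): truncate to 32 bytes, or top up from the start of PAD."""
    return (pw + PAD)[:32]

def key_len(r: int, length_bits: int) -> int:
    """n is always 5 for revision 2, otherwise Length / 8."""
    return 5 if r == 2 else length_bits // 8

def xor_key(key: bytes, counter: int) -> bytes:
    return bytes(b ^ counter for b in key)

def compute_key(pw, o, p, file_id, r, length_bits, encrypt_metadata=True):
    """Algorithm 2: encryption key from a password string."""
    n = key_len(r, length_bits)
    h = hashlib.md5(pad_password(pw))
    h.update(o)
    h.update((p & 0xFFFFFFFF).to_bytes(4, "little"))  # P, low-order byte first
    h.update(file_id)
    if r >= 4 and not encrypt_metadata:
        h.update(b"\xff\xff\xff\xff")
    digest = h.digest()
    if r >= 3:
        for _ in range(50):
            digest = hashlib.md5(digest[:n]).digest()
    return digest[:n]

def owner_key(owner_pw, r, length_bits):
    """Algorithm 3, steps (a) to (d): RC4 key from the owner password."""
    digest = hashlib.md5(pad_password(owner_pw)).digest()
    if r >= 3:
        for _ in range(50):
            digest = hashlib.md5(digest).digest()
    return digest[:key_len(r, length_bits)]

def compute_o(owner_pw, user_pw, r, length_bits):
    """Algorithm 3: the O entry (user password stands in for a missing owner password)."""
    key = owner_key(owner_pw or user_pw, r, length_bits)
    out = rc4(key, pad_password(user_pw))
    if r >= 3:
        for i in range(1, 20):
            out = rc4(xor_key(key, i), out)
    return out

def u_check_value(key, file_id, r):
    """Algorithm 4 (revision 2), or Algorithm 5 without its final padding step."""
    if r == 2:
        return rc4(key, PAD)
    out = rc4(key, hashlib.md5(PAD + file_id).digest())
    for i in range(1, 20):
        out = rc4(xor_key(key, i), out)
    return out

def authenticate_user(pw, enc, file_id):
    """Algorithm 6: return the document key, or None if pw is not the user password."""
    key = compute_key(pw, enc["O"], enc["P"], file_id, enc["R"], enc["Length"],
                      enc.get("EncryptMetadata", True))
    stored = enc["U"] if enc["R"] == 2 else enc["U"][:16]
    ok = hmac.compare_digest(u_check_value(key, file_id, enc["R"]), stored)
    return key if ok else None

def authenticate_owner(pw, enc, file_id):
    """Algorithm 7: recover the padded user password from O, then run Algorithm 6."""
    key = owner_key(pw, enc["R"], enc["Length"])
    candidate = enc["O"]
    counters = [0] if enc["R"] == 2 else range(19, -1, -1)
    for i in counters:
        candidate = rc4(xor_key(key, i), candidate)
    return authenticate_user(candidate, enc, file_id)

def make_encrypt_dict(user_pw, owner_pw, p, file_id, r, length_bits):
    """Writer side, used only to build a constructed sample: fill in O and U."""
    o = compute_o(owner_pw, user_pw, r, length_bits)
    key = compute_key(user_pw, o, p, file_id, r, length_bits)
    u = u_check_value(key, file_id, r) + (bytes(16) if r >= 3 else b"")
    return {"R": r, "Length": length_bits, "P": p, "O": o, "U": u}
```

The owner path never touches the file's data: it only unwraps O back into the padded user password, so both passwords lead to the same document key.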
7.6.4 Public-Key Security Handlers
7.6.4.1 General
Security handlers may use public-key encryption technology to encrypt a document (or strings and streams within a document). When doing so, one or more lists of recipients may be specified, where each list has its own unique access permissions. Only specified recipients shall open the encrypted document or content, unlike the standard security handler, where a password determines access. The permissions defined for public-key security handlers are shown in Table 24 in 7.6.4.2, "Public-Key Encryption Dictionary".
Public-key security handlers use the industry standard Public Key Cryptographic Standard Number 7 (PKCS#7) binary encoding syntax to encode recipient list, decryption key, and access permission information. The PKCS#7 specification is in Internet RFC 2315, PKCS #7: Cryptographic Message Syntax, Version 1.5 (see the Bibliography).
When encrypting the data, each recipient’s X.509 public key certificate (as described in ITU-T Recommendation X.509; see the [Bibliography](../bibliography.md)) shall be available. When decrypting the data, the conforming reader shall scan the recipient list for which the content is encrypted and shall attempt to find a match with a certificate that belongs to the user. If a match is found, the user requires access to the corresponding private key, which may require authentication, possibly using a password. Once access is obtained, the private key shall be used to decrypt the encrypted data.
7.6.4.2 Public-Key Encryption Dictionary
Encryption dictionaries for public-key security handlers contain the common entries shown in Table 20, whose values are described above. In addition, they may contain the entry shown in Table 23 as described below.
The Filter entry shall be the name of a public-key security handler.
NOTE
Examples of existing security handlers that support public-key encryption are Entrust.PPKEF, Adobe.PPKLite, and Adobe.PubSec. This handler will be the preferred handler when encrypting the document.
Permitted values of the SubFilter entry for use with conforming public-key security handlers are adbe.pkcs7.s3 and adbe.pkcs7.s4, which shall be used when not using crypt filters (see 7.6.5, "Crypt Filters"), and adbe.pkcs7.s5, which shall be used when using crypt filters.
The CF, StmF, and StrF entries may be present when SubFilter is adbe.pkcs7.s5.
Key | Type | Value |
---|---|---|
Recipients | array | (Required when SubFilter is adbe.pkcs7.s3 or adbe.pkcs7.s4; PDF 1.3) An array of byte-strings, where each string is a PKCS#7 object listing recipients who have been granted equal access rights to the document. The data contained in the PKCS#7 object shall include both a cryptographic key that shall be used to decrypt the encrypted data and the access permissions (see Table 24) that apply to the recipient list. There shall be only one PKCS#7 object per unique set of access permissions; if a recipient appears in more than one list, the permissions used shall be those in the first matching list. When SubFilter is adbe.pkcs7.s5, recipient lists shall be specified in the crypt filter dictionary; see Table 27. |
P | integer | (Required) A set of flags specifying which operations shall be permitted when the document is opened with user access. If bit 2 is set to 1, all other bits are ignored and all operations are permitted. If bit 2 is set to 0, permissions for operations are based on the values of the remaining flags defined in Table 24. |
The value of the P entry shall be interpreted as an unsigned 32-bit quantity containing a set of flags specifying which access permissions shall be granted when the document is opened with user access. Table 24 shows the meanings of these flags. Bit positions within the flag word shall be numbered from 1 (low-order) to 32 (high-order). A 1 bit in any position shall enable the corresponding access permission.
Conforming readers shall ignore all flags other than those at bit positions 2, 3, 4, 5, 6, 9, 10, 11, and 12.
Bit position | Meaning |
---|---|
2 | When set, permits change of encryption and enables all other permissions. |
3 | Print the document (possibly not at the highest quality level, depending on whether bit 12 is also set). |
4 | Modify the contents of the document by operations other than those controlled by bits 6, 9, and 11. |
5 | Copy or otherwise extract text and graphics from the document by operations other than that controlled by bit 10. |
6 | Add or modify text annotations, fill in interactive form fields, and, if bit 4 is also set, create or modify interactive form fields (including signature fields). |
9 | Fill in existing interactive form fields (including signature fields), even if bit 6 is clear. |
10 | Extract text and graphics (in support of accessibility to users with disabilities or for other purposes). |
11 | Assemble the document (insert, rotate, or delete pages and create bookmarks or thumbnail images), even if bit 4 is clear. |
12 | Print the document to a representation from which a faithful digital copy of the PDF content could be generated. When this bit is clear (and bit 3 is set), printing is limited to a low-level representation of the appearance, possibly of degraded quality. |
7.6.4.3 Public-Key Encryption Algorithms
Figure 4 illustrates how PKCS#7 objects shall be used when encrypting PDF files. A PKCS#7 object is designed to encapsulate and encrypt what is referred to as the enveloped data.
The enveloped data in the PKCS#7 object contains keying material that shall be used to decrypt the document (or individual strings or streams in the document, when crypt filters are used; see 7.6.5, "Crypt Filters"). A key shall be used to encrypt (and decrypt) the enveloped data. This key (the plaintext key in Figure 4) shall be encrypted for each recipient, using that recipient’s public key, and shall be stored in the PKCS#7 object (as the encrypted key for each recipient). To decrypt the document, that key shall be decrypted using the recipient’s private key, which yields a decrypted (plaintext) key. That key, in turn, shall be used to decrypt the enveloped data in the PKCS#7 object, resulting in a byte array that includes the following information:
- A 20-byte seed that shall be used to create the encryption key that is used by "Algorithm 1: Encryption of data using the RC4 or AES algorithms". The seed shall be a unique random number generated by the security handler that encrypted the document.
- A 4-byte value defining the permissions, least significant byte first. See Table 24 for the possible permission values.
  - When SubFilter is adbe.pkcs7.s3, the relevant permissions shall be only those specified for revision 2 of the standard security handler.
  - For adbe.pkcs7.s4, the permissions of revision 3 security handlers shall apply.
  - For adbe.pkcs7.s5, which supports the use of crypt filters, the permissions shall be the same as adbe.pkcs7.s4 when the crypt filter is referenced from the StmF or StrF entries of the encryption dictionary. When referenced from the Crypt filter decode parameter dictionary of a stream object (see Table 14), the 4 bytes of permissions shall be absent from the enveloped data.
The algorithms that shall be used to encrypt the enveloped data in the PKCS#7 object are: RC4 with key lengths up to 256 bits, DES, Triple DES, RC2 with key lengths up to 128 bits, 128-bit AES in Cipher Block Chaining (CBC) mode, 192-bit AES in CBC mode, 256-bit AES in CBC mode. The PKCS#7 specification is in Internet RFC 2315, PKCS #7: Cryptographic Message Syntax, Version 1.5 (see the Bibliography).
The encryption key used by "Algorithm 1: Encryption of data using the RC4 or AES algorithms" shall be calculated by means of an SHA-1 message digest operation that digests the following data, in order:
- The 20 bytes of seed
- The bytes of each item in the Recipients array of PKCS#7 objects in the order in which they appear in the array
- 4 bytes with the value 0xFF if the key being generated is intended for use in document-level encryption and the document metadata is being left as plaintext
The first n/8 bytes of the resulting digest shall be used as the encryption key, where n is the bit length of the encryption key.
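The SHA-1 key calculation above, together with the split of the decrypted enveloped data and the bit 2 override on P from 7.6.4.2, as an added Python example that is not part of the specification text. The function and permission names are assumptions for illustration, and the PKCS#7 decryption itself is out of scope: the functions take the already-decrypted bytes.

```python
import hashlib

# Bit positions from the permissions table in 7.6.4.2 (bit 1 is the low-order bit).
# The short names are labels chosen for this example.
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy", 6: "annotate",
                   9: "fill_forms", 10: "extract_for_accessibility",
                   11: "assemble", 12: "print_faithful"}
# Bits the standard handler's table marks "revision 3 or greater"; not relevant
# when SubFilter is adbe.pkcs7.s3 (revision 2 permissions only).
REVISION_3_BITS = {9, 10, 11, 12}


def decode_permissions(p: int, subfilter: str = "adbe.pkcs7.s4") -> set:
    """Turn a P value into the set of granted operations."""
    p &= 0xFFFFFFFF                      # interpret as unsigned 32-bit
    if p & (1 << 1):                     # bit 2: all other bits are ignored
        return {"change_encryption", *PERMISSION_BITS.values()}
    granted = set()
    for bit, name in PERMISSION_BITS.items():
        if subfilter == "adbe.pkcs7.s3" and bit in REVISION_3_BITS:
            continue
        if p & (1 << (bit - 1)):
            granted.add(name)
    return granted


def parse_enveloped(plaintext: bytes, has_permissions: bool = True):
    """Split decrypted enveloped data into (seed, P).

    has_permissions is False when the crypt filter is referenced from a stream's
    Crypt filter decode parameters, where the 4 permission bytes are absent.
    """
    needed = 24 if has_permissions else 20
    if len(plaintext) < needed:
        raise ValueError(f"enveloped data too short: {len(plaintext)} < {needed}")
    seed = plaintext[:20]
    p = int.from_bytes(plaintext[20:24], "little") if has_permissions else None
    return seed, p


def derive_key(seed: bytes, recipients: list, key_bits: int,
               plaintext_metadata: bool = False) -> bytes:
    """SHA-1 over seed, then every Recipients item in array order, then 0xFF x 4."""
    if len(seed) != 20:
        raise ValueError("seed must be 20 bytes")
    if key_bits % 8 or not 0 < key_bits <= 160:
        raise ValueError("key length must be a multiple of 8 and fit in a SHA-1 digest")
    h = hashlib.sha1(seed)
    for item in recipients:              # raw bytes of each PKCS#7 object
        h.update(item)
    if plaintext_metadata:               # document-level key, metadata left in clear
        h.update(b"\xff" * 4)
    return h.digest()[: key_bits // 8]
```

Because every Recipients item is digested in array order, reordering or editing the recipient list changes the derived key even when the seed is unchanged.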
7.6.5 Crypt Filters
PDF 1.5 introduces crypt filters, which provide finer granularity control of encryption within a PDF file. The use of crypt filters involves the following structures:
- The encryption dictionary (see Table 20) contains entries that enumerate the crypt filters in the document (CF) and specify which ones are used by default to decrypt all the streams (StmF) and strings (StrF) in the document. In addition, the value of the V entry shall be 4 to use crypt filters.
- Each crypt filter specified in the CF entry of the encryption dictionary shall be represented by a crypt filter dictionary, whose entries are shown in Table 25.
- A stream filter type, the Crypt filter (see 7.4.10, "Crypt Filter"), can be specified for any stream in the document to override the default filter for streams. A conforming reader shall provide a standard Identity filter which shall pass the data unchanged (see Table 26) to allow specific streams, such as document metadata, to be unencrypted in an otherwise encrypted document. The stream’s DecodeParms entry shall contain a Crypt filter decode parameters dictionary (see Table 14) whose Name entry specifies the particular crypt filter to be used (if missing, Identity is used). Different streams may specify different crypt filters.
Authorization to decrypt a stream shall always be obtained before the stream can be accessed. This typically occurs when the document is opened, as specified by a value of DocOpen for the AuthEvent entry in the crypt filter dictionary. Conforming readers and security handlers shall treat any attempt to access a stream for which authorization has failed as an error. AuthEvent can also be EFOpen, which indicates the presence of an embedded file that is encrypted with a crypt filter that may be different from the crypt filters used by default to encrypt strings and streams in the document.
In the file specification dictionary (see 7.11.3, "File Specification Dictionaries"), related files (RF) shall use the same crypt filter as the embedded file (EF).
A value of None for the CFM entry in the crypt filter dictionary allows the security handler to do its own decryption. This allows the handler to tightly control key management and use any preferred symmetric-key cryptographic algorithm.
Key | Type | Value |
---|---|---|
Type | name | (Optional) If present, shall be CryptFilter for a crypt filter dictionary. |
CFM | name | (Optional) The method used, if any, by the conforming reader to decrypt data. The following values shall be supported:
Only the values listed here shall be supported. Applications that encounter other values shall report that the file is encrypted with an unsupported algorithm. Default value: None. |
AuthEvent | name | (Optional) The event to be used to trigger the authorization that is required to access encryption keys used by this filter. If authorization fails, the event shall fail. Valid values shall be:
If this filter is used as the value of StrF or StmF in the encryption dictionary (see Table 20), the conforming reader shall ignore this key and behave as if the value is DocOpen. |
Length | integer | (Optional) The bit length of the encryption key. It shall be a multiple of 8 in the range of 40 to 128. Security handlers may define their own use of the Length entry and should use it to define the bit length of the encryption key. The standard security handler expresses the length in multiples of 8 (16 means 128) and the public-key security handler expresses it as is (128 means 128). |
Security handlers may add their own private data to crypt filter dictionaries. Names for private data entries shall conform to the PDF name registry (see Annex E).
Name | Description |
---|---|
Identity | Input data shall be passed through without any processing. |
Table 27 lists the additional crypt filter dictionary entries used by public-key security handlers (see 7.6.4, "Public-Key Security Handlers"). When these entries are present, the value of CFM shall be V2 or AESV2.
Key | Type | Value |
---|---|---|
Type | name | (Optional) If present, shall be CryptFilter for a crypt filter dictionary. |
Recipients | array or string | (Required) If the crypt filter is referenced from StmF or StrF in the encryption dictionary, this entry shall be an array of byte strings, where each string shall be a binary-encoded PKCS#7 object that shall list recipients that have been granted equal access rights to the document. The enveloped data contained in the PKCS#7 object shall include both a 20-byte seed value that shall be used to compute the encryption key (see 7.6.4.3, "Public-Key Encryption Algorithms") followed by 4 bytes of permissions settings (see Table 22) that shall apply to the recipient list. There shall be only one object per unique set of access permissions. If a recipient appears in more than one list, the permissions used shall be those in the first matching list. If the crypt filter is referenced from a Crypt filter decode parameter dictionary (see Table 14), this entry shall be a string that shall be a binary-encoded PKCS#7 object that shall contain a list of all recipients who are permitted to access the corresponding encrypted stream. The enveloped data contained in the PKCS#7 object shall be a 20-byte seed value that shall be used to create the encryption key that shall be used by the algorithm in "Algorithm 1: Encryption of data using the RC4 or AES algorithms". |
EncryptMetadata | boolean | (Optional; used only by crypt filters that are referenced from StmF in an encryption dictionary) Indicates whether the document-level metadata stream (see 14.3.2, "Metadata Streams") shall be encrypted. Conforming readers shall respect this value when determining whether metadata shall be encrypted. The value of the EncryptMetadata entry is set by the security handler rather than the conforming reader. Default value: true. |
EXAMPLE
The following shows the use of crypt filters in an encrypted document containing a plaintext document-level metadata stream. The metadata stream is left as is by applying the Identity crypt filter. The remaining streams and strings are decrypted using the default filters.
```
%PDF-1.5
1 0 obj                               % Document catalog
  << /Type /Catalog
     /Pages 2 0 R
     /Metadata 6 0 R
  >>
endobj
2 0 obj                               % Page tree
  << /Type /Pages
     /Kids [3 0 R]
     /Count 1
  >>
endobj
3 0 obj                               % 1st page
  << /Type /Page
     /Parent 2 0 R
     /MediaBox [0 0 612 792]
     /Contents 4 0 R
  >>
endobj
4 0 obj                               % Page contents
  << /Length 35 >>
stream
*** Encrypted Page-marking operators ***
endstream
endobj
5 0 obj
  << /Title ($#*#%*$#^&##) >>         % Info dictionary: encrypted text string
endobj
6 0 obj
  << /Type /Metadata
     /Subtype /XML
     /Length 15
     /Filter [/Crypt]                 % Uses a crypt filter
     /DecodeParms                     % with these parameters
       << /Type /CryptFilterDecodeParms
          /Name /Identity             % Indicates no encryption
       >>
  >>
stream
XML metadata                          % Unencrypted metadata
endstream
endobj
8 0 obj                               % Encryption dictionary
  << /Filter /MySecurityHandlerName
     /V 4                             % Version 4: allow crypt filters
     /CF                              % List of crypt filters
       << /MyFilter0
            << /Type /CryptFilter
               /CFM /V2 >>            % Uses the standard algorithm
       >>
     /StrF /MyFilter0                 % Strings are decrypted using /MyFilter0
     /StmF /MyFilter0                 % Streams are decrypted using /MyFilter0
     ...                              % Private data for /MySecurityHandlerName
     /MyUnsecureKey (12345678)
     /EncryptMetadata false
  >>
endobj
xref
....
trailer
  << /Size 8
     /Root 1 0 R
     /Info 5 0 R
     /Encrypt 8 0 R
  >>
startxref
495
%%EOF
```
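The crypt filter selection rules of 7.6.5 applied to already-parsed dictionaries, as an added Python example that is not part of the specification text; it also lists the streams that stay readable without authorization, which is what a reviewer of an "encrypted" file usually wants to know first. PDF dictionaries are modelled as Python dicts with names as plain strings, and the function names, the `UnsupportedEncryption` exception and the Identity/DocOpen defaults for absent StmF, StrF and AuthEvent entries are assumptions of this sketch.

```python
SUPPORTED_CFM = {"None", "V2", "AESV2"}   # the CFM names that appear on this page


class UnsupportedEncryption(Exception):
    """Raised where a reader should report an unsupported or malformed setup."""


def crypt_filter_name(stream: dict):
    """Name chosen by the stream's own Crypt filter, or None if it has none."""
    filters = stream.get("Filter", [])
    filters = [filters] if isinstance(filters, str) else list(filters)
    if "Crypt" not in filters:
        return None
    parms = stream.get("DecodeParms", {})
    parms = [parms] if isinstance(parms, dict) else list(parms)
    idx = filters.index("Crypt")
    entry = parms[idx] if idx < len(parms) and parms[idx] else {}
    return entry.get("Name", "Identity")          # missing Name means Identity


def resolve(encrypt: dict, stream: dict = None, default_key: str = "StmF") -> dict:
    """Effective crypt filter for a stream, or for strings (default_key='StrF')."""
    if encrypt.get("V") != 4:
        raise UnsupportedEncryption("crypt filters require V = 4")
    name = crypt_filter_name(stream) if stream is not None else None
    if name is None:                               # no override: document default
        name = encrypt.get(default_key, "Identity")  # assumed default when absent
    if name == "Identity":
        # Standard filter: a CF entry with the same name is ignored by readers.
        return {"name": name, "cfm": "None", "auth_event": "DocOpen",
                "passthrough": True}
    try:
        cf = encrypt["CF"][name]
    except KeyError:
        raise UnsupportedEncryption(f"crypt filter {name!r} is not listed in CF")
    cfm = cf.get("CFM", "None")
    if cfm not in SUPPORTED_CFM:
        raise UnsupportedEncryption(f"file is encrypted with unsupported CFM {cfm!r}")
    # AuthEvent is ignored (treated as DocOpen) for filters used as StmF or StrF.
    is_default = name in (encrypt.get("StmF"), encrypt.get("StrF"))
    auth = "DocOpen" if is_default else cf.get("AuthEvent", "DocOpen")
    return {"name": name, "cfm": cfm, "auth_event": auth, "passthrough": False}


def plaintext_streams(encrypt: dict, streams: dict) -> list:
    """Object numbers of streams that pass through Identity, i.e. stay in clear."""
    return sorted(num for num, s in streams.items()
                  if resolve(encrypt, s)["passthrough"])


# Constructed sample modelled on the EXAMPLE above (objects 4, 6 and 8).
ENCRYPT = {"Filter": "MySecurityHandlerName", "V": 4,
           "CF": {"MyFilter0": {"Type": "CryptFilter", "CFM": "V2"}},
           "StrF": "MyFilter0", "StmF": "MyFilter0", "EncryptMetadata": False}
STREAMS = {
    4: {"Length": 35},
    6: {"Type": "Metadata", "Subtype": "XML", "Length": 15, "Filter": ["Crypt"],
        "DecodeParms": {"Type": "CryptFilterDecodeParms", "Name": "Identity"}},
}

if __name__ == "__main__":
    for num, s in STREAMS.items():
        print(num, resolve(ENCRYPT, s))
    print("readable without authorization:", plaintext_streams(ENCRYPT, STREAMS))
```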