PDF 2.0 modernizes cryptographic support
ISO TC 171 SC 2 is publishing new extensions and clarifications to PDF 2.0 in support of advanced cryptography.In order to more rapidly update PDF technology to address industry demands and advances in technology, ISO TC 171 SC 2 is publishing extensions and clarifications to PDF 2.0 as separate ISO Technical Specifications (TS). The first pair of ISO-approved PDF 2.0 extensions update the set of supported hash algorithms and extend PDF digital signatures to include modern elliptic curves. These short documents use well-known and widely-implemented existing cryptographic algorithms and are built on top of the digital signature and encryption frameworks that already exist in PDF.
An ISO TS follows the same rigorous development processes used for International Standards (IS), but works with an accelerated schedule better suited to the rapid rate of change in software, making it possible to bring new features to market far more quickly than updating and republishing a full new edition of ISO 32000.
These short ISO TS publications for PDF 2.0 are normative documents that are now part of PDF’s core specification; they are therefore as authoritative as ISO 32000 or any of the other ISO-standardized subsets of PDF such as PDF/A, PDF/X or PDF/UA. ISO TS publications are only available for a maximum of 6 years, with reviews by the ISO committee at 3 year intervals. It is expected that the content of ISO TS extension and clarification publications will be incorporated into the core PDF specification document itself within the 6 year period.
What are PDF 2.0’s new cryptographic extensions?
BUSINESS NOTE
Users can now choose the modern, up-to-date and secure cryptographic technologies for use with PDF 2.0 files, based on recent ISO extension specifications.
BUSINESS NOTE
Users can now choose the modern, up-to-date and secure cryptographic technologies for use with PDF 2.0 files, based on recent ISO extension specifications.
As listed on the PDF Association’s ISO status page, as of the end of 2022 there are four separate PDF 2.0 cryptographic related extensions:
- ISO/TS 32001 Document management - Portable Document Format - Encryption and Hash algorithm support in ISO 32000-2 (PDF 2.0) - published in 2022
- ISO/TS 32002 Document management - Portable Document Format - Extensions to Digital Signatures in ISO 32000-2 (PDF 2.0) - published in 2022
- ISO/TS 32003 Document management - Portable Document Format - Adding support of AES-GCM in PDF 2.0 - work in progress, expected to be published in 2023
- ISO/TS 32004 Document management - Portable Document Format - Integrity Protection in encrypted document in PDF 2.0 - work in progress, expected to be published in 2023
ISO/TS 32001:2022 Document management — Portable Document Format — Extensions to Hash Algorithm Support in ISO 32000-2 (PDF 2.0)
ISO/TS 32001 extends PDF 2.0 by adding “support for digitally signing PDF documents using the SHA3-256, SHA3-384, SHA3-512 and SHAKE256 hash algorithms in the secure hash algorithm 3 (SHA-3) hash algorithm family as defined in FIPS PUB 202”.
ISO/TS 32001:2022 can be purchased via the PDF Association.
ISO/TS 32002:2022 Document management — Portable Document Format — Extensions to Digital Signatures in ISO 32000-2 (PDF 2.0)
ISO/TS 32002 extends PDF 2.0 by adding support for the following modern elliptic curves for digital signatures:
- NIST P-curves family of elliptic curves;
- Brainpool family of elliptic curves;
- Edwards Curve (EdDSA) Ed448 and Ed25519 families of elliptic curves.
ISO/TS 32002:2022 can be purchased via the PDF Association.
ISO/TS 32003 Document management - Portable Document Format - Adding support of AES-GCM in PDF 2.0
Although not yet finalized and published, ISO/TS 32003 extends PDF 2.0 by adding support for AES-GCM (Advanced Encryption Standard - Galois/Counter Mode). Without going into the technical details of how AES encryption and its various modes of operation work, AES-GCM is a more modern algorithm that provides authenticated encryption (i.e. confidentiality as well as authentication).
Back in 2004 PDF 1.6 first introduced support for AES-CBC (Advanced Encryption Standard - Cipher Block Chaining) with various bit lengths up to 128 bit. In 2017, the first edition of PDF 2.0 (ISO 32000-2:2017) extended the bit lengths to include 256-bit AES-CBC, while also deprecating all shorter bit lengths. This was because in the intervening years shorter bit lengths had become susceptible to practical new attacks. ISO/TS 32003 goes further in enhancing document security to add 256-bit AES-GCM.
As soon as ISO/TS 32003 is published, it will be available for purchase from the PDF Association.
ISO/TS 32004 Document management - Portable Document Format - Integrity Protection in encrypted document in PDF 2.0
Although not yet published, ISO/TS 32004 has already been discussed in several PDF Association articles including ISO 32004: an overview and MACs vs. signatures in PDF.
As soon as ISO/TS 32004 is published, it will be available for purchase from the PDF Association.
What’s best practice for extensions?
As stated in ISO 32000-2, sub-clause 6.3.2 “Conformance of PDF processors”:
Each PDF processor chooses which subsets of PDF functionality to support. For each subset that the processor chooses to support, the processor shall comply with the applicable provisions in this document.
As with any feature defined in ISO 32000, PDF software vendors are free to choose which extensions and features are implemented. But if that software supports a new PDF 2.0 feature that support must fully comply with the appropriate ISO TS publication and ISO 32000-2 (PDF 2.0).
As digital signatures, modern hash algorithms and encryption are all vital for many workflows and documents, it is expected that mainstream PDF products (both PDF creators and PDF viewers) will implement all PDF 2.0 cryptographic extensions as soon as they are published.
Extensions defined by ISO TS publications are not supported by PDF 1.7 or earlier versions - they are specific to PDF 2.0 only.
How do I know if a PDF file is using a new cryptographic feature?
The PDF extension model was introduced with ISO’s first standardization of PDF: ISO 32000-1:2008 (PDF 1.7). The Document Catalog Extensions entry (a set of direct data structures specified in clause 7.12 “Extension Dictionary”) provides the means by which a PDF document can declare the extensions support that it requires beyond the core feature set of ISO 32000. As shown in the example below, a single PDF can depend on multiple extensions from multiple vendors:
%PDF-2.0 … 5 0 obj << /Type /Catalog /Pages … /Extensions << /Type /Extensions /ISO_ [ % Multiple extensions are registered with prefix “ISO_” << /Type /DeveloperExtensions /BaseVersion /2.0 /ExtensionLevel 32001 /ExtensionRevision (2022) /URL (https://www.iso.org/standard/45874.html) >> << /Type /DeveloperExtensions /BaseVersion /2.0 /ExtensionLevel 32002 /ExtensionRevision (2022) /URL (https://www.iso.org/standard/45875.html) >> ] … % Other extensions using different registered prefixes >> >> endobj …
Although the Extensions entry is required by all PDF files using ISO TS extensions, neither PDF 2.0 nor the ISO TS extension specifications mandate or describe how the data should be used by software. In addition to enabling support, the Extensions entry also provides sufficient data for software to present useful feedback to users who open a PDF file containing unsupported extensions. Similar information might also be presented in a File… | Properties dialog when listing the PDF version and other meta-information about a PDF file.
Support and implementations
A critical aspect of development for ISO TS extension publications is interoperability testing and practical confirmation that the document is unambiguous to all developers. As a result, some early technology is already available.
PDF Association members have access to sample ISO/TS 320001 and ISO/TS 32002 PDF files in GitHub that have been created and shared within the PDF Digital Signature Technical Working Group (TWG). Via the PDF Association liaison status with ISO, members can also get access to drafts of all ISO documents including ISO TS extensions and clarifications.
At the time of writing, the pyHanko library supports both ISO/TS 32001 and ISO/TS 32002 and is described in this article by its author. A contribution to iText to support both ISO/TS 32001 and ISO/TS 32002 is also pending.
Although the TS publications of ISO/TS 32003 and ISO/TS 32004 are not yet finalized by the ISO committee, interoperability testing means that some early technology already exists. FoxIt has a proof-of-concept implementation based on earlier drafts of ISO/TS 32003 and ISO/TS 32004, and this ZIP file contains example PDFs created using different technology. Note that unlike ISO/TS 32001 and ISO/TS 32002, the technical details of both ISO/TS 32003 and ISO/TS 32004 may change. and these technologies and samples are not definitive and should not be relied upon until the TSs are published.
The PDF Digital Signature TWG is the right forum for members to discuss and learn about these new cryptographic extensions.
Conclusion
Contact your vendor today to find out when support for these ISO cryptographic extensions for PDF 2.0 will be added to your PDF software. If you are interested in contributing new ideas or to learn more about PDF digital signatures, then become a member of the PDF Association and join the Digital Signature Technical Working Group.