0

I am trying to implement "Algorithm 2.A" from the PDF-2.0 spec (pages 81-82 of ISO 32000-2:2020(E)). The purpose of the algorithm is to retrieve the "file encryption key" of an encrypted PDF document, using a user-supplied password. Step f of the algorithm starts with the following sentence:

f) Decrypt the 16-byte Perms string using AES-256 in ECB mode with an initialization vector of zero and the file encryption key as the key. ...

My understanding is that ECB mode does not use an initialisation vector, so I am not sure what this means. Is this a mistake in the spec? How should I implement this step?

Many thanks, Jochen

jochen
  • 3,728
  • 2
  • 39
  • 49
  • 1
    Having checked my code for this, It looks like you are right. The mistake is also in 7.6.4.4.12 (Algorithm 13). You can report it here: https://github.com/pdf-association/pdf-issues – johnwhitington Apr 27 '23 at 09:22
  • Yeah, ECB mode doesn't use an IV. It shouldn't be used for message confidentiality either of course. I agree that *some* bad frameworks always require an IV (any CPA *secure* mode of operation require an IV or nonce, assuming the key may be reused) , however that doesn't mean that any specification should indicate one. – Maarten Bodewes Apr 27 '23 at 23:18

1 Answers1

1

I agree with @johnwhitington's comment (this is confusing and should be fixed in the spec), but also passing an "initialization vector of zero" (either as a single NULL value, or as a block of 16 zeros) is a common way to call cryptographic functions that support ECB in many frameworks. It is ignored by those functions, which is what you should do here.

Rob Napier
  • 286,113
  • 34
  • 456
  • 610