PDF 2.0 Extended with AES-GCM Support

The ISO Technical Specification newly published in June by the PDF Association extends PDF encryption with AES-GCM using 128-bit, 192-bit, and 256-bit cipher keys and a 128-bit block size.

Galois/Counter Mode (GCM) is a block cipher mode standardized by the US National Institute of Standards and Technology (NIST) in NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, for use with the Advanced Encryption Standard (AES). AES-GCM provides high-speed encryption and data integrity and is a major improvement over earlier AES-CBC (Cipher Block Chaining) methods introduced in PDF 1.6 and deprecated in PDF 2.0.

AES-GCM is an authenticated encryption algorithm: it provides both confidentiality and ciphertext authentication. The two cryptographic primitives provided by AES-GCM are authenticated encryption and authenticated decryption. The authenticated encryption function encrypts sensitive data and computes an authentication tag for both the ciphertext and, optionally, additional authenticated data (AAD). The authenticated decryption function decrypts sensitive data after tag verification. Each function is relatively efficient and can be parallelized, enabling high-throughput implementations in both hardware and software.

In PDF encryption, encryption is always applied to individual streams and strings. Although AES-GCM authenticates each individual ciphertext, a separate mechanism is required to achieve document-level integrity guarantees. Such a mechanism is described in ISO/TS 32004, Document management - Portable document format - Integrity protection in encrypted documents in PDF 2.0.