Encryption Algorithms and Key Lengths
PDF encryption makes use of the following encryption algorithms:
- RC4, a symmetric stream cipher (i.e. the same algorithm can be used to encrypt and decrypt). RC4 no longer offers adequate security and has been deprecated in PDF 2.0.
- AES (Advanced Encryption Standard) specified in the standard FIPS-197. AES is a modern block cipher which is used in a variety of applications.
Since the actual encryption keys are unwieldy binary sequences, they are derived from more user-friendly passwords which consist of plain characters. In the course of PDF and Acrobat development the PDF encryption methods have been enhanced to use stronger algorithms, longer encryption keys, and more sophisticated passwords.
Encryption algorithms, key length, and password length in PDF versions |
||
PDF and Acrobat version |
encryption algorithm and key length |
max. password length and password encoding |
PDF 1.1 – 1.3 (Acrobat 2-4) |
RC4 40-bit (weak, should not be used) |
32 characters (Latin-1) |
PDF 1.4 (Acrobat 5) |
RC4 128-bit(weak, should not be used) |
32 characters (Latin-1) |
PDF 1.5 (Acrobat 6) |
same as PDF 1.4, but different application of encryption method (weak, should not be used) |
32 characters (Latin-1) |
PDF 1.6 (Acrobat 7) and PDF 1.7 = ISO 32000-1 (Acrobat 8) |
AES-128 |
32 characters (Latin-1) |
PDF 1.7 Adobe Extension Level 3 (Acrobat 9) |
AES-256 with shortcomings in password handling (weak; deprecated in PDF 2.0) |
127 UTF-8 bytes (Unicode) |
PDF 1.7 Adobe Extension Level 8 (Acrobat X/XI/DC) and PDF 2.0 = ISO 32000-2 |
AES-256 with improved password handling |
127 UTF-8 bytes (Unicode) |
Note that AES-256 is not supported by the native PDF viewers on OS X/macOS (tested up to OS X 10.10.3) and iOS (tested up to iOS 8.1.3).
PDF encryption doesn’t apply the user or master password directly for encrypting the document contents, but calculates an encryption key from the password and other parameters including the permission settings. The length of the encryption key used for actually encrypting the document is independent from the length of the password (see table above).
Passwords
PDF encryption internally works with encryption keys of 40, 128, or 256 bit depending on the PDF version. The binary encryption key is derived from a password provided by the user. The password is subject to length and encoding constraints:
- Up to PDF 1.7 (ISO 32000-1) passwords were restricted to a maximum length of 32 characters and could contain only characters from the Latin-1 encoding.
- PDF 1.7 Adobe Extension Level 3 introduced Unicode characters and bumped the maximum length to 127 bytes in the UTF-8 representation of the password. Since UTF-8 encodes characters with a variable length of 1-4 bytes the allowed number of Unicode characters in the password is less than 127 if it contains non-ASCII characters. For example, since Japanese characters usually require 3 bytes in UTF-8 representation, up to 42 Japanese characters can be used in passwords.
In order to avoid ambiguities, Unicode passwords are normalized by a process called SASLprep (specified in RFC 4013 based on Stringprep in RFC 3454). This process eliminates non-text characters and normalizes certain character classes (e.g. non-ASCII space characters are mapped to the ASCII space character U+0020). The password is normalized to Unicode normalization form NFKC, and special bidirectional processing is applied to avoid ambiguities which may otherwise arise if right-to-left and left-to-right characters are mixed in a password.
The strength of PDF encryption is not only determined by the length of the encryption key, but also by the length and quality of the password. It is widely known that names, plain words, etc. should not be used as passwords since these can easily be guessed or systematically tried using a so-called dictionary attack. Surveys have shown that a significant number of passwords are chosen to be the spouse’s or pet’s name, the user’s birthday, the children’s nickname etc., and can therefore easily be guessed.
Security Recommendations
Keep in mind that only PDFs with a user password (required to open the document) are safe from cracking. The following should be avoided because the resulting encryption is weak and could be cracked:
- Passwords consisting of 1-6 characters should be avoided since they are susceptible to attacks which try all possible passwords (brute-force attack against the password).
- Passwords should not resemble a plain text word since the password would be susceptible to attacks which try all plaintext words (dictionary attack).
- Passwords should contain non-alphabetic characters. Don’t use your spouse’s or pet’s name, birthday, or other items which are easy to determine.
- 40-bit RC4 according to PDF 1.3 (Acrobat 4) encryption should be avoided since it is susceptible to attacks which try all possible keys (brute-force attack against the encryption key).
- The modern AES algorithm is preferable over the older RC4 algorithm.
- AES-256 according to PDF 1.7 Adobe Extension Level 3 (Acrobat 9) should be avoided because it contains a weakness in the password checking algorithm which facilitates brute-force attacks against the password. For this reason Acrobat X/XI/DC no longer offer Acrobat 9 encryption for protecting new documents (only for decrypting existing documents).
In summary, AES-256 according to PDF 1.7 Adobe Extension Level 8/PDF 2.0 should be used. Passwords should be longer than 6 characters and should contain non-alphabetic characters.