Adobe PDF security

May 22nd, 2009 by Vladimir Katalov
Category: «Passwords & Human Factor», «Security», «Software», «Tips & Tricks»

Wow, Adobe rethinks PDF security. Curious why? Because of vulnerabilities in Abobe Reader (and so zero-day exploits), of course. From the article:

According to Finnish security company F-Secure, patching 48.9% of all targeted attacks conducted this year involved a malicious PDF file attached to a legitimate-looking e-mail, a huge change from 2008, when PDFs made up just 28.6% of targeted attacks.

But security model of PDF encryption/protection is not going to change, [un]fortunately. It is still very easy to remove restrictions (from printing, copying etc) from PDF files. Moreover, Advanced PDF Password Recovery can clean PDF files from Form elements, digital signatures and JavaScript code (the last item is the most important, because the scripts inside PDFs may contain malicious code). The open password is harder to break: only if 40-bit encryption is used (obsolete, but still popular due to compatibility reasons), such protection can be removed almost instantly, thanks to Thunder Tables.

Better/improved encryption (128-bit RC4) has been introduced in Acrobat 5 a long time ago; in next version, AES encryption has been added — so only brute-force and dictionary attacks were applicable, and recovery speed was low. However, we have found that Adobe Acrobat 9 Is a Hundred Times Less Secure compared to version 8). Moreover, GPU acceleration is now possible, so achieving even better recovery speed.

Surprisingly, Adobe has responded in their blog: see Acrobat 9 and password encryption. Here is what they said:

The current specification for password-based 256-bit AES encryption in PDF provides greater performance than the previous 128-bit AES implementation.

First, that’s not true (if you don’t trust me, make some bench. Second, the encryption (of the file’s data) is not related to password verification routine. You can use the strongest zillion-bit algorithm, but simple and fast password checking function, and so passwords can be effectively cracked (well, recovered :)) in a reasonable time.

Last but not least (also from Adobe’s blog):

256-bit AES encryption is widely known to be stronger than 128-bit AES.

Of course it is. But first, it’s a pure marketing issue: 128 bit is more than enough (well, for next dozen years). Second, the password is still the weakest link.