
Cracking Encrypted PDFs - rishabhd
https://blog.didierstevens.com/2017/12/28/cracking-encrypted-pdfs-part-3/
======
userbinator
This reminds me of a large company whose products' datasheets are protected
with a password, presumably as an extra layer of security if they get leaked
(which they do...) They didn't use the very old 40-bit encryption, but the
slightly newer 128-bit RC4, which would theoretically be much harder to crack.
However, the password is 10 digits. I used a multithreaded version of
PDFcrack[1] and let it run overnight, recovering all of them in a few days.

(The irony is, this company probably makes more from the massive design-in and
additional product sales enabled by these leaked documents... so I'm not sure
if the passwords were deliberately weak, just strong enough to satisfy their
legal department but easy for anyone else to get through.)

[1]
[http://andi.flowrider.ch/research/pdfcrack.html](http://andi.flowrider.ch/research/pdfcrack.html)

~~~
javajosh
You can pick a password in proportion to the threat. A short password is
sufficient to thwart "casual attacks" (someone snooping around by accident).
You can increase the entropy of the password as needed to thwart arbitrary
compute. (Although to get enough entropy you'd probably want to generate a
GUID for a password, write it down, and don't lose it.) What I'm trying to say
is that your company wasn't necessarily being stupid.

------
Someone
So, no matter how good your password, by default they shorten it to a 40-bit
key, but they also allow you to override the encryption method?

Seems similar to what Office XP and 2003 do
([https://en.wikipedia.org/wiki/Microsoft_Office_password_prot...](https://en.wikipedia.org/wiki/Microsoft_Office_password_protection#History_of_Microsoft_Encryption_password)).

Did Adobe and Microsoft design this together?

~~~
erpellan
I think this article only applies to older PDFs. From what I can tell, PDF2.0
changed the encryption to AES-256. Almost none of the PDF tools the article
mentioned can even recognise PDF2.0

[https://www.pdflib.com/knowledge-base/pdf-password-
security/...](https://www.pdflib.com/knowledge-base/pdf-password-
security/encryption/)

~~~
agumonkey
Wasn't even aware that PDF2.0 was out

~~~
dunham
Neither was I. It appears to have been released around July 2017 as ISO
32000-2:2017.

