
A Major PDF Vendor Promised 256-Bit Security. Researchers Found It Was 100x Easier to Crack.


"The strongest encryption available for PDF documents." That is how a major PDF software vendor marketed the 256-bit AES encryption introduced in version 9 of its flagship product. Twice the key size of the previous version. Military-grade. Unbreakable. The kind of marketing copy that reassures IT departments and greenlights purchase orders. There was one problem: security researchers later discovered the new encryption was roughly 100 times easier to crack than the 128-bit encryption it replaced. A bigger number, but weaker security.

The Upgrade That Was a Downgrade

When the vendor released version 9 of its PDF software in 2008, the headline security feature was the jump from 128-bit AES to 256-bit AES encryption. On paper, this sounds straightforward. AES-256 is the encryption standard used by the U.S. government for classified information. The key space is astronomically larger. In a sound implementation, upgrading from AES-128 to AES-256 would make brute-force attacks effectively impossible for the foreseeable future.

The operative phrase there is "in a sound implementation."

The strength of password-based encryption does not just depend on the cipher. It depends critically on how the password is converted into the encryption key — a process called key derivation. And this is where things went wrong. The vendor changed the key derivation function, and the replacement turned out to be dramatically weaker than what it superseded.

What Went Wrong With the Key Derivation

In the previous version (PDF encryption revision 4, using AES-128), the key derivation process was based on MD5 and ran through 50 rounds of hashing. It was not state-of-the-art, but the iterative hashing added meaningful computational cost to each password guess. Brute-forcing the password meant doing 50 rounds of work per attempt.

For the new 256-bit version (PDF encryption revision 5), the vendor replaced the key derivation with a scheme that used SHA-256 — but with far fewer iterations of the stretching process. The result was that each password guess required significantly less computational work. Independent security researchers benchmarked the two schemes and found that password recovery tools could test passwords against the AES-256 encrypted PDFs roughly 100 times faster than against the older AES-128 encrypted PDFs.

Put differently, the "enhanced" 256-bit encryption allowed attackers to test 100 passwords in the same time it took to test one password against the older 128-bit version. The lock had been upgraded while the door got thinner — the security equivalent of fitting a titanium deadbolt on a screen door.
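The difference in work per candidate password can be seen by writing out the hashing stage of each revision. This is an added example, not code from the article or the vendor: the revision 4 function follows the key-derivation algorithm in ISO 32000-1 (assuming metadata is encrypted, and leaving out the RC4 step that the full check also performs), and the revision 5 function is the single salted SHA-256 described in the vendor's extension to the specification. The function names and all input values are constructed for illustration.

```python
import hashlib
import struct
import time

# 32-byte password padding string defined in ISO 32000-1, section 7.6.3.3.
PAD = bytes.fromhex("28bf4e5e4e758a4164004e56fffa0108"
                    "2e2e00b6d0683e802f0ca9fe6453697a")


def r4_key(password: bytes, o_entry: bytes, p_flags: int, file_id: bytes):
    """Revision 4 hashing stage; returns (16-byte key, MD5 calls made)."""
    padded = (password + PAD)[:32]
    # /P is hashed as a 32-bit little-endian integer.
    material = padded + o_entry + struct.pack("<i", p_flags) + file_id
    digest = hashlib.md5(material).digest()
    calls = 1
    for _ in range(50):  # the 50 stretching rounds
        digest = hashlib.md5(digest[:16]).digest()
        calls += 1
    return digest[:16], calls


def r5_hash(password: str, validation_salt: bytes):
    """Revision 5 check value; returns (32-byte hash, SHA-256 calls made)."""
    pw = password.encode("utf-8")[:127]
    return hashlib.sha256(pw + validation_salt).digest(), 1


def hashing_time_ratio(trials: int = 2000) -> float:
    """Hashing time per candidate, revision 4 divided by revision 5."""
    o_entry, file_id, salt = bytes(32), bytes(16), bytes(8)  # constructed
    start = time.perf_counter()
    for _ in range(trials):
        r4_key(b"example", o_entry, -3904, file_id)
    mid = time.perf_counter()
    for _ in range(trials):
        r5_hash("example", salt)
    end = time.perf_counter()
    return (mid - start) / (end - mid)


if __name__ == "__main__":
    print("MD5 calls per candidate (R4):", r4_key(b"pw", bytes(32), -4, bytes(16))[1])
    print("SHA-256 calls per candidate (R5):", r5_hash("pw", bytes(8))[1])
    print("hashing time ratio R4/R5: %.1f" % hashing_time_ratio())
```

The measured ratio covers only the hashing shown here and varies by machine, so it will not match the researchers' benchmark figure.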

The Numbers

AES-128 (Revision 4)

  • 128-bit key size
  • 50 rounds of key stretching
  • Slower password testing
  • Actually harder to crack

AES-256 (Revision 5)

  • 256-bit key size
  • Weaker key derivation
  • 100x faster password testing
  • Bigger number, worse security

The Fix Came Later

The vendor did eventually address the problem. PDF encryption revision 6, introduced in a subsequent release, replaced the weak key derivation with an implementation that used thousands of rounds of hashing, making password guessing substantially harder. But for several years, every PDF encrypted with the version 9 defaults was weaker than the version before it — while advertising itself as stronger. Many of those PDFs still exist today, and their owners likely believe the files are more secure than they actually are.

None of this means AES-256 is a weak cipher — it is excellent. The point is that encryption strength is a chain, and the weakest link determines the real security level. A 256-bit cipher paired with an inadequate key derivation function produces inadequate security, regardless of what the marketing materials say.

The Other PDF Security Gap: Permission Restrictions

The encryption story is not the only gap in PDF security. PDF "permissions" — the settings that restrict copying, printing, or editing — are another area worth examining. Most people have encountered these at some point: a PDF that grays out the print button or prevents text selection. It looks like a real security control.

In practice, it offers almost no protection.

PDF permission restrictions are enforced by the viewer application, not by the file format itself. The dominant PDF reader respects these flags because the same vendor designed both the format and the reader. But the PDF specification is an open standard (ISO 32000). Anyone can write a PDF reader, and a reader that ignores the permission flags can open, copy, print, and edit the "restricted" document without any password at all.

Free, widely available tools strip PDF permission restrictions in seconds. Some online services do it with a single click. The "no copy, no print" flags function as a polite request, not a security mechanism. They may deter casual users but do little against anyone with even mild motivation to get around them. In practice, relying on PDF permission restrictions for document security is comparable to placing a "Please Do Not Read" sticky note on a classified folder.

What PDF Permissions Actually Protect

  • No-copy flag: Only enforced by compliant viewers. Easily bypassed.
  • No-print flag: Ignored by most third-party PDF tools and print-to-PDF drivers.
  • No-edit flag: Prevents editing in compliant software, but the content is fully accessible to any tool that reads the PDF structure directly.
  • Owner password: Controls permission settings, not document access. Removable in seconds with free tools.

Permission restrictions are a courtesy, not a security boundary.
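Both points above can be checked on a file without decrypting it, because the encryption dictionary is stored unencrypted: the revision number shows which key derivation protects the file, and the permission flags are a single integer that a viewer may or may not honour. The following is an added example, not code from the article or from any vendor tool; the function names, verdict strings and sample fragments are constructed, and the regex scan is a heuristic rather than a full PDF parser.

```python
import re

# /P permission bits from ISO 32000-1 Table 22; bit n has mask 1 << (n - 1).
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy", 6: "annotate",
                   9: "fill_forms", 10: "extract_for_accessibility",
                   11: "assemble", 12: "print_high_quality"}

# Verdicts restate the article: revision 5 is the weak one, revision 6 the fix.
KDF_VERDICT = {4: "revision 4: MD5-based derivation with 50 rounds",
               5: "WEAK key derivation, re-encrypt with a newer revision",
               6: "revision 6: strengthened key derivation"}


def audit_encryption(pdf_bytes: bytes):
    """Report the security handler revision and the advisory /P flags.

    Returns None if no Standard security handler dictionary carrying
    both /R and /P is found among the uncompressed objects.
    """
    for match in re.finditer(rb"\d+\s+\d+\s+obj(.*?)endobj", pdf_bytes, re.S):
        body = match.group(1)
        if re.search(rb"/Filter\s*/Standard\b", body):
            break
    else:
        return None
    rev = re.search(rb"/R\s+(\d+)", body)
    perms = re.search(rb"/P\s+(-?\d+)", body)
    if not (rev and perms):
        return None
    revision = int(rev.group(1))
    flags = int(perms.group(1)) & 0xFFFFFFFF  # /P is a signed 32-bit value
    allowed = [name for bit, name in PERMISSION_BITS.items()
               if flags & (1 << (bit - 1))]
    return {"revision": revision,
            "verdict": KDF_VERDICT.get(revision, "older or unknown revision"),
            "allowed": allowed,
            "denied": [n for n in PERMISSION_BITS.values() if n not in allowed]}


def sample_pdf(v: int, r: int, p: int) -> bytes:
    """Constructed fragment for the demo, not a complete or real PDF."""
    enc = (b"9 0 obj\n<< /Filter /Standard /V %d /R %d /P %d"
           b" /O <00> /U <00> >>\nendobj\n" % (v, r, p))
    return b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" + enc


if __name__ == "__main__":
    print(audit_encryption(sample_pdf(5, 5, -3904)))
```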

What Actually Works for PDF Security

For genuine PDF protection, the only reliable mechanism is a strong user password (also called the "open password") combined with a modern encryption implementation. A user password with proper encryption means the document content is actually encrypted — the bytes on disk are scrambled and cannot be read without the correct password to derive the decryption key.

The key word there is "strong." A six-character password on a PDF with weak key derivation can be cracked in minutes. A long, random passphrase on a properly implemented encryption scheme is genuinely secure. The encryption is only as good as the password protecting it.

PDFb2's Protect tool applies a strong password to a PDF using AES encryption — and does it entirely in the browser. The unprotected document never leaves the device, which avoids sending an unencrypted version through a cloud service that might log, cache, or expose it.

Permission restrictions can also be set alongside encryption. They will deter casual users who rely on the default PDF reader, though they are not a substitute for actual encryption.

The Takeaway

The 256-bit encryption episode is a useful reminder that marketing and security are different disciplines with different objectives. A bigger number on the spec sheet does not automatically mean better protection. The implementation details — key derivation, hashing rounds, password handling — matter far more than the headline cipher strength. And PDF permission restrictions, while they look official, are about as enforceable as a "keep off the grass" sign. Genuine PDF protection comes down to a strong open password with real encryption, keeping unencrypted files off cloud servers, and recognizing that "256-bit" does not automatically mean "secure."
