With 256-bit encryption, Acrobat 9 passwords still easy to crack

Following ElcomSoft's claim that despite the 256-bit encryption Acrobat 9 passwords are susceptible to more efficient brute forcing than Acrobat 8 passwords -- a claim that Adobe confirmed citing usability trade-offs and urged users to take advantage of its improved passphrase mechanisms -- ElcomSoft's Dmitry Sklyarov and Vladimir Katalov provide more insights on the implications of their discovery, Adobe's reaction, and what should end users and companies do in order to balance security with usability.

Go through the Q&A.

Q: Could you please elaborate a bit more on what exactly does the vulnerability allows you, or a potential malicious attacker to do?

A: Passwords for PDF documents encrypted with AES-256 could be tested much faster than earlier. So, password that considered to be secure enough (difficult to find) in Acrobat 8 could become insecure (easy to find) in Acrobat 9.

Q: Have you contacted Adobe in regard to the vulnerability you've discovered, and did they confirm it?

A: Actually vice versa: Adobe representatives contacted us right after the press release with a question on vulnerability we discovered and we provided our technical clarifications. Yesterday there appeared an article on Adobe corporate website, which actually doesn't explain anything.

Q: Compared to Adobe Reader 8.0, how has your brute force rate improved by taking advantage of the flaw in numbers?

A: In Acrobat versions from 5 to 8, it was needed to make 51 MD5 calls and 20 RC4 calls, making password verification relatively slow, and so brute-force attacks were not effective -- only about 50,000 passwords per second on modern Intel processor, so even 6-character password was strong enough.

In Acrobat version 9, password checking routine consist of just one call to SHA256 hash function. That function can be implemented really effectively on all modern CPUs with SSE2 instruction set, with linear scalability on multi-core and multi-CPU systems, allowing to reach the speed from 5 to 10 million passwords per second. Moreover, SHA256 algorithm fits really good to stream processors such as ones used in NVIDIA video cards, reaching the speed of up to 100 million passwords per second on a single GPU, again with a linear scalability to multi-GPU systems and Tesla. That makes even 8-character password (mixed uppercase and lowercase letters) not secure.

To be more precise, Q6600 - iCore 4 cores on 2.4GHz :

Acrobat 8  ~ 56 700 p/s for user password Acrobat 9  ~ 5 100 000 p/s for user password on one core Acrobat 9 ~ 20 350 000 p/s on Q6600 (4 cores)

GPU GTX260 has 192 stream processors: Acrobat 9 ~ 74 500 000 p/s

You can see the difference.

Q: What should end user and companies do to ensure that their encrypted and password protected remain private, whereas they're still using the latest version of Adobe's product, potentially mitigating several known vulnerabilities found in the previous one?

A: AES-256 encryption introduced in Acrobat 9 does not significantly change level of document security. 256-bit encryption is stronger than 128-bit encryption used in previous versions of Acrobat. But it seems to be impossible to test all possible 128-bit keys in nearest future (several million years). So, Adobe just makes unbreakable thing stronger in Acrobat 9.

But actually security level is determined by the weakest link. In case if strong cryptography is used, the weakest link is a password - it could be guessed much easily than encryption key. Computers become faster every year. And common practice is to increase complexity of password testing process in new versions of software. But Adobe decided to make password testing faster. To preserve level of security provided by Acrobat 8 user just needs to use 128-bit security (which still available in Acrobat 9). Or make new passwords several characters longer than earlier.