PDF Encryption Standards Explained — RC4 vs AES
PDF encryption has evolved through five distinct generations across 30 years. Each generation was driven by either US export-control changes or the rolling obsolescence of older ciphers. Understanding the cryptographic difference between RC4 (used 1996-2010) and AES (2005-present) — and the key-derivation functions that wrap them — explains why different PDFs in the same era behave so differently when you try to recover them.
The 1996 origin: RC4 and US export controls
PDF 1.1 (1996, Acrobat 2) introduced the Standard Security Handler with V=1 and R=2 — a 40-bit RC4 cipher. The 40-bit key length wasn't a cryptographic choice; it was a regulatory one. The US Export Administration Regulations classified strong cryptography (above 40 bits) as munitions, requiring export licences. Software shipped globally with the weakened variant. Adobe followed this convention through PDF 1.3 (1999).
RC4 itself is a stream cipher designed by Ron Rivest in 1987. The cipher's internal state is updated per byte through three feedback registers seeded by the key. RC4 was widely deployed in TLS, WEP, and many file-encryption schemes — until weaknesses became public.
By 2026 standards, both the cipher and the key length are weak. RC4 has biased keystream output (FMS attack on related keys, AlFardan et al. multi-byte biases). The 40-bit key length means only 2^40 ≈ 1.1 trillion possible keys — exhaustively searchable on modern GPUs. The combination is what makes mode 10400 effectively guaranteed recoverable.
2001: 128-bit RC4 lifted by export-rule changes
The US relaxed export controls on cryptography in early 2000. Adobe responded with PDF 1.4 (2001, Acrobat 5), introducing V=2/R=3 with a configurable 40-128 bit RC4 key length. Most commercial software defaulted to 128-bit immediately.
The cipher (RC4) was unchanged — only the key length grew. This is mode 10500 in Hashcat. The 2^128 keyspace is beyond brute-force, so recovery shifted from a key-search problem to a password-search problem.
PDF 1.5 (2003) and PDF 1.6 (2004) reused V=2/R=3. By 2007, a meaningful fraction of business-grade PDFs in circulation used 128-bit RC4. Many still exist in archives today.
2005: AES enters the picture
PDF 1.6 introduced V=4/R=4 in 2004-2005, adding the crypt filter (CF) sub-dictionary. The new design allowed AES-128 in CBC mode. This is mode 10600.
AES (Advanced Encryption Standard, NIST FIPS 197) was specifically designed to replace ageing ciphers. It has no known practical attacks at 10 rounds (AES-128) or 14 rounds (AES-256) full-strength. Adopting AES future-proofed PDF encryption against cipher-level breakthroughs.
The key-derivation function in V=4/R=4 still used the legacy MD5-based chain from V=1 — a weakness that distinguishes mode 10600 from later modes. Per-password GPU verification remained fast because MD5 is fast.
2010: AES-256 with a strengthened KDF
PDF 1.7 Adobe Extension Level 8 (Acrobat X, 2010) introduced V=5/R=6 — AES-256 with a SHA-256-based KDF that's roughly 50-100x more expensive per password attempt. This is mode 10700.
Two structural improvements over previous generations: AES-256 has 2^256 possible keys (symbolically larger than 2^128, both beyond brute force, but quantum-resistant) and the SHA-256 KDF chain throttles password search throughput on GPUs.
The combination matters more than either individually. AES-256 alone with a fast KDF would still be password-strength-bound (and recoverable for weak passwords). The slow KDF reduces per-second attempt count, lengthening practical recovery times.
How V/R/Length encode the generation
Adobe's encrypt dictionary uses three fields to describe the cipher: V (algorithm version), R (revision), Length (key bits). Combined with the optional CFM field on V=4 and V=5, these unambiguously identify the encryption tier:
- V=1, R=2, Length=40: PDF 1.1-1.3 RC4 40-bit (Hashcat 10400)
- V=2, R=3, Length=40-128: PDF 1.4-1.6 RC4 (Hashcat 10500)
- V=4, R=4, Length=128, CFM=AESV2: PDF 1.6+ AES-128 (Hashcat 10600)
- V=5, R=6, Length=256, CFM=AESV3: PDF 1.7 ext 8 AES-256 (Hashcat 10700)
Reading the dictionary
qpdf --show-encryption file.pdf prints V, R, Length, and CFM directly without requiring the password. Same with pdfinfo (poppler-utils) and pikepdf.
Why the password's role changes by generation
For mode 10400 (40-bit), the password essentially doesn't matter for recovery. The cipher key is 40 bits and the entire keyspace is searchable. Whether you set 'apple' or '8&#wQ@9zR$1qE!' as your password, recovery operates on the 2^40 key space, not on the password's character pattern.
For modes 10500-10700, the password becomes everything. The cipher is sound and the key space is beyond brute force, so the only path is to test candidate passwords through the key-derivation function. Short or predictable passwords are recoverable; strong random passwords aren't.
This is the single most important practical insight when looking at a forgotten-password PDF. The encryption tier predicts whether the password matters.
What about future PDF encryption?
Adobe has discussed V=6 in standards meetings but no widely-deployed format has emerged in 2026. The most likely next step is integration with post-quantum cryptography (lattice-based key agreement) for hybrid quantum-resistant document protection — but this is research stage, not consumer.
For most current PDFs, mode 10700 (AES-256, V=5/R=6) remains the modern strong tier. New password-protected PDFs created in 2024-2026 are predominantly in this mode by default in Adobe products.
Frequently Asked Questions
Is RC4 considered broken in 2026?
Why does PDF still use MD5 in 2026?
Will AES-256 PDFs be quantum-secure?
Can I downgrade an AES-256 PDF to RC4 to make it recoverable?
What's the most common encryption mode in 2026?
Have a forgotten-password PDF to recover?
Run a free analysis — encryption type detected automatically, fast techniques tried first, pay only on success.
Run Free Analysis