PDF 1.1-1.3 RC4 40-bit Encryption — Hashcat Mode 10400
TL;DR: PDF revisions produced by Acrobat 2-5 (PDF 1.1 through 1.3) used a 40-bit RC4 cipher. The 40-bit key length is below modern security thresholds (it predates the lifting of US export restrictions on cryptography in 2000), so the keyspace is small enough that an exhaustive key search can establish access without depending on the password itself.
How PDF 1.1-1.3 stores its password
PDF encryption, introduced in 1996 with PDF 1.1, used the Standard Security Handler with V=1 and R=2 in the document's encrypt dictionary. The user password is processed through a chain that combines an MD5 hash of the password, a per-document file ID (O), and a per-document permissions flag (P). This material is run through 50 iterations of MD5 and truncated to 5 bytes (exactly 40 bits) to form the encryption key.
Once derived, the 40-bit RC4 key encrypts every string and stream in the PDF. The encrypt dictionary itself stays in clear text, which is why analyzers can identify a PDF as v1/r2 without decryption.
The key length is the binding constraint. RC4 as a stream cipher is theoretically broken (RC4 was retired from TLS in 2015 by RFC 7465), but for PDF the practical issue is the 5-byte key — only 2^40 ≈ 1.1 trillion possible keys.
- V (algorithm version) = 1
- R (revision) = 2
- Length = 40 (bits)
- Cipher: RC4 with key truncated to 5 bytes
- Padding: PDF Standard Security Handler 32-byte string
Why 40 bits is below the modern security floor
Forty bits emerged as a US export-control compromise in the 1990s. Encryption stronger than 40 bits required an export licence under the Export Administration Regulations, so commercial software shipped with the weakened variant globally. Adobe followed this convention until export rules relaxed in 2000.
By comparison, today's NIST recommendation is a minimum of 112 bits of effective security strength for symmetric ciphers (NIST SP 800-131A). PDF 1.4+ moved to 128-bit RC4, and PDF 1.7 to AES-128 then AES-256.
Because the 40-bit RC4 key derivation is deterministic and the verification path is well-defined (the user-password padding string), the recovery problem reduces to finding the key, not the password. This is what makes mode 10400 unique among Hashcat modes: a successful key search yields plaintext access regardless of the original password's complexity.
Identifying a 40-bit PDF without opening it
The encrypt dictionary inside a PDF is not encrypted itself, so the algorithm version and revision are readable in any text editor. A line like `/V 1 /R 2 /Length 40` (or the same entries with `/Length` omitted, since it defaults to 40 for V=1) confirms 40-bit RC4. This is documented in Adobe PDF Reference 1.3, section 3.5.
Adobe Acrobat 5.0 (released 2001) was the last consumer release that defaulted to 40-bit. Files produced by Acrobat 2-5, by older Adobe Distiller versions, or by third-party libraries that used the legacy security handler will all be in this category.
Pre-flight tools such as the qpdf CLI, pdfinfo (poppler-utils), or the pikepdf Python library expose the V/R/Length triple without requiring the password.
- Look for `/V 1` and `/R 2` in the encrypt dictionary
- `/Length` will be 40 or absent (default for V=1)
- Acrobat versions 2-5 (1996-2003) typically produced these files
- The PDF version metadata (e.g. `%PDF-1.3`) is a strong hint but not authoritative
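The checks listed above can be run across an archive to find files that still carry 40-bit protection and should be re-encrypted. This is an added example, not code from this page or from any of the tools it names. It scans raw bytes with regular expressions (a simplification of real PDF parsing), and the function names and sample byte strings are constructed for illustration.

```python
import re

# Constructed fragments (not complete PDFs); /O and /U values are placeholders.
LEGACY = (b"%PDF-1.3\n5 0 obj\n<< /Filter /Standard /V 1 /R 2 "
          b"/O (placeholder) /U (placeholder) /P -44 >>\nendobj\n"
          b"trailer\n<< /Size 6 /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")
RC4_128 = (b"%PDF-1.4\n7 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 "
           b"/P -3904 >>\nendobj\ntrailer\n<< /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF\n")
INLINE = (b"%PDF-1.2\ntrailer\n<< /Root 1 0 R /Encrypt << /Filter /Standard "
          b"/V 1 /R 2 /Length 40 /P -44 >> >>\n%%EOF\n")
PLAIN = b"%PDF-1.3\ntrailer\n<< /Size 4 /Root 1 0 R >>\n%%EOF\n"


def encrypt_params(pdf: bytes):
    """Return {'V','R','Length'} from the encrypt dictionary, or None if absent."""
    hits = list(re.finditer(rb"/Encrypt\s*(?:(\d+)\s+(\d+)\s+R|(<<))", pdf))
    if not hits:
        return None
    ref = hits[-1]  # after incremental updates the last trailer is authoritative
    if ref.group(3):  # dictionary written inline in the trailer
        body = pdf[ref.start(3):ref.start(3) + 2048]
    else:  # indirect reference: locate "N G obj ... endobj"
        pat = rb"(?<!\d)%d\s+%d\s+obj(.*?)endobj" % (int(ref.group(1)), int(ref.group(2)))
        obj = re.search(pat, pdf, re.S)
        if obj is None:
            raise ValueError("encrypt dictionary object not found")
        body = obj.group(1)

    def num(key: bytes, default: int) -> int:
        m = re.search(rb"/" + key + rb"\s+(\d+)", body)
        return int(m.group(1)) if m else default

    # /Length is optional and defaults to 40 bits, as the text notes for V=1.
    return {"V": num(b"V", 0), "R": num(b"R", 0), "Length": num(b"Length", 40)}


def is_legacy_40bit(pdf: bytes) -> bool:
    """True for the V=1 / R=2 / 40-bit case this page maps to mode 10400."""
    p = encrypt_params(pdf)
    return p is not None and (p["V"], p["R"], p["Length"]) == (1, 2, 40)


def audit(files: dict) -> list:
    """Names of files in an archive listing that should be re-protected."""
    return sorted(name for name, data in files.items() if is_legacy_40bit(data))
```

For production inventories, a real parser such as qpdf or pikepdf is the safer way to read the same three values, because binary strings in the dictionary can confuse a byte-level scan.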
Recovery feasibility — what to expect
Because the key length is finite and small by 2026 standards, recovery for PDF 1.1-1.3 is the most predictable case in the entire family of password-protected file formats. Recovery does not depend on the password being weak — even a 40-character random user password produces a key from the same 2^40 keyspace. This is the unusual property that makes mode 10400 effectively guaranteed in practice for legitimate document owners.
Once the key is known, the PDF can be re-saved without a password while preserving all original content, signatures, and metadata exactly. The recovered file is byte-identical to what an authenticated reader would have produced — important for tax authorities, legal admissibility, and audit trails.
There is no scenario where a 40-bit RC4 PDF is not recoverable given enough compute time. The variability is duration, not outcome. Modern GPUs make the search tractable on single-machine timescales.
Why these files still appear in 2026
The most common sources of 40-bit PDFs in 2026 are: archived tax returns and government documents from the 2000s; legal disclosure bundles where the original was scanned and protected with an older tool; bank statements exported from internet-banking portals that haven't been modernised; and engineering or pharmaceutical drawings stored long-term in document management systems that preserve the original encryption.
When organisations migrate document archives, the original encryption is often preserved by default — not upgraded. This means PDFs that were created with Acrobat 4 in 2001 are still encrypted with 40-bit RC4 today, even after several round-trips through modern systems.
PDF/A archival format (ISO 19005) does not mandate stronger encryption — PDF/A-1 explicitly allows the original encryption to be retained. So a long-term-preserved archive may still have 1990s-era cryptography.
Adobe's revision history at a glance
- PDF 1.1 (1996, Acrobat 2): introduced password protection with 40-bit RC4 (V=1, R=2).
- PDF 1.2 (1996, Acrobat 3): kept V=1/R=2; added 40-bit RC4 for streams.
- PDF 1.3 (1999, Acrobat 4): unchanged security model from 1.2.
- PDF 1.4 (2001, Acrobat 5): added V=2/R=3 with 40-128 bit RC4 (mode 10500).
- PDF 1.6 (2004, Acrobat 7): introduced V=4/R=4 with AES-128.
- PDF 1.7 + extension level 3 (Acrobat 9, 2008): V=4/R=4 with strengthened AES-128 (mode 10600).
- PDF 1.7 extension level 8 (Acrobat X, 2010): V=5/R=6 with AES-256 (mode 10700).
Frequently Asked Questions
Is recovering my own 40-bit PDF legal?
How long does mode 10400 typically take on modern hardware?
Will the recovered PDF be identical to the original?
Why does Acrobat still let me create 40-bit PDFs in 2026?
Does the password length matter for 40-bit RC4?
How is 40-bit RC4 different from PDF 1.4 mode 10500?
Can I do this myself with open-source tools?
What if my PDF is partially corrupted?