PDF 1.7 AES-128 — Hashcat Mode 10600

What changed in PDF 1.6

PDF 1.6 (2004, Acrobat 7) was the first revision to introduce AES — initially as an option, later as the default in Acrobat 9 and beyond. The Standard Security Handler grew a new value V=4 and revision R=4, plus the CF (crypt filter) sub-dictionary that defines per-stream cipher choices.

AES-128 in PDF uses CBC mode with a per-document IV. The 128-bit key is derived from the user password through a chain that mirrors the RC4 derivation: pad the password to 32 bytes, MD5 it together with the O field and P flags, then iterate MD5 50 times. The first 16 bytes of the final hash become the AES key.

Crucially, the cipher itself is not the vulnerability point. AES-128 is part of NIST FIPS 197 and remains the default symmetric cipher for TLS 1.3, OpenPGP, and most file-encryption standards in 2026.

• V (algorithm version) = 4
• R (revision) = 4
• Length = 128 bits
• Cipher: AES in CBC mode, per-document random IV
• Crypt filter (CF) dictionary defines stream-specific cipher
• CFM (crypt filter method) = AESV2

Why mode 10600 reduces to password strength

AES-128 has 2^128 possible keys — a search space astronomically larger than what any known compute budget can address. Specialised attacks on reduced-round AES exist in academic literature, but no shortcut applies to full 10-round AES-128 used by PDF.

Because the cipher is sound, recovery operates exclusively at the password layer. A candidate password is run through the same key-derivation function used by Adobe Reader; the resulting AES key decrypts a known portion of the encrypted dictionary; if the decryption matches the expected padding, the password is verified.

This is identical in shape to mode 10500 (RC4-128) recovery: the cipher is irrelevant; the password's own complexity determines whether recovery is feasible. If you set a 14-character random password from a manager, no realistic compute budget will recover it. If you set 'Spring2008!' because that was your office network password at the time, recovery will likely succeed.

Key-derivation function in detail

Adobe's Standard Security Handler v4 uses a deterministic key-derivation function defined in the PDF 1.6 specification Algorithm 3.2. The steps are: (1) right-pad the password with the standard 32-byte padding string to total 32 bytes; (2) append the O field (32 bytes); (3) append P (4 bytes, little-endian); (4) append the file ID (16 bytes); (5) compute MD5 of this 84-byte input; (6) iterate MD5 50 times on the previous output; (7) take the first 16 bytes as the AES key.

MD5 is cryptographically broken for collision resistance, but the PDF KDF doesn't depend on MD5's collision resistance — it depends on MD5 being a one-way function for password-recovery purposes, which it still effectively is. Note that this design predates the modern key-derivation best practice (PBKDF2, scrypt, Argon2) of using a high iteration count for memory-hardness; PDF's 50 iterations is substantially weaker than PBKDF2's 100,000+ iterations recommended in 2026.

The MD5-50-iteration design means GPUs can verify candidate passwords very quickly per second. But the keyspace is the password's keyspace, not the cipher's — which loops back to the same constraint: password complexity determines feasibility, period.

Identifying mode 10600 files

The encrypt dictionary tells you exactly what cipher and revision is in use. Look for `/V 4 /R 4 /Length 128`, plus the crypt filter sub-dictionary with `/CFM /AESV2`. The presence of CFM is the unambiguous signal that AES is in use rather than RC4.

Files in this category are typical for PDFs created by Adobe Acrobat 7 through 9 (2004-2008), or by third-party libraries that adopted AES-128 during this window: iText 2.x with strong encryption enabled, PDFKit on macOS, and various enterprise-grade PDF generation tools.

From 2008 onward (Acrobat 9, PDF 1.7 Adobe Extension Level 3), the default moved to V=4/R=4 with strengthened AES-128 — same Hashcat mode 10600. Acrobat X (2010) introduced V=5/R=6 with AES-256 (mode 10700) as the new default.

Recovery strategy questions for owners

When you submit a mode 10600 file, the determining factors are: (1) password length range you remember; (2) character classes used (digits only, lower/upper, symbols, mixed); (3) whether the password was likely a dictionary word, a date, a personal name, or random; (4) any hint phrase or partial recollection.

Without any hint, the only path is targeted dictionary attacks plus mask-based searches against common patterns. With a length hint and character-class hint, the search space shrinks dramatically. With a known prefix or known word, it can collapse to a few thousand candidates.

We do not publish recovery probability percentages because the variance is enormous and depends on what the password is. We will tell you what we found in the free-check phase — the techniques that complete in minutes — before any paid attempt is started. That gives you a real-data signal before committing.

AES-128 in the broader 2026 context

AES-128 remains the workhorse symmetric cipher in 2026. It's the default in TLS 1.3 cipher suites, the foundation for FIPS 140-3 compliance, and approved by NIST for protecting up to TOP SECRET data (FIPS 197). PDF's adoption in 2004 was actually relatively early.

The weakest link in mode 10600 isn't AES — it's the user-chosen password and the relatively weak KDF (MD5×50). For a properly random 16-character password, the document is effectively unrecoverable by any realistic adversary in the foreseeable future. For a typical human-chosen password, it is recoverable by anyone with enough GPU time, service or DIY.

The shift from this generation (V=4/R=4) to V=5/R=6 in PDF 1.7 ext 8 (Acrobat X, 2010) addressed the KDF weakness — AES-256 with a much stronger SHA-256-based key derivation. Files in that mode (10700) are categorically harder to recover.

Frequently Asked Questions

Related references