PDF 1.7 Extension 8 AES-256 — Hashcat Mode 10700

What's new in V=5/R=6

PDF 1.7 with Adobe Extension Level 8 (released 2010 alongside Acrobat X) added a brand-new Standard Security Handler revision: V=5, R=6. The cipher is AES-256 in CBC mode. The key derivation moves from the legacy MD5-iterated chain to a SHA-256-based scheme with a per-attempt cost roughly two orders of magnitude higher than the old design.

Six new fields appear in the encrypt dictionary: U (48 bytes), O (48 bytes), UE (32 bytes), OE (32 bytes), Perms (16 bytes), and the standard CF/CFM/AESV3 setup. The U and O fields contain validation salts plus the encrypted user/owner key; UE and OE contain the encrypted file encryption key.

The two-stage design — password verifies an intermediate key, intermediate key decrypts the actual file encryption key — is similar to LUKS or BitLocker. It allows password change without re-encrypting the file content.

• V (algorithm version) = 5
• R (revision) = 6
• Length = 256 bits
• Cipher: AES-256 in CBC mode
• CFM = AESV3
• KDF: SHA-256 with multi-round mixing (variable cost)
• Two-key design: password → intermediate key → file key

Why mode 10700 is the strongest standard tier

Three things combine to make mode 10700 substantially harder than mode 10600. First, AES-256 has 2^256 possible keys vs 2^128 for AES-128. Both are far beyond exhaustive search, so this difference is symbolic — neither cipher can be brute-forced. But it puts AES-256 firmly in the 'post-quantum-resistant' category for current quantum computer capabilities.

Second, the SHA-256 KDF is ~50-100x slower per password attempt than the MD5×50 KDF used in mode 10600. This directly slows down password search throughput on the same hardware — fewer candidate passwords per second tested.

Third, the validation logic is more rigorous: the U field includes both a validation salt and a key salt, and the verification must match a specific 32-byte hash output. This makes false-positive verification (collisions on shorter hashes) impossible.

The SHA-256 hash chain

Adobe Algorithm 2.B (PDF 1.7 ext 8) describes the iterative hash. Initial input: SHA-256(password || validation salt). Then up to 64 rounds of mixing: each round computes SHA-256, SHA-384, or SHA-512 (chosen by the last byte of previous output), with input being 64 copies of (password || prev || zero-padding). The variable-length input means GPU implementations cannot vectorise as efficiently as fixed-length hashes.

Adobe deliberately designed the algorithm to be expensive. While modern GPUs still attempt millions of candidates per second on a single high-end card, that's two orders of magnitude slower than the equivalent throughput against mode 10500 or 10600. Per-second attempt count translates directly into recovery wall-clock time.

Identifying mode 10700 files

Look in the encrypt dictionary for `/V 5 /R 6 /Length 256` and the CFM=AESV3 entry. Adobe Reader X and later display 'AES-256 (Acrobat X+)' in the document properties → security pane.

Files protected with the modern 'Acrobat X and later' option in any post-2010 Adobe product are mode 10700. Many enterprise PDF generation pipelines (Adobe Document Cloud, modern Foxit, modern Nitro) default to AES-256 today — so files created in 2018+ are predominantly in this category.

The PDF version line at the top of the file (`%PDF-1.7`) is not a reliable indicator on its own — the same line could be either V=4/R=4 (mode 10600) or V=5/R=6 (mode 10700). Check the encrypt dictionary directly.

Recovery realism for mode 10700

Mode 10700 recovery is most realistic when the password is short (under 8 characters), based on a common pattern (year + word, name + digit), or when the file owner remembers significant fragments. Beyond that, recovery curves stretch into impractical timescales.

We do not quote specific success rates because they vary so much with password type. What we can say honestly: if the document was protected with a password manager's randomly-generated password of 12+ characters, recovery is not realistic; if it was protected with a personal password from memory, the probability of success during a free check is meaningful and worth attempting.

Files in this tier are increasingly common in 2026 because Adobe products default to AES-256 today. If you have a recent document that's password-protected and you remember roughly what you set, mode 10700 recovery is the right call. If you don't remember, the honest answer is that the file is likely permanent.

Quantum resistance considerations

AES-256 is widely considered quantum-resistant for confidentiality purposes. Grover's algorithm provides only a quadratic speedup against symmetric ciphers, so AES-256 retains an effective 128-bit security margin against quantum adversaries — still beyond any feasible compute budget.

By contrast, public-key components in PDF (digital signatures using RSA-2048 or ECDSA-P256) would be at risk under sufficiently large quantum computers (Shor's algorithm). But this risk applies to signatures, not to password-based content encryption.

For password-recovery purposes, quantum threats are not yet relevant in 2026. The bottleneck remains the password's own entropy, not the cipher.

Frequently Asked Questions

Related references