Adobe has acknowledged on its blog, ‘Security Matters’, the encryption change recently noted by Russian security firm ElcomSoft.
On Adobe’s blog, the company notes, ‘[T]he current specification for password-based 256-bit AES encryption in PDF provides greater performance than the previous 128-bit AES implementation.’
The blog post continues, ‘While this allows for 256-bit AES password protected documents to open faster in Acrobat 9, it can also allow external brute-force cracking tools to attempt to guess document passwords more rapidly because fewer processor cycles are required to test each password guess.’
In the announcement of its newly released Advanced PDF Password Recovery 5.0, ElcomSoft’s CEO Vladimir Katalov was quoted in November as saying, ‘The newer version of Adobe Acrobat is easier to break.’ The company claimed Adobe Acrobat is 100 times less secure in its latest version, Acrobat 9.
Adobe has recommended on its security blog that customers using password-based encryption use long passphrases that combine upper-case and lower-case letters, numbers, and symbols to help mitigate dictionary attacks.
Adobe also noted that additional security measures were added to the 256-bit AES implementation of password security in PDF, and that Adobe Acrobat and Adobe Reader both support these measures, as described on Adobe’s security blog.