Is Adobe 9 weaker than Adobe 8?

Once more, Elcomsoft is creating a buzz (see the post where they claimed to have broken WPA2). Their new target is Adobe 9.

Adobe 9 uses AES-256 to protect PDF files. Unfortunately, calculating SHA256 is faster on graphics processing units (GPUs) than calculating MD5 as in previous versions of Adobe. Thus, ElcomSoft claims that it is less secure, because they can brute-force 8-character passwords with Adobe 9 at the same speed as 6-character passwords with previous versions of Adobe.

The answer from Adobe is clear and technical (see Security matters: Acrobat 9 and passwords encryption). With the new version, they have allowed passphrases of up to 127 characters!

My comments are:

  • Was it useful to use AES256? Is it not simply a stupid commercial argument? To get the full benefit of AES256, the passwords should exceed 37 characters (I used 127 bits per character to calculate it). That represents a passphrase as long as “Law #1: Attackers will always find th”. Who will
    1. type such a long passphrase?
    2. remember it? Especially if it is not used daily.
  • Would it not also be better for Adobe to come up with a more humanly understandable answer?
  • Once more, Elcomsoft is twisting the information. The only thing they are really demonstrating is that they are able to crack an 8-character password. Wow! But they succeed in creating a buzz in a field that most people do not understand. They are good at that.
  • Passwords suck if there is no limit on the number of trials.
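
The arithmetic behind the 37-character figure and the 8-versus-6 comparison, as an added example (not part of the original post or of Adobe's or Elcomsoft's material). It assumes uniformly random passwords; the alphabet sizes are illustrative assumptions, and a 128-symbol alphabet (7 bits per character) is the one that reproduces the 37-character figure.

```python
import math

AES_KEY_BITS = 256  # key size the post attributes to Adobe 9

# Alphabet sizes are assumptions chosen for illustration.
ALPHABETS = {
    "7-bit ASCII": 128,
    "printable ASCII": 95,
    "letters and digits": 62,
    "lowercase letters": 26,
}


def min_length(target_bits, alphabet_size):
    """Shortest uniformly random password with at least target_bits of entropy."""
    # Exact integer arithmetic avoids floating-point edge cases near a boundary.
    length, space = 0, 1
    while space < 2 ** target_bits:
        space *= alphabet_size
        length += 1
    return length


def password_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password (an upper bound for human-chosen ones)."""
    return length * math.log2(alphabet_size)


def implied_speedup(alphabet_size, new_length, old_length):
    """Guess-rate ratio implied when new_length is searched as fast as old_length was."""
    return alphabet_size ** (new_length - old_length)


def extra_chars_to_offset(speedup, alphabet_size):
    """Characters to add so exhaustive search takes at least as long as before."""
    extra = 0
    while alphabet_size ** extra < speedup:
        extra += 1
    return extra


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        print(f"{name:20s} needs {min_length(AES_KEY_BITS, size):3d} chars for "
              f"{AES_KEY_BITS} bits; 8 chars give {password_bits(8, size):5.1f} bits")
    factor = implied_speedup(95, 8, 6)
    print(f"8-vs-6 claim implies a {factor}x faster guess rate; "
          f"{extra_chars_to_offset(factor, 95)} extra characters cancel it")
```

Human-chosen passwords carry less entropy than these uniform-random figures, so the lengths shown are lower bounds on what a real passphrase would need.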
