PDF
PDF Password Toolspdfpassword.net
Technical Reference

PDF Encryption Types Explained

From easily-crackable 40-bit RC4 to modern AES-256: a complete breakdown of every PDF encryption standard, what each means for security, and what your recovery options are.

Quick Reference

/RCipherKeyAcrobatRecovery
R=2RC440 bitsAcrobat 2–4Guaranteed
R=3 (128-bit)RC4128 bitsAcrobat 5–6~50% success
R=4 (AES-128)AES-128128 bitsAcrobat 7~40% success
R=5AES-256256 bitsAcrobat 9~15% success
R=6AES-256256 bitsAcrobat X+<10% success

R=240-bit RC4

PDF 1.1–1.3 (Acrobat 2–4) · 1993–2000

Guaranteed

Cipher

RC4

Key Length

40 bits

Key Space

2⁴⁰ ≈ 1.1 trillion

Recovery

Guaranteed

The original PDF encryption. 40 bits was deliberately chosen to comply with US export restrictions on cryptography at the time. Even in 1993 this was considered weak — by today's standards it offers essentially no real security.

Technical Detail

The PDF standard derives a 40-bit RC4 key from the password, file ID, and permissions flags using an MD5-based key generation algorithm. Because the key space is finite (2⁴⁰ possible keys), a brute-force attack against the key directly — not the password — always succeeds. Password complexity is irrelevant.

Commonly created by

Adobe Acrobat 1.x–4.x, old scanners, legacy enterprise document systems

How to identify

/R 2 or /R 3 in the /Encrypt dictionary, /V 1, /Length 40

Legacy 40-bit recovery available

100% Guaranteed PDF Recovery

Your PDF uses 40-bit encryption — mathematically breakable every time. Our service guarantees full recovery. No result, no charge.

✓ No password needed✓ Original file unchanged✓ 24–48hr turnaround✓ Secure upload
Start Legacy Recovery

R=3 (128-bit)128-bit RC4

PDF 1.4–1.5 (Acrobat 5–6) · 2001–2005

~50% success

Cipher

RC4

Key Length

128 bits

Key Space

2¹²⁸ ≈ 3.4 × 10³⁸

Recovery

~50% success

A significant improvement over 40-bit but still using the RC4 cipher, which is known to have weaknesses. The 128-bit key is far too large for brute force, so recovery depends on dictionary attacks against the password.

Technical Detail

Uses MD5-based key derivation with 50–51 iterations of mixing (improved from R=2). While the key space is enormous, the weak point is the password itself — if it's a dictionary word, name, or short phrase, dictionary attacks can recover it. RC4's stream cipher properties also allow some optimizations.

Commonly created by

Adobe Acrobat 5–6, many PDF printers from 2001–2007

How to identify

/R 3, /V 2, /Length 128

R=4 (AES-128)AES-128

PDF 1.6 (Acrobat 7) · 2005–2012

~40% success

Cipher

AES-128

Key Length

128 bits

Key Space

2¹²⁸ ≈ 3.4 × 10³⁸

Recovery

~40% success

The first version to use AES (Advanced Encryption Standard). AES replaced RC4 as the industry standard due to RC4's known weaknesses. This is still recoverable if the password is human-generated, but requires significantly more compute than RC4-128.

Technical Detail

Introduced in PDF 1.6 with /R 4. The PDF spec added optional AES alongside RC4 for Revision 4 — both use 128-bit keys but AES is significantly stronger. Key derivation uses SHA-1 with a salt for R=4 (unlike the MD5 chain used for R=2/3). Recovery requires pure dictionary/pattern attacks.

Commonly created by

Adobe Acrobat 7–9, many business PDF tools from 2005 onward

How to identify

/R 4, /V 4, /Length 128, /Filter /Standard

R=5AES-256 (v1)

PDF 1.7 Ext. Level 3 (Acrobat 9) · 2008–2012

~15% success

Cipher

AES-256

Key Length

256 bits

Key Space

2²⁵⁶ ≈ 1.2 × 10⁷⁷

Recovery

~15% success

The first 256-bit AES PDF encryption. Introduced in Acrobat 9 but later found to have a weaker-than-expected key derivation scheme — only a single SHA-256 iteration for the key check.

Technical Detail

Uses a single SHA-256 hash for the password validation check (O/U strings). This relatively weak key derivation means GPU-based attacks can test hundreds of millions of passwords per second — fast for AES-256. The encryption key itself is random and strong; the vulnerability is in how it's validated.

Commonly created by

Adobe Acrobat 9, some PDF printers and document management systems from 2008–2012

How to identify

/R 5, /V 5, /Length 256

R=6AES-256 (v2)

PDF 1.7 Ext. Level 8 (Acrobat X+) · 2010–present

<10% success

Cipher

AES-256

Key Length

256 bits

Key Space

2²⁵⁶ ≈ 1.2 × 10⁷⁷

Recovery

<10% success

The current strongest PDF encryption standard. Fixed the key derivation weakness of R=5 by using PBKDF2-SHA256 with 100,000 iterations — intentionally slow to prevent brute force.

Technical Detail

R=6 uses PBKDF2-SHA256 with 100,000 iterations and a unique per-file salt. This means each password guess requires 100,000 SHA-256 computations. On a high-end GPU, this limits attack speed to roughly 50,000 passwords per second — compared to billions per second for weak encryption. Only very short or common passwords are feasible targets.

Commonly created by

Adobe Acrobat X (10) and later, macOS Preview (recent versions), most modern PDF tools

How to identify

/R 6, /V 5, /Length 256

Frequently Asked Questions

What is 40-bit PDF encryption?
40-bit PDF encryption uses the RC4 stream cipher with a 40-bit key. This was the only encryption option in early Acrobat versions (1.1–1.3). The 40-bit key space contains exactly 2⁴⁰ = 1,099,511,627,776 possible keys — a small enough number that modern hardware can test all of them in hours, making recovery guaranteed regardless of the password used.
What PDF version uses AES encryption?
AES-128 encryption was introduced in PDF 1.6 (Acrobat 7, 2005) using Revision 4. AES-256 was introduced in PDF 1.7 Extension Level 3 (Acrobat 9, 2008) as Revision 5, and improved in PDF 1.7 Extension Level 8 (Acrobat X, 2010) as Revision 6 with better key derivation.
How do I know what encryption my PDF uses?
The easiest way is to use a PDF encryption analyzer tool that reads the file metadata locally. The /Encrypt dictionary in the PDF contains /R (revision), /V (algorithm version), and /Length (key length in bits) fields. Revision 2-3 = 40-bit RC4, Revision 4 = 128-bit (RC4 or AES), Revision 5-6 = 256-bit AES.