Breaking PDF Passwords

Fast hashes are easy to brute force, let's apply this to an actual scheme


30 solved
Jan. 15, 2016, 3:25 p.m.

I'm probably missing something obvious but:

Do the following 50 times: Take the output of the previous MD5 call and pass it as input to MD5. Take the output of the final MD5 call. Truncate it down to be the same length as the value specified by key length. This is the symmetric key.

the output from the md5 hash is always 16 bytes so it would never need to be truncated?

Also any chance of a test vectors for the two parts symmetric key and user hash on their own? Cheers


Jan. 16, 2016, 10 p.m.

Truncation only applies when the symmetric key is export grade i.e. 40 bits. You indeed don't have to worry about it for this problem. And yes, I'll add a test vector later today.


36 solved
March 5, 2016, 2:38 a.m.

Can you provide the test vector values for intermediate steps like "padded out" password value and first md5 value please. I tried a bunch of variations but not getting the symmetric key value to match


March 7, 2016, 9:53 a.m.

Sure, a couple things to keep in mind:

  • The given document ID and the owner hash are hex encoded, the MD5 algorithm operates on raw bytes so you'll want to decode those before passing them to MD5.
  • Permissions is the hex representation (in two's complement) of -3 in this case. Just interpret it as a hex encoded string like the above two values and do the same decoding before feeding it to MD5.
Padded out password (hex encoded):


First MD5 digest (hex encoded):