Is any PDF encryption secure?

[MartinThoma]

Somebody (I'm not sure if they want to stay anonymous) pointed out that AES in ECB mode is insecure. You can find this example for AES in ECB mode issues.

The PDF specs

PDF 1.7

According to PDF 32000-1:2008, page 58:

If using the AES algorithm, the Cipher Block Chaining (CBC) mode, which requires an initialization vector,
is used. The block size parameter is set to 16 bytes, and the initialization vector is a 16-byte random
number that is stored as the first 16 bytes of the encrypted stream or string.

And page 67:

The algorithms that shall be used to encrypt the enveloped data in the PKCS#7 object are: RC4 with key
lengths up to 256-bits, DES, Triple DES, RC2 with key lengths up to 128 bits, 128-bit AES in Cipher Block
Chaining (CBC) mode, 192-bit AES in CBC mode, 256-bit AES in CBC mode. The PKCS#7 specification is in
Internet RFC 2315, PKCS #7: Cryptographic Message Syntax, Version 1.5 (see the Bibliography).

The ECB mode is not mentioned at all. The CBC mode should be used.

Looking in https://developer.adobe.com/document-services/docs/assets/5b15559b96303194340b99820d3a70fa/PDF_ISO_32000-2.pdf

PDF 2.0

Decrypt the 16-byte Perms string using AES-256 in ECB mode with an initialization vector of zero and
the file encryption key as the key. Verify that bytes 9-11 of the result are the characters "a", "d", "b". Bytes
0-3 of the decrypted Perms entry, treated as a little-endian integer, are the user permissions. They shall
match the value in the P key.

and

Encrypt the 16-byte block using AES-256 in ECB mode with an initialization vector of zero, using the file
encryption key as the key. The result (16 bytes) is stored as the Perms string, and checked for validity
when the file is opened

pypdf

pypdf (AlgV5) uses ECB in verify_perms ; so we seem to follow the PDF 2.0 specs.

My Question

pypdf seems to do what it should do: Follow the specs.

My question is about the specs. Why does the perms use ECB mode while the rest uses CBC? Is that an issue? Why was it done like that?

[MartinThoma]

@exiledkingcc Do you have any insights about this topic?

My best guess is that it's not relevant for the perms as they are small. The ECB-issue only manifests if there are larger chunks of data.

[exiledkingcc]

Your thoughts are completely correct.
And I think, just my personal opinion, perms do not contain any secret information, the permissions flags are clear in the '/P' entry, perms are used to just verify the '/P' entry, so it's ok to use ECB. If perms choose CBC, there should be another entry to store the IV (initialization vector), which will make it more complex. Notice you should not use the same IV to encrypt different messages, it‘s inscure.

[MartinThoma]

Thank you for sharing your thought 🙏