Adobe Acrobat X and Creating FIPS Compliance


I’ve been getting a few questions lately asking if Acrobat X is FIPS compliant. The short answer is “Yes” – but on Windows, IT administrators can take further action to put Acrobat into FIPS mode, which actually changes the way Acrobat X works to help keep users compliant. The information below is an excerpt from Digital Signatures & Rights Management in the Acrobat Family of Products.

Acrobat and Reader can provide encryption via the Federal Information Processing Standard (FIPS) 140-2 mode. FIPS 140 is a cryptographic security standard used by the federal government and others requiring higher degrees of security. Through registry configuration it is possible to force Acrobat to use only FIPS 140-certified cryptographic libraries. Doing so only affects the production and not the consumption of PDF files, and it only affects encryption and digital signature workflows.

When the FIPS mode is on, Acrobat X encryption uses the Crypto-C ME 3.0.0.1 encryption module with FIPS 140-2 validation certificate 1092.

FIPS mode changes the default behavior of Acrobat X in the following ways:

  • FIPS-compliant algorithms are always used.
  • Self-signed certificate creation is disabled. In FIPS mode, users cannot create self-signed certificates.
  • Signing with non-FIPS supported algorithms results in an error message; that is, signing fails if the document hash algorithm (digest method) is set to MD5 or RIPEMD160.
  • Password security is turned off. Users can apply certificate or Adobe LiveCycle Rights Management Server security using the AES encryption algorithm to a document, but password encryption is disabled.
  • When applying certificate security, the RC4 encryption algorithm is not allowed.
  • Documents protected with non-FIPS compliant algorithms cannot be saved.

FIPS mode cannot be toggled from the preferences panel; you must use the registry. To turn FIPS mode on, set the following registry value to 1:

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\10.0\AVGeneral\bFIPSMode

This setting is a Windows-only feature. On the Mac, enabling the FIPS mode plist setting will limit the supported algorithms for new documents to those allowed per FIPS standards, but due to the lack of FIPS-certified cryptography options on the Mac platform, Acrobat and Reader do not currently use a FIPS-certified implementation.
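
For administrators who want to check or set the Windows registry value above across machines, here is an added PowerShell example (not from the Adobe document) that audits the current user's setting and, with -Enforce, turns it on. The key path and value name come from this page; storing the value as a DWORD and the -Enforce switch are assumptions of the example.

```powershell
# Added example: audit and optionally enforce Acrobat X FIPS mode for the current user.
# Key path and value name are from the page; the DWORD type is an assumption.
[CmdletBinding()]
param(
    [switch]$Enforce   # hypothetical switch: without it the script only reports
)

$KeyPath   = 'HKCU:\Software\Adobe\Adobe Acrobat\10.0\AVGeneral'
$ValueName = 'bFIPSMode'

function Get-AcrobatFipsMode {
    # Returns $null when the key or the value is absent, otherwise the stored data.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-AcrobatFipsMode {
    # The key may not exist yet if Acrobat has never been started by this user.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force overwrites an existing value, including one stored with another type.
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$current = Get-AcrobatFipsMode
if ($current -eq 1) {
    Write-Output "FIPS mode is ON for $env:USERNAME"
    exit 0
}

Write-Output "FIPS mode is OFF or not set for $env:USERNAME (current: '$current')"
if ($Enforce) {
    Set-AcrobatFipsMode
    if ((Get-AcrobatFipsMode) -eq 1) {
        Write-Output "FIPS mode is now ON for $env:USERNAME"
        exit 0
    }
    Write-Error "Failed to set $ValueName"
    exit 2
}
exit 1   # non-zero exit lets a compliance scan flag this user
```

Because the value lives under HKEY_CURRENT_USER, the script has to run in each user's own context (for example as a logon script) to cover every account on a machine.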

Download the “Administrator’s Information Manager” for a list of all registry and plist options and documentation.