FIPS Compliance

To comply with NIST requirements for data protection, Acrobat and Reader on Windows can provide encryption via the Federal Information Processing Standard (FIPS) 140-2 mode. FIPS 140 is a cryptographic security standard used by the federal government and others requiring higher degrees of security. Adobe uses certified and unmodified encryption modules licensed from RSA Security within its desktop and server products. Because the modules are licensed rather than Adobe's own, Adobe will not show up in the NIST Cryptographic Module Validation Program vendor lists. When FIPS mode is enabled via the registry, encryption in digital signature workflows uses FIPS-approved algorithms during the production of PDFs (not the consumption of PDFs).

Note

See the Preference Reference for configuration details and links to the FIPS validation certificates.

FIPS mode changes Acrobat’s default behavior as follows:

  • FIPS-compliant algorithms are always used.

  • Users cannot save self-signed certificates to a P12/PFX file since password security is not permitted in FIPS mode. However, users can save self-signed digital IDs to the Windows Certificate Store.

  • Signing with non-FIPS supported algorithms results in an error message; that is, signing fails if the document hash algorithm (digest method) is set to MD5 or RIPEMD160.

  • Password security is turned off. Users can apply certificate or Adobe LiveCycle Rights Management Server security using the AES encryption algorithm to a document, but password encryption is disabled.

  • When applying certificate security, the RC4 encryption algorithm is not allowed.

  • Documents protected with non-FIPS compliant algorithms cannot be saved.

Document encryption

When FIPS mode is disabled, you can still create encrypted documents that are equivalent to documents encrypted with FIPS mode enabled if you do one of the following:

  • Use AES-128 or AES-256 with certificate-based encryption, or

  • Use AEM Document Security, which only supports AES-128 and AES-256.
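
An audit check for the first equivalence condition above, as an added example that is not Adobe's code: it classifies the text of a PDF `/Encrypt` dictionary by security handler and cipher, using the names defined in the PDF specification. The function name, result keys and sample dictionaries are constructed for illustration; it assumes the dictionary has already been extracted from the file, and it reports any handler other than password or certificate security (AEM Document Security included) as unrecognized.

```python
import re

# Crypt filter method names from the PDF specification (ISO 32000).
CFM_TO_CIPHER = {"V2": "RC4", "AESV2": "AES-128", "AESV3": "AES-256"}
# /Standard is password security; /Adobe.PubSec is certificate security.
HANDLERS = {"Standard": "password", "Adobe.PubSec": "certificate"}
EQUIVALENT_CIPHERS = {"AES-128", "AES-256"}  # the ciphers the page lists

# Constructed /Encrypt dictionaries (key material elided), not from real files.
SAMPLES = {
    "password_rc4": "<< /Filter /Standard /V 2 /R 3 /Length 128 /O (...) /U (...) >>",
    "password_aes256": "<< /Filter /Standard /V 5 /R 6 /CF << /StdCF << /CFM /AESV3 >> >> "
                       "/StmF /StdCF /StrF /StdCF >>",
    "cert_rc4": "<< /Filter /Adobe.PubSec /SubFilter /adbe.pkcs7.s5 /V 4 "
                "/CF << /DefaultCryptFilter << /CFM /V2 /Recipients [...] >> >> "
                "/StmF /DefaultCryptFilter /StrF /DefaultCryptFilter >>",
    "cert_aes256": "<< /Filter /Adobe.PubSec /SubFilter /adbe.pkcs7.s5 /V 5 "
                   "/CF << /DefaultCryptFilter << /CFM /AESV3 /Recipients [...] >> >> "
                   "/StmF /DefaultCryptFilter /StrF /DefaultCryptFilter >>",
}


def classify_encrypt_dict(enc: str) -> dict:
    """Classify an /Encrypt dictionary by handler and cipher (hypothetical helper)."""
    # "/Filter" cannot match inside /SubFilter or /DefaultCryptFilter: the slash
    # must sit directly before the word "Filter".
    name = re.search(r"/Filter\s*/([\w.]+)", enc)
    handler = HANDLERS.get(name.group(1), "unrecognized") if name else "unrecognized"
    version = re.search(r"/V\s+(\d+)", enc)
    v = int(version.group(1)) if version else 0  # /V defaults to 0 when absent

    if v in (1, 2):
        ciphers = {"RC4"}  # these versions have no crypt filters and always use RC4
    else:
        # /V 4 and 5 name the cipher per crypt filter; every /CFM entry must pass.
        ciphers = {CFM_TO_CIPHER.get(m, "unknown:" + m)
                   for m in re.findall(r"/CFM\s*/(\w+)", enc)}

    # Equivalent only when certificate security is combined with AES-128/AES-256.
    equivalent = (handler == "certificate" and bool(ciphers)
                  and ciphers <= EQUIVALENT_CIPHERS)
    return {"handler": handler, "ciphers": sorted(ciphers), "fips_equivalent": equivalent}


if __name__ == "__main__":
    for label, enc in SAMPLES.items():
        print(label, classify_encrypt_dict(enc))
```

The result describes only the handler and cipher recorded in the file; it says nothing about whether the producing application ran a validated module.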