8/14/2019 Analysis of Microsoft Office Password Protection System,
http://slidepdf.com/reader/full/analysis-of-microsoft-office-password-protection-system 1/17
http://www.elcomsoft.com
Presentation on
Black Hat Windows 2000 Security Conference
Analysis of Microsoft Office password protection system,
and survey of encryption holes in other MS Windows applications
Analysis of Microsoft Office password protection system
1. Key principles of data password protection
2. Passwords in Microsoft Word 97/2000
3. Passwords in Microsoft Excel 97/2000
4. VBA Macros protection
5. Microsoft Outlook personal storage files
6. French version of MS Office – strong crypto prohibition
7. Old versions of MS Office applications
8. Protection recommendations
Key principles of data password protection
1. The key is stored within the document. When someone attempts to open the
document, the program checks whether the key entered is the same as the stored
one. If the key doesn’t match, the program locks further processing of the
document.
2. A key hash is stored within the document. "A hash function is a function,
mathematical or otherwise, that takes a variable-length input string (called a pre-
image) and converts it to a fixed-length (generally smaller) output string (called a
hash value)." (Bruce Schneier). When this method is employed, the key entered by a
user is transformed into a data string of fixed length that is used to verify the key,
but that string cannot be used to retrieve the key itself.
3. The key is used to encrypt the document with a certain algorithm. The
reliability of the protection depends only on the reliability of the algorithm and
the length of the key.
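To make the three principles concrete, here is an added Python illustration (not code from the deck or from ElcomSoft): principle 1 needs no code, since the key sits in the file as-is; principle 2 keeps the body in the clear behind a short verifier tag, whose bit length decides how many other passwords are accepted; principle 3 derives a key from the password so the body is unreadable without it. SHA-256, PBKDF2 and the hash-counter keystream are stand-ins chosen for this illustration and are assumptions, not the Office formats.

```python
import hashlib
import os
from typing import Optional


def verifier_tag(password: str, bits: int) -> int:
    """Principle 2: a fixed-length check value derived from the password.
    `bits` models the stored hash length the deck reports (16 for an Excel
    sheet, 32 for document protection, 128 for the password to open)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def protect_with_tag(body: bytes, password: str, bits: int) -> dict:
    """Principle 2 as a document: the body is stored in the clear and only
    the tag is kept. The body was never hidden; only the program's refusal
    to open it stands between a reader and the text."""
    return {"tag": verifier_tag(password, bits), "bits": bits, "body": body}


def open_with_tag(doc: dict, password: str) -> Optional[bytes]:
    """Locks further processing on a tag mismatch, as the slide describes."""
    if verifier_tag(password, doc["bits"]) != doc["tag"]:
        return None
    return doc["body"]


def count_tag_collisions(bits: int, candidates: int) -> int:
    """How many of `candidates` constructed passwords share a tag with an
    earlier one. A 16-bit tag has 65,536 values, so among 100,000 candidates
    at least 34,464 must collide (pigeonhole), whatever the hash function."""
    seen, collisions = set(), 0
    for i in range(candidates):
        tag = verifier_tag(f"candidate-{i}", bits)  # constructed candidates
        if tag in seen:
            collisions += 1
        else:
            seen.add(tag)
    return collisions


def derive_key(password: str, salt: bytes, key_bits: int) -> bytes:
    """Principle 3: the password becomes a key of `key_bits` bits (40 in
    Office 97/2000 per the deck). PBKDF2 is a stand-in, not Office's KDF."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)
    return raw[: key_bits // 8]


def _keystream(key: bytes, length: int) -> bytes:
    """Constructed toy stream cipher (hash in counter mode) standing in for
    RC4; it is here only so the body is actually unreadable without the key."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def protect_with_encryption(body: bytes, password: str, key_bits: int) -> dict:
    """Principle 3 as a document: no verifier to rewrite; the body itself
    depends on the key, so protection rests on the cipher and key length."""
    salt = os.urandom(16)
    stream = _keystream(derive_key(password, salt, key_bits), len(body))
    ciphertext = bytes(a ^ b for a, b in zip(body, stream))
    return {"salt": salt, "key_bits": key_bits, "body": ciphertext}


def open_with_encryption(doc: dict, password: str) -> bytes:
    """A wrong password yields garbage rather than a refusal; the only
    shortcut left is searching the 2**key_bits key space."""
    key = derive_key(password, doc["salt"], doc["key_bits"])
    stream = _keystream(key, len(doc["body"]))
    return bytes(a ^ b for a, b in zip(doc["body"], stream))
```

With a 16-bit tag, the collision count shows why the deck treats sheet protection as a formality; with a 128-bit tag the same search finds no collisions, and the remaining weakness is the 40-bit key rather than the verifier.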
Passwords in Microsoft Word 97/2000
Write protection password.
This password is stored inside the document. You can see it using any
HEX-viewer.
Document protection password.
The password hash is stored in the document. The hash length is only 32 bits.
We can change this password to any other one, or disable it (replace it with
the hash of an empty string).
Password to open.
When this password is set, the entire Word document (including a part of the
auxiliary information) is encrypted with the RC4 algorithm (a stream cipher).
A 128-bit hash formed with the MD5 algorithm is used for password verification.
The encryption key is 40 bits long, because state regulations of many countries
don’t allow using stronger crypto.
Applications for password recovery:
Advanced Office 2000 Password Recovery
Passwords in Microsoft Excel 97/2000
Write protection password.
This password is stored inside the document. You can see it using any
HEX-viewer.
Document protection password.
The password hash is stored in the document. The hash length is only 32 bits.
We can change this password to any other one, or disable it (replace it with
the hash of an empty string).
Password to open.
When this password is set, the entire document (including a part of the
auxiliary information) is encrypted with the RC4 algorithm (a stream cipher).
A 128-bit hash formed with the MD5 algorithm is used for password verification.
The encryption key is 40 bits long, because state regulations of many countries
don’t allow using stronger crypto.
Book and Sheet password.
When an Excel sheet is protected with a password, a 16-bit (two-byte) hash is
generated. Book protection is somewhat more sophisticated: the hash generation
algorithm is the same as with sheet protection; however, the whole document is
encrypted. The password used for the encryption is “VelvetSweatshop”.
Applications for password recovery:
Advanced Office 2000 Password Recovery
VBA Macros protection
Office 97:
Passwords are stored almost in their original form – a very simple encryption
algorithm is used. These passwords can be recovered or changed/removed
instantly.
Office 2000:
The Windows CryptoAPI is used. The password hash is generated with the SHA
algorithm. These passwords can be recovered by brute-force or dictionary attacks
only; however, they can be changed or removed.
Applications for password recovery:
Advanced Office 2000 Password Recovery
Advanced VBA Password Recovery
Microsoft Outlook Personal Storage files
This application allows protecting the user’s personal data stored in *.pst files
(Personal Storage Files) with a password. Protection of the user’s personal
information and personal correspondence is a very important factor to be taken
into account when developing a general concept of information protection.
However, Microsoft is using a very simple and unreliable algorithm here as well.
The password hash is generated with the CRC-32 algorithm (a 32-bit checksum).
It has been proven that a 6-character input (non-printable characters not
included) can be found for any checksum. So, password retrieval turns out to be
a trivial task.
Applications for password recovery:
Advanced Office 2000 Password Recovery
Advanced Outlook Password Recovery
French versions of Microsoft Office
Strong cryptographic algorithms are banned in France. So, if an MS Word or Excel
document has been created (password-protected) on a computer with French
regional settings, a very simple encryption algorithm (XOR-based) is used.
A 16-byte sequence is generated from any password (we can also calculate the
password from that sequence). If we know 16 bytes of the source plaintext, then
password recovery is trivial. In most cases, passwords for these files can be
recovered instantly by means of statistical plaintext analysis.
Applications for password recovery:
Advanced Office 2000 Password Recovery
Old versions of MS Office applications
Microsoft Word 2.0, 6.0 and 95 (7.0) and Excel 4.0, 5.0 and 95 (7.0) use an even
weaker encryption algorithm. To encrypt a document, an exclusive OR operation
(XOR) with a sequence derived from the password is used. As some (predictable)
auxiliary information is encrypted too, that sequence can be recovered. So, the
file open password in these Word and Excel versions can be retrieved in a
fraction of a second.
Applications for password recovery:
Advanced Office 2000 Password Recovery
Advanced Office 95 Password Recovery
Protection recommendations
Having read this text, many users will become unsure about entrusting their
secrets to Microsoft software. The answer is very simple – use other software
products to protect confidential information. For example, one can use the
reputable, thoroughly tested Pretty Good Privacy (PGP) software. It is based on
a well-known mathematical problem – factorization of a very large number into
prime numbers. There is no known (analytical) solution to this problem, and
exhaustion of all possible combinations will take forever – even with state-of-
the-art machines.
If you decide to protect your document with a password (to set a file open
password in Word or Excel) anyway, choose a complicated one. Avoid using
words from a dictionary, or your name/surname, as a password. Your password
should consist of letters (both upper- and lower-case), numbers, and special
symbols. You can also use symbols from your national alphabet. A secure
password might look like this: “fO7#s!kP4x*a”. However, please note that with
today’s computers, decrypting your document won’t take longer than a few
days (or even hours on a LAN).
Other Windows applications
1. ZIP archiver, known-plaintext attack
2. ARJ archiver, very weak encryption
3. RAR archiver, strong crypto from Russia
4. Protection in Adobe Acrobat
5. Internet Explorer content advisor password
6. Database protection in Microsoft Money
ZIP archiver
This archiver allows setting an archive password. The whole archive is encrypted
using a specific algorithm. Each password is converted to three 32-bit keys. Two
famous cryptanalysts, Eli Biham and Paul Kocher, have analyzed this algorithm and
found out that it’s possible to find the encryption keys by means of a
known-plaintext attack. Only 12 bytes of plaintext are needed for key recovery.
Then, we can manually decrypt the whole archive using those encryption keys. If
we don’t have any plaintext, it’s possible to recover a password using brute-force
or dictionary attacks (which can be implemented very effectively on modern CPUs).
Brute force speed analysis for ZIP (for P-II 350 CPU)
Charset                        Length   Passwords          Time
All printable                  1..5     7,820,126,720      65 minutes
Digits, small/capital, space   6        62,523,502,592     9 hours
Digits, small letters, space   7        94,931,877,888     13 hours
Digits                         8..11    111,100,002,304    15.5 hours
Small letters, space           8        282,429,521,920    ~1.5 days
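Added example (not from the deck): a calculator that reproduces the table’s key-space counts exactly and turns them into search times, and applies the same arithmetic to the sample password from the recommendations slide against the 40-bit key of the password to open. The rate of about 2,000,000 passwords per second is an assumption read back from the table’s figures (the slide states times, not a rate); the deck’s own counts are these exact values rounded to single-precision floating point, which is why they differ by a few hundred.

```python
import string

# Assumed rate, read back from the deck's table (about 2 million/s on a P-II 350).
RATE_P2_350 = 2_000_000

# Character classes used by the table's charsets and by the deck's password advice.
CLASSES = {
    "digits": string.digits,                    # 10
    "small letters": string.ascii_lowercase,    # 26
    "capital letters": string.ascii_uppercase,  # 26
    "space": " ",                               # 1
    "special symbols": string.punctuation,      # 32
}
ALL_PRINTABLE = sum(len(chars) for chars in CLASSES.values())  # 95


def alphabet(*names: str) -> int:
    """Size of the union of the named classes ('digits, small letters, space' = 37)."""
    return sum(len(CLASSES[name]) for name in names)


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Exact number of candidates of every length from min_len to max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, rate: float = RATE_P2_350) -> float:
    """Worst-case time to try every candidate at `rate` passwords per second."""
    return space / rate


def charset_size_of(password: str) -> int:
    """Alphabet an attacker must cover for a password drawn from these classes."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))


def effective_space(password: str, key_bits: int) -> int:
    """Whichever is cheaper to search: all passwords of this shape, or the
    2**key_bits keys the password is reduced to (40 bits for Office 97/2000)."""
    n = charset_size_of(password)
    return min(keyspace(n, len(password), len(password)), 2 ** key_bits)


# Rows of the deck's table: (label, charset size, min length, max length).
TABLE = [
    ("All printable", ALL_PRINTABLE, 1, 5),
    ("Digits, small/capital, space",
     alphabet("digits", "small letters", "capital letters", "space"), 6, 6),
    ("Digits, small letters, space", alphabet("digits", "small letters", "space"), 7, 7),
    ("Digits", alphabet("digits"), 8, 11),
    ("Small letters, space", alphabet("small letters", "space"), 8, 8),
]


def main() -> None:
    for label, n, lo, hi in TABLE:
        space = keyspace(n, lo, hi)
        hours = seconds_to_exhaust(space) / 3600
        print(f"{label:30} {lo}..{hi:<3} {space:>16,} {hours:6.1f} h")
    pw = "fO7#s!kP4x*a"  # the deck's sample password
    full = keyspace(charset_size_of(pw), len(pw), len(pw))
    days = seconds_to_exhaust(effective_space(pw, 40)) / 86400
    print(f"{pw}: {charset_size_of(pw)}-symbol alphabet, {full:.3e} candidates, "
          f"but behind a 40-bit key: about {days:.1f} days")


if __name__ == "__main__":
    main()
```

At the table’s rate a 40-bit key space is exhausted in about six days, which matches the deck’s warning that even a strong password buys only a few days once the file is encrypted with a 40-bit key.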
Applications for password recovery:
Advanced Archive Password Recovery
Advanced ZIP Password Recovery
ARJ archiver
A very simple and weak encryption algorithm is used in this archiver. An
“Exclusive OR” logical operation is performed on the archive contents; the second
argument in this operation is the password. Of course, we can use a known-
plaintext attack, or just a brute-force approach if the archive contents are
unknown. But in the latest versions of ARJ, strong encryption (the GOST
algorithm) is available as an option.
Applications for password recovery:
Advanced Archive Password Recovery
Advanced ARJ Password Recovery
RAR archiver
The RAR archiver, developed by Eugene Roshal, uses a very strong encryption
algorithm. The encryption key is 128 bits long. A 256-byte S-box is derived from
each key. The S-box operations are very complicated and slow. A known-plaintext
attack is not possible at all. Only a brute-force or dictionary attack can be used
for password recovery. The recovery speed is very low; for example, we can test
only about 4800 passwords per second on a P-III 800.
Applications for password recovery:
Advanced Archive Password Recovery
Advanced RAR Password Recovery
Passwords in Adobe Acrobat
Standard PDF security
A protected PDF document has two passwords: an owner password and a user
password. The document also specifies operations that should be restricted even
when the document is decrypted: printing; copying text and graphics out of the
document; modifying the document; and adding or modifying text notes and
AcroForm fields.
Password types
When the correct user password is supplied, the document is opened and decrypted
but these operations are restricted; when the owner password is supplied, all
operations are allowed. The owner password is required to change these passwords
and restrictions.
Encryption key
A protected PDF document is encrypted with the RC4 algorithm. The encryption key
length is 40 bits. The key is calculated from the user password. Knowing the owner
password allows calculation of the user password and therefore of the encryption
key. All restrictions are enforced by software, not by the PDF format itself.
Applications for password recovery:
Advanced PDF Password Recovery
Passwords in Microsoft Money
The latest versions of Microsoft Money use the MS Jet storage system. The
database password is stored in the file header. The whole database is encrypted
using the RC4 algorithm. But the encryption key is permanent (and, by the way,
the key length is only 32 bits). This key is stored in one of the system DLLs.
Therefore any database password can be recovered instantly.
Applications for password recovery:
Advanced Money Password Recovery