Analysis of Microsoft Office password protection system, and survey of encryption holes in other MS Windows applications

Presentation on Black Hat Windows 2000 Security Conference

http://www.elcomsoft.com

Analysis of Microsoft Office password protection system

1. Key principles of data password protection
2. Passwords in Microsoft Word 97/2000
3. Passwords in Microsoft Excel 97/2000
4. VBA Macros protection
5. Microsoft Outlook personal storage files
6. French version of MS Office – strong crypto prohibition
7. Old versions of MS Office applications
8. Protection recommendations

Key principles of data password protection

1. The key is stored within the document. When someone attempts to open the document, the program checks whether the key entered is the same as the stored one. If the key doesn’t match, the program locks further processing of the document.

2. A hash of the key is stored within the document. "A hash function is a function, mathematical or otherwise, that takes a variable-length input string (called a pre-image) and converts it to a fixed-length (generally smaller) output string (called a hash value)." (Bruce Schneier). When this method is employed, the key entered by a user is transformed into a data string of fixed length that is used to verify the key, but that string cannot be used to retrieve the key itself.

3. The key is used to encrypt the document with a certain algorithm. The reliability of the protection depends only on the reliability of the algorithm and the length of the key.
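The second principle above is only as strong as the width of the stored verifier: a document cannot distinguish the real password from any other string that hashes to the same value, so on average about 2^(bits-1) random guesses satisfy a bits-wide check regardless of how long the real password is. The following script is an added example, not code from the Elcomsoft presentation; its hash (SHA-256 truncated to the requested width) is a constructed stand-in and is not the algorithm Word or Excel use. It enumerates a small candidate space and counts how many strings a 16-bit verifier (the width the Excel slide quotes) would accept next to the genuine password, and then repeats this for a 32-bit verifier (the Word document-protection width).

```python
"""Added example (not from the Elcomsoft slides): how much a stored password
verifier of a given width actually protects, under 'principle 2' above.

The verifier is constructed for the demonstration: the low `bits` bits of
SHA-256(password). It is NOT Word's or Excel's real hash; the point is the
width, not the function.
"""
import hashlib
import itertools
import string


def verifier(password: str, bits: int) -> int:
    """Constructed verifier: the low `bits` bits of SHA-256(password)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)


def expected_guesses(bits: int) -> int:
    """Average number of random guesses until one matches a fixed verifier:
    half of the 2**bits possible verifier values."""
    return 1 << (bits - 1)


def count_accepted(stored: int, bits: int, candidates) -> int:
    """How many candidate strings the document would accept as 'correct'."""
    return sum(1 for c in candidates if verifier(c, bits) == stored)


def collision_survey(password: str, bits: int, alphabet: str, length: int) -> dict:
    """Enumerate every `length`-character string over `alphabet` and count how
    many of them the verifier accepts (the real password included if it lies
    in that space). The expected count is roughly space / 2**bits."""
    stored = verifier(password, bits)
    space = len(alphabet) ** length
    candidates = ("".join(t) for t in itertools.product(alphabet, repeat=length))
    return {
        "bits": bits,
        "space": space,
        "accepted": count_accepted(stored, bits, candidates),
        "expected_accepted": space / (1 << bits),
        "expected_guesses": expected_guesses(bits),
    }


if __name__ == "__main__":
    # A 16-bit verifier against all 4-character lowercase strings:
    # 26**4 = 456,976 candidates, so about 456976 / 65536 ~ 7 of them are
    # accepted even though the real password ("zqx!") is not in the space.
    print(collision_survey("zqx!", 16, string.ascii_lowercase, 4))
    # A 32-bit verifier over the same space: expected accepted ~ 0.0001.
    print(collision_survey("zqx!", 32, string.ascii_lowercase, 4))
```

For a policy decision the number that matters is `expected_guesses`: 32,768 for a 16-bit verifier and about 2.1 billion for a 32-bit one, both far below what a desktop machine of the era could try, which is why the slides treat these protections as removable rather than as confidentiality.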

Passwords in Microsoft Word 97/2000

Write protection password. This password is stored inside the document in the clear; you can see it using any HEX viewer.

Document protection password. A hash of the password is stored in the document, and the hash is only 32 bits long. We can change this password to any other one, or disable it (replace the hash with the hash of an empty string).

Password to open. When this password is set, the entire Word document (including part of the auxiliary information) is encrypted with the RC4 algorithm (a stream cipher). A 128-bit hash formed with the MD5 algorithm is used for password verification. The encryption key is 40 bits long, because state regulations of many countries don’t allow using stronger crypto.

Applications for password recovery: Advanced Office 2000 Password Recovery

Passwords in Microsoft Excel 97/2000

Write protection password. This password is stored inside the document in the clear; you can see it using any HEX viewer.

Document protection password. A hash of the password is stored in the document, and the hash is only 32 bits long. We can change this password to any other one, or disable it (replace the hash with the hash of an empty string).

Password to open. When this password is set, the entire Word document (including part of the auxiliary information) is encrypted with the RC4 algorithm (a stream cipher). A 128-bit hash formed with the MD5 algorithm is used for password verification. The encryption key is 40 bits long, because state regulations of many countries don’t allow using stronger crypto.

Book and Sheet password. When an Excel sheet is protected with a password, a 16-bit (two-byte) hash is generated. Book protection is somewhat more sophisticated: the hash generation algorithm is the same as for sheet protection, but the whole document is encrypted. The password used for encryption is “VelvetSweatshop”.

Applications for password recovery: Advanced Office 2000 Password Recovery

VBA Macros protection

Office 97: Passwords are stored almost in their original form; only a very simple encryption algorithm is applied. These passwords can be recovered, changed or removed instantly.

Office 2000: The Windows CryptoAPI is used, and the password hash is generated with the SHA algorithm. These passwords can be recovered only by brute-force or dictionary attacks; however, they can still be changed or removed.

Applications for password recovery: Advanced Office 2000 Password Recovery, Advanced VBA Password Recovery

Microsoft Outlook Personal Storage files

This application allows protecting a user’s personal data stored in *.pst files (Personal Storage Files) with a password. Protection of a user’s personal information and personal correspondence is a very important factor to take into account when developing a general concept of information protection. However, Microsoft is using a very simple and unreliable algorithm here as well. The password hash is generated with the CRC-32 algorithm (a 32-bit checksum). It has been proven that a 6-character input (non-printable characters excluded) can be found for any checksum value. So, password retrieval turns out to be a trivial task.

Applications for password recovery: Advanced Office 2000 Password Recovery, Advanced Outlook Password Recovery

French versions of Microsoft Office

Strong cryptographic algorithms are banned in France. So, if an MS Word or Excel document has been created (password-protected) on a computer with French regional settings, a very simple XOR-based encryption algorithm is used. A 16-byte sequence is generated from the password (and the password can also be calculated back from that sequence). If we know 16 bytes of the source plaintext, password recovery is trivial. In most cases, passwords for these files can be recovered instantly by means of statistical plaintext analysis.

Applications for password recovery: Advanced Office 2000 Password Recovery

Old versions of MS Office applications

Microsoft Word 2.0, 6.0 and 95 (7.0) and Excel 4.0, 5.0 and 95 (7.0) use an even weaker encryption algorithm. To encrypt a document, an exclusive OR operation (XOR) with a sequence derived from the password is used. As some (predictable) auxiliary information is encrypted too, that sequence can be recovered. So, the file open password in these Word and Excel versions can be retrieved in a fraction of a second.

Applications for password recovery: Advanced Office 2000 Password Recovery, Advanced Office 95 Password Recovery
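Both the French-locale scheme and the older Word/Excel scheme share one flaw: the file is XORed with a short sequence that repeats, and some of the bytes under it are predictable. The script below is an added example, not code from the Elcomsoft presentation, and everything in it is constructed: a toy 16-byte keystream derived from the password with SHA-256 (not Microsoft's derivation), and a toy document format whose first 16 bytes are a fixed header, standing in for the "predictable auxiliary information" the slide mentions. It shows the arithmetic a reviewer would run against any proposed format of this shape: the keystream falls out of ciphertext XOR known header, and the rest of the file follows without the password ever being involved.

```python
"""Added example (not from the Elcomsoft slides): why a short repeating XOR
keystream gives no confidentiality once any of the plaintext is predictable.

Constructed for the demonstration: the keystream derivation, the header and
the document body. None of it is Microsoft's real format.
"""
import hashlib

KEYSTREAM_LEN = 16
# Constructed fixed header: the kind of predictable auxiliary data the
# slides say old Word/Excel files encrypt along with the content.
HEADER = b"TOYDOC v1.0\x00\x00\x00\x00\x00"
assert len(HEADER) == KEYSTREAM_LEN


def keystream_from_password(password: str) -> bytes:
    """Constructed derivation: first 16 bytes of SHA-256(password)."""
    return hashlib.sha256(password.encode("utf-8")).digest()[:KEYSTREAM_LEN]


def xor_with_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_document(body: bytes, password: str) -> bytes:
    """Toy format: fixed header + body, all XORed with the password keystream."""
    return xor_with_repeating_key(HEADER + body, keystream_from_password(password))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step: keystream byte = ciphertext byte XOR plaintext
    byte. Because the key repeats every 16 bytes, 16 known bytes are enough."""
    pairs = zip(ciphertext[:KEYSTREAM_LEN], known_plaintext[:KEYSTREAM_LEN])
    return bytes(c ^ p for c, p in pairs)


def decrypt_without_password(ciphertext: bytes) -> bytes:
    """Recover the body using only the public header, never the password."""
    keystream = recover_keystream(ciphertext, HEADER)
    return xor_with_repeating_key(ciphertext, keystream)[KEYSTREAM_LEN:]


def demo() -> bool:
    """True when the body comes back from the ciphertext alone."""
    body = b"Quarterly numbers: revenue 1234, costs 987."   # constructed body
    ciphertext = encrypt_document(body, "fO7#s!kP4x*a")   # the slide's sample password
    return decrypt_without_password(ciphertext) == body


if __name__ == "__main__":
    print("body recovered without the password:", demo())
```

Note what the password strength did: nothing. The "secure"-looking sample password from the recommendations slide protects exactly as well as "a", because the scheme's key material is recovered from the ciphertext, not guessed. That is the distinction between principle 3 with a sound cipher and principle 3 with a repeating XOR.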

Protection recommendations

Having read this text, many users will become unsure about entrusting their secrets to Microsoft software. The answer is very simple: use other software products to protect confidential information. For example, one can use the reputable, thoroughly tested Pretty Good Privacy (PGP) software. It is based on a well-known mathematical problem, the factorization of a very large number into primes. There is no known (analytical) solution to this problem, and exhausting all possible combinations would take forever, even with state-of-the-art machines.

If you decide to protect your document with a password anyway (to set a file open password in Word or Excel), choose a complicated one. Avoid using words from a dictionary, or your name/surname, as a password. Your password should consist of letters (both upper- and lower-case), numbers, and special symbols. You can also use symbols from your national alphabet. A secure password might look like this: “fO7#s!kP4x*a”. However, please note that with today’s computers, decrypting your document won’t take longer than a few days (or even hours on a LAN).

Other Windows applications

1. ZIP archiver, known-plaintext attack
2. ARJ archiver, very weak encryption
3. RAR archiver, strong crypto from Russia
4. Protection in Adobe Acrobat
5. Internet Explorer content advisor password
6. Database protection in Microsoft Money

ZIP archiver

This archiver allows setting an archive password. The whole archive is encrypted using a ZIP-specific algorithm in which each password is converted to three 32-bit keys. Two famous cryptanalysts, Eli Biham and Paul Kocher, have analyzed this algorithm and found that it is possible to find the encryption keys by means of a known-plaintext attack. Only 12 bytes of plaintext are needed for key recovery; then the whole archive can be decrypted with those keys. If no plaintext is available, a password can still be recovered using brute-force or dictionary attacks (which can be implemented very efficiently on modern CPUs).

Brute force speed analysis for ZIP (for P-II 350 CPU)

Charset                        Length   Passwords         Time
All printable                  1..5     7,820,126,720     65 minutes
Digits, small/capital, space   6        62,523,502,592    9 hours
Digits, small letters, space   7        94,931,877,888    13 hours
Digits                         8..11    111,100,002,304   15.5 hours
Small letters, space           8        282,429,521,920   ~1.5 days

Applications for password recovery: Advanced Archive Password Recovery, Advanced ZIP Password Recovery
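The table above can be reproduced from the character-set sizes alone, which is the calculation a defender does when setting a minimum password length against a known guess rate. The script below is an added example, not code from the Elcomsoft presentation. It assumes 95 printable ASCII characters for "All printable", 26 letters per case, 10 digits and one space character, and computes each row's keyspace as the sum of N^L over the listed lengths. Two things fall out: the implied guess rate is about 2 million passwords per second for every row, and every printed count is exactly the nearest single-precision (32-bit float) value of the exact integer, which is what a tool accumulating the count in a float would display.

```python
"""Added example (not from the Elcomsoft slides): reproduce the ZIP
brute-force table from charset sizes, derive the guess rate it implies,
and use that rate for a length-policy estimate.

Charset sizes are assumptions: 95 printable ASCII, 26 per letter case,
10 digits, 1 space.
"""
import struct


def keyspace(charset_size: int, lengths) -> int:
    """Exact number of passwords of the given lengths over the charset."""
    return sum(charset_size ** length for length in lengths)


def float32_round(n: int) -> int:
    """Round an integer to the nearest value representable as a 32-bit float
    (pack as float32, unpack back)."""
    return int(struct.unpack("<f", struct.pack("<f", float(n)))[0])


def guesses_per_second(count: int, seconds: float) -> float:
    """Rate implied by one count/time pair from the slide."""
    return count / seconds


# (row name, charset size, lengths, count as printed on the slide, time in seconds)
SLIDE_ROWS = [
    ("All printable",                95, range(1, 6),    7_820_126_720,   65 * 60),
    ("Digits, small/capital, space", 63, [6],           62_523_502_592,   9 * 3600),
    ("Digits, small letters, space", 37, [7],           94_931_877_888,  13 * 3600),
    ("Digits",                       10, range(8, 12), 111_100_002_304, 15.5 * 3600),
    ("Small letters, space",         27, [8],          282_429_521_920,  1.5 * 86400),
]


def check_rows() -> list:
    """For each slide row: the exact keyspace, whether the printed count is
    that integer or its float32 rounding, and the guess rate it implies."""
    results = []
    for name, size, lengths, printed, seconds in SLIDE_ROWS:
        exact = keyspace(size, lengths)
        results.append({
            "row": name,
            "exact": exact,
            "printed": printed,
            "matches_exact": printed == exact,
            "matches_float32": printed == float32_round(exact),
            "relative_error": abs(printed - exact) / exact,
            "guesses_per_second": guesses_per_second(exact, seconds),
        })
    return results


def seconds_to_exhaust(charset_size: int, lengths, rate: float) -> float:
    """Time to try every password: the number a length policy is set against."""
    return keyspace(charset_size, lengths) / rate


if __name__ == "__main__":
    for row in check_rows():
        print(row)
    rate = check_rows()[0]["guesses_per_second"]      # ~2.0 million/s on a P-II 350
    years = seconds_to_exhaust(95, [12], rate) / (365.25 * 86400)
    print(f"all 12-character printable passwords at that rate: {years:.3g} years")
```

The rate is the transferable number: the slide's own "a few days (or even hours on a LAN)" remark on the recommendations page is this rate multiplied by the machines available, so a length policy has to be set against the attacker's total rate, not a single CPU's.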

ARJ archiver

A very simple and weak encryption algorithm is used in this archiver: an “exclusive OR” operation is performed on the archive contents, with the password as the second operand. Of course, a known-plaintext attack can be used, or just a brute-force approach if the archive contents are unknown. In the latest versions of ARJ, however, strong encryption (the GOST algorithm) is available as an option.

Applications for password recovery: Advanced Archive Password Recovery, Advanced ARJ Password Recovery

RAR archiver

The RAR archiver, developed by Eugene Roshal, uses a very strong encryption algorithm. The encryption key is 128 bits long, and a 256-byte S-Box is derived from each key. The S-Box operations are very complicated and slow. A known-plaintext attack is not possible at all; only brute-force or dictionary attacks can be used for password recovery. Recovery speed is very low: for example, only about 4800 passwords per second can be tested on a P-III 800.

Applications for password recovery: Advanced Archive Password Recovery, Advanced RAR Password Recovery

Passwords in Adobe Acrobat

Standard PDF security. A protected PDF document has two passwords: an owner password and a user password. The document also specifies operations that should be restricted even when the document is decrypted: printing; copying text and graphics out of the document; modifying the document; and adding or modifying text notes and AcroForm fields.

Password types. When the correct user password is supplied, the document is opened and decrypted but these operations are restricted; when the owner password is supplied, all operations are allowed. The owner password is required to change these passwords and restrictions.

Encryption key. A protected PDF document is encrypted with the RC4 algorithm, with a 40-bit key. The key is calculated from the user password. Knowing the owner password allows calculation of the user password and therefore of the encryption key. All restrictions are enforced by software, not by the PDF format itself.

Applications for password recovery: Advanced PDF Password Recovery


Passwords in Microsoft Money

The latest versions of Microsoft Money use the MS Jet storage system. The database password is stored in the file header, and the whole database is encrypted with the RC4 algorithm. But the encryption key is permanent (and, by the way, only 32 bits long); it is stored in one of the system DLLs. Therefore any database password can be recovered instantly.

Applications for password recovery: Advanced Money Password Recovery

http://www.elcomsoft.com