
Analysis of Microsoft Office password protection system

Presentation on Black Hat Windows 2000 Security Conference, exploring the vulnerabilities in Microsoft Office password protection system and encryption holes in other MS Windows applications.





Presentation Transcript


  1. Presentation on Black Hat Windows 2000 Security Conference Analysis of Microsoft Office password protection system, and survey of encryption holes in other MS Windows applications http://www.elcomsoft.com

  2. Analysis of Microsoft Office password protection system
     1. Key principles of data password protection
     2. Passwords in Microsoft Word 97/2000
     3. Passwords in Microsoft Excel 97/2000
     4. VBA macros protection
     5. Microsoft Outlook personal storage files
     6. French version of MS Office: strong crypto prohibition
     7. Old versions of MS Office applications
     8. Protection recommendations

  3. Key principles of data password protection
     1. The key is stored within the document. When someone attempts to open the document, the program checks whether the key entered is the same as the stored one; if it does not match, the program refuses further processing of the document. Anyone who can read the file can read the key.
     2. A hash of the key is stored within the document. "A hash function is a function, mathematical or otherwise, that takes a variable-length input string (called a pre-image) and converts it to a fixed-length (generally smaller) output string (called a hash value)." (Bruce Schneier). With this method the key entered by the user is transformed into a fixed-length string that is compared with the stored verifier; the verifier cannot be used to compute the key directly, although a short verifier can be matched by brute force or simply overwritten, as the following slides show.
     3. The key is used to encrypt the document with a certain algorithm. The reliability of the protection then depends only on the reliability of the algorithm and the length of the key.

  4. Passwords in Microsoft Word 97/2000
     Write protection password. This password is stored inside the document in the clear; you can see it with any hex viewer.
     Document protection password. A hash of the password is stored in the document, and the hash is only 32 bits long. We can change this password to any other one, or disable it by replacing the stored hash with the hash of an empty string.
     Password to open. When this password is set, the entire Word document (including part of the auxiliary information) is encrypted with the RC4 stream cipher. A 128-bit MD5 hash is used for password verification. The encryption key is only 40 bits long, because state regulations of many countries did not allow stronger crypto, so the key itself can be searched exhaustively regardless of how good the password is.
     Applications for password recovery: Advanced Office 2000 Password Recovery

  5. Passwords in Microsoft Excel 97/2000
     Write protection password. This password is stored inside the document in the clear; you can see it with any hex viewer.
     Document protection password. A hash of the password is stored in the document, and the hash is only 32 bits long. We can change this password to any other one, or disable it by replacing the stored hash with the hash of an empty string.
     Password to open. When this password is set, the entire Excel workbook (including part of the auxiliary information) is encrypted with the RC4 stream cipher. A 128-bit MD5 hash is used for password verification. The encryption key is only 40 bits long, because state regulations of many countries did not allow stronger crypto.
     Book and sheet password. When an Excel sheet is protected with a password, only a 16-bit (two-byte) hash is stored. Book protection is somewhat more sophisticated: the hash algorithm is the same as for sheet protection, but in addition the whole workbook is encrypted, and the password used for that encryption is the fixed string "VelvetSweatshop".
     Applications for password recovery: Advanced Office 2000 Password Recovery

  6. VBA macros protection
     Office 97: passwords are stored almost in their original form; only a very simple encryption (obfuscation) algorithm is applied. These passwords can be recovered, changed or removed instantly.
     Office 2000: the Windows CryptoAPI is used, and the password hash is generated with the SHA algorithm. These passwords can be recovered only by brute-force or dictionary attacks; however, because the hash is merely a verifier stored in the file, they can still be changed or removed.
     Applications for password recovery: Advanced Office 2000 Password Recovery, Advanced VBA Password Recovery

  7. Microsoft Outlook personal storage files
     Outlook allows protecting the user's personal data stored in *.pst files (personal storage files) with a password. Protecting a user's personal information and correspondence is an important factor in any general concept of information protection. However, Microsoft uses a very simple and weak algorithm here as well: the password "hash" is a CRC-32 (a 32-bit checksum). It has been proven that a 6-character input (non-printable characters excluded) can be found for any checksum, so password retrieval is a trivial task.
     Applications for password recovery: Advanced Office 2000 Password Recovery, Advanced Outlook Password Recovery
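Worked example (added; not ElcomSoft's code) of why a CRC-32 "hash" gives up a 6-character preimage for any value. CRC-32 is linear, so four bytes appended to any prefix can be solved for directly (run the register backwards from the target to fix four table indices, then forwards from the real state to pick the bytes); the two remaining characters are varied until the four solved bytes are all printable. The code uses the standard zlib/PKZIP CRC-32; Outlook's exact variant (initial value, final XOR, table) may differ, so treat it as a demonstration of the technique rather than a drop-in PST tool.

```python
import itertools
import string
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial (zlib/PKZIP)
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The high byte of every table entry is distinct, so it identifies the index.
REV = {entry >> 24: idx for idx, entry in enumerate(TABLE)}
assert len(REV) == 256


def crc_state(data: bytes, state: int = 0xFFFFFFFF) -> int:
    """CRC register after feeding `data` (no final XOR)."""
    for b in data:
        state = TABLE[(state ^ b) & 0xFF] ^ (state >> 8)
    return state


def crc32(data: bytes) -> int:
    return crc_state(data) ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Sanity check of the table-driven implementation against zlib."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def forge_suffix(prefix: bytes, target: int) -> bytes:
    """Four bytes s such that crc32(prefix + s) == target.

    Backward pass: the top byte of the wanted register fixes the last table
    index; XOR it out and shift to expose the next one. The four indices
    alone determine the final register, whatever the prefix state was.
    Forward pass: choose each byte so the real state hits those indices.
    """
    t = target ^ 0xFFFFFFFF  # register value needed after the suffix
    idxs = []
    for _ in range(4):
        idx = REV[t >> 24]
        idxs.append(idx)
        t = ((t ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    state = crc_state(prefix)
    out = bytearray()
    for idx in reversed(idxs):
        out.append((state ^ idx) & 0xFF)
        state = TABLE[idx] ^ (state >> 8)
    return bytes(out)


def printable_preimage(target: int, alphabet: str = string.ascii_letters + string.digits):
    """Six printable characters with CRC-32 == target: two free characters
    plus four forged ones, retried until the forged bytes are printable."""
    for pair in itertools.product(alphabet, repeat=2):
        prefix = "".join(pair).encode()
        suffix = forge_suffix(prefix, target)
        if all(0x21 <= b <= 0x7E for b in suffix):
            return (prefix + suffix).decode("ascii")
    return None


if __name__ == "__main__":
    stored = crc32(b"MySecretPassword")  # constructed "stored verifier"
    print(f"stored CRC 0x{stored:08X} -> password {printable_preimage(stored)!r}")
```

Roughly (94/256)^4, about 1.8%, of forged suffixes land entirely in printable ASCII, so a few hundred of the 3844 two-character prefixes work and the search finishes in milliseconds; no dictionary or brute force over the real password is involved.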

  8. French versions of Microsoft Office
     Strong cryptographic algorithms are banned in France. So, if an MS Word or Excel document has been password-protected on a computer with French regional settings, a very simple XOR-based encryption algorithm is used instead of RC4. A 16-byte sequence is generated from the password (and the password can be calculated back from that sequence). If we know 16 bytes of the source plaintext, recovering the sequence, and hence the password, is trivial. In most cases no known plaintext is even needed: passwords for these files can be recovered instantly by statistical analysis of the ciphertext.
     Applications for password recovery: Advanced Office 2000 Password Recovery

  9. Old versions of MS Office applications
     Microsoft Word 2.0, 6.0 and 95 (7.0), and Excel 4.0, 5.0 and 95 (7.0), use an even weaker encryption algorithm: the document is XORed with a sequence derived from the password. Because some predictable auxiliary information is encrypted with the same sequence, that sequence can be recovered from the file itself, so the file open password in these Word and Excel versions can be retrieved in a fraction of a second.
     Applications for password recovery: Advanced Office 2000 Password Recovery, Advanced Office 95 Password Recovery
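Worked example (added; not ElcomSoft's code) of the two attacks slides 8 and 9 describe against XOR encryption with a 16-byte password-derived sequence: recovery from 16 bytes of known plaintext, and statistical recovery from the ciphertext alone. The password-to-sequence routine `toy_keystream` is a stand-in I made up (assumption; the real Office 95 and French-mode derivation is not given on the page), and the "document" is constructed: a fixed 16-byte header playing the role of the predictable auxiliary information, followed by text and the zero padding such files carry.

```python
from collections import Counter

KEY_LEN = 16


def toy_keystream(password: bytes) -> bytes:
    """Stand-in for the real password-to-16-byte derivation (assumption).
    Any deterministic function will do: the attacks below never use it."""
    return bytes(((password[i % len(password)] * (i + 3)) ^ 0x5A) & 0xFF
                 for i in range(KEY_LEN))


def xor_crypt(data: bytes, keystream: bytes) -> bytes:
    """XOR with the repeating 16-byte sequence; same function both ways."""
    return bytes(b ^ keystream[i % KEY_LEN] for i, b in enumerate(data))


def recover_from_known_plaintext(ciphertext: bytes, offset: int, known: bytes) -> bytes:
    """16 known plaintext bytes at any offset reveal the whole sequence."""
    if len(known) < KEY_LEN:
        raise ValueError("need at least 16 bytes of known plaintext")
    ks = bytearray(KEY_LEN)
    for j, p in enumerate(known[:KEY_LEN]):
        ks[(offset + j) % KEY_LEN] = ciphertext[offset + j] ^ p
    return bytes(ks)


def recover_statistically(ciphertext: bytes, expected_byte: int = 0x00) -> bytes:
    """No crib needed: at each of the 16 key positions the most frequent
    ciphertext byte is assumed to hide the most frequent plaintext byte
    (zero padding in this constructed document; 0x20 would suit plain text)."""
    ks = bytearray(KEY_LEN)
    for i in range(KEY_LEN):
        common, _ = Counter(ciphertext[i::KEY_LEN]).most_common(1)[0]
        ks[i] = common ^ expected_byte
    return bytes(ks)


# Constructed sample "document": a header every file of the format shares
# (assumed), body text, then the zero padding such files tend to carry.
HEADER = b"FILE-SIGNATURE!!"
DOCUMENT = HEADER + b"Quarterly results: revenue up 12%, headcount flat." + bytes(512)


def demo(password: bytes = b"bonjour"):
    """Encrypt the sample, then recover the sequence both ways and decrypt."""
    ks = toy_keystream(password)
    ct = xor_crypt(DOCUMENT, ks)
    ks_known = recover_from_known_plaintext(ct, 0, HEADER)
    ks_stat = recover_statistically(ct)
    return ks_known == ks, ks_stat == ks, xor_crypt(ct, ks_known) == DOCUMENT


if __name__ == "__main__":
    print(demo())
```

Note that neither attack touches the password derivation: once the 16-byte sequence is known the file is readable, and the slide's remark that the password can be calculated from the sequence is a bonus, not a requirement.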

  10. Protection recommendations
     Having read this text, many users will be unsure about entrusting their secrets to Microsoft software. The answer is very simple: use other software products to protect confidential information, for example the reputable, thoroughly tested Pretty Good Privacy (PGP). Its public-key layer rests on a well-known hard mathematical problem, factoring a very large number into primes: no efficient (analytical) solution is known, and exhaustive search of the keyspace would take forever, even on state-of-the-art machines.
     If you nevertheless decide to protect your document with a password (a file open password in Word or Excel), choose a complicated one. Avoid dictionary words and your name or surname. The password should mix upper- and lower-case letters, digits and special symbols; characters from your national alphabet can be used as well. A secure password might look like "fO7#s!kP4x*a". Please note, however, that because the encryption key is only 40 bits long, with today's computers decrypting your document will take at most a few days (or even hours when the search is spread over a LAN), however good the password is.

  11. Other Windows applications
     1. ZIP archiver: known-plaintext attack
     2. ARJ archiver: very weak encryption
     3. RAR archiver: strong crypto from Russia
     4. Protection in Adobe Acrobat
     5. Internet Explorer Content Advisor password
     6. Database protection in Microsoft Money

  12. ZIP archiver
     This archiver allows setting an archive password; the whole archive is encrypted with PKZIP's own algorithm, and each password is converted to three 32-bit keys. Two well-known cryptanalysts, Eli Biham and Paul Kocher, analyzed this algorithm and found that the encryption keys can be recovered by a known-plaintext attack: only 12 bytes of plaintext are needed, after which the whole archive can be decrypted directly with those keys, without ever learning the password. If no plaintext is available, the password can still be recovered by brute-force or dictionary attack, which can be implemented very efficiently on modern CPUs.
     [Table: brute-force speed analysis for ZIP on a P-II 350 CPU; figures not reproduced in the transcript]
     Applications for password recovery: Advanced Archive Password Recovery, Advanced ZIP Password Recovery

  13. ARJ archiver
     A very simple and weak encryption algorithm is used in this archiver: the archive contents are XORed with the password. Naturally a known-plaintext attack applies, or a plain brute-force approach if the archive contents are unknown. In the latest versions of ARJ, however, strong encryption (the GOST algorithm) is available as an option.
     Applications for password recovery: Advanced Archive Password Recovery, Advanced ARJ Password Recovery

  14. RAR archiver
     The RAR archiver, developed by Eugene Roshal, uses a very strong encryption algorithm. The encryption key is 128 bits long, and a 256-byte S-box is derived from each key; the S-box operations are very complicated and slow. No known-plaintext attack is available, so only brute-force or dictionary attacks can be used for password recovery, and the recovery speed is very low: for example, only about 4800 passwords per second can be tested on a P-III 800.
     Applications for password recovery: Advanced Archive Password Recovery, Advanced RAR Password Recovery

  15. Passwords in Adobe Acrobat
     Standard PDF security. A protected PDF document has two passwords: an owner password and a user password. The document also specifies operations that should be restricted even when the document is decrypted: printing; copying text and graphics out of the document; modifying the document; and adding or modifying text notes and AcroForm fields.
     Password types. When the correct user password is supplied, the document is opened and decrypted but these operations are restricted; when the owner password is supplied, all operations are allowed. The owner password is required to change the passwords and the restrictions.
     Encryption key. A protected PDF document is encrypted with the RC4 algorithm with a 40-bit key, which is calculated from the user password. Knowing the owner password allows calculation of the user password and therefore of the encryption key. All restrictions are enforced by the viewing software, not by the PDF format itself: once the document is decrypted, the permission flags are merely advisory.
     Applications for password recovery: Advanced PDF Password Recovery
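Worked example (added; not ElcomSoft's code and not a PDF library): the revision 2 standard security handler algorithms from the PDF 1.3 specification, reproduced from memory (assumption: compare with the specification's Algorithms 2, 3, 4 and 7 before trusting it on a real file). It shows the 40-bit RC4 key being derived from the user password alone, and the owner password yielding the user password by a single RC4 decryption of the /O entry. The /ID and /P trailer values are constructed.

```python
import hashlib
import struct

# Fixed 32-byte padding string of the PDF standard security handler.
PAD = bytes.fromhex(
    "28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A")

# Constructed sample trailer values (not taken from any real file).
DOC_ID = bytes.fromhex("0123456789ABCDEF0123456789ABCDEF")  # first /ID element
PERMISSIONS = -3904  # example /P value with printing and copying disallowed


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; with a 5-byte key this is the 40-bit cipher on the slide."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pad_password(pw: bytes) -> bytes:
    return (pw + PAD)[:32]


def unpad_password(padded: bytes) -> bytes:
    """Strip the PAD tail: shortest prefix whose remainder is a PAD prefix."""
    for n in range(32):
        if padded[n:] == PAD[:32 - n]:
            return padded[:n]
    return padded


def owner_key(owner_pw: bytes, user_pw: bytes) -> bytes:
    # An empty owner password is replaced by the user password (spec rule).
    return hashlib.md5(pad_password(owner_pw or user_pw)).digest()[:5]


def compute_O(owner_pw: bytes, user_pw: bytes) -> bytes:
    """Algorithm 3 (R2): /O is the padded user password under the owner key."""
    return rc4(owner_key(owner_pw, user_pw), pad_password(user_pw))


def file_key(user_pw: bytes, O: bytes, P: int = PERMISSIONS, doc_id: bytes = DOC_ID) -> bytes:
    """Algorithm 2 (R2): the 40-bit file key depends on the user password only."""
    digest = hashlib.md5(pad_password(user_pw) + O + struct.pack("<i", P) + doc_id).digest()
    return digest[:5]


def compute_U(key: bytes) -> bytes:
    """Algorithm 4 (R2): /U lets a viewer check a user password with no owner password."""
    return rc4(key, PAD)


def check_user_password(user_pw: bytes, O: bytes, U: bytes) -> bool:
    return compute_U(file_key(user_pw, O)) == U


def user_password_from_owner(owner_pw: bytes, O: bytes) -> bytes:
    """Algorithm 7 (R2): decrypt /O with the owner key; no search needed."""
    okey = hashlib.md5(pad_password(owner_pw)).digest()[:5]
    return unpad_password(rc4(okey, O))


if __name__ == "__main__":
    O = compute_O(b"0wner!", b"user")
    U = compute_U(file_key(b"user", O))
    print("user pw from owner pw:", user_password_from_owner(b"0wner!", O))
    print("file key:", file_key(b"user", O).hex(), "(40 bits)")
```

Two points the code makes concrete: the /P permission bits only enter the key derivation as four bytes of MD5 input, so a viewer that already holds the 5-byte key is free to ignore them; and because the key is 40 bits, a reader who knows neither password can still search 2^40 keys against /U, which is the attack the slide's recovery tool relies on.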

  16. Internet Explorer Content Advisor password
     Microsoft Internet Explorer allows setting a password for Content Advisor. This protection is extremely weak: an MD5 hash of the password is stored in the system Registry. We can simply remove the contents of the appropriate Registry key, or generate the hash of a new password and write it there, changing the password to any other one.
     Applications for password recovery: Advanced Office 2000 Password Recovery

  17. Passwords in Microsoft Money
     The latest versions of Microsoft Money use the MS Jet storage engine. The database password is stored in the file header, and the whole database is encrypted with RC4. But the encryption key is constant (and, incidentally, only 32 bits long) and is stored in one of the system DLLs, so any database password can be recovered instantly.
     Applications for password recovery: Advanced Money Password Recovery
