Analysis Of Microsoft Office Password Protection System

Presentation at the Black Hat Windows 2000 Security Conference

Analysis of Microsoft Office password protection system, and survey of encryption holes in other MS Windows applications

http://www.elcomsoft.com

Analysis of Microsoft Office password protection system

1. Key principles of data password protection
2. Passwords in Microsoft Word 97/2000
3. Passwords in Microsoft Excel 97/2000
4. VBA Macros protection
5. Microsoft Outlook personal storage files
6. French version of MS Office – strong crypto prohibition
7. Old versions of MS Office applications
8. Protection recommendations

Key principles of data password protection

1. Key is stored within the document. When someone attempts to open the document, the program checks whether the key entered is the same as the stored one. If the key doesn’t match, the program locks further processing of the document.
2. A key hash is stored within the document. "A hash function is a function, mathematical or otherwise, that takes a variable-length input string (called a pre-image) and converts it to a fixed-length (generally smaller) output string (called a hash value)." (Bruce Schneier). When this method is employed, a key entered by a user is transformed into a data string of fixed length used to verify the key, but that string cannot be used to retrieve the key itself.
3. A key is used to encrypt the document with a certain algorithm. The protection reliability depends only on the reliability of the algorithm and the length of the key.

Passwords in Microsoft Word 97/2000

Write protection password. This password is stored inside the document. You can see it using any HEX-viewer.

Document protection password. Password hash is stored in the document. Hash length is only 32 bits. We can change this password to any other one, or disable it (replace with a hash of an empty string).

Password to open. When this password is set, the entire Word document (including a part of auxiliary information) is encrypted with the RC4 algorithm (stream cipher). 128-bit long hash formed with the MD5 algorithm is used for password verification. Encryption key is 40-bit long, because state regulations of many countries don’t allow using stronger crypto.

Applications for password recovery: Advanced Office 2000 Password Recovery

Passwords in Microsoft Excel 97/2000

Write protection password. This password is stored inside the document. You can see it using any HEX-viewer.

Document protection password. Password hash is stored in the document. Hash length is only 32 bits. We can change this password to any other one, or disable it (replace with a hash of an empty string).

Password to open. When this password is set, the entire Word document (including a part of auxiliary information) is encrypted with the RC4 algorithm (stream cipher). 128-bit long hash formed with the MD5 algorithm is used for password verification. Encryption key is 40-bit long, because state regulations of many countries don’t allow using stronger crypto.

Book and Sheet password. When an Excel Sheet is being protected with a password, a 16-bit (two byte) long hash is generated. Book protection is somewhat more sophisticated. Hash generation algorithm is the same as with sheet protection, however, a whole document is being encrypted. Password for encryption is “VelvetSweatshop”.

Applications for password recovery: Advanced Office 2000 Password Recovery

VBA Macros protection

Office 97: Passwords are stored almost in their original form – a very simple encryption algorithm is being used. These passwords can be recovered or changed/removed instantly.

Office 2000: Windows CryptoAPI is being used. Password hash is generated with SHA algorithm. These passwords can be recovered by brute-force or dictionary attacks only; however, they can be changed or removed.

Applications for password recovery: Advanced Office 2000 Password Recovery, Advanced VBA Password Recovery

Microsoft Outlook Personal Storage files

This application allows protecting user’s personal data stored in *.pst files (Personal Storage Files) with a password. Protection of user’s personal information and of his/her personal correspondence is a very important factor to be taken into account when developing general concept of information protection. However, Microsoft is using a very simple and unstable algorithm here as well. Password hash is generated with CRC-32 algorithm (32-bit check sum). It has been proven that a 6-character input data array (non-printable characters not included) can be found for any check sum. So, password retrieval turns out to be a trivial task.

Applications for password recovery: Advanced Office 2000 Password Recovery, Advanced Outlook Password Recovery
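Why a CRC-32 check sum is a poor password verifier, shown next to a salted, iterated one. This is an added example, not code from the presentation or from Microsoft: it uses Python's standard `zlib.crc32` as a stand-in (the slide does not give the exact CRC variant used in .pst files), and the sample strings and iteration count are constructed.

```python
import hashlib
import hmac
import os
import zlib

def xor_bytes(*chunks):
    """XOR several equal-length byte strings together."""
    if len({len(c) for c in chunks}) != 1:
        raise ValueError("inputs must have equal length")
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)

def crc32_check(data):
    """32-bit check sum (standard CRC-32, used here as a stand-in)."""
    return zlib.crc32(data) & 0xFFFFFFFF

def sha256_trunc32(data):
    """A cryptographic hash cut down to the same 32 bits, for comparison."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def is_affine_on(check, a, b, c):
    """True if check(a ^ b ^ c) follows from check(a), check(b) and check(c).

    A CRC is affine over GF(2): for equal-length inputs the check sum of the
    XOR of three inputs is the XOR of their check sums. A value with this much
    algebraic structure can be solved for instead of searched for.
    """
    return check(xor_bytes(a, b, c)) == check(a) ^ check(b) ^ check(c)

ITERATIONS = 200_000  # constructed value; tune to the hardware in use

def make_verifier(password, salt=None):
    """Hardened form: random salt plus PBKDF2-HMAC-SHA256, 256-bit output."""
    salt = salt if salt is not None else os.urandom(16)
    tag = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, tag

def check_password(password, salt, tag):
    """Recompute the tag and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, tag)

if __name__ == "__main__":
    a, b, c = b"Secret", b"Winter", b"Office"  # constructed 6-byte samples
    print("CRC-32 is affine:          ", is_affine_on(crc32_check, a, b, c))
    print("truncated SHA-256 is affine:", is_affine_on(sha256_trunc32, a, b, c))
    salt, tag = make_verifier("fO7#s!kP4x*a")
    print("PBKDF2 verifier accepts the right password:",
          check_password("fO7#s!kP4x*a", salt, tag))
```

Even the truncated SHA-256 would still be too short at 32 bits; the point of the comparison is that the CRC adds predictable structure on top of the short length.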

French versions of Microsoft Office

Strong cryptographic algorithms are banned in France. So, if MS Word or Excel document has been created (password-protected) on a computer with French regional settings, very simple encryption algorithm (XOR-based) is being used. A 16-byte sequence is generated from any password (we can also calculate the password from that sequence). If we know 16 bytes from source plaintext, then password recovery is trivial. In most cases, passwords for these files can be recovered instantly by means of statistical plaintext analysis.

Applications for password recovery: Advanced Office 2000 Password Recovery

Old versions of MS Office applications

Microsoft Word 2.0, 6.0 and 95 (7.0), Excel 4.0, 5.0 and 95 (7.0) are using even less powerful encrypting algorithm. To encrypt a document, an exclusive OR operation (XOR) with a sequence derived from the password is being used. As some (predictable) auxiliary information is encrypted, too, that sequence can be recovered. So, file open password in these Word and Excel versions can be retrieved in a fraction of a second.

Applications for password recovery: Advanced Office 2000 Password Recovery, Advanced Office 95 Password Recovery
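The weakness described on the French-version and old-versions slides, shown on a toy cipher. This is an added example, not Microsoft's algorithm and not code from the presentation: the MD5-based derivation of the 16-byte sequence, the document text and its header are all constructed for illustration.

```python
import hashlib
from itertools import cycle

SEQ_LEN = 16  # length of the repeating sequence, as stated on the slide

def derive_sequence(password):
    """Stand-in derivation (assumption): MD5 happens to give 16 bytes.
    This is not the routine Office uses."""
    return hashlib.md5(password.encode("utf-8")).digest()

def xor_with_sequence(data, seq):
    """Encrypts and decrypts: XOR with a repeating sequence is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(seq)))

def recover_sequence(ciphertext, known, offset=0):
    """Recover the repeating sequence from SEQ_LEN plaintext bytes that are
    known to sit at `offset` in the file.

    ciphertext[p] = plaintext[p] ^ seq[p % SEQ_LEN], so every known byte gives
    one sequence byte; the modulo handles known bytes that do not start on a
    16-byte boundary.
    """
    if len(known) < SEQ_LEN:
        raise ValueError("need at least %d known bytes" % SEQ_LEN)
    if offset + SEQ_LEN > len(ciphertext):
        raise ValueError("known bytes extend past the end of the ciphertext")
    seq = bytearray(SEQ_LEN)
    for i in range(SEQ_LEN):
        pos = offset + i
        seq[pos % SEQ_LEN] = ciphertext[pos] ^ known[i]
    return bytes(seq)

# Constructed sample: a fixed, predictable header followed by the secret body.
KNOWN_HEADER = b"TOYDOC/1.0 header:"
SAMPLE_DOC = KNOWN_HEADER + b" quarterly figures, constructed sample text for the demo"

def demo(password="constructed-sample-password"):
    """Encrypt the sample, then decrypt it using only the predictable header."""
    ciphertext = xor_with_sequence(SAMPLE_DOC, derive_sequence(password))
    recovered = recover_sequence(ciphertext, KNOWN_HEADER)
    return xor_with_sequence(ciphertext, recovered)

if __name__ == "__main__":
    print(demo().decode("ascii"))
```

The password never enters `recover_sequence`: predictable bytes in the file format are enough, which is why the length or complexity of the password gives no protection under this scheme.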

Protection recommendations

Having read this text, many users will become unsure about entrusting their secrets to Microsoft software. The answer is very simple – use other software products to protect confidential information. For example, one can use a reputable, thoroughly tested Pretty Good Privacy (PGP) software. It is based on a well-known mathematical problem – factorization of a very great number into prime numbers. There is no known (analytical) solution of this problem, and exhaustion of all possible combinations will take forever – even with state-of-the-art machines.

If you decide to protect your document with a password (to set a file open password in Word or Excel) anyway, choose a complicated one. Avoid using words from a dictionary, or your name/surname as a password. Your password should consist of letters (both upper- and lower-case), numbers, and special symbols. You can also use symbols from your national alphabet. A secure password might look like this: “fO7#s!kP4x*a”.

However, please note that with today’s computers, decrypting your document won’t take longer than a few days (or even hours on a LAN).

Other Windows applications

1. ZIP archiver, known-plaintext attack
2. ARJ archiver, very weak encryption
3. RAR archiver, strong crypto from Russia
4. Protection in Adobe Acrobat
5. Internet Explorer content advisor password
6. Database protection in Microsoft Money

ZIP archiver

This archiver allows setting an archive password. Whole archive is encrypted using the specific algorithm. Each password is converted to three 32-bit keys. Two famous cryptanalysts, Eli Biham and Paul Kocher, have analyzed this algorithm and found out that it’s possible to find the encryption keys by means of a known-plaintext attack. Only 12 bytes of plaintext are needed for keys recovery. Then, we can manually decrypt the whole archive using those encryption keys. If we don’t have any plaintext, it’s possible to recover a password using a brute-force or dictionary attack (which could be implemented very effectively on modern CPUs).

Brute force speed analysis for ZIP (for P-II 350 CPU)

Charset                        Length   Passwords         Time
All printable                  1..5     7,820,126,720     65 minutes
Digits, small/capital, space   6        62,523,502,592    9 hours
Digits, small letters, space   7        94,931,877,888    13 hours
Digits                         8..11    111,100,002,304   15,5 hours
Small letters, space           8        282,429,521,920   ~1,5 days

Applications for password recovery: Advanced Archive Password Recovery, Advanced ZIP Password Recovery

ARJ archiver

Very simple and weak encryption algorithm is used in this archiver. “Exclusive OR” logical operation is performed on the archive contents. The second argument in this operation is a password. Of course, we can use a known-plaintext attack, or just brute-force approach if archive contents are unknown. But in the latest versions of ARJ strong encryption (GOST algorithm) is available as an option.

Applications for password recovery: Advanced Archive Password Recovery, Advanced ARJ Password Recovery

RAR archiver

RAR archiver, developed by Eugene Roshal, uses a very strong encryption algorithm. Encryption key is 128 bits long. 256 bytes S-Box is derived from each key. S-Box operations are very complicated and slow. Known-plaintext attack is not possible at all. Only brute-force or dictionary attack can be used for password recovery. Recovery speed is very low; for example, we can test only about 4800 passwords per second on P-III 800.

Applications for password recovery: Advanced Archive Password Recovery, Advanced RAR Password Recovery
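The ZIP brute-force table and the RAR figure of about 4800 passwords per second, put on the same scale to show what a slow per-guess key setup buys the defender. This is an added example, not part of the presentation; the charset sizes (95 printable ASCII characters, 10 digits, 26 letters per case, 1 space) and the conversion of "~1,5 days" to 36 hours are assumptions.

```python
# Rows of the slide's ZIP table:
# (charset, assumed charset size, password lengths, "Passwords" as printed,
#  "Time" as printed, converted to hours)
ROWS = [
    ("All printable",                95, range(1, 6),    7_820_126_720, 65 / 60),
    ("Digits, small/capital, space", 63, range(6, 7),   62_523_502_592, 9.0),
    ("Digits, small letters, space", 37, range(7, 8),   94_931_877_888, 13.0),
    ("Digits",                       10, range(8, 12), 111_100_002_304, 15.5),
    ("Small letters, space",         27, range(8, 9),  282_429_521_920, 36.0),
]

# Passwords per second quoted on the RAR slide (P-III 800; the ZIP table was
# measured on a slower P-II 350, so the comparison understates the gap).
RAR_RATE = 4800

def keyspace(size, lengths):
    """Exact number of passwords over an alphabet of `size` symbols."""
    return sum(size ** n for n in lengths)

def implied_rate(printed_count, hours):
    """Passwords per second implied by one row of the ZIP table."""
    return printed_count / (hours * 3600)

def hours_at(count, rate):
    """Hours needed to try `count` passwords at `rate` passwords per second."""
    return count / rate / 3600

def report():
    """One line per table row: exact keyspace, implied ZIP rate, time at the RAR rate."""
    lines = []
    for name, size, lengths, printed, hours in ROWS:
        exact = keyspace(size, lengths)
        lines.append(
            f"{name:30} exact={exact:>15,}  "
            f"ZIP ~{implied_rate(printed, hours) / 1e6:.2f}M/s in {hours:5.1f} h  "
            f"RAR rate: {hours_at(exact, RAR_RATE) / 24:8,.0f} days"
        )
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

The printed counts agree with the exact sums to better than one part in a million, and every row implies roughly two million ZIP passwords per second; the same "all printable, 1..5" space that takes 65 minutes for ZIP takes about 19 days at the RAR rate.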

Passwords in Adobe Acrobat

Standard PDF security
Protected PDF document has two passwords: an owner password and a user password. The document also specifies operations that should be restricted even when the document is decrypted: printing; copying text and graphics out of the document; modifying the document; and adding or modifying text notes and AcroForm fields.

Password types
When the correct user password is supplied, the document is opened and decrypted but these operations are restricted; when the owner password is supplied, all operations are allowed. The owner password is required to change these passwords and restrictions.

Encryption key
Protected PDF document is encrypted with the RC4 algorithm. Encryption key length is 40 bits. Key is calculated from the user password. Knowledge of the owner password allows calculation of the user password and therefore encryption key. All restrictions are enforced by software, not by PDF format itself.

Applications for password recovery: Advanced PDF Password Recovery

Internet Explorer Content Advisor password

Microsoft Internet Explorer allows setting up a password for Content Advisor. This protection is extremely weak. MD5 hash is calculated from the password, and stored in system Registry. We can simply remove the contents of appropriate Registry key, or generate the necessary hash and change the password to any other one.

Applications for password recovery: Advanced Office 2000 Password Recovery

Passwords in Microsoft Money

Latest versions of Microsoft Money use MS Jet storage system. Database password is stored in the file header. Whole database is encrypted using RC4 algorithm. But encryption key is permanent (by the way, key length is only 32 bits). This key is stored in one of the system DLLs. Therefore any database password can be recovered instantly.

Applications for password recovery: Advanced Money Password Recovery
