In association with heise online

16 April 2010, 19:23

Tool for cracking Office encryption in minutes


An implementation flaw allows attackers to bypass the encryption mechanism used for Microsoft Office documents. Although this isn't news, having been made public in 2005, no (officially acknowledged) attack or tool for exploiting the vulnerability has existed until now. Which probably explains why Microsoft has never fixed the problem with an update for older versions of Office.

French crypto expert Eric Filiol, in his presentation (PDF) at the recent Black Hat security conference, emphasised that the situation has now changed. He says his tool can decrypt a document within a few minutes. Filiol said he began working on the statistical analysis of the RC4 algorithm used in Office back in 1994. Talking to heise Security, the expert explained why he has only now published his results: "I was employed by the French military at the time. Everything I did was classified. Now I am free to speak about it."

The crypto expert's analysis of RC4-encrypted data took advantage of the fact that many implementations of the algorithm are flawed. RC4 is a stream cipher, so for it to provide reliable encryption no key (and therefore no keystream) can ever be used more than once. For example, the main reason why the WEP (Wired Equivalent Privacy) encryption used in wireless LANs was cracked so thoroughly was that there weren't enough initialisation vectors (IVs) to provide sufficient key variation. Packets frequently appeared that had been encrypted with identical keystreams, the result of combining a repeated IV with the same static password.

Filiol (and Hongjun Wu back in 2005) found a similar implementation flaw in all Microsoft Office packages up to and including version 2003. According to Filiol, Office versions from 2007 are not affected because Microsoft uses the AES algorithm in these versions. Nevertheless, the problem is relevant because the predecessors of Office 2007 are still likely to hold the biggest market share.

Microsoft's implementation of RC4 has the following flaw: keys are not automatically replaced when a new version of an existing Word document or Excel spreadsheet is saved. By comparing two such file versions that are encrypted using the same key, Filiol's software – which the French crypto expert doesn't intend to publish – can determine the plain text within minutes.

According to Filiol, the software only needs to compare the backup copy, which Office applications automatically generate in encrypted form when a file is opened, with the respective original document. Apparently the only requirement is that there is a minimal difference between the files. Even a date that is updated when opening the file represents sufficient variation for comparing the files. The crypto expert explains that, during his tests, *.tmp files restored via a data recovery tool were always sufficient to achieve success.
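The following is an added illustration of the keystream-reuse property the article describes; it is not Filiol's tool, not Microsoft's code, and does not parse any Office file format. It uses a textbook RC4 implementation and a constructed, two-version "document" in which only an opened-on date differs. The key derivation (a hash of the password for the flawed scheme, PBKDF2 with a per-save salt for the corrected one) and the sample text are assumptions made for the example. The point it shows is that when two versions are encrypted under the same key, XORing the ciphertexts cancels the keystream and reveals exactly where and how the plaintexts differ, whereas a fresh salt per save removes that leak.

```python
import hashlib
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA). Educational implementation, not Microsoft's."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream cipher: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


# --- flawed scheme (models the article's description): one key per password,
# --- reused for every saved version of the document. Derivation is assumed.
def save_with_static_key(password: bytes, plaintext: bytes) -> bytes:
    key = hashlib.sha256(password).digest()[:16]
    return rc4_encrypt(key, plaintext)


# --- corrected scheme: a fresh random salt on every save yields a new key,
# --- so the keystream never repeats between versions. Also an assumption.
def save_with_fresh_salt(password: bytes, plaintext: bytes, salt: bytes = None):
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=16)
    return salt, rc4_encrypt(key, plaintext)


def ciphertext_xor(ct_a: bytes, ct_b: bytes) -> bytes:
    """What an observer holding two encrypted versions can compute without the password."""
    return xor_bytes(ct_a, ct_b)


def leaked_positions(ct_a: bytes, ct_b: bytes) -> list:
    """Byte offsets where the two ciphertexts differ. Under a reused keystream this is
    exactly the set of offsets where the plaintexts differ."""
    return [i for i, b in enumerate(ciphertext_xor(ct_a, ct_b)) if b]


# Constructed sample: the same document saved twice, only the opened-on date changed.
DOC_V1 = b"Quarterly report. Last opened: 2010-04-15. Revenue: 1.2M EUR."
DOC_V2 = b"Quarterly report. Last opened: 2010-04-16. Revenue: 1.2M EUR."
PASSWORD = b"correct horse"  # constructed


def demo():
    ct1 = save_with_static_key(PASSWORD, DOC_V1)
    ct2 = save_with_static_key(PASSWORD, DOC_V2)
    # Keystream cancels: ct1 XOR ct2 == DOC_V1 XOR DOC_V2, non-zero only at the changed date digit.
    print("static key, differing offsets:", leaked_positions(ct1, ct2))

    _, c1 = save_with_fresh_salt(PASSWORD, DOC_V1)
    _, c2 = save_with_fresh_salt(PASSWORD, DOC_V2)
    # Different keystreams: the XOR is noise and says nothing about where the plaintexts differ.
    print("fresh salt, differing offsets:", len(leaked_positions(c1, c2)), "of", len(DOC_V1))


if __name__ == "__main__":
    demo()
```

Under the static-key scheme the only differing offset is the one byte of the date that changed, which is the "minimal difference" the article says is enough for the comparison; the salted scheme turns the same comparison into essentially random noise across the whole file. The same per-message-unique-key rule is why WEP failed and why the AES-based scheme in Office 2007 and later does not share this weakness.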

It remains to be seen whether Microsoft, who don't appear to have known about the new findings before Filiol's presentation, will now fix the problem with a software update. Unofficial company sources said that the problem isn't serious enough – especially because Microsoft Office users can encrypt their files with other freely available programs.

(Uli Ries)

