
Presentation on
Black Hat Windows 2000 Security Conference

Analysis of Microsoft Office password protection system, and survey of encryption holes in other MS Windows applications

http://www.elcomsoft.com
Analysis of Microsoft Office password protection system

1. Key principles of data password protection
2. Passwords in Microsoft Word 97/2000
3. Passwords in Microsoft Excel 97/2000
4. VBA Macros protection
5. Microsoft Outlook personal storage files
6. French version of MS Office – strong crypto prohibition
7. Old versions of MS Office applications
8. Protection recommendations

Key principles of data password protection

1. The key is stored within the document. When someone attempts to open the document, the program checks whether the key entered is the same as the stored one. If the key doesn't match, the program locks further processing of the document.

2. A key hash is stored within the document. "A hash function is a function, mathematical or otherwise, that takes a variable-length input string (called a pre-image) and converts it to a fixed-length (generally smaller) output string (called a hash value)." (Bruce Schneier). When this method is employed, the key entered by the user is transformed into a data string of fixed length that is used to verify the key, but that string cannot be used to retrieve the key itself.

3. A key is used to encrypt the document with a certain algorithm. The reliability of the protection depends only on the reliability of the algorithm and the length of the key.

Passwords in Microsoft Word 97/2000

Write protection password.
This password is stored inside the document. You can see it using any HEX-viewer.

Document protection password.
The password hash is stored in the document. The hash length is only 32 bits. We can change this password to any other one, or disable it (replace it with the hash of an empty string).

Password to open
When this password is set, the entire Word document (including a part of the auxiliary information) is encrypted with the RC4 algorithm (stream cipher). A 128-bit hash formed with the MD5 algorithm is used for password verification. The encryption key is 40 bits long, because state regulations of many countries don't allow using stronger crypto.

Applications for password recovery:
Advanced Office 2000 Password Recovery
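
The three principles from the "Key principles" slide, and the Word 97/2000 "password to open" scheme just described, side by side in code. This is an example added to this page, not ElcomSoft's or Microsoft's code, and not a byte-exact reimplementation of the Word 97 file format: the Container layout, derive_key(), the verifier construction and the sample text are constructed stand-ins that follow the structure the slides describe (RC4 stream cipher, MD5 for verification, a key truncated to 40 bits).

```python
"""Constructed comparison of the three protection principles, with
principle 3 modelled on the Word 97/2000 'password to open' scheme.
Added example, not ElcomSoft's or Microsoft's code; the container
layout, key derivation and verifier construction are assumptions that
follow the slides' description, not the real file format."""
import hashlib
import os
from dataclasses import dataclass
from typing import Optional

KEY_BYTES = 5  # 40-bit key, as stated on the Word 97/2000 slide


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 40-bit RC4 key (assumed derivation): MD5 of the password,
    salted and hashed again, truncated to 5 bytes. The truncation, not the
    password length, bounds the attacker's work at 2**40 keys."""
    h0 = hashlib.md5(password.encode("utf-16-le")).digest()
    h1 = hashlib.md5((h0[:KEY_BYTES] + salt) * 16).digest()
    return h1[:KEY_BYTES]


@dataclass
class Container:
    scheme: int   # 1 = key stored, 2 = key hash stored, 3 = document encrypted
    check: bytes  # what the program compares against (scheme 3: the salt)
    body: bytes   # document text, in clear (1, 2) or RC4-encrypted (3)


def protect(scheme: int, password: str, text: bytes,
            salt: Optional[bytes] = None, verifier: Optional[bytes] = None) -> Container:
    pw = password.encode("utf-16-le")
    if scheme == 1:
        return Container(1, pw, text)
    if scheme == 2:
        return Container(2, hashlib.md5(pw).digest(), text)
    salt = salt or os.urandom(16)
    verifier = verifier or os.urandom(16)
    key = derive_key(password, salt)
    # Verifier, its MD5 and the text go through one RC4 stream, so the
    # verifier's keystream bytes are never reused for document bytes.
    stream = verifier + hashlib.md5(verifier).digest() + text
    return Container(3, salt, rc4(key, stream))


def open_document(c: Container, password: str) -> Optional[bytes]:
    """Return the document text if the password is accepted, else None."""
    pw = password.encode("utf-16-le")
    if c.scheme == 1:
        return c.body if pw == c.check else None
    if c.scheme == 2:
        return c.body if hashlib.md5(pw).digest() == c.check else None
    plain = rc4(derive_key(password, c.check), c.body)
    verifier, verifier_hash, text = plain[:16], plain[16:32], plain[32:]
    return text if hashlib.md5(verifier).digest() == verifier_hash else None


def content_readable_without_password(c: Container, probe: bytes) -> bool:
    """Schemes 1 and 2 only gate the application; the bytes are still there."""
    return probe in c.body


def demo() -> dict:
    text = b"CONFIDENTIAL: Q3 acquisition plan"  # constructed sample document
    results = {}
    for scheme in (1, 2, 3):
        c = protect(scheme, "secret", text, salt=b"\x01" * 16, verifier=b"\x02" * 16)
        results[scheme] = {
            "opens_with_correct": open_document(c, "secret") == text,
            "opens_with_wrong": open_document(c, "Secret") is not None,
            "readable_without_password": content_readable_without_password(c, b"CONFIDENTIAL"),
        }
    return results


if __name__ == "__main__":
    for scheme, result in demo().items():
        print(scheme, result)
```

Schemes 1 and 2 leave the document bytes in the clear; only the application refuses to display them. Scheme 3 hides the bytes, but the truncation to five key bytes caps the attacker's work at 2^40 trials whatever password was chosen: at the roughly two million candidates per second implied by the ZIP brute-force table later in this deck (an assumption; RC4 key trials run at their own rate), that is about six days, which is the "few days" figure the recommendations slide gives.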

Passwords in Microsoft Excel 97/2000

Write protection password.
This password is stored inside the document. You can see it using any HEX-viewer.

Document protection password.
The password hash is stored in the document. The hash length is only 32 bits. We can change this password to any other one, or disable it (replace it with the hash of an empty string).

Password to open
When this password is set, the entire document (including a part of the auxiliary information) is encrypted with the RC4 algorithm (stream cipher). A 128-bit hash formed with the MD5 algorithm is used for password verification. The encryption key is 40 bits long, because state regulations of many countries don't allow using stronger crypto.

Book and Sheet password.
When an Excel sheet is protected with a password, a 16-bit (two byte) hash is generated. Book protection is somewhat more sophisticated. The hash generation algorithm is the same as with sheet protection; however, the whole document is encrypted. The password used for the encryption is “VelvetSweatshop”.

Applications for password recovery:
Advanced Office 2000 Password Recovery
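
The 16-bit sheet and book protection verifier described on the slide, as an added example that is not part of the original deck or of ElcomSoft's software. The algorithm is the one Microsoft documents for binary Office documents in [MS-OFFCRYPTO] (Binary Document Password Verifier Derivation Method 1); the latin-1 encoding stands in for the ANSI code page, and the password pair "ab"/"cc" was worked out by hand from the rotate-and-XOR structure to show that the check compares a 16-bit value, not the password itself.

```python
"""16-bit sheet/book protection verifier from the Excel 97/2000 slide.
Added example, not ElcomSoft's or Microsoft's code. Follows the binary
document password verifier in [MS-OFFCRYPTO]; latin-1 is an assumed
stand-in for the ANSI code page."""


def rotl15(value: int) -> int:
    """Rotate a 15-bit value left by one bit."""
    return ((value << 1) & 0x7FFF) | ((value >> 14) & 1)


def excel_sheet_hash(password: str) -> int:
    """The two-byte value Excel stores for a protected sheet (book
    protection uses the same hash step, per the slide)."""
    raw = password.encode("latin-1")
    h = 0
    for byte in reversed(raw):      # characters are consumed last-to-first
        h = rotl15(h) ^ byte
    h = rotl15(h) ^ len(raw)        # the password length is folded in last
    return h ^ 0xCE4B


def accepts(stored_hash: int, attempt: str) -> bool:
    """What a sheet-protection check amounts to: compare two 16-bit values."""
    return excel_sheet_hash(attempt) == stored_hash


def demo() -> dict:
    stored = excel_sheet_hash("ab")              # constructed: the password the author set
    return {
        "stored": hex(stored),
        "accepts_original": accepts(stored, "ab"),
        "accepts_cc": accepts(stored, "cc"),     # different password, same 16-bit value
        "all_under_16_bits": all(
            excel_sheet_hash(p) < 1 << 16
            for p in ("", "a", "VelvetSweatshop", "\xff" * 64)
        ),
    }


if __name__ == "__main__":
    print(demo())
```

Because at most 65,536 distinct verifiers exist, any two passwords that map to the same value are interchangeable to Excel. Treat sheet and book protection as a guard against accidental edits; confidentiality needs the password to open (and, given the 40-bit key above, preferably a stronger tool), and integrity needs signing or access control outside the file.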

VBA Macros protection

Office 97:
Passwords are stored almost in their original form – a very simple encryption algorithm is used. These passwords can be recovered or changed/removed instantly.

Office 2000:
Windows CryptoAPI is used. The password hash is generated with the SHA algorithm. These passwords can be recovered by brute-force or dictionary attacks only; however, they can be changed or removed.

Applications for password recovery:
Advanced Office 2000 Password Recovery
Advanced VBA Password Recovery

Microsoft Outlook Personal Storage files

This application allows protecting the user's personal data stored in *.pst files (Personal Storage Files) with a password. Protection of the user's personal information and of his/her personal correspondence is a very important factor to be taken into account when developing a general concept of information protection. However, Microsoft is using a very simple and weak algorithm here as well. The password hash is generated with the CRC-32 algorithm (a 32-bit checksum). It has been proven that a 6-character input data array (non-printable characters not included) can be found for any checksum. So, password retrieval turns out to be a trivial task.

Applications for password recovery:
Advanced Office 2000 Password Recovery
Advanced Outlook Password Recovery
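
Why the CRC-32 verifier the slide describes cannot serve as a password hash, as an added example that is not ElcomSoft's or Microsoft's code and does not parse the PST format: crc32_verifier() is a constructed model of the slide's description; is_affine() checks the linearity that makes a checksum invertible in principle; expected_preimages_per_crc() is the counting argument behind the slide's six-character claim; recommended_verifier() shows the salted, iterated alternative a defender should use instead.

```python
"""CRC-32 as a 'password hash' (Outlook PST slide) versus a real one.
Added example, not ElcomSoft's or Microsoft's code; crc32_verifier() is a
constructed model of the slide's description, not PST parsing."""
import hashlib
import zlib


def crc32_verifier(password: str) -> int:
    """Stores only CRC-32 of the password, as the slide says Outlook does."""
    return zlib.crc32(password.encode("latin-1")) & 0xFFFFFFFF


def xor_bytes(*parts: bytes) -> bytes:
    """Bytewise XOR of equal-length byte strings."""
    assert len({len(p) for p in parts}) == 1, "inputs must have equal length"
    out = bytearray(len(parts[0]))
    for part in parts:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def crc32_bytes(data: bytes) -> bytes:
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "big")


def sha256_32(data: bytes) -> bytes:
    """First 32 bits of SHA-256, for a like-for-like comparison with CRC-32."""
    return hashlib.sha256(data).digest()[:4]


def is_affine(digest, a: bytes, b: bytes, c: bytes) -> bool:
    """True if digest(a) ^ digest(b) ^ digest(c) == digest(a ^ b ^ c).
    CRC-32 satisfies this for every equal-length triple (it is linear over
    GF(2) plus a constant); a one-way hash only does so by a 2**-32 accident.
    Linearity is what lets a checksum be solved for an input."""
    return xor_bytes(digest(a), digest(b), digest(c)) == digest(xor_bytes(a, b, c))


def expected_preimages_per_crc(length: int, alphabet_size: int = 95) -> float:
    """Printable strings of this length per CRC-32 value: 95**6 / 2**32 is
    about 171, the counting argument behind the slide's six-character claim."""
    return alphabet_size ** length / 2 ** 32


def recommended_verifier(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """What a password verifier should look like instead: salted, slow and
    one-way (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def demo() -> dict:
    a, b, c = b"hunter2!", b"qwerty12", b"Pa55w0rd"   # constructed, equal length
    return {
        "crc32_is_affine": is_affine(crc32_bytes, a, b, c),
        "sha256_is_affine": is_affine(sha256_32, a, b, c),
        "preimages_per_crc_6_chars": round(expected_preimages_per_crc(6)),
    }


if __name__ == "__main__":
    print(demo())
```

A checksum is designed so that an input producing a given value is easy to construct; that is the opposite of what a password verifier needs. With about 171 printable six-character strings per CRC-32 value, the stored checksum identifies the password only up to a large, cheaply enumerable family.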

French versions of Microsoft Office

Strong cryptographic algorithms are banned in France. So, if an MS Word or Excel document has been created (password-protected) on a computer with French regional settings, a very simple encryption algorithm (XOR-based) is used. A 16-byte sequence is generated from any password (we can also calculate the password from that sequence). If we know 16 bytes of the source plaintext, then password recovery is trivial. In most cases, passwords for these files can be recovered instantly by means of statistical plaintext analysis.

Applications for password recovery:
Advanced Office 2000 Password Recovery

Old versions of MS Office applications

Microsoft Word 2.0, 6.0 and 95 (7.0), and Excel 4.0, 5.0 and 95 (7.0) use an even less powerful encryption algorithm. To encrypt a document, an exclusive OR operation (XOR) with a sequence derived from the password is used. As some (predictable) auxiliary information is encrypted too, that sequence can be recovered. So, the file open password in these Word and Excel versions can be retrieved in a fraction of a second.

Applications for password recovery:
Advanced Office 2000 Password Recovery
Advanced Office 95 Password Recovery

Protection recommendations

Having read this text, many users will become unsure about entrusting their secrets to Microsoft software. The answer is very simple – use other software products to protect confidential information. For example, one can use the reputable, thoroughly tested Pretty Good Privacy (PGP) software. It is based on a well-known mathematical problem – factorization of a very large number into prime numbers. There is no known (analytical) solution of this problem, and exhaustion of all possible combinations will take forever – even with state-of-the-art machines.

If you decide to protect your document with a password (to set a file open password in Word or Excel) anyway, choose a complicated one. Avoid using words from a dictionary, or your name/surname, as a password. Your password should consist of letters (both upper- and lower-case), numbers, and special symbols. You can also use symbols from your national alphabet. A secure password might look like this: “fO7#s!kP4x*a”. However, please note that with today's computers, decrypting your document won't take longer than a few days (or even hours on a LAN).


Other Windows applications

1. ZIP archiver, known-plaintext attack
2. ARJ archiver, very weak encryption
3. RAR archiver, strong crypto from Russia
4. Protection in Adobe Acrobat
5. Internet Explorer content advisor password
6. Database protection in Microsoft Money


ZIP archiver

This archiver allows setting an archive password. The whole archive is encrypted using a specific algorithm. Each password is converted to three 32-bit keys. Two famous cryptanalysts, Eli Biham and Paul Kocher, have analyzed this algorithm and found out that it's possible to find the encryption keys by means of a known-plaintext attack. Only 12 bytes of plaintext are needed for key recovery. Then, we can manually decrypt the whole archive using those encryption keys. If we don't have any plaintext, it's possible to recover a password using brute-force or dictionary attacks (which can be implemented very effectively on modern CPUs).

Brute force speed analysis for ZIP (for P-II 350 CPU)

Charset                        Length  Passwords         Time
All printable                  1..5    7,820,126,720     65 minutes
Digits, small/capital, space   6       62,523,502,592    9 hours
Digits, small letters, space   7       94,931,877,888    13 hours
Digits                         8..11   111,100,002,304   15.5 hours
Small letters, space           8       282,429,521,920   ~1.5 days

Applications for password recovery:
Advanced Archive Password Recovery
Advanced ZIP Password Recovery
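
The "three 32-bit keys" of traditional ZIP encryption, as an added example that is not ElcomSoft's or PKWARE's code. It follows the algorithm PKWARE describes in its APPNOTE (the initial key constants, update_keys, decrypt_byte and the 12-byte encryption header whose last byte is a CRC check byte), has not been validated here against a real archive, and uses constructed member contents. What it demonstrates for a defender: the 96-bit state is an unsalted, deterministic function of the password, so it is identical for every archive sealed with the same password, and the check byte accepts a wrong password with probability 1/256.

```python
"""Traditional ZIP encryption ('three 32-bit keys', ZIP archiver slide).
Added example, not ElcomSoft's or PKWARE's code; follows the APPNOTE
description and is not validated against a real archive here."""
import zlib


def crc32_update(crc: int, byte: int) -> int:
    """One-byte table update of a running CRC-32, as the ZIP cipher uses it.
    zlib applies the usual pre/post inversion, so it is undone around the call."""
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCipher:
    def __init__(self, password: bytes):
        # Fixed initial keys: no salt, so the same password always yields
        # the same state, in every archive.
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update_keys(b)

    def update_keys(self, plain_byte: int) -> None:
        self.k0 = crc32_update(self.k0, plain_byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = crc32_update(self.k2, self.k1 >> 24)

    def keystream_byte(self) -> int:
        temp = (self.k2 | 2) & 0xFFFF          # 16-bit temporary, per APPNOTE
        return ((temp * (temp ^ 1)) >> 8) & 0xFF

    def keys(self) -> tuple:
        return (self.k0, self.k1, self.k2)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self.keystream_byte())
            self.update_keys(p)                # state advances on plaintext
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self.keystream_byte()
            self.update_keys(p)
            out.append(p)
        return bytes(out)


def seal(password: bytes, plaintext: bytes, header_random: bytes) -> bytes:
    """Encrypt one archive member: 12-byte header (11 random bytes plus the
    high byte of the member's CRC-32 as a quick password check), then data."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = header_random[:11] + bytes([crc >> 24])
    return ZipCipher(password).encrypt(header + plaintext)


def unseal(password: bytes, sealed: bytes):
    """Return the member's plaintext, or None if the header check byte fails.
    A wrong password passes this check with probability 1/256."""
    plain = ZipCipher(password).decrypt(sealed)
    header, data = plain[:12], plain[12:]
    if header[11] != (zlib.crc32(data) & 0xFFFFFFFF) >> 24:
        return None
    return data


def same_state_for_same_password(password: bytes) -> bool:
    """Two archives, one password: identical internal keys (no salt)."""
    return ZipCipher(password).keys() == ZipCipher(password).keys()


if __name__ == "__main__":
    member = b"constructed member contents"
    sealed = seal(b"password", member, b"\x00" * 11)   # constructed header bytes
    print(unseal(b"password", sealed) == member, same_state_for_same_password(b"password"))
```

Because the state depends only on the password, keys recovered from one member (the slide's 12-byte known-plaintext result) open every archive sealed with that password; the table above then shows that password length and charset, not any per-archive secret, are the only cost an attacker faces.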

ARJ archiver

A very simple and weak encryption algorithm is used in this archiver. An “exclusive OR” logical operation is performed on the archive contents; the second argument of this operation is the password. Of course, we can use a known-plaintext attack, or just a brute-force approach if the archive contents are unknown. But in the latest versions of ARJ, strong encryption (the GOST algorithm) is available as an option.

Applications for password recovery:
Advanced Archive Password Recovery
Advanced ARJ Password Recovery
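
The failure mode shared by the French Office, old Office and ARJ slides, as an added example that is not ElcomSoft's code: the file is XORed with a short sequence derived from the password, so any known or predictable block of the file (the "auxiliary information" the old-versions slide mentions) yields the sequence and with it the rest of the file. The 16-byte period, sequence_from_password() and the sample header are constructed stand-ins, not the real Office or ARJ derivations.

```python
"""Repeating-sequence XOR, the scheme behind the French Office, old Office
and ARJ slides. Added example, not ElcomSoft's code; the period, the
password-to-sequence step and the sample file are constructed stand-ins."""
import hashlib

PERIOD = 16  # the French-version slide's 16-byte sequence


def sequence_from_password(password: str) -> bytes:
    """Stand-in derivation: any deterministic 16-byte function of the password."""
    return hashlib.md5(password.encode("latin-1")).digest()[:PERIOD]


def xor_with_sequence(data: bytes, seq: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ seq[i % len(seq)] for i, b in enumerate(data))


def sequence_from_known_block(ciphertext: bytes, known_plaintext: bytes, offset: int = 0) -> bytes:
    """What 'know 16 bytes of plaintext -> the sequence' means: XOR the known
    bytes against the ciphertext at the same position, placing each result
    at its position modulo the period so the sequence lines up with offset 0."""
    assert len(known_plaintext) >= PERIOD, "one full period of plaintext is needed"
    seq = bytearray(PERIOD)
    for i in range(PERIOD):
        seq[(offset + i) % PERIOD] = ciphertext[offset + i] ^ known_plaintext[i]
    return bytes(seq)


def demo() -> dict:
    # Constructed file: a fixed, predictable 16-byte header (the slides'
    # 'auxiliary information') followed by the user's content.
    header = b"HDR-CONSTRUCTED!"
    body = b"Quarterly numbers: revenue up 12%."
    seq = sequence_from_password("fO7#s!kP4x*a")     # the deck's sample strong password
    ciphertext = xor_with_sequence(header + body, seq)
    recovered = sequence_from_known_block(ciphertext, header)
    return {
        "sequence_recovered_from_header": recovered == seq,
        "body_exposed": xor_with_sequence(ciphertext, recovered)[PERIOD:] == body,
        "password_bits_that_mattered": 0 if recovered == seq else len(seq) * 8,
    }


if __name__ == "__main__":
    print(demo())
```

The sequence, not the password, is the secret here, and it is only as long as one block. Once a predictable header gives it away, the quality of the password is irrelevant, so the password advice on the recommendations slide does not apply to these formats; the only remedy is a different cipher, which is what the ARJ slide's GOST option and the RAR slide provide.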

RAR archiver

The RAR archiver, developed by Eugene Roshal, uses a very strong encryption algorithm. The encryption key is 128 bits long. A 256-byte S-Box is derived from each key. The S-Box operations are very complicated and slow. A known-plaintext attack is not possible at all. Only brute-force or dictionary attacks can be used for password recovery. Recovery speed is very low; for example, we can test only about 4800 passwords per second on a P-III 800.

Applications for password recovery:
Advanced Archive Password Recovery
Advanced RAR Password Recovery

Passwords in Adobe Acrobat

Standard PDF security
A protected PDF document has two passwords: an owner password and a user password. The document also specifies operations that should be restricted even when the document is decrypted: printing; copying text and graphics out of the document; modifying the document; and adding or modifying text notes and AcroForm fields.

Password types
When the correct user password is supplied, the document is opened and decrypted but these operations are restricted; when the owner password is supplied, all operations are allowed. The owner password is required to change these passwords and restrictions.

Encryption key
A protected PDF document is encrypted with the RC4 algorithm. The encryption key length is 40 bits. The key is calculated from the user password. Knowing the owner password allows calculation of the user password and therefore of the encryption key. All restrictions are enforced by software, not by the PDF format itself.

Applications for password recovery:
Advanced PDF Password Recovery

Internet Explorer Content Advisor password

Microsoft Internet Explorer allows setting up a password for Content Advisor. This protection is extremely weak. An MD5 hash is calculated from the password and stored in the system Registry. We can simply remove the contents of the appropriate Registry key, or generate the necessary hash and change the password to any other one.

Applications for password recovery:
Advanced Office 2000 Password Recovery

Passwords in Microsoft Money

The latest versions of Microsoft Money use the MS Jet storage system. The database password is stored in the file header. The whole database is encrypted using the RC4 algorithm. But the encryption key is permanent (and, by the way, the key length is only 32 bits). This key is stored in one of the system DLLs. Therefore any database password can be recovered instantly.

Applications for password recovery:
Advanced Money Password Recovery
