

Microsoft Office file encryption flaws - yuhong

From http://news.ycombinator.com/item?id=653484 :<p>"If you're encrypting a file, then the obvious, elegant thing to do is to use position in the file as your counter. But then the moment you encrypt two files using the same key, you're screwed: you've just committed the equivalent of reusing a one-time pad."<p>"If "don't overfill a buffer" is an easy prescription that cost industry $4+bn USD, it's hard to imagine how unlikely it is people can avoid screwing up "don't reuse anything"."<p>For example, Office binary formats' RC4 encryption did almost everything right (ok, they did reuse the salt/IV on saves, but that is an implementation problem easily fixed and has been in Office 2007), except that they decided to use it block by block starting RC4 over each time. They did mix in a block number into the key, but here is the major mistake they made in the Word/Excel version: They decided to always start it at zero at the beginning of <i>each stream</i>, and did not mix in the name of the stream! Can you say keystream reuse?<p>I got all this by just reading the public Office file format docs. For example:<p>http://msdn.microsoft.com/en-us/library/dd946845%28v=office.12%29.aspx<p>Challenge: Reading the docs, can you find all the places where the block number is reset to zero causing keystream reuse (even PowerPoint have them!)?
======
NateLawson
This is interesting. Have you contacted them with your findings? How prevalent
are multi-stream docs?

Also, they don't discuss discarding any of the initial keystream, which means
that combined with the block number, this could lead to related-key attacks
just as with WEP.

~~~
yuhong
Oh, I forgot to mention that they did use a hash to generate the key, which
means that it is not vulnerable to the related-key attacks.

"This is interesting. Have you contacted them with your findings? "

Yes, I did. I began with David LeBlanc's blog's contact page, and ended up
starting an email thread about it. I know they know about it even long before.

"How prevalent are multi-stream docs?"

Pretty much all encrypted docs are multi-stream. And it is easy to read the
streams on Windows, just use the OLE compound storage API.

~~~
yuhong
BTW, not all data are encrypted in an Office file. Usually only three or four
entire streams are encrypted in Word/Excel.

