Http:// Presentation on Black Hat Windows 2000 Security Conference Analysis of Microsoft Office...

http://www.elcomsoft.com

Presentation on Black Hat Windows 2000 Security Conference

Analysis of Microsoft Office password protection system, and survey of encryption holes in other MS Windows applications

Analysis of Microsoft Office password protection systemAnalysis of Microsoft Office password protection system

1. Key principles of data password protection1. Key principles of data password protection

2. Passwords in Microsoft Word 97/20002. Passwords in Microsoft Word 97/2000

3. Passwords in Microsoft Excel 97/20003. Passwords in Microsoft Excel 97/2000

4. VBA Macros protection4. VBA Macros protection

5. Microsoft Outlook personal storage files5. Microsoft Outlook personal storage files

6. French version of MS Office – strong crypto prohibition6. French version of MS Office – strong crypto prohibition

7. Old versions of MS Office applications7. Old versions of MS Office applications

8. Protection recommendations8. Protection recommendations


http://www.elcomsoft.com/



Key principles of data password protection

1. Key is stored within the document. When someone attempts to open the document, the program checks whether the key entered is the same as the stored one. If the key doesn’t match, the program locks further processing of the document.

1. Key is stored within the document. When someone attempts to open the document, the program checks whether the key entered is the same as the stored one. If the key doesn’t match, the program locks further processing of the document.

2. A key hash is stored within the document. "A hash function is a function, mathematical or otherwise, that takes a variable-length input string (called a pre-image) and converts it to a fixed-length (generally smaller) output string (called a hash value)." (Bruce Schneier). When this method is employed, a key entered by a user is being transformed into a data string of fixed length used to verify the key, but that string cannot be used to retrieve the key itself.

2. A key hash is stored within the document. "A hash function is a function, mathematical or otherwise, that takes a variable-length input string (called a pre-image) and converts it to a fixed-length (generally smaller) output string (called a hash value)." (Bruce Schneier). When this method is employed, a key entered by a user is being transformed into a data string of fixed length used to verify the key, but that string cannot be used to retrieve the key itself.

3. A key is used to encrypt the document with a certain algorithm. The protection reliability depends only on releability of the algorithm and the length of the key.

3. A key is used to encrypt the document with a certain algorithm. The protection reliability depends only on releability of the algorithm and the length of the key.





Passwords in Microsoft Word 97/2000Passwords in Microsoft Word 97/2000

Write protection password.This password is stored inside the document. You can see it using any HEX-viewer.


Document protection password.Password hash is stored in the document. Hash length is only 32 bits. We can change this password to any other one, or disable it (replace with a hash of an empty string).


Password to openWhen this password is set, the entire Word document (including a part of auxiliary information) is encrypted with the RC4 algorithm (stream cipher). 128-bit long hash formed with the MD5 algorithm is used for password verification. Encryption key is 40-bit long, because state regulations of many countries don’t allow using stronger crypto.


Applications for password recovery:Advanced Office 2000 Password Recovery



http://www.elcomsoft.com/ao2000pr.html





Passwords in Microsoft Excel 97/2000Passwords in Microsoft Excel 97/2000







Book and Sheet password.When an Excel Sheet is being protected with a password, a 16-bit (two byte) long hash is generated. Book protection is somewhat more sophisticated. Hash generation algorithm is the same as with sheet protection, however, a whole document is being encrypted. Password for encryption is “VelvetSweatshop”.

Book and Sheet password.When an Excel Sheet is being protected with a password, a 16-bit (two byte) long hash is generated. Book protection is somewhat more sophisticated. Hash generation algorithm is the same as with sheet protection, however, a whole document is being encrypted. Password for encryption is “VelvetSweatshop”.









VBA Macros protectionVBA Macros protection

Office 97:Passwords are stored almost in their original form – a very simple encryption algorithm is being used. These passwords can be recovered or changed/removed instantly.

Office 97:Passwords are stored almost in their original form – a very simple encryption algorithm is being used. These passwords can be recovered or changed/removed instantly.

Office 2000:Windows CryptoAPI is being used. Password hash is generated with SHA algorithm. These passwords can be recovered by brute-force or dictionary attacks only; however, they can be changed or removed.

Office 2000:Windows CryptoAPI is being used. Password hash is generated with SHA algorithm. These passwords can be recovered by brute-force or dictionary attacks only; however, they can be changed or removed.


Advanced VBA Password Recovery


Advanced VBA Password Recoveryhttp://www.elcomsoft.com


http://www.elcomsoft.com/avpr.html


http://www.elcomsoft.com/avpr.html




Microsoft Outlook Personal Storage filesMicrosoft Outlook Personal Storage files

This application allows protecting user’s personal data stored in *.pst files (Personal Storage Files) with a password. Protection of user’s personal information and of his/her personal correspondence is a very important factor to be taken into account when developing general concept of information protection. However, Microsoft is using a very simple and unstable algorithm here as well. Password hash is generated with CRC-32 algorithm (32-bit check sum). It has been proven that a 6-character input data array (non-printable characters not included) can be found for any check sum. So, password retrieval turns to be a trivial task.

This application allows protecting user’s personal data stored in *.pst files (Personal Storage Files) with a password. Protection of user’s personal information and of his/her personal correspondence is a very important factor to be taken into account when developing general concept of information protection. However, Microsoft is using a very simple and unstable algorithm here as well. Password hash is generated with CRC-32 algorithm (32-bit check sum). It has been proven that a 6-character input data array (non-printable characters not included) can be found for any check sum. So, password retrieval turns to be a trivial task.


Advanced Outlook Password Recovery


Advanced Outlook Password Recoveryhttp://www.elcomsoft.com


http://www.elcomsoft.com/aolpr.html


http://www.elcomsoft.com/aolpr.html




French versions of Microsoft OfficeFrench versions of Microsoft Office

Strong cryptographic algorithms are banned in France. So, if MS Word or Excel document has been created (password-protected) on a computer with French regional settings, very simple encryption algorithm (XOR-based) is being used. A 16-byte sequence is generated from any password (we can also calculate the password from that sequence). If we know 16 bytes from source plaintext, then password recovery is trivial. In most cases, passwords for these files can be recovered instantly by means of statistical plaintext analysis.

Strong cryptographic algorithms are banned in France. So, if MS Word or Excel document has been created (password-protected) on a computer with French regional settings, very simple encryption algorithm (XOR-based) is being used. A 16-byte sequence is generated from any password (we can also calculate the password from that sequence). If we know 16 bytes from source plaintext, then password recovery is trivial. In most cases, passwords for these files can be recovered instantly by means of statistical plaintext analysis.









Old versions of MS Office applicationsOld versions of MS Office applications

Microsoft Word 2.0, 6.0 and 95 (7.0), Excel 4.0, 5.0 and 95 (7.0) are using even less powerful encrypting algorithm. To encrypt a document, an exclusive OR operation (XOR) with a sequence derived from the password is being used. As some (predictable) auxiliary information is encrypted, too, that sequence can be recovered. So, file open password in these Word and Excel versions can be retrieved in a fraction of second.

Microsoft Word 2.0, 6.0 and 95 (7.0), Excel 4.0, 5.0 and 95 (7.0) are using even less powerful encrypting algorithm. To encrypt a document, an exclusive OR operation (XOR) with a sequence derived from the password is being used. As some (predictable) auxiliary information is encrypted, too, that sequence can be recovered. So, file open password in these Word and Excel versions can be retrieved in a fraction of second.


Advanced Office 95 Password Recovery


Advanced Office 95 Password Recoveryhttp://www.elcomsoft.com








Protection recommendationsProtection recommendations

Having read this text, many users will become unsure about entrusting their secrets to Microsoft software. The answer is very simple – use other software products to protect confidential information. For example, one can use a reputable, thoroughly tested Pretty Good Privacy (PGP) software. It is based on a well-known mathematical problem – factorization of a very great number into prime numbers. There is no known (analytical) solution of this problem, and exhaustion of all possible combinations will take forever – even with state-of-the-art machines.If you decide to protect your document with a password (to set a file open password in Word or Excel) anyway, choose a complicated one. Avoid using words from a dictionary, or your name/surname as a password. Your password should consist of letters (both upper- and lower-case), numbers, and special symbols. You can also use symbols from your national alphabet. A secure password might look like this: “fO7#s!kP4x*a”. However please, note that with today’s computers, decrypting your document won’t take longer than a few days (or even hours on a LAN).

Having read this text, many users will become unsure about entrusting their secrets to Microsoft software. The answer is very simple – use other software products to protect confidential information. For example, one can use a reputable, thoroughly tested Pretty Good Privacy (PGP) software. It is based on a well-known mathematical problem – factorization of a very great number into prime numbers. There is no known (analytical) solution of this problem, and exhaustion of all possible combinations will take forever – even with state-of-the-art machines.If you decide to protect your document with a password (to set a file open password in Word or Excel) anyway, choose a complicated one. Avoid using words from a dictionary, or your name/surname as a password. Your password should consist of letters (both upper- and lower-case), numbers, and special symbols. You can also use symbols from your national alphabet. A secure password might look like this: “fO7#s!kP4x*a”. However please, note that with today’s computers, decrypting your document won’t take longer than a few days (or even hours on a LAN).


Other Windows applicationsOther Windows applications

1. ZIP archiver, known-plaintext attack1. ZIP archiver, known-plaintext attack

2. ARJ archiver, very weak encryption2. ARJ archiver, very weak encryption

3. RAR archiver, strong crypto from Russia3. RAR archiver, strong crypto from Russia

4. Protection in Adobe Acrobat4. Protection in Adobe Acrobat

5. Internet Explorer content advisor password5. Internet Explorer content advisor password

6. Database protection in Microsoft Money6. Database protection in Microsoft Money


ZIP archiverZIP archiver

This archiver allows to set an archive password. Whole archive is encrypted using the specific algorithm. Each password is converted to three 32-bit keys. Two famous cryptoanalysts, Eli Biham and Paul Kocher, have analyzed this algorithm and found out that it’s possible to find the encryption keys by means a known-plaintext attack. Only 12 bytes of plaintext are needed for keys recovery. Then, we can manually decrypt the whole archive using that encryption keys. If we don’t have any plaintext, it’s possible to recover a password using a brute-force or dictionary attacks (which could be implemented very effectively on modern CPUs).

This archiver allows to set an archive password. Whole archive is encrypted using the specific algorithm. Each password is converted to three 32-bit keys. Two famous cryptoanalysts, Eli Biham and Paul Kocher, have analyzed this algorithm and found out that it’s possible to find the encryption keys by means a known-plaintext attack. Only 12 bytes of plaintext are needed for keys recovery. Then, we can manually decrypt the whole archive using that encryption keys. If we don’t have any plaintext, it’s possible to recover a password using a brute-force or dictionary attacks (which could be implemented very effectively on modern CPUs).

Charset Length Passwords Time

All printable 1..5 7,820,126,720 65 minutes

Digits, small/capital, space 6 62,523,502,592 9 hours

Digits, small letters, space 7 94,931,877,888 13 hours

Digits 8..11 111,100,002,304 15,5 hours

Small letters, space 8 282,429,521,920 ~1,5 days

Brute force speed analysis for ZIP (for P-II 350 CPU)Brute force speed analysis for ZIP (for P-II 350 CPU)

Applications for password recovery:Advanced Archive Password Recovery

Advanced ZIP Password Recovery


Advanced ZIP Password Recoveryhttp://www.elcomsoft.com

http://www.elcomsoft.com/archpr.html

http://www.elcomsoft.com/azpr.html


http://www.elcomsoft.com/azpr.html

ARJ archiverARJ archiver

Very simple and weak encryption algorithm is used in this archiver. “Exclusive OR” logical operation is performed on the archive contents. The second argument in this operation is a password. Of course, we can use a known-plaintext attack, or just brute-force approach if archive contents is unknown. But in the latest versions of ARJ strong encryption (GOST algorithm) is available as an option.

Very simple and weak encryption algorithm is used in this archiver. “Exclusive OR” logical operation is performed on the archive contents. The second argument in this operation is a password. Of course, we can use a known-plaintext attack, or just brute-force approach if archive contents is unknown. But in the latest versions of ARJ strong encryption (GOST algorithm) is available as an option.


Advanced ARJ Password Recovery


Advanced ARJ Password Recoveryhttp://www.elcomsoft.com


http://www.elcomsoft.com/aapr.html


http://www.elcomsoft.com/aapr.html

RAR archiverRAR archiver

RAR archiver, developed by Eugene Roshal, uses a very strong encryption algorithm. Encryption key is 128 bits long. 256 bytes S-Box is derived from each key. S-Box operations are very complicated and slow. Known-plaintext attack is not possible at all. Only brute-force or dictionary attack can be used for password recovery. Recovery speed is very low; for example, we can test only about 4800 passwords per second on P-III 800.

RAR archiver, developed by Eugene Roshal, uses a very strong encryption algorithm. Encryption key is 128 bits long. 256 bytes S-Box is derived from each key. S-Box operations are very complicated and slow. Known-plaintext attack is not possible at all. Only brute-force or dictionary attack can be used for password recovery. Recovery speed is very low; for example, we can test only about 4800 passwords per second on P-III 800.


Advanced RAR Password Recovery


Advanced RAR Password Recoveryhttp://www.elcomsoft.com


http://www.elcomsoft.com/arpr.html


http://www.elcomsoft.com/arpr.html

Passwords in Adobe AcrobatPasswords in Adobe Acrobat

Standard PDF securityProtected PDF document has two passwords: an owner password and a user password. The document also specifies operations that should be restricted even when the document is decrypted: printing; copying text and graphics out of the document; modifying the document; and adding or modifying text notes and AcroForm fields.

Standard PDF securityProtected PDF document has two passwords: an owner password and a user password. The document also specifies operations that should be restricted even when the document is decrypted: printing; copying text and graphics out of the document; modifying the document; and adding or modifying text notes and AcroForm fields.

Applications for password recovery:Advanced PDF Password Recovery

Applications for password recovery:Advanced PDF Password Recovery


Password typesWhen the correct user password is supplied, the document is opened and decrypted but these operations are restricted; when the owner password is supplied, all operations are allowed. The owner password is required to change these passwords and restrictions.

Password typesWhen the correct user password is supplied, the document is opened and decrypted but these operations are restricted; when the owner password is supplied, all operations are allowed. The owner password is required to change these passwords and restrictions.

Encryption keyProtected PDF document is encrypted with the RC4 algorithm. Encryption key length is 40 bits. Key is calculated from the user password. Knowing of the owner password allows calculation of the user password and therefore encryption key. All restrictions are enforced by software, not by PDF format itself.

Encryption keyProtected PDF document is encrypted with the RC4 algorithm. Encryption key length is 40 bits. Key is calculated from the user password. Knowing of the owner password allows calculation of the user password and therefore encryption key. All restrictions are enforced by software, not by PDF format itself.

http://www.elcomsoft.com/apdfpr.html

http://www.elcomsoft.com/apdfpr.html

Internet Explorer Content Advisor passwordInternet Explorer Content Advisor password

Microsoft Internet Explorer allows to set up a password for Content Advisor. This protection is extremely weak. MD5 hash is calculated from the password, and stored in system Registry. We can simply remove the contents of appropriate Registry key, or generate the necessary hash and change the password to any other one.

Microsoft Internet Explorer allows to set up a password for Content Advisor. This protection is extremely weak. MD5 hash is calculated from the password, and stored in system Registry. We can simply remove the contents of appropriate Registry key, or generate the necessary hash and change the password to any other one.






Passwords in Microsoft MoneyPasswords in Microsoft Money

Latest versions of Microsoft Money uses MS Jet storage system. Database password is stored in the file header. Whole database is encrypted using RC4 algorithm. But encryption key is permanent (by the way key length is only 32 bits). This key is stored in one of the system DLL’s. Therefore any database password can be recovered instantly.

Latest versions of Microsoft Money uses MS Jet storage system. Database password is stored in the file header. Whole database is encrypted using RC4 algorithm. But encryption key is permanent (by the way key length is only 32 bits). This key is stored in one of the system DLL’s. Therefore any database password can be recovered instantly.

Applications for password recovering:Advanced Money Password Recovery

Applications for password recovering:Advanced Money Password Recovery




Http:// Presentation on Black Hat Windows 2000 Security Conference Analysis of Microsoft Office...

Documents

Transcript of Http:// Presentation on Black Hat Windows 2000 Security Conference Analysis of Microsoft Office...