The Misuse of RC4 in Microsoft Office
A paper by:
Hongjun WuInstitute for Infocomm Research, Singapore
ECE 578Matthew Fleming
Microsoft Office Overview
• Microsoft Office– Released in 1989
– Encryption added in 1995
• Encryption Schema– Default: 40-bit RC4
• Due to cipher export regulations
– Allows up to 128-bit RC4 cipher
RC4 Overview
• RC4– Stream cipher
– Variable sized key• 8 to 2048 bits• Multiples of 8 bits
– XOR’s values of state to input
– Shuffles state with every output
RC4 Overview
• RC4 Cryptanalysis– XOR is a weak operation
– Security depends entirely on the randomness of the state vector
– States are pseudo-random• They will repeat with time
RC4 Overview
• RC4 Cryptanalysis– Knowing the entire state at a given time
allows knowledge of all future values
– Knowing the entire initial state effectively breaks the cipher
– Initial state depends only upon the key
– The key uniquely determines the keystream
RC4 in Microsoft Office
• Document Encryption in Office– Password protected by the user
• Key generated from password
– Initialization vector generated by Office
– Key and initialization vector hashed together to create RC4 secret key
RC4 in Microsoft Office
• Initialization Vector– Generated only once for a given
document• The same initialization vector is used for a
document, regardless of any editing
• User Password Behavior– Users rarely change passwords for a
given document
RC4 in Microsoft Office
• RC4 Secret Key– Secret key generated from initialization
vector and user password• Initialization vector never changes• Typically users never change the password
on a given document
– This means the same secret key is used in every edition of a document!
Attacks on Office Cryptosystems
• Brute Force Attack– Only 40-bit to 128-bit encryption used
• Brute force attack the key
• Alternate Attack– Obtain different editions of a document
• Both will use the same initial keystream
Attacks on Office Cryptosystems
• Alternate Attack– Original
– Original (Encrypted)
• Alternate Attack
– Modified (Encrypted)
Attacks on Office Cryptosystems
• Alternate Attack– Further exploits
• ASCII characters all have a leading zero
– Perform analysis on XOR result of two documents• See: “Automated cryptanalysis of XOR
plaintext strings”[3]
Making Office More Secure
• Simple Changes– A quick patch to prevent this attack
• Generate a new initialization vector after each edit
– Use HMAC with the user password as the key and the document as the message
– Generate the initialization vector from a random source, such as time (to the millisecond), clock cycles since program launch, etc.
Making Office More Secure
• Simple Changes– Switch to a block cipher
• AES• IDEA
– Use CBC (or similar)• Even if the same initialization vector is used,
it is difficult to extract information with CBC
Conclusions
• Office Misuses RC4 Cipher– Initialization vector remains the same
across edits
– 40-bit encryption is woefully insecure against brute force attacks
– RC4 is not a very strong cipher anyway
Conclusions
• Proposals for Better Security– Release a quick patch to implement
HMAC for initialization vector generation
– Upgrade the cryptosystems to use a block cipher (AES) with CBC• Make this default
References
• [1] H. Wu. The Misuse of RC4 in Microsoft Word and Excel. Institute for Infocomm Research, Singapore, January 2005.
• [2] R. Wash. Lecture Notes on Stream Ciphers and RC4. Case Western Reserve University.
• [3] E. Dawson and L. Nielsen. Automated cryptanalysis of XOR plaintext strings. Cryptologia, (2):165-181, April 1996.
Top Related