Weak/Broken: MS office encryption for Word & Excel
Results 1 to 8 of 8

Thread: Weak/Broken: MS office encryption for Word & Excel

  1. #1
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177

    Post Weak/Broken: MS office encryption for Word & Excel

    Bruce Schneier mentioned this a few days ago, and while the topic of misusing an encryption protocol is not new, I feel it bears repeating.

    Hongjun Wu of the Institute for Infocomm Research, Singapore has written an informative paper entitled The Misuse of RC4 in Microsoft Word and Excel. He pretty much sums up the whole point right there.

    The distilled version is this: if you have two versions of an encrypted Word or Excel document, you can compare them to recover the data. This is done by XORing the two documents against each other and then using some basic pattern analysis. Not your typical script kiddie fare, but not too difficult either, if one applies some time and effort to learning a few skills.

    It's an amateur crypto mistake.
    I like how Bruce put's it, and he's right. What is trully dissapointing is the fact that MS was stung by this before...5 years ago, with their NT Syskey encryption of the SAM. Two whole OS versions and god knows HOW many Office versions later, and this is still an issue? Someone in MS product development and engineering should be fired, IMNSHO.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Well Zen~ since when have Microsoft done anything secure?................like the passwords in Win 9x? or the whole office suite?

    My complaint is that they do not make the limitations clear. Their security prevents casual or inadvertent interception/interference, but is in no way real security.....................it never has been.

    I remember getting this Access tool from Avionics Division.................a guy rang me up a few hours later and said "you will need the password" to which I replied "lager1664................can't you guys spell Kronenbourg?".......................he was not a happy bunny

    It is the false sense of security that is the problem?

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    I think it is moreso a misuse of the product. I've read many security policies and most of them say that sensitive/secure data needs to be encrypted. But I've never seen one that said MS Office encryption is the encryption to use. Now, most policies insist on 256bit AES or higher encryption for documents. Definitely not what MS Office is giving. I guess it really comes down to how secure is the product and how secure is it marketed.. I've never seen an MS document that says you can use MS Office encryption to secure government secrets. It's just not what the product was designed for.

    If you are using MS Office to secure something that is worth the time of a cracker to find another encrypted copy and work through this, then you are not doing your job properly.

    Does Word really need to do 256 AES encryption when there are so many other tools that do it so well? Word isn't a security product, it is a word processor. Leave the encryption to true encryption packages. It just amazes me that the experts in the field still love to find products that are not intended for secure use and then bash them. I guess they have to keep their name in the media somehow.

    I just checked the MS Office 2k3 help file and this is what it says- "Note Requiring a password to modify a file does not encrypt the contents of the file."

    So why the hell are these guys even writing the articles when the product documentation says it is not really encrypting the contents??????? The help file doesn't make a distinction between the weak XOR that is default and the MS Strong encryption that they used in this article, but either way. I'm not going to use a product for security purposes when the help file clearly says what I posted above.

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by mohaughn
    I think it is moreso a misuse of the product.
    How is it a misuse of the product? Microsoft sell's that product with one of the features being touted as the ability to protect a document from being opened (or modified...more on this below...) with a password.

    It's not mis-use of the product...if anything, it's mis-representation of the products capabilities. If Ford-rolet designs, builds, and sells a car, advertising all its advantages including a "Big-Gulp sized cup holder", someone buys the car and puts a Big-Gulp in the cup holder, which then drops the cup and spills it on the new-car carpet and they get mad, is it reasonable to tell that person "you shouldn't be buying a car just for the cup holder!" It was advertised that way!

    Does Word really need to do 256 AES encryption when there are so many other tools that do it so well? Word isn't a security product, it is a word processor. Leave the encryption to true encryption packages. It just amazes me that the experts in the field still love to find products that are not intended for secure use and then bash them. I guess they have to keep their name in the media somehow.
    No, I don't think many of us would legitimately argue with you that word needs 256bit AES to protect the documents. And yes, those in the know WOULD use one of the much better products, I'd think. But when Microsoft sells a product with "Security Features" they've built in, then it's not a matter of whether it "needs" the features...they're already there. And some companies are buying it because the spec sheet reflects these "features" exist.

    I just checked the MS Office 2k3 help file and this is what it says- "Note Requiring a password to modify a file does not encrypt the contents of the file."
    So if we mark a document for modify-only-with-password, we shouldn't expect encryption? Thanks. Much appreciated. But I never did. Modify-only has *nothing* to do with encryption except the fact that they both use a password. We're talking about encrypting the whole document...i.e. password needed to open/view/read/print the document.

    So why the hell are these guys even writing the articles when the product documentation says it is not really encrypting the contents??????? The help file doesn't make a distinction between the weak XOR that is default and the MS Strong encryption that they used in this article, but either way. I'm not going to use a product for security purposes when the help file clearly says what I posted above.
    Go back to my last statement. They are reviewing the use of an accepted and approved encryption algorithm by the single most recognized software firm in the world in a product stated to have security features to protect the users content. The use of this algorith is incorrect, and this is the point of the article. If you really think this is about MS bashing, think again. It's about saying "this is done wrong", proving it, and opening discussion so the industry can learn from this mistake. Will they learn from the mistake? That's another discussion.

    /* edited for grammatical errors */
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    If you think these people are doing this simply to justify their own existence, you may be right. Go ahead, use that ROT13 encryption. It's safe...no need to have it tested by anyone outside the company selling you the software using it. Trust them.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  6. #6
    Senior Member
    Join Date
    Jan 2005
    Posts
    128
    M$ are notorious fundamental weak security.

    But, if you only rely on certain security features, and not their whole suite, then your just as bad as the employees at M$...

    If you have a document you dont want others to see, use NTFS permissions along with encrypting the file via Office/PGP, etc etc

    Win9X Security was pretty pathetic, but once you really hacked it up, it became alot more secure.
    http://sfx-images.mozilla.org/affili...88x31/take.gif
    If You\'ve Done Something Right. People Wont Know You\'ve Done Anything At All - God (futurama)

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    How is it a misuse of the product? Microsoft sell's that product with one of the features being touted as the ability to protect a document from being opened (or modified...more on this below...) with a password.
    So you expect a file to be read only or hidden just because you check the file attribute box that says so? Where is the news article blasting MS for having such weak security that you can simply run attrib or change the attributes through the GUI??? It is non-news. These experts are just publishing this kind of stuff to keep their names in the media. It is FUD reporting, and we don't need it.

    It is the responsibility of the user to understand how secure the product is and make sure that the security of the product matches up with the desired security of the content they are trying to protect.

  8. #8
    Member
    Join Date
    Mar 2003
    Posts
    50
    It is the responsibility of the user to understand how secure the product is and make sure that the security of the product matches up with the desired security of the content they are trying to protect.
    I agree.

    I tend not to look at the protections provided by M$ as the end all (imagine that). It's just naive practice. But, if you look at it as an additional layer, it's certainly has merit. Security, after all, is something that needs to be dealt with in various layers. Obviously, if somthing is worth cracking, it's worth the consideration of multiple security layers. Using the password feature is a good (not to mention minimally intrusive) added step.
    Always happens, I get all worked up to say somthing profound and bam!!! uh... whut were we talkin bout?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •