From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 17 Feb 2005 19:23:55 +0200
Subject: [REVS] The Misuse of RC4 in Microsoft Word and Excel
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050217181242.EA4CA573E@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
The Misuse of RC4 in Microsoft Word and Excel
------------------------------------------------------------------------
SUMMARY
A serious security flaw in Microsoft Word and Excel allows an attacker to
easily decrypt a Microsoft encrypted document.
The stream cipher RC4 with key length up to 128 bits is used in Microsoft
Word and Excel to protect the documents. However, when an encrypted
document gets modified and saved, the initialization vector remains the
same and thus the same keystream generated from RC4 is used to encrypt the
different versions of that document. The consequence is disastrous since a
lot of information of the document could be recovered.
DETAILS
Introduction:
After more than two decades of public research on cryptography, many
practically secure ciphers have been proposed. If we use those ciphers
properly, adequate protection could be achieved.
Unfortunately, when the ciphers are implemented in products, various
security problems may arise. A well-known story is related to an old
version of the Netscape browser. In the implementation of the Secure
Socket Layer (SSL) in Netscape 1.1, the key of the symmetric key cipher is
derived from the current time and the process ID (or the system time).
The key space becomes severely limited, and even the 128-bit encryption
version could be easily cracked [4]. For the implementation of stream
ciphers, the basic principle is that if the same key is used for more than
once, different initialization vectors should be used to prevent the same
keystream from being used to encrypt more than one message.
When the stream cipher is used in the data transmission, normally people
would follow this principle strictly. However, in the environment where
the document needs to be edited and modified, such principle may be
forgotten. This kind of mistake takes place in the Microsoft Office (Word
and Excel) encryption, the same key and the same initialization vector are
allowed to encrypt different versions of a document.
This happens as follows. We encrypt a Microsoft Office (Word or Excel)
document with a password and save that file. Later that document is
modified and being saved again. In this process, the key and
initialization vector remain unchanged, so the same keystream is used to
protect two different versions (the original and the modified versions) of
the documents.
By XORing those two versions, we could obtain a lot of information about
the document. The above attack could take place in real life. Suppose that
Alice and Bob are working on the same Microsoft Office (Word or Excel)
document. They share the same password and use that password to protect
the document. They would make changes to the document and the document is
encrypted and transmitted between them for a number of times.
In this process, the same password and initialization vector are used to
protect all the modified versions of that document and the document could
be easily recovered from those intercepted files with high chance.
Here is another example, suppose that Alice is working on a Microsoft
Office document (Word and Excel) and she uses a password to protect it.
During the process, Alice may need to backup her files. An attacker could
retrieve a lot of information from those backup files even though the
attacker does not know Alice's password.
This report is organized as follows:
* The background information on the security of Microsoft Office
* We illustrate the misuse of RC4 in Microsoft Word and Excel
* We discuss the countermeasure
* We provide a conclusion
ADDITIONAL INFORMATION
The original article can be found at:
<http://eprint.iacr.org/2005/007.pdf> http://eprint.iacr.org/2005/007.pdf
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.