A Chinese cryptographer/mathematician has found serious
vulnerabilities in the encryption used to protect a common class of Excel and
Word files.

Details

Q: What’s worse than no cryptography?

A: Weak cryptography.

Why? Because if you have weak encryption (which few
programmers, let alone users, really understand), users, managers, and
corporate management believe their secrets are protected. At least, if you have
no encryption, then no one is surprised to learn that documents can be easily
compromised.

Many companies and individuals rely on the encryption
technology provided by Microsoft for Office users but this is not a seriously
secure encryption tool, as a recent academic paper demonstrates.

Hongjun Wu has discovered that RC4 is being critically misused
in both Microsoft Word and Excel file encryption. RC4 is a stream cipher that can
be applied with up to a 128-bit encryption level on any Word or Excel file.

A
report in CNETasia highlighted this problem on January 10. The problem isn’t
terribly complex; in fact, it is a very basic vulnerability where multiple
files are being encrypted using a fixed algorithm and the same password. This
can easily be overcome by using different initialization vectors, but Microsoft
Office fails to do this in some very common circumstances.

Note on basic encryption

For those who aren’t familiar with even basic cryptography
technology, it is common to use the same password and encryption algorithm. If
you do this twice with similar information, then cracking one document is
almost a trivial exercise when a second example is available. The use of XOR to
compare two versions of a document is a well-known decryption tool. The way
around this is simple—use a different factor as a starting point for each
separate document being encrypted.

Microsoft Office does use a different initialization vector
for each new document but the problem lies in the way it treats edited documents.
Every time you open, edit, and resave the document, it is encrypted using the
same key—since many documents are saved in multiple versions or are backed up,
cracking the document can be relatively easy. This could apply to stolen
backups, stolen PCs, discarded hard drives, or when multiple users pass an
encrypted file back and forth.

Details proving the problem are available in an academic paper. This doesn’t
include an exploit, and getting plaintext data out of the encrypted files isn’t
a job for a script kiddie; however, a serious security professional would find
the task relatively simple.

Applicability

This vulnerability affects Microsoft Excel and Word
documents saved using the provided Microsoft encryption system.

Mitigating factors

You would still need a basic knowledge of cryptography and
access to multiple copies of a similar file encrypted using the same password,
but that only provides protection against very unskilled attackers.

Fix

There is no way to fix this on your own until Microsoft,
which has acknowledged the problem, provides a fix. Otherwise, all you can do
is turn to a more secure encryption technology, especially when sharing files
between different editors/contributors.

Final word

I can’t emphasize enough that this vulnerability isn’t some
esoteric flaw, but an extremely basic error in simple cryptographic thinking
that, even worse, was widely publicized in the crypto-community back in 1999 by
Bruce Schneider of Counterpane Internet Security.

I always cringe when programmers tell me that they can
easily write a crypto-algorithm but couldn’t tell me the difference between a
Prime and a Mersenne Prime. This was a hot button topic when I wrote a
developer security newsletter for another CNET Web site, but that only
reinforced my belief that encryption is the most vital and most poorly applied
security technology in use today. Personally, I studied both quantum physics
and the math needed to understand it and, despite a serious decades-long
interest in cryptography, I would never attempt to create an end-to-end
encryption scheme.

Those with knowledge of history, or who are fans of war
movies, will recognize that decrypting very similar files is relatively easy and
that this has been widely recognized for a long time.

Also watch for …

  • Oracle has released its quarterly security
    updates, some covering quite serious vulnerabilities. An
    11-page PDF document     explains the patches for 23 separate vulnerabilities
    in different versions of the database software. The document is extremely
    well-organized and provides lots of useful details about just what
    vulnerability exists where and how to repair it. Oracle has set a new standard
    for the way complex security updates should be documented.
  • The HIPPA deadline
    is looming on April 14, just the thing to cheer managers on the day before tax
    deadline. The Health Insurance Portability and Accountability
    Act (HIPPA) (Public Law 104-191) provides for severe penalties if those
    handling medical records get careless. This includes companies with information
    about employees as well as any medical-related businesses. There are some
    useful, publicly-accessible documents at the AICPA
    site     (American Institute of Certified Public Accountants, Inc.). The
    overview document     carries a good summary that you can pass along to upper
    management or even your accounting department.