This paper examines the vulnerabilities of the RC4 encryption scheme used in Microsoft Office documents, revealing critical flaws in its implementation. Since Microsoft Office introduced encryption in 1995, the default use of 40-bit RC4 due to export restrictions has rendered documents susceptible to brute force attacks. The paper details how the same initialization vector is used for all edits, which compromises security. Recommendations for improving Office's security include switching to a stronger block cipher like AES and generating new initialization vectors after each document edit.
The Misuse of RC4 in Microsoft Office • A paper by: Hongjun Wu, Institute for Infocomm Research, Singapore • ECE 578 • Matthew Fleming
Microsoft Office Overview • Microsoft Office • Released in 1989 • Encryption added in 1995 • Encryption Schema • Default: 40-bit RC4 • Due to cipher export regulations • Allows up to 128-bit RC4 cipher
RC4 Overview • RC4 • Stream cipher • Variable sized key • 8 to 2048 bits • Multiples of 8 bits • XORs values of state with input • Shuffles state with every output
RC4 Overview • RC4 Cryptanalysis • XOR is a weak operation • Security depends entirely on the randomness of the state vector • States are pseudo-random • They will repeat with time
RC4 Overview • RC4 Cryptanalysis • Knowing the entire state at a given time allows knowledge of all future values • Knowing the entire initial state effectively breaks the cipher • Initial state depends only upon the key • The key uniquely determines the keystream
RC4 in Microsoft Office • Document Encryption in Office • Password protected by the user • Key generated from password • Initialization vector generated by Office • Key and initialization vector hashed together to create RC4 secret key
RC4 in Microsoft Office • Initialization Vector • Generated only once for a given document • The same initialization vector is used for a document, regardless of any editing • User Password Behavior • Users rarely change passwords for a given document
RC4 in Microsoft Office • RC4 Secret Key • Secret key generated from initialization vector and user password • Initialization vector never changes • Typically users never change the password on a given document • This means the same secret key is used in every edition of a document!
Attacks on Office Cryptosystems • Brute Force Attack • Only 40-bit to 128-bit encryption used • Brute force attack the key • Alternate Attack • Obtain different editions of a document • Both will use the same initial keystream
Attacks on Office Cryptosystems • Alternate Attack • [Figures: Original; Original (Encrypted); Modified (Encrypted)]
Attacks on Office Cryptosystems • Alternate Attack • [Figures: Original (Encrypted); Modified (Encrypted)]
Attacks on Office Cryptosystems • Alternate Attack • Further exploits • ASCII characters all have a leading zero • Perform analysis on XOR result of two documents • See: “Automated cryptanalysis of XOR plaintext strings”[3]
Making Office More Secure • Simple Changes • A quick patch to prevent this attack • Generate a new initialization vector after each edit • Use HMAC with the user password as the key and the document as the message • Generate the initialization vector from a random source, such as time (to the millisecond), clock cycles since program launch, etc.
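The keystream reuse described on the attack slides, next to the per-edit initialization vector fix, as an added example (not code from the paper or from Office). `derive_key` is a simplified stand-in for hashing the password and initialization vector together, and the password and document texts are constructed.

```python
import hashlib
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def derive_key(password: bytes, iv: bytes) -> bytes:
    # Assumption: stand-in for "password and IV hashed together";
    # this is not Office's actual key derivation.
    return hashlib.sha256(password + iv).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def save_editions(editions, password, fresh_iv_per_edit):
    """Encrypt each edition; reuse one IV or draw a new one per save."""
    iv = os.urandom(16)
    out = []
    for text in editions:
        if fresh_iv_per_edit:
            iv = os.urandom(16)
        out.append(rc4(derive_key(password, iv), text))
    return out

# Constructed sample data: two editions of one document, same password.
V1 = b"Q3 forecast: revenue 1.2M, headcount 40"
V2 = b"Q3 forecast: revenue 0.9M, headcount 35"
PW = b"correct horse"

def leaks_plaintext_xor(fresh_iv_per_edit: bool) -> bool:
    """True when c1 XOR c2 equals p1 XOR p2, i.e. the keystream cancels."""
    c1, c2 = save_editions([V1, V2], PW, fresh_iv_per_edit)
    return xor(c1, c2) == xor(V1, V2)

if __name__ == "__main__":
    print("same IV across edits, leaks p1^p2:", leaks_plaintext_xor(False))
    print("fresh IV per edit, leaks p1^p2:  ", leaks_plaintext_xor(True))
```

With a reused initialization vector the XOR of the two ciphertexts is zero wherever the editions agree, so unchanged regions and edit positions are visible without the password.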
Making Office More Secure • Simple Changes • Switch to a block cipher • AES • IDEA • Use CBC (or similar) • Even if the same initialization vector is used, it is difficult to extract information with CBC
Conclusions • Office Misuses RC4 Cipher • Initialization vector remains the same across edits • 40-bit encryption is woefully insecure against brute force attacks • RC4 is not a very strong cipher anyway
Conclusions • Proposals for Better Security • Release a quick patch to implement HMAC for initialization vector generation • Upgrade the cryptosystems to use a block cipher (AES) with CBC • Make this default
References • [1] H. Wu. The Misuse of RC4 in Microsoft Word and Excel. Institute for Infocomm Research, Singapore, January 2005. • [2] R. Wash. Lecture Notes on Stream Ciphers and RC4. Case Western Reserve University. • [3] E. Dawson and L. Nielsen. Automated cryptanalysis of XOR plaintext strings. Cryptologia, (2):165-181, April 1996.