Document protection issues in MS-Office
There are many password crackers available, claiming that they can break any password protecting a Word or Excel document. That is just sales talk! They make use of weak protection schemes or vulnerabilities in the encryption techniques that are used by MS-Office. Don't forget that MS-Office exists since 1995. Old vulnerabilities still contribute to the security image of the product. The truth is that if you use a recent Office-version (XP/2003) and the proper security measures when applying the password, the encryption is strong enough to withstand crackers for years.
Different types of document protection
There are different types of document protection that all use passwords. Some examples:
- Copy, save and print protection
This 'security' is based on the willingness of the client software reading the document to respect these restrictions.
From a security point of view it has no value. This is NOT used by
- Modify protection
The purpose is to let you open the document but not modify it. It might stop the average computer user but offers no real
security. This is NOT used by encOffice.
- Protection against opening the document
You can only view the file content after supplying the correct password. The whole file is encrypted and can only
be decrypted with the right password. The protection against opening a document is used by encOffice.
Public known vulnerabilities
There are some public known vulnerabilities in MS-Word and MS-Excel that under certain conditions may allow a hacker
to break the document protection. These vulnerabilities are:
- Weak encryption method (Office95)
MS-Office 95 used the XOR-algorithm, which is not considered real encryption and can be decoded instantly.
This is solved by encOffice by not using the XOR-algorithm.
- Vulnerability in Crypto Service Provider (Office97/2000)
MS-Office 97 and 2000 use a Crypto Service Provider that contains a vulnerability that allows specialized crackers to
crack the encryption key (without knowing the password) and open the document. This can be done within minutes.
This is solved by encOffice by not using the Office97/2000-compatible CSP.
- Vulnerability in seed for RC4 encryption key
MS-Office uses the RC4 encryption algorithm to encrypt the document. For proper usage, RC4 needs to be seeded before
each encryption. MS-Office does not perform a re-seed, so that analyzing different encrypted versions of a document may
result in content disclosure.
This is solved by encOffice by requesting a (new) password each time the document is saved.
- Short passwords are cracked very soon
MS-Office allows weak passwords. Passwords shorter than 5 characters can be cracked within seconds.
This is solved by encOffice by warning the user when entering weak passwords and by offering random strong passwords.
The conclusion is that
encOffice has knowledge of the security issues of MS-Office and has
the knowledge to properly apply document protection.