Linker IT Software
Order Home
menubar-top-links menubar-top-rechts
ExcelLock: Locking and securing your valuable Excel spreadsheets.

SQL*XL: Database to Excel bridge

litLIB: Excel power functions pack

Home Products EncOffice

Buy now Download now EncOffice

Password Crackers

Document protection issues in MS-Office

There are many password crackers available, claiming that they can break any password protecting a Word or Excel document. That is just sales talk! They make use of weak protection schemes or vulnerabilities in the encryption techniques that are used by MS-Office. Don't forget that MS-Office exists since 1995. Old vulnerabilities still contribute to the security image of the product. The truth is that if you use a recent Office-version (XP/2003) and the proper security measures when applying the password, the encryption is strong enough to withstand crackers for years.

Different types of document protection
There are different types of document protection that all use passwords. Some examples:

  • Copy, save and print protection
    This 'security' is based on the willingness of the client software reading the document to respect these restrictions. From a security point of view it has no value. This is NOT used by encOffice.
  • Modify protection
    The purpose is to let you open the document but not modify it. It might stop the average computer user but offers no real security. This is NOT used by encOffice.
  • Protection against opening the document
    You can only view the file content after supplying the correct password. The whole file is encrypted and can only be decrypted with the right password. The protection against opening a document is used by encOffice.

Public known vulnerabilities
There are some public known vulnerabilities in MS-Word and MS-Excel that under certain conditions may allow a hacker to break the document protection. These vulnerabilities are:

  • Weak encryption method (Office95)
    MS-Office 95 used the XOR-algorithm, which is not considered real encryption and can be decoded instantly.
    This is solved by encOffice by not using the XOR-algorithm.
  • Vulnerability in Crypto Service Provider (Office97/2000)
    MS-Office 97 and 2000 use a Crypto Service Provider that contains a vulnerability that allows specialized crackers to crack the encryption key (without knowing the password) and open the document. This can be done within minutes.
    This is solved by encOffice by not using the Office97/2000-compatible CSP.
  • Vulnerability in seed for RC4 encryption key MS-Office uses the RC4 encryption algorithm to encrypt the document. For proper usage, RC4 needs to be seeded before each encryption. MS-Office does not perform a re-seed, so that analyzing different encrypted versions of a document may result in content disclosure.
    This is solved by encOffice by requesting a (new) password each time the document is saved.
  • Short passwords are cracked very soon
    MS-Office allows weak passwords. Passwords shorter than 5 characters can be cracked within seconds.
    This is solved by encOffice by warning the user when entering weak passwords and by offering random strong passwords.

The conclusion is that encOffice has knowledge of the security issues of MS-Office and has the knowledge to properly apply document protection.