MS Office encryption flaw uncovered

A researcher has uncovered what is claimed to be a “serious” flaw in the way Microsoft implements document encryption in Word and Excel.

The problem relates to the way Microsoft implements the 128-bit RC4 encryption algorithm when re-saving documents after their initial creation. In this situation it appears that the programs use the same password key and initialization vectors to encrypt different versions of the same document. Normally where the same password key is being used, different vectors should be used.

The problem emerged from detailed investigation by Hongjun Wu of the Institute of Infocomm Research in Singapore and has been dissected by him in a new paper, “The Misuse of RC4 in Microsoft Word and Excel”.

The flaw, which is believed to affect all current versions of the Office programs named, sounds highly technical but Wu describes a number of everyday scenarios where it would seriously undermine document security. One likely compromise was where two co-workers edited successive versions of a document where the password remained constant.

“By XORing (a mathematical function) those two versions we could obtain a lot of information about the document,” he reports. “Once we obtained two different documents encrypted with the same keystream a lot of information could be retrieved.”

In his paper, Wu describes performing a proof-of-flaw experiment on a Word file, where he compared two versions which were identical except for a single word. He noticed that the binary output from these encrypted files was identical bar the address space accounted for by the plaintext change to the original.

Microsoft was asked for a comment but has not yet replied.