The Misuse of RC4 in Microsoft Office A paper by: Hongjun Wu Institute for Infocomm Research, Singapore ECE 578 Matthew Fleming.

1 The Misuse of RC4 in Microsoft Office A paper by: Hongjun Wu Institute for Infocomm Research, Singapore ECE 578 Matthew Fleming

2 Microsoft Office Overview
Microsoft Office
–Released in 1989
–Encryption added in 1995
Encryption Schema
–Default: 40-bit RC4
  Due to cipher export regulations
–Allows up to 128-bit RC4 cipher

3 RC4 Overview
RC4
–Stream cipher
–Variable-sized key
  8 to 2048 bits
  Multiples of 8 bits
–XORs values of state with the input
–Shuffles state with every output

4 RC4 Overview
RC4 Cryptanalysis
–XOR is a weak operation
–Security depends entirely on the randomness of the state vector
–States are pseudo-random
  They will repeat with time

5 RC4 Overview
RC4 Cryptanalysis
–Knowing the entire state at a given time allows knowledge of all future values
–Knowing the entire initial state effectively breaks the cipher
–Initial state depends only upon the key
–The key uniquely determines the keystream

6 RC4 in Microsoft Office

7 Document Encryption in Office
–Password protected by the user
  Key generated from password
–Initialization vector generated by Office
–Key and initialization vector hashed together to create RC4 secret key

8 RC4 in Microsoft Office
Initialization Vector
–Generated only once for a given document
  The same initialization vector is used for a document, regardless of any editing
User Password Behavior
–Users rarely change passwords for a given document

9 RC4 in Microsoft Office
RC4 Secret Key
–Secret key generated from initialization vector and user password
  Initialization vector never changes
  Typically users never change the password on a given document
–This means the same secret key is used in every edition of a document!

10 Attacks on Office Cryptosystems

11 Brute Force Attack
–Only 40-bit to 128-bit encryption used
  Brute force attack the key
Alternate Attack
–Obtain different editions of a document
  Both will use the same initial keystream

12 Attacks on Office Cryptosystems
Alternate Attack
–Original
–Original (Encrypted)
–Modified (Encrypted)

13 Attacks on Office Cryptosystems
Alternate Attack
–Original (Encrypted)
–Modified (Encrypted)

14 Attacks on Office Cryptosystems
Alternate Attack
–Further exploits
  ASCII characters all have a leading zero bit
–Perform analysis on XOR result of two documents
  See: “Automated cryptanalysis of XOR plaintext strings” [3]

15 Making Office More Secure

16 Simple Changes
–A quick patch to prevent this attack
  Generate a new initialization vector after each edit
–Use HMAC with the user password as the key and the document as the message
–Generate the initialization vector from a random source, such as time (to the millisecond), clock cycles since program launch, etc.
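
The keystream reuse from slides 9 to 13 and the per-edit initialization vector fix from slide 16, as an added example that is not part of the original presentation or of Wu's paper. The SHA-256 key derivation, `os.urandom` as the IV source, the function names and the sample documents are assumptions constructed for illustration.

```python
import hashlib
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key schedule, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA: the initial state depends only on the key
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # PRGA: shuffle the state, emit one keystream byte
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def save_edition(doc: bytes, password: bytes, iv: bytes) -> bytes:
    # Assumption: SHA-256 truncated to 128 bits stands in for the
    # "password and IV hashed together" step; it is not Office's own KDF.
    key = hashlib.sha256(iv + password).digest()[:16]
    return rc4(key, doc)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample data: two editions of one document, same password.
PASSWORD = b"constructed-password"
EDITION_1 = b"Q3 forecast: revenue flat, hiring frozen."
EDITION_2 = b"Q3 forecast: revenue up 4%, hiring open."


def ciphertext_delta(fresh_iv_per_save: bool) -> bytes:
    """XOR of the two encrypted editions, as seen without the password."""
    iv1 = os.urandom(16)
    iv2 = os.urandom(16) if fresh_iv_per_save else iv1  # flaw: IV kept across edits
    c1 = save_edition(EDITION_1, PASSWORD, iv1)
    c2 = save_edition(EDITION_2, PASSWORD, iv2)
    return xor(c1, c2)


if __name__ == "__main__":
    plain_delta = xor(EDITION_1, EDITION_2)
    print("IV reused: delta == P1 xor P2 ->", ciphertext_delta(False) == plain_delta)
    print("fresh IV : delta == P1 xor P2 ->", ciphertext_delta(True) == plain_delta)
```

With the IV reused, the keystream cancels out of the two ciphertexts and the delta is zero wherever the editions agree; for ASCII text its high bit is always clear, which is the property slide 14 refers to.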

17 Making Office More Secure
Simple Changes
–Switch to a block cipher
  AES
  IDEA
–Use CBC (or similar)
  Even if the same initialization vector is used, it is difficult to extract information with CBC

18 Conclusions
Office Misuses RC4 Cipher
–Initialization vector remains the same across edits
–40-bit encryption is woefully insecure against brute force attacks
–RC4 is not a very strong cipher anyway

19 Conclusions
Proposals for Better Security
–Release a quick patch to implement HMAC for initialization vector generation
–Upgrade the cryptosystems to use a block cipher (AES) with CBC
  Make this default

20 Questions?

22 References
[1] H. Wu. The Misuse of RC4 in Microsoft Word and Excel. Institute for Infocomm Research, Singapore, January 2005.
[2] R. Wash. Lecture Notes on Stream Ciphers and RC4. Case Western Reserve University.
[3] E. Dawson and L. Nielsen. Automated cryptanalysis of XOR plaintext strings. Cryptologia, (2):165-181, April 1996.

