Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <a5927a734d8600fad6ee2124dc83df20@smtp.hushmail.com>
Date: Thu, 1 Nov 2012 00:40:47 +0100
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Office <=2003 format


On 31 Oct, 2012, at 2:55 , Rich Rumble <richrumble@...il.com> wrote:

> On Tue, Oct 30, 2012 at 8:02 PM, magnum <john.magnum@...hmail.com> wrote:
>> I am considering implementing oldoffice in OpenCL. This will be easy enough
>> but I would prefer splitting it into two different formats - one for MD5 and
>> another for SHA1. But what would I call them? When did they switch to SHA1?
>> It seems all Office 2003 test files are using SHA1.
> That's right, it changed in (office)2003 to a more secure default. The
> rounds changed between 2007 and 2010 I believe (from 1k to 50k).
> http://blogs.msdn.com/b/david_leblanc/archive/2008/07/03/office-crypto-follies.aspx

Funny reading. OK so our "oldoffice" format handles versions between and including Office 97 and Office 2003. This is (counting actual digest calls, not "updates") either 9 x MD5 + RC4 decryption of 32 bytes, or 3 x SHA1 + RC4 decryption of 36 bytes. Maybe the latter is Office 2003?

Office 2007 defaults to 50004 x SHA1, then AES128 and a final SHA1.

Office 2010 is very similar but defaults to 100000 rounds of SHA1 (plus 4 outside the loop). Some other minor details are changed too.

Office 2013 is exactly like Office 2010, except it uses SHA-512.

> I'd call the old "weak" encryption MS_OFFICE_RC4, I think the md5 is
> the last part of the encryption and the RC4 the "main part" no? It's
> typically referred to as RC4

But it can be either MD5 + RC4 or SHA1 + MD4 so just saying RC4 is not enough.

> http://blogs.msdn.com//b/david_leblanc/archive/2010/04/16/don-t-use-office-rc4-encryption-really-just-don-t-do-it.aspx
> It appears they change the crypto with SP's
> http://blogs.msdn.com//b/david_leblanc/archive/2009/05/20/office-2007-sp2-encryption-settings.aspx
> (I've not changed the defaults in those example files, I may add some :)
> http://blogs.msdn.com//b/david_leblanc/archive/2008/12/04/new-improved-office-crypto.aspx
> -rich


Good links. Thanks!

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.