MS-OFFCRYPTO Examples

Updated Wiki: Home

DrTusk — Thu, 22 Nov 2012 21:26:00 GMT

Project Description
This project demonstrates the techniques documented in MS-OFFCRYPTO.

The code presented here is for demonstration purposes only. While the code has been written to be robust, it has not been tested to production quality, and some shortcuts may have been taken because the code is not intended for general use. You are welcome to use the code for any purpose you like, but you should review it and test it carefully before using it for any production purpose.

This project currently consists of:

1) ExtractStream.cpp - many of the techniques rely on isolating a stream from a compound file. This application can extract streams, even if there are unprintable characters in the stream name. It can also be used to list the streams and storages.

2) OoxmlEncrypt.cs - a C# project that demonstrates how to correctly verify an entire EncryptionInfo stream, and check that the password matches. The code only works for ECMA-376 Document Encryption - the older RC4 encryption will be handled in another project, which is TBD at the moment. This is written in C# because the original code was written in C++, and by using a different language, we can ensure that language and library-specific assumptions are taken into account.

3) ManagedRC4 - A wrapper over CAPI RC4 needed by the other RC4 encryption projects.

4) CapiRC4Encrypt - a C# project that demonstrates how to correctly verify the encryption info header and verify the password for CAPI RC4 encryption, which is the default for PowerPoint encryption of .ppt files, and is an option on Word and Excel files.

5) Legacy RC4 - another C# project that demonstrates how to verify a legacy encryption header and verify the password. Note - completing this entailed a minor bug fix to ManagedRC4 - if you grab this project, please get that one as well.

Note - the ManagedRC4 project has just been updated to make some of the behavior underlying CryptDeriveKey explicit. This should help facilitate porting to crypto libraries other than CAPI (including CNG).

4/9/2009 - Just updated ExtractStream to get it to pull out the encryption header directly from a PowerPoint file, as it is a bit of a pain to find the correct offset. I've also updated the CapiRC4Encrypt project to deal correctly with the fact that there is now (as of Office 2007 SP2) a major version of 4. previously, we enforced major version of 2 or 3 only.

11/22/2012 - added a C# project that demonstrates reading and writing version4 encrypted Office documents, and a test application to read an existing encrypted OpenXml file and dump out various information.

To get all the files, go to the Releases tab.

Source code checked in, #70372

DrTusk — Thu, 22 Nov 2012 03:11:55 GMT

Source code checked in, #70371

DrTusk — Thu, 22 Nov 2012 02:55:56 GMT

Initial implementation of OfficeAgile crypto support library. Also included test exe

Source code checked in, #69709

Project Collection Service Accounts — Mon, 01 Oct 2012 22:10:56 GMT

Upgrade: New Version of LabDefaultTemplate.xaml. To upgrade your build definitions, please visit the following link: http://go.microsoft.com/fwlink/?LinkId=254563

Source code checked in, #69708

Project Collection Service Accounts — Mon, 01 Oct 2012 22:06:45 GMT

Checked in by server upgrade

Source code checked in, #52373

_TFSSERVICE — Wed, 28 Jul 2010 17:08:20 GMT

Checked in by server upgrade

Updated Release: CapiRC4Encrypt (Jan 08, 2009)

dcleblanc — Fri, 10 Apr 2009 02:30:29 GMT

This code demonstrates parsing an EncryptionInfo struct generated by a PowerPoint file. It depends on the ManagedRC4 project.

Use ExtractStream -e to get the header from the PowerPoint file. The password for the file is 'password'.

Note - I updated this to use CryptImportKey instead of CryptDeriveKey - this takes one layer of the black box out of the equation.

Released: CapiRC4Encrypt (Jan 08, 2009)

Fri, 10 Apr 2009 02:30:29 GMT

Updated Release: ExtractStream (Dec 21, 2008)

dcleblanc — Fri, 10 Apr 2009 02:28:34 GMT

ExtractStream is a utility used to list and extract streams from an OLE compound file, which is what is used for Office 2003 and earlier files, as well as encrypted files generated by Office 2007.

Note - updated to allow PowerPoint files to have the encryption header extracted directly, since it was a pain to specify the offset. Will tackle Word and Excel shortly.

Released: ExtractStream (Dec 21, 2008)

Fri, 10 Apr 2009 02:28:34 GMT

Updated Wiki: Home

dcleblanc — Fri, 10 Apr 2009 02:26:38 GMT

New Post: Incorrect versions exception with PPTX

tcnguyen — Tue, 07 Apr 2009 16:48:51 GMT

Greetings,

Thank you for your great work, David.

I tried to run the OoxmlEncrypt.cs against a file that I created in Office 2007 and I got an error complaining the first 4-bytes block of the file stream does not contain the correct versions.

Would you please let me know what's the workaround for this little problem?

Thank you again.

-- Tommy.

Updated Release: ManagedRC4 (Jan 08, 2009)

dcleblanc — Fri, 06 Feb 2009 09:02:36 GMT

This project is to get around the issue that RC4 is not available in .NET. It isn't a fully featured RC4 wrapper, but it is enough to illustrate the concepts.

An issue worth mentioning here is that CryptDeriveKey and CryptImportKey have some special behaviors with respect to 40-bit encryption. The MSDN topic "Salt Value Functionality" explains this:

=== begin quote====
The Base Provider creates 40-bit symmetric keys created with eleven bytes of zero-value salt, eleven bytes of nonzero salt if CRYPTCREATESALT is specified, or no salt value. A 40-bit symmetric key with zero-value salt, however, is not equivalent to a 40-bit symmetric key without salt. For interoperability, keys must be created without salt. This problem results from a default condition that occurs only with keys of exactly 40 bits. All other key lengths do not have salt allocated by default.

Both the Base Providers and the Extended Provider can use the CRYPTNOSALT flag to specify that no salt value is allocated for a 40-bit symmetric key. The functions that accept this flag are CryptGenKey, CryptDeriveKey, and CryptImportKey. By default, these functions provide backward compatibility for the 40-bit symmetric key case by continuing the use of the eleven-byte-long zero-value salt.
=== end quote =====

1/9/09 - Made a minor tweak to RC4Native::ImportKey to make the above explicit. Comments from the code:

// This step makes explicit what the Microsoft implementation of RC4 is really doing, unless
// CRYPTNOSALT flag is set. Essentially, there's a 128-bit key, just that the last 88 bits
// are all 0. Unfortunately, there is no standard for RC4, which is part of why this happens.
if( cbKeyData == 5 )
*pcbKeyData = 16;

So essentially, a PLAINTEXTBLOB for 40-bit RC4 is exactly the same if:
a) Data size = 5
b) Data size = 16 AND the last 11 bytes are 0

This project is needed in order to use the CapiRC4Encrypt project.

Note - this was just updated to use CryptImportKey, instead of CryptDeriveKey - removes one more layer of the CAPI calls.

2/6 - Minor bug fix for Legacy RC4 example

Released: ManagedRC4 (Jan 08, 2009)

Fri, 06 Feb 2009 09:02:35 GMT

Updated Release: ManagedRC4 (Jan 08, 2009)

dcleblanc — Fri, 06 Feb 2009 09:01:12 GMT

This project is to get around the issue that RC4 is not available in .NET. It isn't a fully featured RC4 wrapper, but it is enough to illustrate the concepts. One limitation is that it does not load the CAPI provider which gives you 128-bit encryption - the default for this encryption approach is 40-bit, which works just fine.

An issue worth mentioning here is that CryptDeriveKey and CryptImportKey have some special behaviors with respect to 40-bit encryption. The MSDN topic "Salt Value Functionality" explains this:

=== begin quote====
The Base Provider creates 40-bit symmetric keys created with eleven bytes of zero-value salt, eleven bytes of nonzero salt if CRYPTCREATESALT is specified, or no salt value. A 40-bit symmetric key with zero-value salt, however, is not equivalent to a 40-bit symmetric key without salt. For interoperability, keys must be created without salt. This problem results from a default condition that occurs only with keys of exactly 40 bits. All other key lengths do not have salt allocated by default.

Both the Base Providers and the Extended Provider can use the CRYPTNOSALT flag to specify that no salt value is allocated for a 40-bit symmetric key. The functions that accept this flag are CryptGenKey, CryptDeriveKey, and CryptImportKey. By default, these functions provide backward compatibility for the 40-bit symmetric key case by continuing the use of the eleven-byte-long zero-value salt.
=== end quote =====

1/9/09 - Made a minor tweak to RC4Native::ImportKey to make the above explicit. Comments from the code:

// This step makes explicit what the Microsoft implementation of RC4 is really doing, unless
// CRYPTNOSALT flag is set. Essentially, there's a 128-bit key, just that the last 88 bits
// are all 0. Unfortunately, there is no standard for RC4, which is part of why this happens.
if( cbKeyData == 5 )
*pcbKeyData = 16;

So essentially, a PLAINTEXTBLOB for 40-bit RC4 is exactly the same if:
a) Data size = 5
b) Data size = 16 AND the last 11 bytes are 0

This project is needed in order to use the CapiRC4Encrypt project.

Note - this was just updated to use CryptImportKey, instead of CryptDeriveKey - removes one more layer of the CAPI calls.

2/6 - Minor bug fix for Legacy RC4 example

Updated Release: Legacy RC4 (Feb 06, 2009)

dcleblanc — Fri, 06 Feb 2009 08:58:09 GMT

Demonstrates the legacy RC4 encryption technique. Files include:

LegacyRC4.cs - source code to verify the header.
password_dump.txt - notes on the intermediate hash results for the password.doc file
password.doc - a 40-bit RC4 encrypted document with a password of (you guessed it) 'password'

Released: Legacy RC4 (Feb 06, 2009)

Fri, 06 Feb 2009 08:58:08 GMT

Created Release: Legacy RC4 (Feb 06, 2009)

dcleblanc — Fri, 06 Feb 2009 08:54:17 GMT

Demonstrates the legacy RC4 encryption technique.

Updated Wiki: Home

dcleblanc — Fri, 06 Feb 2009 08:52:16 GMT

Updated Wiki: Home

dcleblanc — Fri, 09 Jan 2009 19:16:53 GMT

Project Description
This project demonstrates the techniques documented in MS-OFFCRYPTO.

The code presented here is for demonstration purposes only. While the code has been written to be robust, it has not been tested to production quality, and some shortcuts may have been taken because the code is not intended for general use. You are welcome to use the code for any purpose you like, but you should review it and test it carefully before using it for any production purpose.

This project currently consists of:

1) ExtractStream.cpp - many of the techniques rely on isolating a stream from a compound file. This application can extract streams, even if there are unprintable characters in the stream name. It can also be used to list the streams and storages.

2) OoxmlEncrypt.cs - a C# project that demonstrates how to correctly verify an entire EncryptionInfo stream, and check that the password matches. The code only works for ECMA-376 Document Encryption - the older RC4 encryption will be handled in another project, which is TBD at the moment. This is written in C# because the original code was written in C++, and by using a different language, we can ensure that language and library-specific assumptions are taken into account.

3) ManagedRC4 - A wrapper over CAPI RC4 needed by the other RC4 encryption projects.

4) CapiRC4Encrypt - a C# project that demonstrates how to correctly verify the encryption info header and verify the password for CAPI RC4 encryption, which is the default for PowerPoint encryption of .ppt files, and is an option on Word and Excel files.

Code to demonstrate the legacy RC4 encryption is in progress, and will posted once I sort out the nuances of CryptDeriveKey.

Note - the ManagedRC4 project has just been updated to make some of the behavior underlying CryptDeriveKey explicit. This should help facilitate porting to crypto libraries other than CAPI (including CNG).

To get all the files, go to the Releases tab.