There was an interesting discussion that took place on one of the mailing lists I follow the other day with people trying to figure out if the password encryption used in Word 2007 is secure. As most of us know, older versions are easily cracked however the more recent versions are suppose to be more secure. In the discussion there were lots of guesses however no concrete answers.
Finally Bob Weiss, who does stuff like this for a living over at Password Crackers, Inc. up in MD, chimed in with a very informative response. Since I thought a wider audience might be interested in his answer, I contacted Bob and after a few edits he gave me permission to post it here. Enjoy!
Word 2007 uses AES 128-bit encryption however the key is transmitted along with the document (otherwise you couldn’t open it). The key is itself encrypted and this is where the questions about the implementation come in.
Generally attacks against Word are not an attack against AES but rather an attack on the protection of the key. A key is created from the 50,000 SHA-1 hashed rounds of the password combined with the document_id. Then both the key and the hash of the key are encrypted using this new key. When the password is presented for decryption, the process runs again in reverse. The key is encrypted and hashed and this hash is compared to the hash of the key that was encrypted originally. If you gave the correct password, the key is correct and the file is decrypted. If you didn’t, then the key will not be correct. Right now, it is easier to attack the key protection scheme than the AES encryption.
So for the purposes of security analysis, you wouldn’t ask how strong is AES-128 but instead how strong is the algorithm protecting the AES key. The answer right now is … pretty strong. The 50,000 rounds of SHA-1 make a brute-force attack very slow or require significant resources. The state of the art is huge arrays of FPGAs to accelerate the testing; however, this hardware is very expensive and not fast enough to assure password recovery in a reasonable length of time. Unless a user chooses an easy password, but password strength is always a potential vulnerability.
So how secure is it? Let’s say that I would be comfortable locking something important in a .docx or .xlsx without any additional encryption. If you want, you can always wrap the file in another container such as .zip, .rar, .pgp, etc. Each of these is pretty secure as long as you use a strong password and that password is also stored securely.
Robert Weiss is founder and owner of Password Crackers, Inc. He specializes in counter-cryptography and cryptanalysis. He can be contacted at pwcrack theatsign pwcrack dot com.