‘The Misuse of RC4 in Microsoft Word and Excel’


‘A serious security flaw in Microsoft Word and Excel allows an attacker to easily decrypt a Microsoft encrypted document.

The stream cipher RC4 with key length up to 128 bits is used in Microsoft Word and Excel to protect the documents. However, when an encrypted document gets modified and saved, the initialization vector remains the same and thus the same keystream generated from RC4 is used to encrypt the different versions of that document. The consequence is disastrous since a lot of information of the document could be recovered.’


The original article can be found at: http://eprint.iacr.org/2005/007.pdf


‘After more than two decades of public research on cryptography, many practically secure ciphers have been proposed. If we use those ciphers properly, adequate protection could be achieved.

Unfortunately, when the ciphers are implemented in products, various security problems may arise. A well-known story is related to an old version of the Netscape browser. In the implementation of the Secure Socket Layer (SSL) in Netscape 1.1, the key of the symmetric key cipher is derived from the current time and the process ID (or the system time).

The key space becomes severely limited, and even the 128-bit encryption version could be easily cracked [4]. For the implementation of stream ciphers, the basic principle is that if the same key is used more than once, different initialization vectors should be used to prevent the same keystream from being used to encrypt more than one message.

When the stream cipher is used in data transmission, normally people would follow this principle strictly. However, in an environment where the document needs to be edited and modified, such a principle may be forgotten. This kind of mistake takes place in the Microsoft Office (Word and Excel) encryption: the same key and the same initialization vector are allowed to encrypt different versions of a document.

This happens as follows. We encrypt a Microsoft Office (Word or Excel) document with a password and save that file. Later that document is modified and saved again. In this process, the key and initialization vector remain unchanged, so the same keystream is used to protect two different versions (the original and the modified versions) of the document.

By XORing those two versions, we could obtain a lot of information about the document. The above attack could take place in real life. Suppose that Alice and Bob are working on the same Microsoft Office (Word or Excel) document. They share the same password and use that password to protect the document. They would make changes to the document, and the document is encrypted and transmitted between them a number of times.

In this process, the same password and initialization vector are used to protect all the modified versions of that document, and the document could be easily recovered from those intercepted files with high chance.

Here is another example. Suppose that Alice is working on a Microsoft Office document (Word or Excel) and she uses a password to protect it. During the process, Alice may need to back up her files. An attacker could retrieve a lot of information from those backup files even though the attacker does not know Alice’s password.

This report is organized as follows:
 * The background information on the security of Microsoft Office
 * We illustrate the misuse of RC4 in Microsoft Word and Excel
 * We discuss the countermeasure
 * We provide a conclusion’
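
The keystream reuse described above can be reproduced in a few lines. This is an added example, not code from the paper or from Microsoft Office: the key derivation in `save`, the password and the two document versions are constructed assumptions and do not follow the Office file format. It contrasts an initialization vector kept across saves with a fresh one per save.

```python
import hashlib
import os

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def save(password: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Assumption: simplified derivation of a 128-bit key from IV and password.
    key = hashlib.sha256(iv + password).digest()[:16]
    return xor(plaintext, rc4_keystream(key, len(plaintext)))

# Constructed sample data: two versions of one document.
PASSWORD = b"shared-password"
V1 = b"Offer price: 1200 USD, valid until Friday."
V2 = b"Offer price: 9800 USD, valid until Friday."

def reused_iv_delta() -> bytes:
    """Flawed behaviour: the IV is chosen once and kept for every save."""
    iv = os.urandom(16)
    return xor(save(PASSWORD, iv, V1), save(PASSWORD, iv, V2))

def fresh_iv_delta() -> bytes:
    """Corrected behaviour: every save draws a new IV, so keystreams differ."""
    return xor(save(PASSWORD, os.urandom(16), V1),
               save(PASSWORD, os.urandom(16), V2))

def changed_offsets(delta: bytes) -> list[int]:
    """Non-zero bytes mark where the two plaintexts differ."""
    return [i for i, b in enumerate(delta) if b]

if __name__ == "__main__":
    print("reused IV, edited offsets:", changed_offsets(reused_iv_delta()))
    print("fresh IV, non-zero bytes :", len(changed_offsets(fresh_iv_delta())))
```

With the reused IV, the XOR of the two ciphertexts equals the XOR of the two plaintexts, so the password plays no part in what leaks; with a fresh IV per save, the XOR carries no such structure.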
