Date: Thu, 1 Nov 2012 00:40:47 +0100
From: magnum <>
Subject: Re: Office <=2003 format

On 31 Oct, 2012, at 2:55, Rich Rumble <> wrote:

> On Tue, Oct 30, 2012 at 8:02 PM, magnum <> wrote:
>> I am considering implementing oldoffice in OpenCL. This will be easy enough
>> but I would prefer splitting it into two different formats - one for MD5 and
>> another for SHA1. But what would I call them? When did they switch to SHA1?
>> It seems all Office 2003 test files are using SHA1.
> That's right, it changed in (office)2003 to a more secure default. The
> rounds changed between 2007 and 2010 I believe (from 1k to 50k).

Funny reading. OK so our "oldoffice" format handles versions between and including Office 97 and Office 2003. This is (counting actual digest calls, not "updates") either 9 x MD5 + RC4 decryption of 32 bytes, or 3 x SHA1 + RC4 decryption of 36 bytes. Maybe the latter is Office 2003?

Office 2007 defaults to 50004 x SHA1, then AES128 and a final SHA1.

Office 2010 is very similar but defaults to 100000 rounds of SHA1 (plus 4 outside the loop). Some other minor details are changed too.

Office 2013 is exactly like Office 2010, except it uses SHA-512.

> I'd call the old "weak" encryption MS_OFFICE_RC4, I think the md5 is
> the last part of the encryption and the RC4 the "main part" no? It's
> typically referred to as RC4

But it can be either MD5 + RC4 or SHA1 + MD4 so just saying RC4 is not enough.

> It appears they change the crypto with SP's
> (I've not changed the defaults in those example files, I may add some :)
> -rich

Good links. Thanks!
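
The following is an added example, not part of the original message and not John the Ripper code. It walks the Office 2007 "standard encryption" key derivation as described in Microsoft's published [MS-OFFCRYPTO] specification and counts SHA-1 digest calls, to show the work factor a defender gets from this format. The function names, password and salt are constructed for illustration, and counting both X1 and X2 is an assumption about how the figure of 50004 in the message can be reached.

```python
import hashlib
import struct

SPIN_COUNT = 50000   # fixed iteration count for Office 2007 standard encryption
KEY_BYTES = 16       # AES-128 key size
BLOCK = 64           # SHA-1 input block size used for the 0x36 / 0x5C padding


class CountingSHA1:
    """Thin wrapper around hashlib.sha1 that counts completed digest calls."""

    def __init__(self):
        self.calls = 0

    def digest(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.sha1(data).digest()


def derive_office2007_key(password: str, salt: bytes, sha1: CountingSHA1) -> bytes:
    # H0 = SHA1(salt || password as UTF-16LE)
    h = sha1.digest(salt + password.encode("utf-16-le"))
    # Hn = SHA1(LE32(i) || Hn-1) for i = 0 .. SPIN_COUNT-1
    for i in range(SPIN_COUNT):
        h = sha1.digest(struct.pack("<I", i) + h)
    # Hfinal = SHA1(Hn || LE32(block number)), block number is 0
    h = sha1.digest(h + struct.pack("<I", 0))
    # X1 / X2: Hfinal XORed into a 64-byte buffer filled with 0x36 / 0x5C.
    pad = BLOCK - len(h)
    x1 = sha1.digest(bytes(b ^ 0x36 for b in h) + b"\x36" * pad)
    # X2 does not contribute to a 16-byte key; it is computed here only
    # because the specification defines the key as a prefix of X1 || X2.
    x2 = sha1.digest(bytes(b ^ 0x5C for b in h) + b"\x5c" * pad)
    return (x1 + x2)[:KEY_BYTES]


def key_and_digest_count(password: str, salt: bytes):
    """Return (key, number of SHA-1 digest calls used to derive it)."""
    counter = CountingSHA1()
    key = derive_office2007_key(password, salt, counter)
    return key, counter.calls


if __name__ == "__main__":
    # Constructed sample input: 16-byte salt and a test password.
    salt = bytes(range(16))
    key, calls = key_and_digest_count("example-password", salt)
    print(f"derived {len(key)}-byte key using {calls} SHA-1 digest calls")
```

The derived key is then used for the AES-128 step, followed by one more SHA-1 over the decrypted verifier, which this example leaves out.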

