X-RDate: Wed, 14 Apr 1999 17:57:39 +0100 (IST)
Received: from mailgate2.ul.ie ([136.201.1.2]) by exch-staff1.ul.ie with SMTP
 (Microsoft Exchange Internet Mail Service Version 5.5.1960.3) id 284D4XF8;
 Wed, 14 Apr 1999 17:50:49 +0100
Received: from hermes.ucd.ie by mailgate2.ul.ie with SMTP (PP) id
 <08098-0@mailgate2.ul.ie>; Wed, 14 Apr 1999 17:39:57 +0000
Received: from platon.cs.rhbnc.ac.uk (dns1.rhbnc.ac.uk) by hermes.ucd.ie (PMDF
 V5.1-10 #U3251) with ESMTP  id <0FA600N3NQC5FY@hermes.ucd.ie> for
 Caolan.McNamara@ul.ie; Wed, 14 Apr 1999 16:14:34 +0100 (BST)
Received: from sartre.cs.rhbnc.ac.uk (sartre.cs.rhbnc.ac.uk [134.219.188.2]) by
 platon.cs.rhbnc.ac.uk (8.9.1a/8.9.1) with SMTP id QAA02297  for
 <Caolan.McNamara@ul.ie>; Wed, 14 Apr 1999 16:11:59 +0100 (BST)
Date: Wed, 14 Apr 1999 16:11:59 +0100 (BST)
In-reply-to: <XFMail.990412204301.Caolan.McNamara@ul.ie>
X-Sender: fauzan@sartre.cs.rhbnc.ac.uk
Message-id: <Pine.OSF.3.96.990414155707.5753D-100000@sartre.cs.rhbnc.ac.uk>
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
XFMstatus: 0002
From: Fauzan Mirza <fauzan@dcs.rhbnc.ac.uk>
To: Caolan McNamara <Caolan.McNamara@ul.ie>
Subject: Re: rc4 and office 97 ?


Hi Caolan

> Would you possibly have any information to shed some light on the
> decryption of word docs. All i want is to be able to do is prompt the
> user for the correct password and then demunge the word doc. Can you
> confirm that the encryption algorithm is rc4 ?. 

I attempted to work out the encryption method from Word 97 a brief
while ago by examining lots of password protected documents. I found a few
interesting properties of the encryption but couldn't work out the exact
system. I decided that the easiest thing would be to pay Microsoft for the
details or reverse engineer Word 97. Sadly, I can't do either of those,
so I've given up (temporarily).

>From what I've gathered, Word 97 uses the RC4 stream cipher and a modified
MD5 hash (I don't know how the hash is modified though). I also know that
there is a slow key processing stage where the MD5 is iterated a number of
times (I've forgotten the exact number of times). This alone would imply
that working out the exact decryption method merely by examining
ciphertexts would be infeasible. As I said, the easiest thing would be to
get the details from Microsoft (however, I doubt they'd do this willingly)
or have Word 97 reverse engineered. 

It would be excellent if someone did this and published the details.
 
> The reference to yourself i got from
> http://www.rz.uni-konstanz.de/Antivirus/F-Prot/wdcrypt.txt
> 
> If you are very interested (doubtful) you could look at
> http://www.csn.ul.ie/~caolan/challenge/decryption.README

Thanks for the URLs. I did check them out. I think the challenge is too
tough - it would appeal more to the Windows 95 reverse engineering
specialists than to cryptanalysts. Even then, they would need some
motivation.

If you do figure out how to decrypt Word 97 documents, I would love to
know. Likewise, if I find out how it's done and if I'm at liberty to do
so, I'll let you know. 

Cheers
Fauzan

==================================================================
 Fauzan Mirza                Department of Mathematics
 Research Postgraduate       Royal Holloway, University of London
==================================================================
