Some interesting tidbits from the password crackers:

http://www.lostpassword.com/office.htm

  • Word 2007 and Excel 2007 use an industry-strength AES encryption algorithm that makes password search speed slow: 20-100 passwords per second on an average PC.
  • Word 97-2003 and Excel 97-2003 use an industry-strength RC4 encryption algorithm that makes instant password calculation impossible. Office Key finds the password by checking millions of passwords per minute.

They left out that PowerPoint works the same way, and that the password to modify on Word and PowerPoint 2007 is just as hard to crack as the encryption – you can ditch the modify protection, but have fun getting the password.

Then there's this (http://www.net-security.org/secworld.php?id=4873):

"Microsoft Office documents security is considerably enhanced in version 2007. The encryption information block is the same as in Office XP/2003, but Office 2007 always uses AES encryption (is the strongest industry-standard algorithm available) with 128 bit key and SHA-1 hashing; besides, new version improves the algorithm of converting passwords into keys: 50000 SHA-1 sequential iterations are being performed now. You would never notice it when opening a file because the whole process requires less than a second. But in a password recovery process, the speed drops significantly: one can test only about 500 passwords per second even on cutting-edge processors such as Intel Core 2 Duo. Thus, one computer can find 4-5 letter passwords only, and so the only way to recover longer passwords to Office 2007 documents is using a cluster. 1000 computers are able to maintain the speed at 500,000 passwords -- comparable to the speed of password recovery on a single computer for older Microsoft Office documents."

Really nice to see Office getting positive press for encryption.

Oh – and a fun fact – if you had a cluster of 1000 high-end systems (for comparison, I only get 5 cracks/sec on my laptop) all hammering away at the 8 character, alphanumeric (upper and lower case) non-dictionary password you gave the document, it would still take 13.8 years to brute force the entire keyspace. That's not factoring in replacing the systems periodically so that Moore's Law can kick in. Also note that this significantly exceeds RFC 2898 standards. Oh – and I think the 16 bytes of random salt is going to make rainbow tables really hard…

This is fairly cool, too – create a PowerPoint slide with a password to modify. Save out the file, rename it to .zip, and then open it with WinZip or explorer. Then check out presentation.xml. At the bottom, you'll find:

<p:modifyVerifier cryptProviderType="rsaFull" cryptAlgorithmClass="hash" cryptAlgorithmType="typeAny" cryptAlgorithmSid="4" spinCount="50000" saltData="0WWz2SJqZG2CLRdSM4yecg" hashData="5X9Wi67Tm07FpoGEIB0ZGUgMsqw" cryptProvider="" algIdExt="0" algIdExtSource="" cryptProviderTypeExt="0" cryptProviderTypeExtSource="" />

It isn't really as agile or fleshed out as I'd like, but this is an example of crypto agility. Same thing works in Word 2007, too.
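To check these parameters across many files instead of unzipping each by hand, the sketch below reads the modifyVerifier element and flags weak settings. It is an added example, not code from the original post or from Office; the function names, the ppt/presentation.xml part path, and the thresholds (the post's 50000 spin count and 16-byte salt) are assumptions, and the sample package is constructed inline.

```python
# Added example; function names and thresholds are choices made here.
import base64, io, zipfile
import xml.etree.ElementTree as ET

# PresentationML namespace bound to the "p:" prefix
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
# cryptAlgorithmSid values from ECMA-376: name, digest size in bytes
SID = {3: ("MD5", 16), 4: ("SHA-1", 20), 12: ("SHA-256", 32),
       13: ("SHA-384", 48), 14: ("SHA-512", 64)}

def b64(value):
    """Decode base64 that may lack '=' padding, as in the element above."""
    return base64.b64decode(value + "=" * (-len(value) % 4))

def audit_modify_verifier(pptx_bytes, min_spin=50000, min_salt=16):
    """Return the verifier parameters plus a list of findings, or None."""
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        root = ET.fromstring(z.read("ppt/presentation.xml"))
    mv = root.find(f"{{{P_NS}}}modifyVerifier")
    if mv is None:
        return None  # no password to modify is set
    sid = int(mv.get("cryptAlgorithmSid", "0"))
    name, size = SID.get(sid, ("unknown", None))
    salt, digest = b64(mv.get("saltData", "")), b64(mv.get("hashData", ""))
    spin = int(mv.get("spinCount", "0"))
    findings = []
    if name in ("unknown", "MD5"):
        findings.append(f"weak or unknown hash (sid={sid})")
    if size is not None and len(digest) != size:
        findings.append("hashData length does not match algorithm")
    if spin < min_spin:
        findings.append(f"spinCount {spin} below {min_spin}")
    if len(salt) < min_salt:
        findings.append(f"salt only {len(salt)} bytes")
    return {"algorithm": name, "spin_count": spin, "salt_bytes": len(salt),
            "hash_bytes": len(digest), "findings": findings}

def sample_pptx(spin="50000", salt="0WWz2SJqZG2CLRdSM4yecg"):
    """Constructed minimal package holding the post's element (not a deck)."""
    xml = (f'<p:presentation xmlns:p="{P_NS}"><p:modifyVerifier '
           f'cryptAlgorithmSid="4" spinCount="{spin}" saltData="{salt}" '
           'hashData="5X9Wi67Tm07FpoGEIB0ZGUgMsqw"/></p:presentation>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/presentation.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_modify_verifier(sample_pptx()))
    print(audit_modify_verifier(sample_pptx(spin="1", salt="AAAA")))
```

For files from untrusted sources, swap ElementTree for a hardened parser such as defusedxml before running this over a file share.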