MS Word Encryption Options: FIPS-approved (AES, Triple DES, Skipjack)

Do any of the following MS Word 2002 encryption algorithms conform with any of the three (3) FIPS-approved encryption algorithms: AES, Triple DES, and Skipjack?

RC4, Microsoft Base Cryptographic Provider 1.0
RC4, Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft DH SChannel Cryptographic Provider
RC4, Microsoft Enhanced Cryptographic Provider v1.0
RC4, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
RC4, Microsoft RSA SChannel Cryptographic Provider
RC4, Microsoft Strong Cryptographic Provider
BenBurned Asked:

PowerIT Commented:
First, you'll need to use the Microsoft Enhanced Cryptographic Provider.
It's FIPS 140-1 Level 1 compliant and only supports AES & Triple DES, no Skipjack.
This has been validated under Windows XP for versions 5.1.2518.0, 5.1.2600.1029 and 5.1.2600.2161 (so the original, SP1 & SP2).

This is the documentation of the security policy: http://csrc.nist.gov/cryptval/140-1/140sp/140sp238.pdf and the certificate: http://csrc.nist.gov/cryptval/140-1/140crt/140crt238.pdf.

So nothing is built into Word 2002; the encryption is done by the cryptographic provider of the OS!
You select the cryptographic method from the Advanced button on the Security dialog (File | Save As | Tools | Security Options menu option). The default encryption can also be set for users by implementing a group policy.

BTW, there is also a version on Server 2003 which is validated to FIPS 140-2 (Software Versions 5.2.3790.0 and 5.2.3790.1830 (=SP1)).
http://csrc.nist.gov/cryptval/140-1/140sp/140sp382.pdf & http://csrc.nist.gov/cryptval/140-1/140crt/140crt382.pdf 


J.



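A host-side check that follows from this answer, added here as an example and not code from the thread or from Microsoft: it lists the CryptoAPI providers registered on a Windows machine, reads the DLL each one loads, compares the Enhanced provider's file version with the versions quoted from the two NIST certificates above, and reports whether the system FIPS algorithm policy is switched on. The registry locations (Defaults\Provider and the Lsa FipsAlgorithmPolicy setting) and the mapping of the Enhanced CSP to rsaenh.dll come from Windows itself, not from this thread; treat them as assumptions to confirm on the host you run this on.

```powershell
# Added example (not from the thread). Enumerates registered CSPs and checks whether the
# installed Enhanced CSP build is one of the versions listed in the cited FIPS certificates.
$ProviderRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'

# Versions of the Enhanced CSP named in the two certificates quoted in the answer above.
$ValidatedVersions = @(
    '5.1.2518.0', '5.1.2600.1029', '5.1.2600.2161',   # Windows XP RTM / SP1 / SP2 (cert 238)
    '5.2.3790.0',  '5.2.3790.1830'                    # Windows Server 2003 RTM / SP1 (cert 382)
)

function Get-RegisteredCsp {
    # One object per registered CSP: display name, provider type, module path, module version.
    Get-ChildItem -Path $ProviderRoot | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $image = [Environment]::ExpandEnvironmentVariables([string]$props.'Image Path')
        # Older systems register just the file name (e.g. rsaenh.dll); resolve it against System32.
        if ($image -and -not [System.IO.Path]::IsPathRooted($image)) {
            $image = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $image
        }
        $version = $null
        if ($image -and (Test-Path -Path $image)) {
            $vi = (Get-Item -Path $image).VersionInfo
            # Build a plain a.b.c.d string; FileVersion itself may carry a build tag suffix.
            $version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        }
        [pscustomobject]@{
            Name      = $_.PSChildName
            Type      = $props.Type
            ImagePath = $image
            Version   = $version
        }
    }
}

function Test-FipsPolicyEnabled {
    # Vista and later: Lsa\FipsAlgorithmPolicy key with an 'Enabled' DWORD.
    # XP / Server 2003: a 'FipsAlgorithmPolicy' DWORD directly under Lsa.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $new = Get-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $new) { return [bool]$new.Enabled }
    $old = Get-ItemProperty -Path $lsa -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue
    if ($null -ne $old) { return [bool]$old.FipsAlgorithmPolicy }
    return $false
}

function Test-EnhancedCspValidated {
    # Returns the installed Enhanced CSP's version and whether it is one of the validated builds.
    $csp = Get-RegisteredCsp | Where-Object { $_.Name -eq 'Microsoft Enhanced Cryptographic Provider v1.0' }
    [pscustomobject]@{
        Name      = $csp.Name
        ImagePath = $csp.ImagePath
        Version   = $csp.Version
        Validated = ($ValidatedVersions -contains $csp.Version)
    }
}

# Report: every registered provider, then the Enhanced CSP verdict and the FIPS policy state.
Get-RegisteredCsp | Format-Table Name, Type, Version -AutoSize
Test-EnhancedCspValidated | Format-List
"FIPS algorithm policy enabled: $(Test-FipsPolicyEnabled)"
```

Two things to keep in mind when reading the output. A "Validated" result only says the module on disk is a build named in the certificate; it says nothing about which of the module's algorithms an application actually asks for, and every entry in the Word dropdown quoted in the question is labelled "RC4, ...", so the provider name alone does not tell you that AES or Triple DES is what protects the file. And a newer Windows build will report a version outside the list above simply because the list is limited to the certificates this thread cites, not because the module is unvalidated.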
BenBurned (Author) Commented:
Thanks, PowerIT

I saw a report from Feb 2005 about an encryption flaw in MS Office, using 128-bit RC4-based encryption, whereby "it is possible to compare two password-protected Word or Excel drafts and discern the original password". See http://reviews.cnet.com/4520-3513_7-5662635-1.html?tag=txt

If I understand you, the Microsoft Enhanced Cryptographic Provider is in Windows itself and, therefore does NOT have this flaw.

I scanned the security policy PDF you cite above but did not see any "user-friendly" guidance for the typical MS office user.  Just so I'm sure I understand, are the following instructions correct?

[START OF INSTRUCTIONS]

To encrypt a MS Word, Excel or PowerPoint file, perform the following steps

(1) File | Save As | Tools |
(2) Security Options (for Excel, it is General Options) |
(3) Advanced | RC4, Microsoft Enhanced Cryptographic Provider v1.0
(4) Enter a strong password in the "Password to Open" field and then hit OK.  You will then be prompted to re-enter the password.  You can reuse the same strong password for multiple files.
(5) Leave key length at the default of 128
(6) To be safe, leave "Encrypt document properties" checked.
(7) If you are encrypting an existing (un-safely) unencrypted file that already has sensitive data, and that file is on "unsecure" media, such as a laptop or USB flash drive that you carry around outside the office, you need to "wipe" the unsecure file using a ______-compliant utility

The encryption/decryption engine is built into the Windows Operating system itself.  You will be able to decrypt this file in MS Office running on any version of WinXP or Vista, but not Windows 2000.

[END OF INSTRUCTIONS]

I don't have the time to cover other details, but I realize that I have not covered all bases such as:
(8) The definition of a strong password
(9) Data that may be in the Windows swap file
(10) Definition of "sensitive" data: proprietary, for official use only, security sensitive, etc
(11) Wipe utility
(12) Versions of MS Office that support this
(13) Physically locking up laptops or portable media

PowerIT Commented:
Tolomir, I think I gave a proper answer to the original question: which algorithm is FIPS approved.
The additional comment to me was the author dwelling. His view is right but not part of the original question.
If he really wanted an answer he could have started a new question asking something like 'What are the exact steps to encrypt a Word document using the MS ECP and what are the security risks'.

J.
BenBurned (Author) Commented:
I'm not sure how to respond, but let me try this.  Aside from the step-by-step instructions (which I can post as a new question) I thought I had two legitimate follow-up questions.

(1) I saw a report from Feb 2005 about an encryption flaw in MS Office, using 128-bit RC4-based encryption, whereby "it is possible to compare two password-protected Word or Excel drafts and discern the original password". See http://reviews.cnet.com/4520-3513_7-5662635-1.html?tag=txt

If I understand you, the Microsoft Enhanced Cryptographic Provider is in Windows itself and, therefore does NOT have this flaw.

(2) PowerIT said to use the "Microsoft Enhanced Cryptographic Provider", which supports "AES & Triple DES". In my step-by-step instructions I cited the use of
RC4, Microsoft Enhanced Cryptographic Provider v1.0
as opposed to
RC4, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)

In other words, I simply wanted confirmation of the correct algorithm.  The 3rd algorithm mentions AES, but the first does NOT.  However, it is a prototype & I'm not sure of the implications of that.

BenBurned (Author) Commented:
I will award points to PowerIT since my EE subscription is expiring today