Solved

MS Word Encryption Options: FIPS-approved (AES, Triple DES, Skipjack)

Posted on 2007-03-24
Last Modified: 2008-01-09
Do any of the following MS Word 2002 encryption algorithms conform with any of the three (3) FIPS-approved encryption algorithms: AES, Triple DES, and Skipjack?

RC4, Microsoft Base Cryptographic Provider 1.0
RC4, Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft DH SChannel Cryptographic Provider
RC4, Microsoft Enhanced Cryptographic Provider v1.0
RC4, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
RC4, Microsoft RSA SChannel Cryptographic Provider
RC4, Microsoft Strong Cryptographic Provider
Question by:BenBurned

Accepted Solution

by:
PowerIT earned 250 total points
First, you'll need to use the Microsoft Enhanced Cryptographic Provider.
It's FIPS 140-1 Level 1 compliant and only supports AES & Triple DES, no Skipjack.
This has been validated under Windows XP for versions 5.1.2518.0, 5.1.2600.1029 and 5.1.2600.2161 (so the original, SP1 & SP2).

This is the documentation of the security policy: http://csrc.nist.gov/cryptval/140-1/140sp/140sp238.pdf and the certificate: http://csrc.nist.gov/cryptval/140-1/140crt/140crt238.pdf.

So nothing built into Word 2002, but the cryptographic provider by the OS!
You select the cryptographic method from the Advanced button on the Security dialog (File | Save As | Tools | Security Options menu option). The default encryption can also be set for users by implementing a group policy.

BTW, there is also a version on 2003 server which is validated to FIPS 140-2 (Software Versions 5.2.3790.0 and 5.2.3790.1830 (=SP1) ).
http://csrc.nist.gov/cryptval/140-1/140sp/140sp382.pdf & http://csrc.nist.gov/cryptval/140-1/140crt/140crt382.pdf


J.




Author Comment

by:BenBurned
Thanks, PowerIT

I saw a report from Feb 2005 about an encryption flaw in MS Office, using 128-bit RC4-based encryption, whereby "it is possible to compare two password-protected Word or Excel drafts and discern the original password". See http://reviews.cnet.com/4520-3513_7-5662635-1.html?tag=txt

If I understand you, the Microsoft Enhanced Cryptographic Provider is in Windows itself and, therefore, does NOT have this flaw.

I scanned the security policy PDF you cite above but did not see any "user-friendly" guidance for the typical MS office user.  Just so I'm sure I understand, are the following instructions correct?

[START OF INSTRUCTIONS]

To encrypt a MS Word, Excel or PowerPoint file, perform the following steps:

(1) File | Save As | Tools |
(2) Security Options (for Excel, it is General Options) |
(3) Advanced | RC4, Microsoft Enhanced Cryptographic Provider v1.0
(4) Enter a strong password in the "Password to Open" field and then hit OK.  You will then be prompted to re-enter the password.  You can reuse the same strong password for multiple files.
(5) Leave key length at the default of 128
(6) To be safe, leave "Encrypt document properties" checked.
(7) If you are encrypting an existing (un-safely) unencrypted file that already has sensitive data, and that file is on "unsecure" media, such as a laptop or USB flash drive that you carry around outside the office, you need to "wipe" the unsecure file using a ______-compliant utility

The encryption/decryption engine is built into the Windows Operating system itself.  You will be able to decrypt this file in MS Office running on any version of WinXP or Vista, but not Windows 2000.

[END OF INSTRUCTIONS]

I don't have the time to cover other details, but I realize that I have not covered all bases such as:
(8) The definition of a strong password
(9) Data that may be in the Windows swap file
(10) Definition of "sensitive" data: proprietary, for official use only, security sensitive, etc
(11) Wipe utility
(12) Versions of MS Office that support this
(13) Physically locking up laptops or portable media


Expert Comment

by:PowerIT
Tolomir, I think I gave a proper answer to the original question: which algorithm is FIPS approved.
The additional comment to me was the author dwelling. His view is right but not part of the original question.
If he really wanted an answer he could have started a new question asking something like 'What are the exact steps to encrypt a Word document using the MS ECP and what are the security risks'.

J.

Author Comment

by:BenBurned
I'm not sure how to respond, but let me try this.  Aside from the step-by-step instructions (which I can post as a new question) I thought I had two legitimate follow-up questions.

(1) I saw a report from Feb 2005 about an encryption flaw in MS Office, using 128-bit RC4-based encryption, whereby "it is possible to compare two password-protected Word or Excel drafts and discern the original password". See http://reviews.cnet.com/4520-3513_7-5662635-1.html?tag=txt

If I understand you, the Microsoft Enhanced Cryptographic Provider is in Windows itself and, therefore, does NOT have this flaw.

(2) PowerIT said to use "Microsoft Enhanced Cryptographic Provider" which supports "support AES & Triple DES". In my step-by-step instructions I cited the use of
RC4, Microsoft Enhanced Cryptographic Provider v1.0
as opposed to
RC4, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)

In other words, I simply wanted confirmation of the correct algorithm.  The 3rd algorithm mentions AES, but the first does NOT.  However, it is a prototype & I'm not sure of the implications of that.
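
Added example, not part of the original thread: one way a comparison of two password-protected drafts can leak information is stream-cipher keystream reuse, which is assumed here to be the condition behind the report cited above. The sketch uses a hypothetical `derive_key` (not Office's real key derivation) and constructed sample drafts; in it the only thing that matters is whether the salt is fresh for each save.

```python
import hashlib
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def derive_key(password: str, salt: bytes) -> bytes:
    # Hypothetical KDF for illustration only (an assumption, not Office's
    # derivation): a 128-bit key taken from SHA-1(salt || password).
    return hashlib.sha1(salt + password.encode()).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def unchanged_prefix(c1: bytes, c2: bytes) -> int:
    """Number of leading bytes on which two ciphertexts agree."""
    diff = xor(c1, c2)
    return len(diff) - len(diff.lstrip(b"\x00"))

# Constructed sample: two revisions of one document, same password.
PASSWORD = "constructed-example-password"
DRAFT_1 = b"Q3 budget: 1,200,000 USD approved"
DRAFT_2 = b"Q3 budget: 1,950,000 USD approved"

def save_pair(fresh_salt: bool):
    """Encrypt both drafts, reusing one salt or drawing a new one per save."""
    salt1 = os.urandom(16)
    salt2 = os.urandom(16) if fresh_salt else salt1
    c1 = rc4(derive_key(PASSWORD, salt1), DRAFT_1)
    c2 = rc4(derive_key(PASSWORD, salt2), DRAFT_2)
    return c1, c2
```

With a reused salt the XOR of the two ciphertexts equals the XOR of the two plaintexts, so unchanged regions show up as zero bytes; a new random salt on every save removes that relationship.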


Author Comment

by:BenBurned
I will award points to PowerIT since my EE subscription is expiring today