Office 2007 'Password to Open' Decryption

Posted on 2007-08-04
Last Modified: 2008-01-09
I am a C++ developer trying to programmatically decrypt an Office 2007 file. I know the password, and I'm trying to map the algorithm to extract the document into an unencrypted archive. There are a couple of issues I am having, though they are all tied into the decryption process. I have scoured the net for information on how to open the encrypted archive without luck.

The encrypted file is saved as an OLE document. The "EncryptedPackage" OLE storage contains the encrypted data. AES 128 is used by default. The encrypted data has to have a multiple of 16B in order to be properly decrypted. The encrypted data always contains an extra 8B. How do I account for this extra data? How is the original data padded to fit the 16B standards?

The password to AES 128 is 32B. The marketing surrounding the Office 2007 encryption claims the password goes through 50,000 iterations of SHA1 hash. SHA1 returns a 20B hash for the password. Office 2007 allows for passwords up to 255 characters long. How is the password formatted upon entering the SHA1 hash? Is a salt used? Do I pad the resulting 20B SHA1 result with 12 0's after the result?

There are multiple questions listed here, but all fall under the same problem. If I should split it down into 2 or more questions, please let me know. Pointing me to a resource where this has been addressed would work just as well.

Question by:NVin
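Added example, not part of the original thread: a C++ sketch of how the "extra 8B" and the 16B alignment described in the question fit together. It assumes the stream layout Microsoft later documented in its MS-OFFCRYPTO specification (an unencrypted 8-byte little-endian plaintext length, then AES ciphertext padded to whole blocks); the names `PackageLayout`, `parseEncryptedPackage`, `trimToPlainSize` and `constructedStream` are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr std::size_t kSizeField = 8;   // assumed: plaintext length prefix, stored unencrypted
constexpr std::size_t kAesBlock  = 16;  // AES block size in bytes

struct PackageLayout {
    std::uint64_t plainSize;  // length of the original (ZIP) package
    std::size_t   cipherOff;  // offset of the first ciphertext byte
    std::size_t   cipherLen;  // ciphertext length, a multiple of 16
};

// Split a raw EncryptedPackage stream into its size prefix and ciphertext.
// Returns false when the framing is inconsistent (truncated or corrupt stream).
bool parseEncryptedPackage(const std::vector<std::uint8_t>& s, PackageLayout& out) {
    if (s.size() < kSizeField) return false;
    std::uint64_t n = 0;
    for (std::size_t i = 0; i < kSizeField; ++i)            // little-endian decode
        n |= static_cast<std::uint64_t>(s[i]) << (8 * i);
    const std::size_t cipherLen = s.size() - kSizeField;
    if (cipherLen % kAesBlock != 0) return false;           // not whole AES blocks
    if (n > cipherLen) return false;                        // claims more data than present
    out = PackageLayout{n, kSizeField, cipherLen};
    return true;
}

// After decryption, the padding is removed by truncating to the declared size;
// the padding bytes themselves carry no meaning and are not validated.
bool trimToPlainSize(std::vector<std::uint8_t>& plain, const PackageLayout& l) {
    if (plain.size() != l.cipherLen) return false;
    plain.resize(static_cast<std::size_t>(l.plainSize));
    return true;
}

// Constructed sample: declares 20 plaintext bytes carried in two 16-byte blocks.
std::vector<std::uint8_t> constructedStream() {
    std::vector<std::uint8_t> s(kSizeField + 2 * kAesBlock, 0xAA);
    for (std::size_t i = 0; i < kSizeField; ++i) s[i] = 0;
    s[0] = 20;
    return s;
}
```

The decryption step itself is left out here; the sketch covers only the framing around it.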
    LVL 13

    Expert Comment

    Just a wild guess here, but I'm thinking the reason you haven't seen much about this in your "scouring" is because there is a likely chance that it violates the EULA with Microsoft. Reverse Engineering their encryption is probably something they would frown upon.

    Author Comment

    I thought one of the targets of the Office Open XML standard was to allow third party applications to use the same formats as Office 2007. If there is no way to obtain certain specifics for the new format, then they are effectively saying that no third party app will be able to support opening or creating passworded office 2007 files?

    Maybe the protected documents do not fit in with the OOXML standard as closely as I hoped they would.
    LVL 13

    Accepted Solution

    I honestly can't say I'm sure about the XML version documents, but then again, even if the document is XML, once it is encrypted into a password protected document, then is it really still XML as XML standards go?

    I do know that I worked on a project about two years ago in which we had to work on documents in Excel that were not based on XML. We had contacted Microsoft about it, and they were able to provide all kinds of detailed information about the standards for the file formats at the time, but only after signing contractual agreements and non-disclosure documents that our legal department had to review first. The fundamental part of those documents was that while we were permitted to create documents in that format, we could not develop or distribute any tool that could be used for decrypting or deconstructing an existing document, and were also prohibited from sharing the information provided with other third parties.
    LVL 18

    Assisted Solution

    Encryption is not part of the OpenXML standard, so it is not published.
    As you know the OpenXML file is actually a ZIP file with all the XML files stored in it, but for encryption it does not use any of the zip encryptions! The file is stored as a stream in an IStorage:
    There is another part which is published in OpenXML: the open password. This is no encryption, just a password protection and flags with the allowed operations, which can easily be circumvented. See the Office Open XML documentation part 4,
    So, you are right about the targets for OOXML, except encryption was not included. Silly, I know.
    Like dhoffman said: contact Microsoft.

