Backdoors with the MS Office file encryption master key
and a proposal for a reliable file format
2015/10/28, 29 CODE BLUE
Mitsunari Shigeo (@herumi)
Abstract
• Attacking Excel files without a password
  • This bug was fixed on 2015/Oct/13 (MS15-110)
• Comparison of password encrypted file formats
• How I found this bug
• Proposal for a backdoor-resistant format
2/54
Mitsunari Shigeo (@herumi)
• R&D for cloud security and infrastructure at Cybozu Labs, Inc.
• Author of "Applied Cryptography for the Cloud" (in Japanese)
  • about PFS, ECC, IBE, ABE, FE, HE, ZKP, ...
  • http://herumi.github.io/ango/
• Microsoft MVP Developer Security (2015)
• Author of the fastest implementation of pairing
  • https://github.com/herumi/ate-pairing
  • Software implementation of an Attribute-Based Encryption Scheme, IEEE Transactions on Computers, 2014
3/54
Takesako Yoshinori (@takesako)
• Technical Fellow at Recruit Marketing Partners
• Visiting associate professor at Kochi National College of Technology
• Review board for CODE BLUE
• OWASP Japan advisory board
• Chairperson of SECCON CTF
• Leader of Shibuya Perl Mongers
• Microsoft MVP Developer Security in 2008
• Author of "How to Execute Arbitrary Code on x86 JIT Compilers"
• Translator of "Reading ECMA-262 Edition 5.1" (2013)
• Best award of CSSx2.0 at "Computer Security Symposium 2013"
4/54
Agenda
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
5/54
Agenda
• Comparison of password encrypted file formats
  • Password encryption
  • Introduction to attack tools
  • Comparison of attack time
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
6/54
Encrypted file with password
• The very basic way
  • input : : password, : message
  1.
  2.
  3. output :
• Vulnerable
  • The same password always generates the same .
[Diagram labels: pass, Hash, SK, m, Enc; annotation: "depends on only"]
7/54
hashcat
• Password attack tool
• http://hashcat.net/oclhashcat/
• GPGPU based very fast engine
8/54
Performance of hashcat
• Number of attempts per second
  • SHA1 : times/sec on 8x NVidia Titan X
  • SHA512 : times/sec
• Time to detect password from value
  • assume [a-zA-Z0-9]; 62 letters
  • to try all patterns for SHA1
9/54
More secure file formats
• Add salt
  1. generate randomly
  2.
  3. : Initialization Vector
  4.
• Even the same password generates different
• Stronger against rainbow table attacks
[Diagram labels: pass, salt, Hash, SK, m, Enc, iv]
10/54
Key stretching
• Iterate the hash function many times
  • is iteration count
  •
• Decrease attack ability to
• PKCS#5 (RFC 2898)
  • Password-Based Cryptography Specification
  • PBKDF2 (password based key derivation functions)
  • used by ZIP format, etc.
[Diagram labels: pass, salt, HMAC, d_i, d_{i+1}, n; SK = d_1 ⊕ d_2 ⊕ …]
11/54
Compare attack time
• Brute-force attack time against 8-byte password
  • by Passcovery on GeForce GTX860M 1019MHz
• Office 2013 docx format is strong
• Recently, a memory-hard function is recommended
  • Argon2 is the winner of the Password Hashing Competition (2015/Jul/20)

File format        # of tries/sec   hash stretching      attack time
ZIP(96-bit)        230000000        none                 10 days
Office2003 doc     11000000         ?                    220 days
ZIP(256-bit AES)   370000           1000 x HMAC SHA1     18 years
Office2007 docx    16000            50000 x SHA1         430 years
Office2010 docx    8100             100000 x SHA1        854 years
Office2013 docx    337              100000 x SHA512      20000 years
13/54
Agenda
• Comparison of password encrypted file formats
• Demo
  • MS Office file format
  • Secret key generator of the MS Office file format
  • Introduction of my tool
  • Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
14/54
MS Office documents
• [MS-OFFCRYPTO]
  • Office Document Cryptography Structure
• [MS-CFB]
  • Compound File Binary - file format
15/54
Secret key generator of MS Office
• Hashing algorithm
  • : iteration count
  •
  • : 4-byte little endian
[Diagram labels: pass, salt, Hash, h_0, h_{i-1}, i, h_i, n; SK := h_n]
16/54
MS Office Agile format
• Use two kinds of secret key
  • : the above iterated hash function
  1. generate from and
  2. generate and encrypt it by
  3. encrypt by
  • I will explain later
• two keys for key escrow
  • Administrator can decrypt if password is lost
  • encrypt with public key of Administrator in advance
[Diagram labels: pass, salt, H, SK, m, "Enc by"]
17/54
msoffice-crypt
• https://github.com/herumi/msoffice/
• My tool to encrypt/decrypt MS Office files
• Supports Windows/Linux
• Supports OpenXML of Office 2007~
• Supports Agile format of Office 2010~
  • LibreOffice does not support the format yet
• Configurable secret key for Agile format
• Configurable iteration count for stretching
18/54
demo
Usage
• encrypt with password "test"
    msoffice-crypt -e plain.xlsx enc.xlsx -p test
• decrypt with password "test"
    msoffice-crypt -d enc.xlsx dec.xlsx -p test
• attack without password
    msoffice-crypt -d complex.xlsx -by easy.xlsx -p test
  • decrypt easy.xlsx with "test" and get
  • attack complex.xlsx by without password
20/54
Agenda
• Comparison of password encrypted file formats
• Demo
• Situations
  • What happened?
  • Some scenarios
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
21/54
What happened?
• Excel 2010/2013 does not update the secret key in the file when password is changed (Bug).
• We can attack them with this one secret key.
[Diagram: master file with pass -> "save as..." -> files with pass1, pass2, pass3; all have same secret key]
22/54
Scenario 1 ( pay slip delivery )
• At HR
  • prepares a master Excel file
  • write pay slip into the file, change password, send to staff
[Diagram: HR, master file with pass; annotation: "can attack other files"]
23/54
Scenario 2 ( lost PC )
• Owner
  • A master Excel file encrypted with an easy pass
  • Modify it and make an important file with strong pass
• Attacker
  • Brute-force attack against easy pass and attack important file
[Diagram: PC; "Brute-force attack to easy pass"; "write secret info."; "save it with strong pass"; "can attack this"]
24/54
Agenda
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
  • Detail of MS Office file encryption structure
  • Relation between password and secret key
• How I found this bug
• Proposal for a backdoor-resistant format
25/54
MS Office file encryption details
• Old format and new format
• The MS OLE2 header is "D0 CF 11 E0"

Office file type                    Format
doc, ppt, xls (old Office files)    MS OLE2
plain docx, pptx, xlsx              ZIP file of Open XML files
encrypted docx, pptx, xlsx          MS OLE2 including a header and an encrypted ZIP file

[Diagram: not encrypted: ZIP files (Open XML); encrypted: header + Enc(ZIP files), encrypted with AES]
26/54
Layout of encrypted docx
• There is a directory structure in one file

root/
  EncryptionPackage     (encrypted main ZIP file)
  EncryptionInfo        (encryption information)
  DataSpaces/           (not used)
    Version
    DataSpaceMap
    Transformation/StrongEncryptionTransform/Primary
    DataSpaceInfo/StrongEncryptionDataSpace
27/54
Version of EncryptionInfo
• Standard encryption (~Office 2007)
  • binary format
  • supports only SHA-1
  • spinCount (= # of iterations) is fixed to 50000
• Agile encryption (Office 2010~)
  • XmlEncryptionDescriptor
  • supports SHA-1, SHA256, etc.
  • variable spinCount
28/54
XmlEncryptionDescriptor

<encryption>
  <keyData saltSize="16" blockSize="16" keyBits="256" hashSize="64"
    cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512"
    saltValue="..."/>
  <dataIntegrity encryptedHmacKey="..." encryptedHmacValue="..."/>
  <keyEncryptors>
    <keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
      <p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256"
        hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
        hashAlgorithm="SHA512" saltValue="..."
        encryptedVerifierHashInput="..." encryptedVerifierHashValue="..."
        encryptedKeyValue="..."/>
    </keyEncryptor>
  </keyEncryptors>
</encryption>
29/54
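An added example (not from the slides and not msoffice-crypt's code) for the "Secret key generator of MS Office" and "XmlEncryptionDescriptor" slides: it parses the password keyEncryptor and derives the key that wraps encryptedKeyValue, following the Agile key derivation in [MS-OFFCRYPTO]. The sample descriptor, its salt and the function names are constructed for illustration.

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

# Constructed descriptor in the shape shown on the slide; the salt is made up.
SAMPLE = """<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption"
  xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
 <keyEncryptors>
  <keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
   <p:encryptedKey spinCount="100000" saltSize="16" keyBits="256"
     hashAlgorithm="SHA512" saltValue="EBESExQVFhcYGRobHB0eHw=="/>
  </keyEncryptor>
 </keyEncryptors>
</encryption>"""

# Block key for the key that wraps encryptedKeyValue ([MS-OFFCRYPTO], Agile).
BLOCK_KEY_VALUE = bytes([0x14, 0x6E, 0x0B, 0xE7, 0xAB, 0xAC, 0xD0, 0xD6])


def parse_password_encryptor(xml_text):
    """Return the password key-encryptor parameters, matching tags by local name."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "encryptedKey":
            return {
                "spin_count": int(el.get("spinCount")),
                "key_bits": int(el.get("keyBits")),
                "hash": el.get("hashAlgorithm").lower(),
                "salt": base64.b64decode(el.get("saltValue")),
            }
    raise ValueError("no password keyEncryptor in descriptor")


def derive_wrapping_key(password, params, block_key=BLOCK_KEY_VALUE):
    """h0 = H(salt || pass); hi = H(LE32(i) || h(i-1)); key = H(hn || blockKey)."""
    def H(data):
        return hashlib.new(params["hash"], data).digest()

    h = H(params["salt"] + password.encode("utf-16-le"))
    for i in range(params["spin_count"]):      # iterator is a 4-byte little endian
        h = H(struct.pack("<I", i) + h)
    size = params["key_bits"] // 8
    # Truncate, or pad with 0x36 when the digest is shorter than the key.
    return H(h + block_key)[:size].ljust(size, b"\x36")
```

The derived key only unwraps encryptedKeyValue, so a high spinCount protects the password and does nothing for a secret key that is reused across files. For descriptors taken from untrusted files, parse with a hardened XML parser such as defusedxml.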
Dependency of variables in encryption
[Diagram, repeated on slides 30-33. Nodes: password, encryptedKey.saltValue, hash, verifierHashInput, verifierHashValue, encryptedVerifierHashInput, encryptedVerifierHashValue, secretKey, encryptedKeyValue, keyData.saltValue, HmacKey, encryptedHmacKey, encryptedHmacValue, ZIP file, Enc(ZIP file) = EncryptionPackage. Values marked "gen.": encryptedKey.saltValue, secretKey, keyData.saltValue, verifierHashInput, HmacKey]
30/54
Check password integrity
[Same diagram]
31/54
Check data integrity
[Same diagram]
32/54
Dependency of encryption
[Same diagram; annotation: "irrelevant to pass"]
33/54
Agenda
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
  • Motivation
  • CSPRG
  • Example of known backdoor
  • Hooking into MS Office's secret key generator
• Proposal for a backdoor-resistant format
34/54
Motivation
• Normal encryptor
  • main part to encrypt
• You can not decrypt without
• We can make a backdoor if the generator of is controlled.
[Diagram: m -> (salt, c); "generate randomly" (twice)]
35/54
An example of controlled
• Malicious (having backdoor) encryptor
  • Malicious Eve prepares a master secret key
  • Eve embeds into an encryptor
• Eve can get by then decrypt it
• You can not notice that has a backdoor
[Diagram: m -> (salt, c); "generate randomly"; Eve, X, SK]
36/54
Make a proof of concept for MS Office
• 5 p.m. on Friday,
  Hi Mitsunari, could you hook into the random generator of MS Office?
  I'll try it. By when do you need it?
  Coming Monday.
  ...
37/54
CSPRG
• PRG (Pseudo Random Generator)
  • used for game and simulation
  • MT (Mersenne Twister) is popular
• CSPRG (Cryptographically Secure PRG)
  • Nobody should be able to predict next bit from previous bits
  • used for secret key generator
• MT is not CSPRG
  • internal state is determined by 624x4-byte output
[Diagram: known previous bits 0 1 0 0 1 1 1 0 1 -> CSPRG -> next bit ?]
38/54
Example of CSPRG
• I strongly discourage you from implementing your own CSPRG
• Use CSPRG provided by system vendor instead
  • /dev/urandom on Linux
    • non blocking device for CSPRG
    • entropy from mouse, keyboard, disk I/O and interrupts
39/54
rdrand
• Intel hardware CSPRG instruction
  • Meets the NIST SP 800-90A standard
  • Uses an on-chip non-deterministic entropy source
• Easy to use

    // uint64_t getRand();
    getRand:
    .lp:
        rdrand rax   // store random number in rax
        jnc .lp      // retry if failure (rare)
        ret

• Difficult to use it safely
  • Retry limit should be employed to prevent a busy loop (extremely rare)
40/54
If rdrand has a backdoor?
• Output of /dev/urandom can be fixed by modifying only rdrand (kernel 3.8.13, by Taylor Hornby)
  • rdrand() { return [edx] ^ 0x41414141; }
• Combine other entropy sources to avoid having a single point of failure
41/54
CryptGenRandom()
• CSPRG of Microsoft CryptoAPI
  • Used to generate salt and secret key
• Hook this function
  • I expected that MS Office calls this to make a secret key
  • If my hooked CryptGenRandom always returns fixed bytes, then a secret key may be fixed.
• First, I tried my (very old) DLL injection library
  • Did not work as expected due to ASLR
42/54
Detours library (1/2)
• A library to hook Win32 APIs by MS Research
  • http://research.microsoft.com/en-us/projects/detours/
  • 64-bit version costs $9,999.95 (32-bit version is free)
• Usage
  • Source code of dll to hook

    // Replacement for CryptGenRandom: fills the buffer with 'a' instead of random bytes
    BOOL HookCryptGenRandom(HCRYPTPROV, DWORD len, BYTE *p) {
        memset(p, 'a', len);
        return TRUE;
    }

    BOOL DllMain(HINSTANCE, DWORD reason, LPVOID) {
        if (reason == DLL_PROCESS_ATTACH) {
            orgFunc = DetourFindFunction("advapi32.dll", "CryptGenRandom");
            DetourAttach(&orgFunc, HookCryptGenRandom);
            ...
43/54
Detours library (2/2)
• test.exe

    int main() {
        RandomGenerator rg; // wrapper of CryptGenRandom()
        for (int i = 0; i < 3; i++) printf("%08x\n", rg.get32());
    }

    >test.exe
    812e1af0 // random
    ad990e76
    865cb964

• Run test.exe with withdll.exe in Detours

    >withdll.exe /d:hook.dll test.exe
    61616161 // "aaaa"
    61616161
    61616161

• CryptGenRandom is now hooked!
  • But, the function is not called by MS Office...
44/54
Trial and error (1/3)
• Run Excel on debugger, see loaded DLLs
• I found rsaenh.dll
45/54
Trial and error (2/3)
• Extract symbols of rsaenh.dll
  • dumpbin /exports rsaenh.dll

    ordinal hint RVA      name
          1    0 0000230C CPAcquireContext
          2    1 00003A80 CPCreateHash
          3    2 0001CC1C CPDecrypt
          4    3 0001DBC8 CPDeriveKey
        ...
         11    A 00009A80 CPGenKey
         12    B 00001D3C CPGenRandom

• What is CPGenRandom?
46/54
Trial and error (3/3)
• CPxxx functions are obsolete
  • CPxxx is renamed to Cryptxxx
  • CPxxx is called from Cryptxxx
• Cryptxxx is hooked automatically if CPxxx is hooked
• Excel calls CPGenRandom
  • Excel seems to generate secret key!
• However,

    >msoffice-crypt -psk easy.xlsx -p test
    ...
    secretKey = 8BBE31319EA4CAB9F...33013EB8853F8C6A7F5
    >msoffice-crypt -psk complex.xlsx -p testtest
    ...
    secretKey = 8BBE31319EA4CAB9F...33013EB8853F8C6A7F5
47/54
It is a bug of Excel
• Excel generates the same secret key without the hook
  • MS Office Word, PowerPoint generate different keys
  • Only Excel has a bug
• About hooking CPGenRandom
  • This hook was not enough to take control over the generator
  • Hooking timer functions was not enough either
  • Details unknown because no investigation was made
48/54
Agenda
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
  • Check your Excel files
  • Improved format
49/54
Check your Excel files
• This bug was fixed on 2015/Oct/13 (MS15-110)
• But, the generated files won't be fixed
• Verify secret keys in your files by msoffice-crypt
  • Re-encrypt files if you find the same secret keys
50/54
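An added example (not from the slides and not part of msoffice-crypt) of the check recommended above: given the text printed by `msoffice-crypt -psk` for each file, it groups files that share a secret key. It assumes the `secretKey = <hex>` line format shown on the "Trial and error (3/3)" slide; the file names, keys and the failure message are constructed.

```python
import hashlib
import re
from collections import defaultdict

# Line format as shown on the slide: secretKey = <hex digits>
KEY_RE = re.compile(r"^\s*secretKey\s*=\s*([0-9A-Fa-f]+)\s*$", re.MULTILINE)


def key_fingerprint(tool_output):
    """Return a short SHA-256 fingerprint of the secret key, or None if absent."""
    m = KEY_RE.search(tool_output)
    if m is None or len(m.group(1)) % 2:
        return None
    return hashlib.sha256(bytes.fromhex(m.group(1))).hexdigest()[:16]


def find_shared_keys(outputs):
    """outputs maps file name -> captured `msoffice-crypt -psk` output.

    Returns (groups of files sharing one secret key, files with no key line).
    Only fingerprints are kept, so the report does not contain key material.
    """
    by_key, unreadable = defaultdict(list), []
    for name in sorted(outputs):
        fp = key_fingerprint(outputs[name])
        if fp is None:
            unreadable.append(name)
        else:
            by_key[fp].append(name)
    shared = {fp: names for fp, names in by_key.items() if len(names) > 1}
    return shared, unreadable


# Constructed tool outputs; the keys are made-up values, not from real files.
SAMPLE_OUTPUTS = {
    "payslip_master.xlsx": "secretKey = " + "A1" * 32 + "\n",
    "payslip_alice.xlsx": "secretKey = " + "A1" * 32 + "\n",
    "payslip_bob.xlsx": "secretKey = " + "a1" * 32 + "\n",
    "budget.xlsx": "secretKey = " + "5C" * 32 + "\n",
    "notes.xlsx": "bad password\n",
}
```

Every file in a returned group should be re-encrypted with a patched Excel so that it receives a fresh secret key.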
Future work
• What is a reliable format?
  • MS Office format is secure enough, but it is difficult to prove no backdoor exists in the file
  • The problem generally exists for tools provided in binary
• (again) malicious encryptor
• We want a format that is provably secure against the backdoor
[Diagram: m -> blackbox encryptor -> (salt, c), SK]
  : random number
  : master secret key in the encryptor
  : Eve gets by
51/54
A backdoor-resistant format
• Generate with KDF (Key Derivation Function)
  1. generate randomly
  2. , : KDF
  3.
  4. by
  5. output:
• Format validation
  • Verify the output follows the correct steps
  1.
[Diagram labels: r0, r1, pass, H, H, salt, SK, m, Enc]
52/54
Difficulty of the proposed format
• For a person who knows only
  • same difficulty as previous formats
• For Eve
  • same difficulty of the attack against KDF to get from when is known
• Detection of maliciousness is easy if is fixed
  • seems to be safe if all are different from each other when 10000 times encrypted
  • then, the attack is 10000 times harder for Eve
[Diagram labels: r0, r1, pass, H, H, salt, SK, m, Enc]
53/54
Conclusion
• Excel files can be attacked through their secret key without knowing the pass
  • It is a bug of Excel and is fixed
• Proposal for a backdoor-resistant format
  • It can be applied to general password based encrypted file formats
54/54