none
AD RMS protected XLS with macro

    Dotaz

  • Hi,

    I'm developing a service that protects Office files using AD RMS (Office IRM). What I did was to implement the OFFCRYPTO specifications as described here: http://msdn.microsoft.com/en-us/library/cc313071(v=office.12).aspx. It works well for all the Office file types I've tested except for XLS files that have VBA projects. The protection itself works but when I open such a protected XLS file I get pop-ups saying there are problems with the macros and VBA projects.

    To investigate I used a hex editor to compare an XLS file protected by Office and one protected by my service. It seems that the OLE compound file produced by Office after protection is different from what OFFCRYPTO describes. In other words, there's a storage called "_VBA_PROJECT_CUR" and two streams, "Workbook" and "\x01CompObj" which aren't mentioned anywhere in the OFFCRYPTO standard. My interpretation is that somehow these things should not be encrypted in the \tDRMContent stream and instead be left outside.

    I would like some clarifications on this. Are there any other "exceptions" from the standard? Why is it that XLS files don't follow the standard? Is there a way to force that?

    Thanks in advance,

    Alex

    20. února 2012 17:59

Odpovědi

  • Hi Alex,

    It would be better to start with the file format in question (for example, Word's .doc format) than to start with MS-OFFCRYPTO when trying to understand to what extent that format protects data.   MS-OFFCRYPTO describes structures and algorithms that are used by the Office document formats but does not dictate whether these structures and algorithms are used for every part of a particular format or in which parts they are used.  The file format specifications themselves provide that detail. 

    In both [MS-DOC] and [MS-PPT], Section 4 Security Considerations details which streams are treated or not treated by a particular protection mechanism and if there are any special considerations.  [MS-PPT] Section 2.1.6 states that the "EncryptedSummary" stream only exists in an encrypted document.  Likewise, in [MS-DOC] 2.1.8, the conditions for the existence of the "encryption" stream are stated.  There may be others but they should be relatively clearly marked as "security" or "encryption" or "protection" considerations.

    I hope this helps,

    Best regards,
    Tom Jebo
    Escalation Engineer
    Microsoft Open Specifications 

    24. února 2012 4:27
    Moderátor

Všechny reakce

  • Hi Alex, thank you for your question. A member of the protocol documentation team will respond to you soon.

    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    20. února 2012 18:39
    Vlastník
  • Hi Alex,

    That is correct, the _VBA_PROJECT_CUR" storage should not be encrypted.  That is specified in [MS-XLS] 2.2.10 Encryption as well as other streams and storages that are not to be encrypted.  Also, just a note that you should be using [MS-XLS], [MS-OVBA] as well as [MS-OFFCRYPTO] to understand how to protect an Excel spreadsheet.  These specifications work together.

    Best regards,
    Tom Jebo
    Escalation Engineer
    Microsoft Open Specifications

    21. února 2012 22:02
    Moderátor
  • Hi Tom,

    Ok, I understand. It's a bit confusing because MS-OFFCRYPTO makes no references to these other specifications whereas they link back to it. I was under the impression that there's a global straightforward way to protect Office files but clearly that doesn't hold for XLS files. Are there any other such cases?

    Alex

    24. února 2012 2:20
  • Hi Alex,

    It would be better to start with the file format in question (for example, Word's .doc format) than to start with MS-OFFCRYPTO when trying to understand to what extent that format protects data.   MS-OFFCRYPTO describes structures and algorithms that are used by the Office document formats but does not dictate whether these structures and algorithms are used for every part of a particular format or in which parts they are used.  The file format specifications themselves provide that detail. 

    In both [MS-DOC] and [MS-PPT], Section 4 Security Considerations details which streams are treated or not treated by a particular protection mechanism and if there are any special considerations.  [MS-PPT] Section 2.1.6 states that the "EncryptedSummary" stream only exists in an encrypted document.  Likewise, in [MS-DOC] 2.1.8, the conditions for the existence of the "encryption" stream are stated.  There may be others but they should be relatively clearly marked as "security" or "encryption" or "protection" considerations.

    I hope this helps,

    Best regards,
    Tom Jebo
    Escalation Engineer
    Microsoft Open Specifications 

    24. února 2012 4:27
    Moderátor
  • Ok, I got the full picture now. Thanks for the swift reply. 
    25. února 2012 2:05