Sign in
 
Open Specifications Developer Center > Open Specifications Forums > Office File Formats > About PowerPoint Binary File Format Decryption
Ask a questionAsk a question
Search Forums:
 

AnswerAbout PowerPoint Binary File Format Decryption

  • Wednesday, June 24, 2009 7:03 AMAllen Yao Users MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     
    Sign In to Vote
    0
    Sign In to Vote

    I am attempting to implement decryption of PowerPoint binary files that have been encrypted according to section 2.3.5 of [MS-OFFCRYPT] and section 2.37. of [MS-PPT] documentation.

    I have read http://social.msdn.microsoft.com/Forums/en-US/os_binaryfile/thread/e33189a5-0b00-44b7-b084-f2757e9b7536, but I am confused in my sample file.

    CryptSession10Container in my sample file has the following fields.

    EncryptionVersionInfo = 0x00020002
    EncryptionHeader.Flags = 0x00000004
    EncryptionHeaderSize = 0x0076
    EncryptionHeader (variable)
     Flags = 0x00000004
     SizeExtra = 0x00000000
     AlgID = 0x00006801 (RC4 encryption)
     AlgIDHash = 0x00008004 (SHA1 hashing)
     KeySize = 0x00000000(Should be 40 bit encryption key)
     ProviderType = 0x00000001
     Reserved1 = 0x0A680030
     Reserved2 = 0x00000000
     CSPName (variable) = Microsoft Base Cryptographic Provider v1.0
    EncryptionVerifier (variable)
     SaltSize = 0x00000010
     Salt (16 bytes) = 0x05 0xc5 0x95 0xaf 0x2b 0x3c 0xed 0x08 0xa5 0x27 0x28 0xb3 0x81 0xa8 0x61 0x74
     EncryptedVerifier (16 bytes) = 0xfd 0x2d 0xd1 0xee 0xfb 0x17 0x51 0x42 0xb6 0xe4 0x4b 0x48 0x5d 0x61 0x5e 0xd4
     VerifierHashSize = 0x00000014
     EncryptedVerifierHash (variable) = 0xe7 0xf7 0x07 0x64 0x3b 0xbe 0x85 0x0e 0x38 0xd5 0x76 0x76 0x42 0xa6 0xe2 0x5d 0xb8 0xa8 0xbe 0x11

    The password used to generate this example was the string '123' as the password to open the document.

    When executing the password verifier as outlined below from [MS-OFFCRYPT] 2.3.5.6 I get the following failed results ..

    1. Generate an encryption key as specified in section 2.3.5.2 utilizing a block number of 0x00000000.
        The password is the string '123' .
     H0 = H (Salt, Password) =
      SHA1 (05 c5 95 af 2b 3c ed 08 a5 27 28 b3 81 a8 61 74 31 00 32 00 33 00) =
       6e 87 44 3a 3b 7b 9c 9f cf 22 ea 5f fd 7d 71 66 4a 32 b7 22 
     HFinal = H (H0, blockNumber) =
      SHA1 ( 6e 87 44 3a 3b 7b 9c 9f cf 22 ea 5f fd 7d 71 66 4a 32 b7 22  00 00 00 00 ) =
      fe b5 f4 12 4d f7 2f 69 9b b8 25 0a 10 d5 ed 6e 94 db 1c 8f

     Encryption Key = First Fivebytes (40bit key) of HFinal = fe b5 f4 12 4d

    2. Decrypt the EncryptedVerifier field of the EncryptionVerifier structure to obtain the Verifier value. The resultant Verifier value MUST be an array of 16 bytes.
    3. Decrypt the EncryptedVerifierHash field of the EncryptionVerifier structure to obtain the hash of the Verifier value. The number of bytes used by the encrypted Verifier hash MUST be 20.
     RC4_Init (fe b5 f4 12 4d );

     RC4 ( fd 2d d1 ee fb 17 51 42 b6 e4 4b 48 5d 61 5e d4 e7 f7 07 64 3b be 85 0e 38 d5 76 76 42 a6 e2 5d b8 a8 be 11) =
     26 3f 7a 47 07 90 56 46 70 f3 8f 25 b1 fa c6 fb a0 b0 58 7c 95 05 b8 37 14 17 a4 08 e5 b3 7e 9c 9c 9a 3b fc

    4. Calculate the SHA1 hash value of the Verifier value calculated in step 2.
      SHA1 (26 3f 7a 47 07 90 56 46 70 f3 8f 25 b1 fa c6 fb) =
      5c 9a 99 a9 b9 97 a6 bf a2 33 fc d5 6a fa c6 9e d6 64 3d 4c

    5. Compare the results of step 3 and step 4. If the two hash values do not match the password is incorrect

      PASSWORD DOES NOT MATCH!

    I am confused by the above problem. Which step is wrong? Any assistance with this issue would be greatly appreciated.

    Thanks!

     

Answers

All Replies

  • Wednesday, June 24, 2009 3:38 PMObaid FarooqiMSFT, ModeratorUsers MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     
    Sign In to Vote
    0
    Sign In to Vote
    Hi Allen:
    I have alerted Protocol Documentation Team to your question. A team member will be in touch soon through this forum.
    Regards, Obaid Farooqi
     
  • Wednesday, June 24, 2009 10:01 PMMark Miller_DSCMSFT, ModeratorUsers MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     Answer
    Sign In to Vote
    0
    Sign In to Vote

    Hello Allen,

     

    Thank you for your question.

     

    A colleague on my team created the following blog as a direct response to the issue you mention and reference on our forum, http://social.msdn.microsoft.com/Forums/en-US/os_binaryfile/thread/e33189a5-0b00-44b7-b084-f2757e9b7536.

     

    Please review and compare the detailed steps in this blog and if you still have an issue send me your sample file and I will delve further, http://blogs.msdn.com/openspecification/archive/2009/05/08/Dominic-Salemno.aspx

     

    This is where I think your issue may be based on what you sent (end of step 1):  Encryption Key = First Five bytes (40bit key) of HFinal = fe b5 f4 12 4d

     

    The example on the blog indicates this at end of step 1:

    This 40-bit key must then be appended with 88 bits set to zero with the resulting derived encryption key equal to 128 bits.

     

    derived encryption key = D7 BE C9 31 88 00 00 00 00 00 00 00 00 00 00 00

     

     

    Regards,
    Mark Miller
    Escalation Engineer

    US-CSS DSC PROTOCOL TEAM

    • Marked As Answer byAllen Yao Thursday, June 25, 2009 12:50 AM
    •  
     
  • Thursday, June 25, 2009 12:50 AMAllen Yao Users MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     
    Sign In to Vote
    0
    Sign In to Vote

    Hi Mark Miller_DSC,

    Thank you for your perfect answer.With your suggestion I have solved this problem.

    Your support is greatly appreciated.

    Regards,
    Allen