Answered: MS Office 2010 agile encryption

  • Wednesday, December 21, 2011 9:59 AM
     
     

    Hi,

    I'm working on the MS Office 2010 opening password. In MS Word 2010, agile encryption is used for password encryption. Agile encryption uses an encryption key that is built with the help of (salt + block keys). Does anybody have any idea regarding the block keys used in agile encryption?

All Replies

  • Friday, December 23, 2011 2:56 AM
     
     

    This link may give you basic idea: http://msdn.microsoft.com/en-us/library/dd949418(v=office.12).aspx

    Other community members may know more.

    Best Regards,


    Forrest Guo | MSDN Community Support | Feedback to us

  • Friday, December 23, 2011 7:36 AM
     
     

    Thanks, Forrest Guo, for sharing the idea regarding the 2010 format.

    But I'm following agile encryption for the Word 2010 password, and I'm not getting what the block key used in that encryption is. I'm getting the block size from the Word file, not the block value...

    http://ebookbrowse.com/ms-offcrypto-pdf-d12613233

  • Friday, December 23, 2011 4:35 PM
    Moderator
     
     

    Hi prateek1108, thank you for your question. A member of the protocol documentation team will respond to you soon.

     

    We will continue to use this thread for future communications and disregard the other one that you posted a similar question to.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
  • Tuesday, December 27, 2011 10:54 AM
     
     

    Hi Jcurry,

    Your response regarding my question is precious to me,

    So please suggest me a way to solve this agile encryption problem.

  • Tuesday, December 27, 2011 8:27 PM
    Moderator
     
     Proposed Answer

    Hi Prateek1108, please make sure that you are referencing the protocol documents from the MSDN website. We (Microsoft) cannot ensure the integrity or accuracy of information posted on 3rd party websites. The latest version of the MS-OFFCRYPTO document can be found here.

     

    In regards to your question that you posted on the other thread, the MS-OFFCRYPTO document describes the behavior used by several versions of Microsoft Office and SharePoint Server. Anywhere there is a difference in behavior between product versions in a given section you will see a link to a behavior note that looks like this <x>, where x is the behavior note number in section 5 of the document.

     

    In regards to the contents of the block_key that is used when generating the encryption key, section 2.3.4.13 states "block_key byte array consisting of the following bytes 0x14, 0x6e, 0x0b, 0xe7, 0xab, 0xac, 0xd0, 0xd6."

     

    Please let me know if that helps.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
  • Wednesday, December 28, 2011 3:49 AM
     
     

    Hi Jcurry,

    I am following the protocol documents from the MSDN website. I am a bit confused while using the block key. I am following these steps for calculating the hash, and at the 3rd step I am using block_key in the case of creating the Encrypted Verifier Hash Input.

    1) H0 = H(salt + Password)

        H --> hash function

    2) Hn = H(iterator + Hn-1)

        where the iterator runs from 0 to spin count - 1;

    3) Hfinal = H(Hn + Block_key)

     At this point I am confused about which Block_key should be used.

     

  • Monday, January 02, 2012 3:59 AM
     
     

    Hi Jcurry,

    I tried this block key " 0x14, 0x6e, 0x0b, 0xe7, 0xab, 0xac, 0xd0, 0xd6 " as you guided me in your earlier post, but the hash doesn't match....


    • Edited by prateek1108 Monday, January 02, 2012 4:05 AM
  • Tuesday, January 03, 2012 6:26 PM
    Moderator
     
     

    Hi prateek1108, I am still looking into this issue. I hope to have more information for you soon. Your patience is greatly appreciated.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
  • Thursday, January 05, 2012 8:02 PM
    Moderator
     
     Proposed Answer

    Hi Prateek1108, when generating the Encryption Key or Initialization Vector, the block_key used in the hashing algorithm will always be the block number being decrypted.  For example, when decrypting the first 4k block the block_key will be 0, the second will be 1, etc… The value is an 8-byte unsigned integer that is then stored in an 8-byte byte array in little endian order before being passed to the hashing algorithm.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
  • Friday, January 06, 2012 4:17 AM
     
     

    Hi Jcurry,

    Thanks for the reply, but I found that agile encryption is used for the opening password encryption, not for the content encryption of the file. I am working on the password encryption of the file, so please advise me regarding the opening password encryption of an Office 2010 file.

  • Friday, January 06, 2012 7:45 PM
    Moderator
     
     

    Hi Prateek1108, based on your initial question, I pointed you to the information in MS-OFFCRYPTO section 2.3.4.13 for PasswordKeyEncryptor Generation for Agile Encryption. You said that was not what you were looking for and then were very specific in that you wanted to know what the block_key should be for the algorithm described in MS-OFFCRYPTO section 2.3.4.11, which is what I provided.

     

    It is not clear what information you are looking for. Please specify exactly what information in what section of the document is not clear to you and exactly what it is that you are looking for so that I can answer your question.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
  • Monday, January 09, 2012 4:27 AM
     
     

    Hi Jcurry,

    Thanks for your reply. Let me explain briefly what I am trying to do. I am getting the
    following values from the MS Word 2010 file in XML tag form:
    1) Salt                              <Pv3GlCYtaGpRptsrowoZ0Q==>
    2) EncryptedVerifierHashInput        <zEhDT5iua3zwAZXyis5muA==>
    3) encryptedVerifierHashValue        <X/gM/RFHzyhq5kcPrhpl7dYFHFlj1UlUERN3wYVdfw=>
    4) Spin count                        100000
    5) Hash function                     SHA1
    6) Encryption algorithm              AES-128
    7) Chaining mode                     CBC

    The first three values are base64 encoded. The open password of this file is "12" (without the quotes).

    The steps which I am following to verify the password or password hash of this file:

    1)   Encryption key generation (agile encryption)
        a) H0 = H(salt + password), where H stands for the hashing algorithm.
        b) Hn = H(iterator + Hn-1), where n stands for the spin count (100000 times).
        c) Hfinal = H(Hn + block_key). Here I am using the block_key given in 2.3.4.13, i.e. 0xfe, 0xa7, 0xd2, 0x76, 0x3b, 0x4b, 0x9e, 0x79, and using the Hfinal hash as the encryption key.

    2)    a) IV = H(KeySalt + blockKey) if a blockKey is given
           b) IV = KeySalt if a blockKey is not given
        In this file I am not able to find any blockKey, so I am using the second step (b).

    3)     Then I am passing these values (IV and encryption key) to the AES-CBC function. Then I compare the output with the given encrypted verifier hash input, which is not matching. One more thing I want to ask: my AES_cbc function returns a 32-byte value, which I have to compare with the
    encrypted verifier hash input, which should be 16 bytes according to the MS-OFFCRYPTO document.

    1) Please help me: how do I verify the password hash against the given hash in the file?
    2) What is the block_key used in encryption key generation, and the blockKey used in the IV?

    • Edited by prateek1108 Monday, January 09, 2012 11:31 AM
  • Tuesday, January 10, 2012 9:03 PM
    Moderator
     
     

    Hi Prateek1108, regarding item 3 from your previous post…

     

    3) Then I am passing these values(IV and Encryption Key ) to the AES in cbc mode function. Then I compare the output with given encrypted verifier hash input which is not matching.


    You need to decrypt EncryptedVerifierHashInput and feed it through the Hash algorithm. Then decrypt EncryptedVerifierHashValue using steps 1a-c again with the 2nd block key (0xd7, 0xaa, …) and compare that value.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
  • Wednesday, January 11, 2012 11:09 AM
     
     

    Hi Jcurry,

    Thanks for your reply. But when I am working on the changes as per your guideline, I am facing a few problems, i.e.:

    1)  At step (1b):
         Hn = H(iterator + Hn-1)

        a)    Must the 4-byte iterator value be overwritten at the beginning of the hashing result after SHA-1, or is the iterator just concatenated at the beginning of that hashing result?

        b)    My function for SHA-1 (hashing algorithm) is returning the hashing result in 24 bytes. Do I have to truncate that hashing result for further use, or must I use that hashing result as it is?

    2) At step (1c):
        Hfinal = H(Hn + Block_key), where Block_key = 0xfe, 0xa7, 0xd2, 0x76, 0x3b, 0x4b, 0x9e, 0x79.
    Should the Block_key be concatenated (as it is mentioned) with Hn and then SHA-1 hashed, or will the Block_key be XORed with Hn and then SHA-1 hashed, like in a 2007 Word file??


    • Edited by prateek1108 Wednesday, January 11, 2012 11:23 AM
  • Thursday, January 12, 2012 4:44 PM
    Moderator
     
     

    You will find several instances where the '+' operator is used in MS-OFFCRYPTO. In each case, there is a statement that clarifies its use. Specifically, that '+' always means concatenation, not an XOR operation.

     

    In section 2.3.4.11 it specifically states the following regarding the length of Hfinal

     

    "If size of the resulting Hfinal is smaller than PasswordKeyEncryptor.keyBits, then the key MUST be padded by appending bytes with a value of 0x36. If the hash value is larger in size than PasswordKeyEncryptor.keyBits, the key is obtained by truncating the hash value."


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
  • Friday, January 13, 2012 11:11 AM
     
     

    Hi Jcurry,

    Thanks for your reply. I have made changes as per your instructions. But in the SHA-1 function, input and output are both 20 bytes. If we concatenate the Block_key at step (1-c) after 20 bytes, those bytes may remain unused? I am confused whether I use all 20 hash bytes of the step (1-b) output, or I concatenate the block_key after 12 bytes and again make that (Hn + block_key) 20 bytes.



    • Edited by prateek1108 Friday, January 13, 2012 11:20 AM
    • Edited by prateek1108 Friday, January 13, 2012 11:24 AM
  • Friday, January 13, 2012 6:45 PM
    Moderator
     
     

    The byte array that you provide as input to the SHA1 hashing algorithm is not limited to 20 bytes. However, you are correct that the byte array that is returned by it will be 20 bytes.

     

    You may also find the following project on CodePlex helpful. http://offcrypto.codeplex.com/


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

  • Monday, January 16, 2012 5:52 PM
    Moderator
     
     

    Hi Prateek1108, the Open Specifications forums are here to provide support for the protocol documentation set. We do not review source code or provide direct support with the implementation of any protocol. Please review the documentation and let me know if you have any further questions.

     

    You may also find the following resources helpful.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
  • Wednesday, January 18, 2012 11:07 AM
     
     

    Hi Jcurry,

    1) I want to know if there is any difference between Salt and KeySalt, as KeySalt is used in making the initialization vector in steps (2a-2b) of the algorithm I had already posted to you.

    2) Whether I have to take the blockKey as 0x0000 if it is not given, or I just have to ignore it and use only the KeySalt, without SHA-1, if it is not given.

    • Edited by prateek1108 Wednesday, January 18, 2012 11:12 AM
    • Edited by prateek1108 Wednesday, January 18, 2012 11:31 AM
  • Wednesday, January 18, 2012 9:25 PM
    Moderator
     
     

    For your first question, if you are asking if there is a difference between the value of 'Salt' that is used in section 2.3.4.11 and 'KeySalt' in section 2.3.4.12, the answer is no. They both refer to the value of the saltValue element that is stored in the \EncryptionInfo Stream. Please see section 2.3.4.10 for more information about the \EncryptionInfo stream.

     

    For number 2, section 2.3.4.12 states that "If a blockKey is not provided, let IV be equal to KeySalt:IV = KeySalt."


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
  • Thursday, January 19, 2012 11:00 AM
     
     

    Hello JCurry,

    I have made the Encrypted Verifier Hash Input and Encrypted Verifier Hash Value with the help of the above steps... But in an MS Word 2010 file, for verifying the password (i.e. that the chosen password is the password of that file), which string is to be matched with which string? As in 2007, we compare the computed verifier and the Encrypted Verifier Hash...

    Should I match the strings of the Encrypted Verifier Hash Input and Encrypted Verifier Hash Value???


    • Edited by prateek1108 Thursday, January 19, 2012 11:01 AM
  • Thursday, January 19, 2012 7:12 PM
    Moderator
     
     

    I believe that I answered this question for you in my post on January 10th…

     

    "You need to decrypt EncryptedVerifierHashInput and feed it through the Hash algorithm. Then decrypt EncryptedVerifierHashValue using steps 1a-c again with the 2nd block key (0xd7, 0xaa, …) and compare that value."

     

    Have you looked at the MS-OFFCRYPTO Examples project on Codeplex?


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
  • Tuesday, January 24, 2012 10:25 AM
     
     

    Hi Jcurry,

    I am having a problem decrypting EncryptedVerifierHashValue...

    encryptedVerifierHashValue: This attribute MUST be generated using the following steps:
    1. Obtain the hash value of the random array of bytes generated in step 1 of the encryptedVerifierHashInput.
    2. Generate an encryption key as specified in section 2.3.4.11 by using the user-supplied password, the binary byte array used to create the saltvalue attribute, and a block_key byte array consisting of the following bytes: 0xd7, 0xaa, 0x0f, 0x6d, 0x30, 0x61, 0x34, 0x4e.
    3. Encrypt the hash value obtained in step 1 by using the binary form of the saltValue attribute as an initialization vector as specified in section 2.3.4.12. If hashSize is not an integral multiple of blockSize bytes, pad the hash value with 0x00 to an integral multiple of blockSize bytes.
    4. Use base64 to encode the result of step 3. 

    In step 1: "random array of bytes generated in step 1 of encryptedVerifierHashInput", when decrypting the encryptedVerifierHashValue.

    Whether we have to take the hash value of step 1-c of encryptedVerifierHashValue and then add the password and follow steps 1-a, b, c again, or we have to take (salt + password) and start with step 1-a for decrypting encryptedVerifierHashValue?????


  • Wednesday, January 25, 2012 4:20 PM
    Moderator
     
     Proposed Answer

    The following step from section 2.3.4.13 of the document...

     

    1. Obtain the hash value of the random array of bytes generated in step 1 of the encryptedVerifierHashInput.

     

    Means to just simply pass it to the hashing algorithm, nothing more.

     

    HashResult = H(byte_array);


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
  • Monday, January 30, 2012 9:28 AM
     
     

    Hi Jcurry,

    Thanks for your reply. For decrypting EncryptedVerifierHashValue we prepare a second key. Do we have to take (salt + password) again and follow the same steps as for the 1st key, i.e. 100000 SHA-1 calculations for the second key,

                                                                      or

    do we just use the salt and calculate SHA-1 once and then concatenate it with the Block_key of EncryptedVerifierHashValue?

  • Monday, January 30, 2012 6:44 PM
    Moderator
     
     Proposed Answer

    Hi Prateek, it sounds like you are asking about this step from section 2.3.4.13 that refers to the encryptedVerifierHashValue.

     

    1. Generate an encryption key as specified in section 2.3.4.11 by using the user-supplied password, the binary byte array used to create the saltvalue attribute, and a block_key byte array consisting of the following bytes: 0xd7, 0xaa, 0x0f, 0x6d, 0x30, 0x61, 0x34, 0x4e.

     

    You need to follow the same process that you did previously where you have to perform the Hn = H(iterator + Hn-1) process the number of times specified in PasswordKey.spinCount,  but use the block_key from step 2 in section 2.3.4.13 in the last step.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
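The procedure spelled out across the replies above (2.3.4.11 key derivation with the counter prepended and the block key appended, '+' as concatenation, truncate-or-pad-with-0x36 to keyBits, IV = saltValue when no blockKey is given, and the verifier check of Jan 10), as one runnable Go program. This is an added example, not code from the thread, from the MS-OFFCRYPTO Examples project or from Microsoft. It assumes SHA-1, AES-128 and CBC as in the file described on Jan 9, encodes the password as UTF-16LE, and because the thread's own encryptedVerifierHashValue is incomplete it builds the two verifier attributes itself from a constructed salt and verifier input (the generation side of 2.3.4.13) before checking them, so the check can be exercised offline:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"crypto/subtle"
	"fmt"
	"unicode/utf16"
)

// Block keys quoted from MS-OFFCRYPTO 2.3.4.13 earlier in this thread.
var (
	blockKeyVerifierHashInput = []byte{0xfe, 0xa7, 0xd2, 0x76, 0x3b, 0x4b, 0x9e, 0x79}
	blockKeyVerifierHashValue = []byte{0xd7, 0xaa, 0x0f, 0x6d, 0x30, 0x61, 0x34, 0x4e}
)

// PasswordKeyEncryptor holds the <p:encryptedKey> values the check needs, base64 already decoded.
type PasswordKeyEncryptor struct {
	SpinCount, KeyBits, BlockSize                                int
	Salt, EncryptedVerifierHashInput, EncryptedVerifierHashValue []byte
}

// passwordBytes encodes the password as UTF-16LE with no BOM and no terminator.
func passwordBytes(pw string) (out []byte) {
	for _, u := range utf16.Encode([]rune(pw)) {
		out = append(out, byte(u), byte(u>>8))
	}
	return out
}

// fit truncates b to n bytes, or pads it with pad up to n bytes.
func fit(b []byte, n int, pad byte) []byte {
	out := make([]byte, n)
	for i := copy(out, b); i < n; i++ {
		out[i] = pad
	}
	return out
}

// sha1Of hashes the concatenation of its arguments; '+' in the spec means concatenation.
func sha1Of(parts ...[]byte) []byte {
	sum := sha1.Sum(bytes.Join(parts, nil))
	return sum[:]
}

// deriveKey is 2.3.4.11: a 4-byte little-endian counter is prepended to the previous digest
// spinCount times, the 8-byte blockKey is appended once, and Hfinal is fitted to keyBits/8.
func (p *PasswordKeyEncryptor) deriveKey(pw string, blockKey []byte) []byte {
	cur := sha1Of(p.Salt, passwordBytes(pw)) // H0 = H(salt + password)
	for i := 0; i < p.SpinCount; i++ { // Hn = H(iterator + Hn-1), iterator = 0 .. spinCount-1
		cur = sha1Of([]byte{byte(i), byte(i >> 8), byte(i >> 16), byte(i >> 24)}, cur)
	}
	return fit(sha1Of(cur, blockKey), p.KeyBits/8, 0x36) // Hfinal = H(Hn + blockKey)
}

// crypt is raw AES-CBC under the key for blockKey, IV = saltValue fitted to the block
// size (2.3.4.12 with no blockKey). Encryption zero-pads to a block multiple (2.3.4.13).
func (p *PasswordKeyEncryptor) crypt(pw string, blockKey, in []byte, decrypt bool) []byte {
	block, err := aes.NewCipher(p.deriveKey(pw, blockKey))
	if err != nil {
		panic(err) // only reachable with a keyBits that AES does not support
	}
	iv := fit(p.Salt, p.BlockSize, 0x36)
	mode := cipher.NewCBCEncrypter(block, iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(block, iv)
	} else {
		in = fit(in, (len(in)+p.BlockSize-1)/p.BlockSize*p.BlockSize, 0x00)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in) // panics unless len(in) is a multiple of the block size
	return out
}

// VerifyPassword decrypts the verifier input with the first block key, hashes it, decrypts
// the stored hash with the second block key, truncates it to hashSize and compares.
func (p *PasswordKeyEncryptor) VerifyPassword(pw string) bool {
	if len(p.EncryptedVerifierHashInput)%p.BlockSize != 0 || len(p.EncryptedVerifierHashValue)%p.BlockSize != 0 {
		return false // malformed EncryptionInfo, not merely a wrong password
	}
	want := sha1Of(p.crypt(pw, blockKeyVerifierHashInput, p.EncryptedVerifierHashInput, true))
	stored := p.crypt(pw, blockKeyVerifierHashValue, p.EncryptedVerifierHashValue, true)
	return len(stored) >= len(want) && subtle.ConstantTimeCompare(want, stored[:len(want)]) == 1
}

// NewEncryptor produces the two encrypted attributes the way 2.3.4.13 describes on save.
// Office draws salt and verifierInput at random; here they are parameters so the output is
// reproducible. SHA-1 / AES-128 / CBC as in the thread.
func NewEncryptor(pw string, salt, verifierInput []byte, spinCount int) *PasswordKeyEncryptor {
	p := &PasswordKeyEncryptor{SpinCount: spinCount, KeyBits: 128, BlockSize: 16, Salt: salt}
	p.EncryptedVerifierHashInput = p.crypt(pw, blockKeyVerifierHashInput, verifierInput, false)
	p.EncryptedVerifierHashValue = p.crypt(pw, blockKeyVerifierHashValue, sha1Of(verifierInput), false)
	return p
}

func main() {
	// Constructed sample salt and verifier input (not the thread's file); "12" and 100000 are the thread's.
	enc := NewEncryptor("12", []byte("0123456789abcdef"), []byte("verifier-input!!"), 100000)
	fmt.Printf("encryptedVerifierHashValue = %x\n", enc.EncryptedVerifierHashValue)
	fmt.Println(`"12" accepted:`, enc.VerifyPassword("12"), `"13" accepted:`, enc.VerifyPassword("13"))
}
```

To check a real document, base64-decode saltValue, encryptedVerifierHashInput and encryptedVerifierHashValue from the <p:encryptedKey> element in the \EncryptionInfo stream, fill a PasswordKeyEncryptor with them and with that element's spinCount, keyBits and blockSize, and call VerifyPassword. The 32-byte decrypted verifier hash value is longer than the 20-byte SHA-1 output because the spec zero-pads the hash to a block multiple before encrypting; only the first hashSize bytes are compared, and the comparison is constant-time so the check does not leak how many bytes matched.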
  • Tuesday, January 31, 2012 11:21 AM
     
     

    Hi Jcurry,

    I have followed all the steps given in MS-OFFCRYPTO (the MS-OFFCRYPTO document can be found here) and as discussed or guided by you. But my encrypted verifier hash input and encrypted verifier hash value hashes are still not matching... Does this document have the complete steps, or is any step missing from it??


    • Edited by prateek1108 Tuesday, January 31, 2012 11:23 AM
  • Tuesday, February 07, 2012 11:27 AM
     
     

    Hi Jcurry,

    I am still working on the MS Word 2010 password and am not getting anywhere. Please reply regarding my above question as soon as possible....

  • Tuesday, February 07, 2012 5:18 PM
    Moderator
     
     Answered
    Hi Prateek1108, there is no other information that I can provide for you regarding this issue. An update to the MS-OFFCRYPTO project on codeplex should be posted within the next few weeks that includes an agile decryption solution. Once that is available, you should look through it carefully to figure out why the hash values don't match in your own code.

    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team