AD RMS protected XLS with macro

Question

Hi,

I'm developing a service that protects Office files using AD RMS (Office IRM). What I did was to implement the OFFCRYPTO specifications as described here: http://msdn.microsoft.com/en-us/library/cc313071(v=office.12).aspx. It works well for all the Office file types I've tested except for XLS files that have VBA projects. The protection itself works but when I open such a protected XLS file I get pop-ups saying there are problems with the macros and VBA projects.

To investigate I used a hex editor to compare an XLS file protected by Office and one protected by my service. It seems that the OLE compound file produced by Office after protection is different from what OFFCRYPTO describes. In other words, there's a storage called "_VBA_PROJECT_CUR" and two streams, "Workbook" and "\x01CompObj" which aren't mentioned anywhere in the OFFCRYPTO standard. My interpretation is that somehow these things should not be encrypted in the \tDRMContent stream and instead be left outside.

I would like some clarifications on this. Are there any other "exceptions" from the standard? Why is it that XLS files don't follow the standard? Is there a way to force that?

Thanks in advance,

Alex

Answer 1

Hi Alex, thank you for your question. A member of the protocol documentation team will respond to you soon.

---

Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

Answer 2

Hi Alex,

That is correct, the _VBA_PROJECT_CUR" storage should not be encrypted.  That is specified in [MS-XLS] 2.2.10 Encryption as well as other streams and storages that are not to be encrypted.  Also, just a note that you should be using [MS-XLS], [MS-OVBA] as well as [MS-OFFCRYPTO] to understand how to protect an Excel spreadsheet.  These specifications work together.

Best regards,
Tom Jebo
Escalation Engineer
Microsoft Open Specifications

Answer 3

Hi Tom,

Ok, I understand. It's a bit confusing because MS-OFFCRYPTO makes no references to these other specifications whereas they link back to it. I was under the impression that there's a global straightforward way to protect Office files but clearly that doesn't hold for XLS files. Are there any other such cases?

Alex

Answer 4

Hi Alex,

It would be better to start with the file format in question (for example, Word's .doc format) than to start with MS-OFFCRYPTO when trying to understand to what extent that format protects data.   MS-OFFCRYPTO describes structures and algorithms that are used by the Office document formats but does not dictate whether these structures and algorithms are used for every part of a particular format or in which parts they are used.  The file format specifications themselves provide that detail. 

In both [MS-DOC] and [MS-PPT], Section 4 Security Considerations details which streams are treated or not treated by a particular protection mechanism and if there are any special considerations.  [MS-PPT] Section 2.1.6 states that the "EncryptedSummary" stream only exists in an encrypted document.  Likewise, in [MS-DOC] 2.1.8, the conditions for the existence of the "encryption" stream are stated.  There may be others but they should be relatively clearly marked as "security" or "encryption" or "protection" considerations.

I hope this helps,

Best regards,
Tom Jebo
Escalation Engineer
Microsoft Open Specifications 

Answer 5

Ok, I got the full picture now. Thanks for the swift reply.