none
Strange value of EncryptionHeaderFlags in files RRS feed

  • Question

  • Hello!

    I'm developing a document management system. I need to classify encrypted documents by cryptoalgorithms. So I read EncryptionHeaderFlags in every document to undestand what type is it. In Office 2013 document EncryptionHeaderFlags has a value of 0x40 (bit 6 is set). According MS-OFFCRYPTO specification, there are only 6 bits are used (from 0 to 5). Other bits (from 6 to 31) are unused. But in the document these bits are used.

    Can you explain that, please?

    Tuesday, July 29, 2014 2:46 PM

Answers

  • I've found the answer - Agile encryption document doesn't have EncryptionHeaderFlags. Instead of the flags it has reserved four bytes with value of 0x40 (MS-OFFCRYPTO section 2.3.4.10).
    • Marked as answer by Zeson Wednesday, July 30, 2014 9:20 AM
    Wednesday, July 30, 2014 9:20 AM

All replies

  • Hi Zeson, thank you for your question. A member of the protocol documentation team will respond to you soon.

    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Tuesday, July 29, 2014 3:27 PM
    Moderator
  • Hi Zeson, according to MS-OFFCRYPTO section 2.3.1 the 26 unused bits at the end of the structure are "A value that is undefined and MUST be ignored." This typically means the that bits are junk. They just aren't being cleared, or set to 0. Unless it specifically says that the bits or value MUST be 0, or that the space is reserved, that is usually the case.

     

    Please let me know if that answers your question.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Tuesday, July 29, 2014 5:18 PM
    Moderator
  • OK. But why EncryptionHeaderFlags are empty? How can I classify encryption in this case?

    Tuesday, July 29, 2014 5:33 PM
  • Hi Zeson, what do you mean by 'empty'? If the contents of the EncryptionHeaderFlag structure are not sufficient for you to 'classify encryption' you might want to look at other properties in the EncryptionHeader structure as well.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Tuesday, July 29, 2014 6:52 PM
    Moderator
  • EncryptionHeaderFlags has value of 0x40. So all flags (bits 0 to 5) are zeros. According to  MS-OFFCRYPTO section 2.3.1  fCryptoAPI=0 means that CryptoAPI RC4 is used. But that's wrong. It's AES there.

    I need some universal method to know encryption type. So I try to analyze EncryptionHeaderFlags because it's common in every document (as I know).


    • Edited by Zeson Tuesday, July 29, 2014 9:17 PM
    Tuesday, July 29, 2014 9:15 PM
  • I've found the answer - Agile encryption document doesn't have EncryptionHeaderFlags. Instead of the flags it has reserved four bytes with value of 0x40 (MS-OFFCRYPTO section 2.3.4.10).
    • Marked as answer by Zeson Wednesday, July 30, 2014 9:20 AM
    Wednesday, July 30, 2014 9:20 AM