Cryptography expert Phil Zimmermann says he believes a flaw recently discovered in Microsoft Office's Word and Excel encryption is serious and warrants immediate attention.
"I think this is a serious flaw--it is highly exploitable. It is not a theoretical attack," says Zimmermann, referring to a flaw in Microsoft's use of RC4 document encryption unearthed recently by a researcher in Singapore.
Zimmermann is best known as the creator of Pretty Good Privacy, a desktop encryption program so powerful that U.S. authorities attempted to have its distribution stopped and Zimmermann imprisoned for writing it. The case was abandoned in 1996.
The problem relates to the way Microsoft's applications implement the 128-bit RC4 encryption algorithm when resaving documents after their initial creation. In this situation the programs apparently use the same password key and initialization vectors to encrypt different versions of the same document. Normally where the same password key is being used, different vectors should be used.
Hongjun Wu of the Institute of Infocomm Research in Singapore discovered the flaw and dissects it in a new paper, "The Misuse of RC4 in Microsoft Word and Excel".
The flaw, which is believed to affect all current versions of the Office programs named, sounds highly technical, but Wu describes a number of everyday scenarios in which it would seriously undermine document security. One likely compromise would occur if two coworkers edit successive versions of a document where the password remains constant.
In his paper, Wu describes performing a proof-of-flaw experiment on a Word file, where he compared two versions that were identical except for a single word. He noticed that the binary output from these encrypted files was identical except for the address space accounted for by the plain-text change to the original.
Microsoft acknowledges on its Web site that the password feature in question is less secure than other security features, such as those allowing users to lock entire documents with a password.
"The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate...." Zimmerman says. "If Microsoft wants to earn the respect of the cryptographic community and the public, it must rise to the occasion by producing competent security."
Microsoft says it is unable to commit to a time scale for correcting the flaw but has issued the following statement: "Microsoft is still investigating this report of a possible vulnerability in Microsoft Office. When that investigation is complete, we will take the appropriate actions to protect customers. This may include providing a security update through our monthly release process."
"Stream ciphers have to be used most carefully. Any failure to do this will result in a disastrous loss of security," Zimmermann says. "Even with a properly chosen initialization vector, you have to run it for a while before the quality of the stream cipher is good enough to use." Contrary to Microsoft's claims that the issue is a "very low threat," he counters that gaining access to a document would not present problems for a determined hacker. "There are tools one can use to cryptanalyze messages in this way."
Even if the flaw is fixed, Zimmerman says a more fundamental problem is Microsoft's use of RC4, licensed from RSA Security.
"Why does Microsoft continue to use RC4 in this day and age?" he says. "It has other security flaws that have been published in other papers." He adds, "RC4 is a proprietary cipher and has not stood up well to peer review. They should just stop using RC4. It would be better to switch to a block cipher."
Zimmermann, meanwhile, emphasizes the need for responsible disclosure of such problems. "The best way is to quietly disclose the problem to the vendor and then allow the vendor 30 days to fix the problem. Then go public," he says.