Posts Tagged ‘password’
We are waiting for the release of the new Microsoft Office suite, Office 2010. Right now Microsoft has only a technical preview of the new Office; this preview has leaked from Microsoft and anyone can download it via torrent trackers. We’ve got a copy of Office 2010 and analysed its (new) password protection.
Starting from Office 2007, Microsoft has used a password protection system called ECMA-376, developed by Ecma International. The standard is open, and anyone can write ECMA-376-based protection that Microsoft Office will accept. The standard allows the hash and encryption algorithms to be selected, as well as the number of hash rounds (up to 10 million is allowed).
Office 2007 implements ECMA-376 with the SHA-1 hash and AES-128 encryption. The number of hash rounds is 50000, which makes password recovery really difficult and slow. Office 2010 also uses SHA-1 and AES-128, but the number of hash rounds is now 100000. Therefore password recovery for the new Office files will be two times slower.
Here is a diagram of password recovery speed for Office 2007:
To get the speed for Office 2010, simply divide these values by 2. We get about 175 passwords per second (pps) on a Core2 6600 and about 8750 pps on a Tesla S1070.
Why not increase the number of hash rounds to 10 million? Security is really important, but it always affects usability. The hash is calculated to verify a password and when each document block is decrypted; if we add hash rounds, the document decryption time increases. If a document takes an hour to open in MS Office, that is unacceptable no matter how secure it is.
Anyway, Office 2010 documents will be more secure than Office 2007 ones. And the new encryption is backward compatible: all Office 2010 documents can be opened in Office 2007.
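To make the round-count discussion concrete, here is an added Python example; it is not code from the original post or from Microsoft. It implements the iterated SHA-1 password hash and AES-128 key derivation in the style of ECMA-376 standard encryption, with the spin count as a parameter, so the cost of a single password guess at 50000 versus 100000 rounds can be measured directly. The derivation steps follow my reading of the ECMA-376 Part 2 standard encryption scheme (H0 = SHA1(salt || password), Hi = SHA1(i || Hi-1), final block-key hash, then the 0x36-padded key step); the password and salt are constructed sample values, and the helper names are my own. Verifying a guess against a real document additionally requires AES-decrypting the stored verifier, which needs a library outside the standard library and is left out here.

```python
import hashlib
import struct
import time

# Constructed sample inputs (not taken from any real document).
SAMPLE_PASSWORD = "correct horse"
SAMPLE_SALT = bytes(range(16))  # 16-byte salt, constructed

OFFICE_2007_SPIN = 50000   # hash rounds stated for Office 2007
OFFICE_2010_SPIN = 100000  # hash rounds stated for Office 2010


def ecma376_standard_hash(password: str, salt: bytes, spin_count: int) -> bytes:
    """Iterated SHA-1 password hash in the ECMA-376 'standard encryption' style.

    H0     = SHA1(salt || password as UTF-16LE)
    Hi     = SHA1(LE32(i) || H(i-1))      for i = 0 .. spin_count-1
    Hfinal = SHA1(Hn || LE32(0))          (block key 0)
    The spin_count loop is the part that scales the attacker's cost.
    """
    h = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        h = hashlib.sha1(struct.pack("<I", i) + h).digest()
    return hashlib.sha1(h + struct.pack("<I", 0)).digest()


def derive_aes128_key(password: str, salt: bytes, spin_count: int) -> bytes:
    """Derive a 16-byte AES-128 key from Hfinal.

    X1 = SHA1(buffer) where buffer is 64 bytes of 0x36 with Hfinal XORed
    into the first 20 bytes; the key is the first 16 bytes of X1.
    """
    hfinal = ecma376_standard_hash(password, salt, spin_count)
    buf = bytearray(b"\x36" * 64)
    for i, b in enumerate(hfinal):
        buf[i] ^= b
    return hashlib.sha1(bytes(buf)).digest()[:16]


def guesses_per_second(spin_count: int, guesses: int = 5) -> float:
    """Time a batch of key derivations and return the single-thread rate.

    Each guess uses a different candidate password so nothing is cached.
    """
    start = time.perf_counter()
    for n in range(guesses):
        derive_aes128_key(f"guess{n}", SAMPLE_SALT, spin_count)
    elapsed = time.perf_counter() - start
    return guesses / elapsed


def scale_rate(base_rate: float, base_spin: int, new_spin: int) -> float:
    """Predict the guess rate at a new spin count: cost grows linearly in rounds."""
    return base_rate * base_spin / new_spin


if __name__ == "__main__":
    key = derive_aes128_key(SAMPLE_PASSWORD, SAMPLE_SALT, OFFICE_2007_SPIN)
    print("AES-128 key (50000 rounds):", key.hex())

    r2007 = guesses_per_second(OFFICE_2007_SPIN)
    r2010 = guesses_per_second(OFFICE_2010_SPIN)
    print(f"measured: {r2007:.1f} guesses/s at 50000 rounds, "
          f"{r2010:.1f} guesses/s at 100000 rounds, ratio {r2007 / r2010:.2f}")
    # The post's figure of 350 pps at 50000 rounds predicts 175 pps at 100000.
    print("predicted from 350 pps:", scale_rate(350, OFFICE_2007_SPIN, OFFICE_2010_SPIN))
```

Running the script prints the derived key and a measured guess rate for each spin count; the measured ratio lands close to 2, which is the linear scaling behind the post's "two times slower" estimate. The same linear scaling is why a 10-million-round setting would make every legitimate open 100 times slower than Office 2010's setting.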
Do you understand a word? Except for "password"? Translator needed! 🙂
In this entry I’d like to suggest a kind of list of the various legal decisions on password [ab]use that I could find on the web. Your additions are welcome; just put in any other acts you know…
Time is money; it is difficult to contradict this fact. Another proven fact is that you lose something exactly when it turns out to be absolutely necessary. Once you have lost the password to a Word document or presentation that you were going to give in an hour, or an Excel report that was supposed to be sent to your manager yesterday… you will count the seconds until you get your files back.
No, it’s not a typo :). COFEE stands for Computer Online Forensic Evidence Extractor. Never heard of it? Then read Microsoft supplies Interpol with DIY forensics tool. Just don’t ask where to get it. We have not seen it either.
Nice lyrics stir up a hacker’s drowsy morning feelings 🙂