Elser

Word convertress

About password protection
of Word documents

Privacy is still a blind spot in the laboratories of standard software vendors. For password protection in Microsoft Word this results in a privacy catastrophe. Starting with Word 2, Microsoft used WPA 1.0b encryption, that is version 1.0 beta of the Weakest Possible encryption Algorithm. WPA 1.0b stamps a 16 byte key with xor (logical exclusive or) all over the document's data.

In Word 2.0 this 16 byte key was trivial to find, because Microsoft applied the key to well known, permanent data. To find the key one just had to xor the well known permanent data with the encrypted data. The most convenient permanent data to find has in fact been 16 zero bytes: because key xor zero always equals key, one did not even have to apply a xor. In other words, Microsoft hid the key in the door's lock. Marc Thibault (marc@tanda.isis.org) discovered this. In January 1993 he released the program WU (wu.cpp, Word Unprotect, 27 KB) to the public, including its source code. WU simply fetched the key, deciphered the document and marked it as not protected. In his documentation Marc asked Microsoft to use real protection next time, because:

"A false sense of security is much worse than none at all."

Word 6.0 followed Word 2.0, and WPA 1.0 followed WPA 1.0b. Apart from this, from then on documents are stored together with some additional data. You can think of this as the document letter inside an additional data envelope, the OLE envelope. Actually it would now have been as easy as pie to apply real protection to the document, finally making it secure from snooping: the letter just needed to be put into a further, cryptographic envelope. However, encryption of Word 6.0 documents varies only slightly from encryption of Word 2.0 documents. The key used with WPA 1.0 still comprises 16 bytes. But now a key byte is xored onto a data byte only if neither the data byte nor the result byte is zero; a zero data byte therefore stays zero, and a data byte equal to its key byte is stored unchanged. So there are mainly three difficulties:

  1. The document letter has to be drawn out of the OLE envelope.
    This is not trivial, because Microsoft does not explain how this envelope is structured. To get the letter out safely one had to use libraries that Microsoft provides only for Microsoft Windows.

  2. 16 well known bytes have to be found.
    This is tricky, too. Either one has to be very familiar with Word's document structure, or one has to rely on stochastic cryptanalysis. Both methods make trouble. The latter is not very clever, as it fails if the text is too short, and one has to make assumptions about the language used in the document. The former has been a problem, because Microsoft keeps the document format secret. However, Elser knows that from Word 6 on the document summary information is stored not only in Word's document letter, but also as a copy in the OLE document envelope. Knowing this is nearly always more than enough.

  3. Sometimes even more than 16 bytes have to be found.
    It can happen that the key byte is either zero, or equal to the byte to be encrypted. In both cases the data byte is stored unchanged, so a single known plaintext byte cannot tell which of the two applies. To resolve this ambiguity, one needs at least two different well known text bytes for the same key byte. A known zero byte is of no use at all, since it is stored as zero whatever the key is.
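The following is an added example, written for this page and not code from Elser, WU or Microsoft Word. It models the two xor schemes described above (the unconditional Word 2.0 variant and the conditional Word 6.0 variant) and shows the known-plaintext key recovery from the three difficulties, including the ambiguity at key positions where the data byte equals the key byte or the key byte is zero. One assumption the page does not state explicitly: the 16 byte key is applied cyclically, so the key byte for a document offset is key[offset % 16]. The key and the two "summary information" blocks are constructed sample data.

```python
# Added example for this page, not code from Elser or from Microsoft Word.
# Assumption (not stated on the page): key byte = key[offset % 16].
# All sample data below is constructed.

KEY_LEN = 16


def encrypt_word2(data: bytes, key: bytes) -> bytes:
    """WPA 1.0b (Word 2.0): unconditional xor of the cycling key over every byte."""
    assert len(key) == KEY_LEN
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(data))


def encrypt_word6(data: bytes, key: bytes) -> bytes:
    """WPA 1.0 (Word 6.0): xor only if neither the data byte nor the result is
    zero.  A zero data byte stays zero; a data byte equal to the key byte is
    stored unchanged.  The function is its own inverse."""
    assert len(key) == KEY_LEN
    out = bytearray()
    for i, b in enumerate(data):
        r = b ^ key[i % KEY_LEN]
        out.append(r if b != 0 and r != 0 else b)
    return bytes(out)


# xor is an involution in both variants, so decryption is the same operation
decrypt_word2 = encrypt_word2
decrypt_word6 = encrypt_word6


def recover_key_word2(cipher: bytes, known: dict) -> bytes:
    """Word 2.0: one known plaintext byte per key position is enough.
    known maps document offset -> plaintext byte."""
    key = [None] * KEY_LEN
    for off, p in known.items():
        key[off % KEY_LEN] = cipher[off] ^ p
    assert None not in key, "need a known byte for every key position"
    return bytes(key)


def candidates_word6(plain: int, cipher: int) -> set:
    """Key bytes consistent with one known (plaintext, ciphertext) pair."""
    if plain == 0:
        # a zero plaintext byte is stored as zero whatever the key: no information
        return set(range(256)) if cipher == 0 else set()
    if cipher == 0:
        # impossible under this rule: a nonzero byte is never stored as zero
        return set()
    if plain == cipher:
        # the key byte is 0 (xor changed nothing) or equals the plaintext
        # (the xor would have produced 0 and was therefore skipped)
        return {0, plain}
    return {plain ^ cipher}


def recover_key_word6(cipher: bytes, known: dict) -> list:
    """Word 6.0: intersect the candidate sets of all known bytes that fall on
    the same key position.  Returns 16 sets; a set of size 1 is resolved."""
    cands = [set(range(256)) for _ in range(KEY_LEN)]
    for off, p in known.items():
        cands[off % KEY_LEN] &= candidates_word6(p, cipher[off])
    return cands


def resolved_key(cands: list):
    """The key as bytes if every position is resolved, else None."""
    if all(len(c) == 1 for c in cands):
        return bytes(next(iter(c)) for c in cands)
    return None


# ---- constructed sample data -------------------------------------------------
KEY = bytes([0x3a, 0x7f, 0x00, 0xc4, 0x1e, 0x3a, 0x9a, 0x62,
             0xd0, 0x11, 0x8f, 0x4c, 0xe3, 0xb7, 0xa9, 0x55])
# two 16 byte blocks standing in for the summary information copy that is also
# kept in the OLE envelope, with unknown body text between them
BLOCK_A = b"Title: Report\x00\x00\x00"   # zeros at 13..15, ':' collides with KEY[5]
BODY = b"secret body text"
BLOCK_B = b"Subject: Test ok"
PLAIN = BLOCK_A + BODY + BLOCK_B
CIPHER6 = encrypt_word6(PLAIN, KEY)
KNOWN_A = {i: BLOCK_A[i] for i in range(16)}
KNOWN_AB = {**KNOWN_A, **{32 + i: BLOCK_B[i] for i in range(16)}}

if __name__ == "__main__":
    part = recover_key_word6(CIPHER6, KNOWN_A)
    print("after block A:", [sorted(c) if len(c) < 4 else len(c) for c in part])
    full = recover_key_word6(CIPHER6, KNOWN_AB)
    print("after both:   ", resolved_key(full) == KEY)
    # Word 2.0: sixteen zero bytes put the key into the file in the clear
    c2 = encrypt_word2(b"\x00" * 16 + BODY, KEY)
    print("word 2 key:   ", c2[:16] == KEY)
```

With only the first block known, key positions 2 and 5 each keep two candidates (key byte zero at position 2, plaintext equal to the key byte at position 5) and positions 13 to 15 learn nothing from the zero bytes; the second block, which puts different nonzero bytes on the same key positions, resolves all sixteen. For the Word 2.0 variant the sixteen zero bytes make the ciphertext at those offsets equal the key itself, which is exactly what WU exploited.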

As far as I know, these problems are being solved quite well by five programs. There is of course Elser, smile. WFWCD is good, though it is free software. WDPASS is very expensive, but it is easy to install and use. Wdcrak lets you make corrections interactively while decoding documents. So does WWPRT.

Elser by Martin Schwartz (schwartz@cs.tu-berlin.de)
Elser is distributed as Perl source code under the terms of the GNU General Public License. Elser can even decrypt documents containing very little or no text.
All systems. Features: decrypting, password resolving

WFWCD by Fauzan Mirza (fauzan@dcs.rhbnc.ac.uk)
WFWCD (20KB), "Word for Windows Password Cracker Demo", is a freeware program that Fauzan dedicates to Hamid Moosavi, Christopher Wilkinson, John Godley and IRON MAIDEN.
DOS program. Features: password resolving

WDPASS by AccessData Corp.
WDPASS currently sells for $185.00. AccessData provides a demonstration version that should be able to decipher documents whose password is exactly 10 characters long.
Windows program. Features: decrypting, password resolving

Wdcrak by Crak Software
Wdcrak currently sells for $99.00. Crak Software provides a demonstration version that should be able to decipher documents whose password is exactly 10 characters long. You can make manual corrections to control the decryption.
Windows program. Features: password resolving

WWPRT by VDS Advanced Research Group
WinWord Password Recovery Tool currently sells for $37.00. VDSARG provides a demonstration version that should be able to decipher documents whose password is exactly 12 characters long.
Windows 95 / NT 4 program. Features: password resolving

Back to Laola homepage.

Martin Schwartz