Microsoft Office RC4 Decryption
Microsoft Office has several available cryptographic options for encrypting Office documents. In the 97-2003 doc format the RC4 stream cipher with a 40-bit key is used by default. The 40-bit key was chosen at a time when export restrictions on encryption technology existed. There have been publications exposing the weaknesses in the implementation beyond the 40-bit key size, but the format is still the default in all Office installations prior to 2007.
I recently had to read up on the implementation in Microsoft Office for Word documents to solve part of the 2009 DC3 forensics challenge. I found the scattered nature of the documentation concerning it somewhat frustrating, and not as clear as it could be in demonstrating the process. I decided to document it here in a single location for posterity. This post will detail the verification process step by step with illustrations showing the process in pseudocode/math/memory. For the most part the images represent byte arrays manipulated with various functions, but should be fairly clear. They are SVG format images; if your browser does not support them you may view them in Inkscape, but most modern browsers should handle them fine. This document does not cover the Word document format itself or how to extract the encryption information – I’ll save that for another post later when I add some code for automatically extracting it.
MediaSentry – Defense moves to suppress in RIAA case
The RIAA cases remind me a great deal of Alice in Wonderland. Sometimes the arguments raised on both sides stretch credulity to the point where I wonder at the respective attorneys’ ability to raise them with a straight face. During my morning browsing of Slashdot I came across this article which links to a motion to suppress all the MediaSentry evidence. Normally the RIAA case is not relevant enough to forensics for me to comment on, but the motion made here touches on the Private Investigators (“PI”) issue which is becoming more relevant to digital forensics in light of Texas’ opinion on digital/computer forensics needing to be done by PIs.
Here, the Defense is arguing MediaSentry violated several state and federal laws in performing its investigation without having a PI license. I am a little biased here, so my personal view is that digital forensics is an expertise-based field just as any other forensics field is, and PI licensing is inappropriate. I picked out a few sections of the brief which I want to look at from a technical perspective. One of my interests right now is examining intersections of law and technology, specifically in terms of what I like to call the “Abstraction Lie.” Technology is presented as an abstraction, and we tend to think of it in abstract terms which hide the ugly implementation details. We may see a picture on the screen, but the actuality of that image exists as bits, gates, registers, and so forth. I’ve observed the legal system often, for want of a pertinent example, tries to fit a technical abstraction into an existing mold, but the underlying implementation does not fit this contrived congruence.