Office workers looking to protect their documents may want to select a higher grade of encryption.
Swiss information-technology firm Objectif Sécurité announced last week that its latest pre-generated list of passwords and their hashes, known as a rainbow table, can now crack the standard encryption on Word and Excel documents in about 5 minutes on average. Using about 4 gigabytes of data, the program, named Ophcrack_office, can quickly defeat almost 99.6 percent of all passwords, according to the company.
"What happens is that we actually crack the 40-bit key that is used to encrypt Word and Excel documents," Philippe Oechslin, CEO of Objectif Sécurité and the inventor of rainbow tables, told SecurityFocus in an e-mail. "We found a way to use the same tables for both Word and Excel, although they have different file formats."
Rainbow tables sidestep the difficulty in cracking a single password by instead creating a large data set of hashes from nearly every possible password. To break a password, the attacker merely looks up the hash to find the password that produces that code. The theory behind rainbow tables extends research done in the early 1980s by Martin Hellman and Ronald Rivest on the performance trade-offs between processing time and the memory needed for cryptanalysis. Others have also attempted to turn the tables into a business.
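To make the time-memory trade-off concrete, here is a toy rainbow table over a 10-bit keyspace. It is an added illustration, not Objectif Sécurité's code: the SHA-256 `one_way` function, the chain parameters and all names are assumptions. It stores only chain endpoints and measures what fraction of the keyspace those endpoints can invert.

```python
import hashlib

KEY_BITS = 10            # toy keyspace (assumption); the article's target is a 40-bit key
N = 1 << KEY_BITS
CHAIN_LEN = 32           # one-way steps per chain: the "time" side of the trade-off

def one_way(key: int) -> bytes:
    """Constructed stand-in for 'key -> value an attacker can observe'."""
    return hashlib.sha256(key.to_bytes(8, "big")).digest()

def reduction(digest: bytes, column: int) -> int:
    """Map a digest back into the keyspace; a different mapping per column."""
    return (int.from_bytes(digest[:8], "big") + column) % N

def walk(key: int, first_col: int) -> int:
    """Follow a chain from `key` at column `first_col` to its endpoint."""
    for col in range(first_col, CHAIN_LEN):
        key = reduction(one_way(key), col)
    return key

def build_table(starts):
    """Keep only endpoint -> start keys; interior keys are recomputed on demand."""
    table = {}
    for start in starts:
        table.setdefault(walk(start, 0), []).append(start)
    return table

def lookup(table, target: bytes):
    """Return a key with one_way(key) == target, or None if no chain covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):      # guess which column holds target
        end = walk(reduction(target, col), col + 1)
        for start in table.get(end, []):
            key = start
            for c in range(CHAIN_LEN):            # replay the chain to confirm
                if one_way(key) == target:
                    return key
                key = reduction(one_way(key), c)
    return None

def coverage(table) -> float:
    """Fraction of the whole keyspace the stored endpoints can invert."""
    return sum(lookup(table, one_way(k)) == k for k in range(N)) / N

if __name__ == "__main__":
    table = build_table(range(N // 8))
    print(f"{len(table)} endpoints for {N} keys, coverage {coverage(table):.1%}")
```

The table holds at most one entry per chain, far fewer than the keys it covers. Each additional key bit doubles the precomputation needed for the same coverage, which is why the key length sets the cost of building such a table.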
While such software has legitimate uses, such as recovering a document to which the password has been lost, data thieves could also use it to steal corporate secrets.
Posted by: Robert Lemos