I was asked recently to comment on "security" of Office 2007. Conversations like this tend to unfold in a certain way… which is to play a fun game of Technology-Tennis, where we volley questions back and forth until we get at the root of the thing… although I've never understood why the grunting is necessary. In the end our conversation was about document encryption. I'd like to post (more or less) the answer to the question on my blog, as it is one that comes up from time to time.
The question was in reference to an article about another product opening XLS files that ignored the protection settings specified on a worksheet tab, and what they could do to ensure their content was actually not viewable by unintended parties. For simplicity, I'll reduce the discussion to what happens in the applications here (vs. the use of SharePoint, NTFS, BitLocker or things like IPSec).
The conversation began by explaining that the functionality in Excel to show/hide or protect content within the workbook is not intended as a full-fledged "security" feature, but rather as "strong guidance" for how the consumer should be reading the information in the workbook. The use of encryption with Office is much more robust, and is the recommended method for how to apply a password to an Office 2007 document for Word, Excel or PowerPoint.
For the full detail, read this document. If you are interested in the deeper story of how Office security is managed, download this guide. If you are interested in reading about how Open XML documents are encrypted, read this document. If you are interested in reading the blog of a (the) Office security guru, read here: http://blogs.msdn.com/david_leblanc/default.aspx . His most recent post is about the MS-CRYPTO documentation.
I think you'll find that the breadth and depth of coverage available for encrypting documents, helping secure communication, protecting users from potentially harmful content and other aspects of security are an excellent illustration of how much innovation we bring to the table with any new Office release.
Below is an excerpt from the first white paper I referenced:
Microsoft 2007 Office system Document Encryption Improvements
Password protection is not a new concept in the Microsoft 2007 Office system, but it has been made stronger and easier to use. Previous versions of Microsoft Office used an RC4 stream cipher with a key length of up to 128 bits. The problem with this approach was that when changes are made to the encrypted document and the document is saved, the initialization vector (IV) remains unchanged and the same keystream is used to encrypt subsequent versions of the encrypted document. This weakness in the implementation of the RC4 encryption algorithm made it possible for hackers to compare two versions of a password-protected file to discover the contents and allow unauthorized users to read its contents. A number of software companies took advantage of these limitations to make "password recovery utilities" that could decrypt RC4-protected documents. Obviously, it was time to move to a new means of encrypting documents.
Microsoft 2007 Office system document encryption is a significant improvement. The encryption information block is the same as in previous versions of Office, but the Microsoft 2007 Office system uses the Advanced Encryption Standard (AES) encryption, which is the strongest industry-standard algorithm available and was selected by the National Security Agency (NSA) to be used as the standard for the U.S. Government. AES has a default 128-bit key (which can be increased to 256-bit via the Windows Registry) and uses SHA-1 hashing. In addition, the Microsoft 2007 Office system improves the algorithm of converting passwords into keys: 50,000 SHA-1 sequential iterations are performed.
Some key facts about Microsoft 2007 Office system document encryption:
It's important to note that there are two options to add a password in Microsoft 2007 Office system documents. One option enables you to encrypt the document using a password; this is referred to as a Password to open. The second option does not use any encryption. It is designed so you can collaborate with content reviewers you trust, but is not designed to help make the file more secure. This is referred to as the Password to modify.
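The keystream reuse that the excerpt describes for the older RC4 scheme, as an added example (not code from the white paper or from Office): two saves under the same key and IV expose exactly which bytes changed and the XOR of the two plaintexts, while a fresh per-save salt removes that relation. The key, the sample text, and the `save_fresh_salt` key-mixing step are constructed for illustration and are not Office's actual format.

```python
import hashlib
import os

# Constructed sample data: one document key and two same-length revisions.
DOC_KEY = bytes(range(16))
V1 = b"Q3 forecast: revenue 1,200,000 USD"
V2 = b"Q3 forecast: revenue 1,950,000 USD"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def save_fixed_iv(doc_key: bytes, plaintext: bytes) -> bytes:
    """Models the weakness: every save reuses the same key/IV, so the same keystream."""
    return rc4(doc_key, plaintext)


def save_fresh_salt(doc_key: bytes, plaintext: bytes):
    """Illustrative fix (an assumption, not Office's scheme): new random salt per save."""
    salt = os.urandom(16)
    return salt, rc4(hashlib.sha256(salt + doc_key).digest(), plaintext)


def changed_offsets(a: bytes, b: bytes) -> list:
    """Byte positions where two equal-length buffers differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def leaks_difference(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 equals p1 XOR p2, i.e. the keystream cancelled out."""
    return bytes(x ^ y for x, y in zip(c1, c2)) == bytes(x ^ y for x, y in zip(p1, p2))


if __name__ == "__main__":
    c1, c2 = save_fixed_iv(DOC_KEY, V1), save_fixed_iv(DOC_KEY, V2)
    print("changed offsets visible in ciphertext:", changed_offsets(c1, c2))
```

With the fixed IV, the ciphertexts differ only where the plaintexts differ, so an observer with both saved versions learns the edit positions and the XOR of the edited bytes without knowing the password.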
Just referring back to our interoperability principles for a moment, and the ongoing commitment to them.
EMC Corporation, IBM and Microsoft today announced a jointly developed specification which uses Web Services and Web 2.0 interfaces to enable applications to interoperate with multiple Enterprise Content Management (ECM) repositories of different vendors.
CMIS is a technical specification domain model (data and services) for interacting with an ECM repository via Web Services. It provides a content management domain-specific data model, a set of generic services that act on that data model and several protocol bindings for these services, including Simple Object Access Protocol (SOAP) and Representational State Transfer (REST)/(ATOM).
It is intended that the CMIS specification will be submitted to OASIS (Organization for the Advancement of Structured Information Standards).
By working with other ECM vendors, hopefully this proposed standard will simplify cross-system content exchange by easing some of the implementation complexity.
If you want to read the spec, go here: http://go.microsoft.com/fwlink/?LinkId=127855
More details are here and here.
It was pointed out to me today that some folks were unable to comment on the material. I was 'tuning' the site recently and probably was the cause of that; please accept my apologies. It should be working now!