# 2.3.6.2 Encryption Key Derivation

**Office**

The encryption key for Office binary document RC4 encryption is generated by using the following method: Let H() be the MD5 hashing algorithm, Hn be the hash data of the nth iteration, and a plus sign (+) represent concatenation. The password MUST be provided as an array of Unicode characters.

Limitations on the length of the password and the characters used by the password are implementation-dependent. For details about behavior variations, see [MS-DOC] and [MS-XLS]. Unless otherwise specified, the maximum password length MUST be 255 Unicode characters.

The initial password hash is generated as follows.

H0 = H(password)

The salt used MUST be generated randomly and MUST be 16 bytes in size. The salt MUST be stored in the **Salt** field of the **RC4 Encryption Header** structure (section 2.3.6.1). The hash is then computed by using the following approach:

- Let **TruncatedHash** be the first 5 bytes of H0.
- Let **IntermediateBuffer** be a 336-byte buffer.
- Form a 21-byte buffer by concatenating **TruncatedHash** plus the salt. Initialize **IntermediateBuffer** by copying the 21-byte buffer into **IntermediateBuffer** a total of 16 times.
- Use the following: H1 = H(IntermediateBuffer).

After the final hash has been obtained, the encryption key MUST be generated by using the first 5 bytes of the final hash data and a block number that is provided by the application. The encryption algorithm MUST be RC4. The method used to generate the hash data that is the input into the key derivation algorithm is the following:

- Let **TruncatedHash** be the first 5 bytes of H1.
- Use the following: Hfinal equals H(TruncatedHash + block).

The block number MUST be a 32-bit unsigned value provided by the application.

The first 128 bits of Hfinal MUST then be used as the derived encryption key.
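The full derivation above, from password to per-block key, as an added example that is not part of the specification text. The function names are hypothetical, and two details are assumptions: the password is serialized as UTF-16LE (with the length limit counted in UTF-16 code units), and the block number is appended as 4 little-endian bytes.

```python
import hashlib
import struct

SALT_LEN = 16             # size of the Salt field in the RC4 Encryption Header
TRUNC_LEN = 5             # bytes kept from H0 and from H1
MAX_PASSWORD_CHARS = 255  # default limit stated in the section


def intermediate_buffer(password: str, salt: bytes) -> bytes:
    """Return the 336-byte IntermediateBuffer for a password and salt."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 16 bytes")
    # Assumption: the Unicode character array is serialized as UTF-16LE,
    # and the length limit is counted in UTF-16 code units.
    encoded = password.encode("utf-16-le")
    if len(encoded) // 2 > MAX_PASSWORD_CHARS:
        raise ValueError("password exceeds 255 Unicode characters")
    h0 = hashlib.md5(encoded).digest()        # H0 = H(password)
    return (h0[:TRUNC_LEN] + salt) * 16       # 21-byte buffer copied 16 times


def h1(password: str, salt: bytes) -> bytes:
    """H1 = H(IntermediateBuffer)."""
    return hashlib.md5(intermediate_buffer(password, salt)).digest()


def derive_block_key(password: str, salt: bytes, block: int) -> bytes:
    """Return the 128-bit RC4 key for one application-supplied block number."""
    if not 0 <= block <= 0xFFFFFFFF:
        raise ValueError("block must fit in a 32-bit unsigned value")
    # Assumption: the block number is appended as 4 little-endian bytes.
    packed = struct.pack("<I", block)
    h_final = hashlib.md5(h1(password, salt)[:TRUNC_LEN] + packed).digest()
    return h_final[:16]                       # first 128 bits of Hfinal


if __name__ == "__main__":
    salt = bytes(range(16))                   # constructed salt, for illustration only
    for block in (0, 1):
        print(block, derive_block_key("Passw0rd!", salt, block).hex())
```

Only the 5-byte **TruncatedHash** of H1 and the block number feed Hfinal, so every block key is determined by 40 bits of secret material regardless of password strength.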