4.1.3.2 Office Binary Document RC4 CryptoAPI Encryption

The Office binary document RC4 CryptoAPI encryption method is not recommended and ought to be used only when backward compatibility is required.

Passwords are limited to 255 Unicode characters.

Office binary document RC4 CryptoAPI encryption has the following known cryptographic weaknesses:

• The key derivation algorithm described in section 2.3.5.2 is weak because of the lack of a repeated iteration mechanism, and the password might be subject to rapid brute-force attacks.

• Encryption begins with the first byte and does not throw away an initial range as is recommended to overcome a known weakness in the RC4 pseudorandom number generator.

• No provision is made for detecting corruption within the encryption stream (1), which exposes encrypted data to bit-flipping attacks.

• When used with small key lengths (such as 40-bit), brute-force attacks on the key without knowing the password are possible.

• Some streams (1) are not encrypted.

• Key stream (1) reuse can occur in document data streams (1), potentially with known plaintext, implying that certain portions of encrypted data can be either directly extracted or trivially retrieved.

• Key stream (1) reuse occurs multiple times within the RC4 CryptoAPI Encrypted Summary stream (1).

• Document properties might not be encrypted, which could result in information leakage.

Because of the cryptographic weaknesses of the Office binary document RC4 CryptoAPI encryption, it is considered insecure, and therefore is not recommended when storing sensitive materials.