Schneier on Security: Microsoft RC4 Flaw

R.A. Hettinga rah at
Wed Jan 19 07:08:25 PST 2005



Bruce Schneier

Schneier on Security

A weblog covering security and security technology.

January 18, 2005

Microsoft RC4 Flaw

One of the most important rules of stream ciphers is to never use the same
keystream to encrypt two different documents. If someone does, you can
break the encryption by XORing the two ciphertext streams together. The
keystream drops out, and you end up with plaintext XORed with plaintext --
and you can easily recover the two plaintexts using letter frequency
analysis and other basic techniques.

It's an amateur crypto mistake. The easy way to prevent this attack is to
use a unique initialization vector (IV) in addition to the key whenever you
encrypt a document.

Microsoft uses the RC4 stream cipher in both Word and Excel. And they make
this mistake. Hongjun Wu has details (link is a PDF).
In this report, we point out a serious security flaw in Microsoft Word and
Excel. The stream cipher RC4 [9] with key length up to 128 bits is used in
Microsoft Word and Excel to protect the documents. But when an encrypted
document gets modified and saved, the initialization vector remains the
same and thus the same keystream generated from RC4 is applied to encrypt
the different versions of that document. The consequence is disastrous
since a lot of information of the document could be recovered easily.

This isn't new. Microsoft made the same mistake in 1999 with RC4 in WinNT
Syskey. Five years later, Microsoft has the same flaw in other products.

Posted on January 18, 2005 at 09:00 AM

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list