Microsoft Office and its VelvetSweatshop password-protected files

Everyone knows that since Office 2007, all Office file formats have been converted to the Office Open XML standard, which is nothing more than a zip containing a bunch of XML files. A lot of IT guys also know that Microsoft's (password) protection of spreadsheets is nothing more than a tiny user interface lock and one line of code in the underlying XML, which of course is only a real issue to users of Excel. Starting with OpenOffice, there is actually good encryption built into the file format. It can now use AES encryption, which is currently the standard for encryption.

But what if we locked parts of the spreadsheet without password-protecting the file (using just the cell protection)? This would implicitly tell us that Office can open the file without a password. Inspecting some of these files, which I got as an assignment for my job, I found out that Office does encrypt these files. Opening these kinds of files as a zip is impossible because they have become an OLE object instead, which acts as the encrypted data container.
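A quick way to tell the two containers apart during file triage, as an added example that is not part of the original post or of the ooxmlcrypto library. It assumes the stream names `EncryptedPackage` and `EncryptionInfo` that the Office encryption format stores inside the OLE container; the sample inputs are constructed stubs, and the name search is a heuristic rather than a full compound-file parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature
ZIP_MAGIC = b"PK\x03\x04"                      # zip local file header
# Compound file directory entries store stream names as UTF-16LE.
ENCRYPTED_STREAMS = [n.encode("utf-16-le")
                     for n in ("EncryptedPackage", "EncryptionInfo")]


def classify_office_file(data: bytes) -> str:
    """Return 'ooxml-zip', 'zip-other', 'ole-encrypted-package',
    'ole-other' or 'unknown' for the raw bytes of a file."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Every Office Open XML package carries this part.
                if "[Content_Types].xml" in zf.namelist():
                    return "ooxml-zip"
        except zipfile.BadZipFile:
            return "unknown"
        return "zip-other"
    if data.startswith(OLE_MAGIC):
        # Heuristic: both encryption streams must be named in the file.
        if all(name in data for name in ENCRYPTED_STREAMS):
            return "ole-encrypted-package"
        return "ole-other"  # e.g. a legacy .xls/.doc
    return "unknown"


def sample_plain_xlsx() -> bytes:
    """Constructed minimal zip that looks like an unencrypted package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


def sample_encrypted_stub() -> bytes:
    """Constructed stub: OLE signature plus two padded directory names.
    Not a valid compound file, only enough bytes for the heuristic."""
    names = b"".join(n.ljust(128, b"\x00") for n in ENCRYPTED_STREAMS)
    return OLE_MAGIC + b"\x00" * 504 + names


if __name__ == "__main__":
    for label, blob in (("plain", sample_plain_xlsx()),
                        ("encrypted", sample_encrypted_stub())):
        print(label, "->", classify_office_file(blob))
```

The classification only shows that a package is encrypted; whether the key is the default password or a user-chosen one can only be established by attempting decryption.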

To unlock these files, you’ll need the password Microsoft hardcoded as some useless feature in their Office programs, “VelvetSweatshop” (which is, ironically enough, a wink at critics of Microsoft’s PO policy in 1989). Microsoft Office of course has this feature (try the password and, if that fails, ask the user). Luckily, I was not the first to find out that Microsoft introduced this password protection, although it took me some hours of googling to get this knowledge.

I could get my files decrypted using the ooxmlcrypto library by Danilo Mirkovic (plus some minor tweaks to get it running on Mono).

One thought on “Microsoft Office and its VelvetSweatshop password-protected files”

  1. Dear Meindert-Jan,

    I just found your website.

    Are you currently available for a project? I am currently looking for a mid-level C# developer for a large project. At least 4 days per week. From December 2012 to September 2013.

    You can email (m.visscher@aatop.nl) or call 06 – 47 57 86 46.

    Kind regards,
    Aatop ICT

    Matthijs Visscher
