2.3.6.2 Encryption Key Derivation

The encryption key for Office binary document RC4 encryption is generated by using the following method: Let H() be the MD5 hashing algorithm, Hn be the hash data of the nth iteration, and a plus sign (+) represent concatenation. The password MUST be provided as an array of Unicode characters.

Limitations on the length of the password and the characters used by the password are implementation-dependent. For details about behavior variations, see [MS-DOC] and [MS-XLS]. Unless otherwise specified, the maximum password length MUST be 255 Unicode characters.

The initial password hash is generated as follows.

  • H0 = H(password)

The salt used MUST be generated randomly and MUST be 16 bytes in size. The salt MUST be stored in the Salt field of the RC4 Encryption Header structure (section 2.3.6.1). The hash is then computed by using the following approach:

  1. Let TruncatedHash be the first 5 bytes of H0.

  2. Let IntermediateBuffer be a 336-byte buffer.

  3. Form a 21-byte buffer by concatenating TruncatedHash plus the salt. Initialize IntermediateBuffer by copying the 21-byte buffer into IntermediateBuffer a total of 16 times.

  4. Use the following: H1 = H(IntermediateBuffer).

After the final hash has been obtained, the encryption key MUST be generated by using the first 5 bytes of the final hash data and a block number that is provided by the application. The encryption algorithm MUST be RC4. The method used to generate the hash data that is the input into the key derivation algorithm is the following:

  • Let TruncatedHash be the first 5 bytes of H1.

  • Use the following: Hfinal equals H(TruncatedHash + block).

The block number MUST be a 32-bit unsigned value provided by the application.

The first 128 bits of Hfinal MUST then be used as the derived encryption key.