Examining the security of office software: which mechanisms affect data protection





Recently, D-Russia published an opinion piece by Vladimir Katalov, CEO of Elcomsoft, on how susceptible password-protected office software files are to brute-force attacks. The company specializes in forensic analysis of computers, mobile devices and cloud data, and its publication, among other things, assessed the security of MyOffice products when working with data. As a developer of Russian software for document collaboration and communications, we hold a different point of view and want to draw attention to inaccuracies in the publication.



It should be said at the outset that it is incorrect to equate product certification and reliability assurance with the implementation of one specific function, password protection for documents, and still less to equate that function with the overall level of security of MyOffice products.



We welcome Elcomsoft's expertise and development work in the area of password protection. At the same time, we would like to note that document encryption mechanisms based on password information do not, in ordinary editors, provide an adequate level of confidentiality for restricted-access information. A line of secure solutions from any manufacturer implies comprehensive (layered) protection at the level of the application, operating system, workstation, network and information infrastructure as a whole.



MyOffice offers application-level information security tools. MyOffice solutions implement communication channel protection (TLS), encryption and electronic signature functions for mail messages, and can support Russian cryptographic libraries (more about security functions). MyOffice products regularly undergo certification tests for compliance with the regulator's current requirements and fully comply with them. In particular, the product "MyOffice Standard", the trial version of which Elcomsoft specialists studied in their publication, was successfully certified by the FSTEC of Russia and received a certificate confirming the absence of undeclared capabilities and compliance with the requirements for the level of trust (more about certification).



If necessary and at the customer's request, MyOffice solutions can be supplemented with additional information security tools. These include both add-on software and combined software-and-hardware protection, for example protected key media. MyOffice products are compatible with CryptoPro solutions, which are widespread in the Russian Federation, including in government bodies and large commercial organizations. Taken together, the implemented information security measures allow our users to run MyOffice products at critical information infrastructure facilities.



Considering the above, the password protection function cannot be considered the only criterion for ensuring information security, still less the key one. Because of a number of its technological features, it is also not subject to certification. In general, under the current regulations of the FSTEC of Russia certification system, software is assessed for compliance with a specific set of requirements, and the standard file password protection function is not declared as a protection function.



Nevertheless, we are grateful to our colleagues for their attention to how this function is implemented in the MyOffice editors. It was included in the products, among other things, to ensure compatibility with our users' existing files. One of the key advantages of our products is support for a large number of formats: the document and spreadsheet editors can work with all known file formats, including obsolete ones that our users have accumulated over the years and still use in their workflows.



The choice of parameters for the password protection function is determined by the requirements of the OOXML and ODF standards with respect to backward compatibility. Considering the exponential dependence of the key guessing speed on the key length, the number of characters in the password, and the type of character set used, we would be interested to know under what test conditions such a significant skew in the published results was observed. We will further strengthen the password protection function, but we emphasize once again that it cannot comprehensively determine the security of our products.
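An added example, not MyOffice or Elcomsoft code: an encrypted ODF package records the cipher and key-derivation parameters for each entry in META-INF/manifest.xml, so a defender can check which parameters a given file was actually saved with. The sample manifest, the 100,000-iteration policy floor and the function names are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
MIN_ITERATIONS = 100_000  # assumed policy floor, not a value from the page

# Constructed META-INF/manifest.xml; salts, IVs and checksums are dummy values.
SAMPLE_MANIFEST = f"""<manifest:manifest xmlns:manifest="{NS}">
 <manifest:file-entry manifest:full-path="mimetype"/>
 <manifest:file-entry manifest:full-path="content.xml">
  <manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="AAAA">
   <manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="AAAA"/>
   <manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:iteration-count="1024" manifest:salt="AAAA"/>
  </manifest:encryption-data>
 </manifest:file-entry>
 <manifest:file-entry manifest:full-path="styles.xml">
  <manifest:encryption-data manifest:checksum-type="{NS}#sha256-1k" manifest:checksum="AAAA">
   <manifest:algorithm manifest:algorithm-name="http://www.w3.org/2001/04/xmlenc#aes256-cbc" manifest:initialisation-vector="AAAA"/>
   <manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="32" manifest:iteration-count="100000" manifest:salt="AAAA"/>
  </manifest:encryption-data>
 </manifest:file-entry>
</manifest:manifest>"""


def q(name):
    return f"{{{NS}}}{name}"  # qualify a local name with the manifest namespace


def audit_manifest(xml_text, min_iterations=MIN_ITERATIONS):
    """Return one finding per encrypted entry: cipher, KDF, iteration count."""
    findings = []
    # ElementTree is fine for this inline sample; use defusedxml on untrusted files.
    for entry in ET.fromstring(xml_text).iter(q("file-entry")):
        enc = entry.find(q("encryption-data"))
        if enc is None:
            continue  # entry is stored unencrypted
        alg, kdf = enc.find(q("algorithm")), enc.find(q("key-derivation"))
        cipher = alg.get(q("algorithm-name")) if alg is not None else None
        kdf_name = kdf.get(q("key-derivation-name")) if kdf is not None else None
        raw = kdf.get(q("iteration-count"), "") if kdf is not None else ""
        iterations = int(raw) if raw.isdigit() else 0  # missing or garbled counts as 0
        findings.append({
            "path": entry.get(q("full-path")),
            "cipher": cipher, "kdf": kdf_name, "iterations": iterations,
            # Per-guess KDF work relative to the policy floor (1.0 meets it).
            "relative_cost": iterations / min_iterations,
            "weak": iterations < min_iterations,
        })
    return findings
```

Each returned finding shows how much key-derivation work one password guess costs relative to the chosen floor, which is the parameter a file format's backward-compatibility defaults most directly control.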



If we talk about document encryption as a method of restricting access to information, it is advisable to use PKI (public key infrastructure) elements rather than password protection functions. This includes protecting data using qualified certificates for electronic signature verification keys, where the level of cryptographic strength, including resistance to password guessing, is at a fundamentally different level. This method allows encryption using asymmetric cryptography, to which the brute-force attacks Elcomsoft specializes in do not apply.



The security of an electronic signature under GOST R 34.10-2012 is based on the difficulty of computing the discrete logarithm in the group of points of an elliptic curve, as well as on the security of the hash function used, in accordance with GOST R 34.11-2012. These cryptographic information protection standards were developed by the Center for Information Security and Special Communications of the FSB of Russia together with TC 26.



The article also contains inaccurate information about the open source software components used in MyOffice solutions: it is not true that the password protection function is implemented on the basis of OpenOffice technologies. The core, the interface and a significant part of the MyOffice platform code, including the office editors, were written from scratch, entirely by the company's specialists (more than 1.5 million lines of its own code in total). The password protection feature mentioned in the article is proprietary and has nothing to do with OpenOffice solutions.



We welcome Elcomsoft's decision to add password recovery for encrypted documents and spreadsheets in MyOffice document formats to the new versions of Advanced Office Password Recovery and Distributed Password Recovery. The MyOffice ecosystem has thus gained another technology partner, a leader in the development of service utilities in the field of information security. We hope for further cooperation in the independent audit of MyOffice software solutions, which will make our products even better.


