January 18, 2007
Philippe Oechslin responds to my Rainbow Table column
Philippe Oechslin, creator of the rainbow table method and of the tables themselves, emailed me regarding my recent column on rainbow tables.
Here's his email.
Hello Roger,
I just saw your online article on CSO online in Australia.
I thought you might be interested to know that rainbow tables can also be used to crack Office documents. The default encryption scheme of Word and Excel has the same default as Windows password hashes: it is predictable (there is no salt or randomness).
We have a product that cracks a Word or Excel document in minutes, whatever the password (any length or complexity, since what we crack is not the password but the resulting 40-bit key that is used to encrypt the document).
I could get you an evaluation version if you wanted to test (I would have to send you a DVD with the 4GB of tables). Alternatively, I could crack a few documents for you.
There is info on this on our product page:
http://www.objectif-securite.ch/en/products.php
Well, you write: "Rainbow tables are closely related to a cracking technique pioneered by Philippe Oechslin".
Actually, rainbow tables were invented by Philippe Oechslin. I should know. I coined the name rainbow table in my research paper presented at Crypto 2003.
http://lasecwww.epfl.ch/pub/lasec/doc/Oech03.pdf
BTW, we have a large article in the February issue of Hakin9 magazine (http://en.hakin9.org/) about rainbow tables and how we optimize their implementation.
regards,
Philippe
Posted by Roger Grimes on January 18, 2007 06:42 AM
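As an added illustration (not part of the original post, and not Oechslin's product code), the following Python builds a small rainbow table over a toy 16-bit key space for a fixed, unsalted verifier computation, recovers keys from it, and then shows that a per-document salt drops the same table's success rate to zero. The `verifier` function, the key size and the chain parameters are constructed for this demo and are not Office's actual algorithm.

```python
import hashlib

# Toy parameters: a 16-bit key space stands in for the 40-bit Office key.
N = 1 << 16
CHAIN_LEN = 64      # t: steps per chain
NUM_CHAINS = 4096   # m: chains kept; m*t = 4N gives roughly 90% coverage

def verifier(key: int, salt: bytes = b"") -> bytes:
    """Stand-in for 'encrypt a known verifier block under the key'. With an
    empty salt the output depends on the key alone, so one table fits all."""
    return hashlib.sha256(salt + key.to_bytes(2, "big")).digest()[:4]

def reduce_to_key(c: bytes, col: int) -> int:
    """Column-specific reduction (ciphertext -> key); one per column = rainbow."""
    return (int.from_bytes(c, "big") + col) % N

def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains once; keep only endpoint -> start key."""
    table = {}
    for n in range(num_chains):
        start = (n * 2654435761) % N   # odd multiplier: distinct start keys
        k = start
        for col in range(chain_len):
            k = reduce_to_key(verifier(k), col)
        table.setdefault(k, start)     # merged chains: keep the first one
    return table

def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Return a key k with verifier(k) == target, or None if not covered."""
    for col in range(chain_len - 1, -1, -1):
        k = reduce_to_key(target, col)  # assume target came from column col
        for j in range(col + 1, chain_len):
            k = reduce_to_key(verifier(k), j)   # walk to the chain's end
        start = table.get(k)
        if start is None:
            continue
        k = start                      # regenerate chain, check each column
        for j in range(col + 1):
            if verifier(k) == target:
                return k
            k = reduce_to_key(verifier(k), j)
    return None                        # only false alarms, or not covered

def success_rate(table: dict, keys, salt: bytes = b"") -> float:
    """Fraction of keys recovered when every document uses `salt`."""
    hits = sum(lookup(table, verifier(k, salt)) is not None for k in keys)
    return hits / len(keys)
```

The table stores only 4096 endpoints yet recovers most of the 65536 keys; the same table recovers none once each document mixes in its own random salt, which is the fix Oechslin's email implies.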