Microsoft's CBC4k block mode

During the development of my AIP attack tool I came across Microsoft's modes of operation for symmetric encryption algorithms in AIP. They are named ‘ECB’, ‘CBC4k No Padding’, ‘CBC4k With Padding’ and ‘CBC512 no Padding’ (1). Previously I had the problem that I never saw the usage of CBC4k modes in any AD RMS, Azure RMS or AIP protected Word file. During a bachelor thesis of one of my students I took a closer look at ptxt files, which are normal text documents protected with the help of RMS (2) (3). When I tried to decrypt these files with my tool, I saw that these files were protected with the help of ‘CBC4k With Padding’. After searching through the internet for a while, I realized Microsoft never documented the implementation of these special CBC modes of operation.

CBC4k

In order to understand how this mode works, I started API Monitor and analyzed the IPCNotepad program. I found an IV in the called BCryptDecrypt() function, which popped out of nowhere. It took me more time than would have been necessary, but finally I found the solution:

iv = AES_ECB_ENC{key}(‘00000000000000000000000000000000’)

plaintext = AES_CBC_DEC{key,iv}(ciphertext)

or as Python 3 code:

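from Crypto.Cipher import AES
import binascii

key = binascii.unhexlify('7878aad480ae8efe82a2059026d280327582b6c399030d0f3ba989ea1097bfd9')
ciphertext = binascii.unhexlify('994487a54c865d7317d988bbcf3ae700')

# The IV is the AES-ECB encryption of one all-zero block under the content key
encryptor_ecb = AES.new(key, AES.MODE_ECB)
iv = encryptor_ecb.encrypt(binascii.unhexlify('00000000000000000000000000000000'))

# Ordinary AES-CBC decryption with the derived IV
decryptor_cbc = AES.new(key, AES.MODE_CBC, iv)
plaintext_padded = decryptor_cbc.decrypt(ciphertext)

# Print as hex so the padding bytes are visible
print(binascii.hexlify(plaintext_padded))
# b'6d617274696e0a0a0a0a0a0a0a0a0a0a'
# i.e. 'martin' followed by ten 0x0a padding bytes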

You will probably recognize this padding scheme because it is the padding known from PKCS #7 and also used in TLS. It was attacked in 2002 by Serge Vaudenay's padding oracle