Password hash


#1

Dear Laurence,



Previously when we used JExcelAPI we were able to extract the password
hash from a sheet inorder to verify that the user submitting the excel
file hasn’t tampered with the workbook. Is this something you could
consider to add to Aspose Cells?



Best regards,

Ulf Ekström


#2

Dear Ulf,

I am not clear about your need. Could you elaborate it? Please provide sample file and code to show your need.


#3

Dear Laurence,



Our system sends out bidforms (excel workbooks) to a lot of different
suppliers. The suppliers then fill in certain fields in the bidform and
submitts it back to our system. It is really easy for anyone to
download a password cracker for Excel from Internet and therefore we
need to check that the submitted bidform hasn’t been tampered with. One
way to do this is by extracting the hashed password from each sheet and
compare it with our original sheets. Each Excel worksheet contains a
hashed version of its password. JExcelApi has the following method in
the SheetSettings object:

getPasswordHash

public int getPasswordHash()

Accessor for the password hash

Returns:passwordHash

Could you add a similar method to your Protection class?



Thanks and best regards,

Ulf Ekström


#4

Dear Ulf,

I have the following questions:

1. Do you know if this hash code is created by JExcelApi or MS Excel?

2. Are those files encrypted in MS Excel?


#5

If your files’ password are cracked, how can this hash code figure it out? We will check this issue but currently I don’t understand why this hash code can distiguish if the file is tampered.


#6

Could you post a sample file to show how your file is protected?


#7

Dear Laurence,



The hash value is calculated by Excel when you protect a sheet. From
the http://sc.openoffice.org/excelfileformat.pdf file (page 108):

----------------------------------------------------------------------------------------------

5.18.2 Sheet Protection in a Workbook (BIFF4W-BIFF8)

The PROTECT record in the Worksheet Protection Block indicates that the sheet is protected. There may follow a

SCENPROTECT record or/and an OBJECTPROTECT record. The optional PASSWORD record contains the hash

value of the password used to protect the sheet (➜5.18.4). In BIFF8X
there may occur additional records following the cell records in the
Worksheet Substream (➜5.2.6).

Sheet protection with password does not cause to switch on read/write file protection. Therefore the file will not be

encrypted.

Structure of the Worksheet Protection Block, BIFF4W-BIFF8:

○ PROTECT Worksheet contents: 1 = protected (➜6.77)

○ WINDOWPROTECT Window settings: 1 = protected (BIFF4W only, ➜6.110)

○ OBJECTPROTECT Embedded objects: 1 = protected (➜6.69)

○ SCENPROTECT Scenarios: 1 = protected (BIFF5-BIFF8, ➜6.86)

○ PASSWORD Hash value of the password; 0 = no password (➜6.72)

------------------------------------------------------------------------------------------------



This is the password hash value I am interested in.



Comparing the hash values in submitted sheets with hash values in the original sheets we can stop the users from two things:

  1. Removing the sheet and adding a new sheet with the same name, since the new sheet will have different hash value.
  2. Using a password cracker to unprotect the sheet, since that will also change the hash value in the excel file.



    Best regards,

    Ulf

#8

Hi Ulf,

We will release a new version which will include this feature in the next week .


#9

That is great news. Thanks a lot.



Best regards,

Ulf Ekström