
Password Recovery for ZIP/OFFICE File on FPGA

1. WORD format analysis:


Word 2007:

Example format:
Test_1.docx:$office$*2007*20*128*16*e5cd4f385f8e37a4c72dfc688473c661*633207a4a300e00f5650cdc66a778c57*fa111b113a17b90d4e33b652b5e3e093d5527a0b

filename:$office$*Version*verifierHashSize*keySize*saltSize*Salt*encryptedVerifier*encryptedVerifierHash

- Version : 2007
- VerifierHashSize (4 bytes) : specifies the number of bytes used by the hash of the randomly
generated Verifier.
- KeySize : KeyBits (AES 128/192/256)
- SaltSize : size of the Salt value
- Salt : Salt value
- EncryptedVerifier (16 bytes) : the randomly generated 16-byte Verifier value, encrypted
using the algorithm chosen by the implementation.
- EncryptedVerifierHash : an array of bytes that contains the encrypted form of the hash of
the randomly generated Verifier value.

2. ZIP format analysis:


ZIP2

Format:
filename:$zip2$*Ty*Mo*Ma*Sa*Va*Le*DF*Au*$/zip2$

Ty : type (0) and ignored.
Mo : mode (1, 2, 3 for 128/192/256 bit)
Ma : magic (file magic). This is reserved for now and must be '0'.
Sa : salt (hex). 8, 12 or 16 bytes of salt (depends on mode)
Va : verification bytes (hex) (2-byte quick checker)
Le : real compr len (hex), length of compressed/encrypted data (field DF)
DF : compressed data. DF can be Le*2 hex bytes, and if so, then it is the ENTIRE file blob
written 'inline'
Au : authentication code (hex), a 10-byte hex value that is the hmac-sha1 of data over DF.
This is the binary() value

* Metadata : the Local File Header, which contains information about the compressed file (Ty, Mo, Ma)
* Salt : salt (8/12/16 bytes) (Sa)
* Ciphertext : the result of encrypting the data (DF)
* Password Verification Value PV (2 bytes) : the value used to check (compare) against the PV
produced at encryption time (Va)
* MAC : authentication code (Au)
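
A parser for the `$zip2$` line layout described above, as an added example (not code from the original page or from any tool's source). It handles only the inline case where DF holds exactly Le bytes written as hex; `Zip2Record`, `parse_zip2` and the sample line are names and data constructed for illustration.

```python
from dataclasses import dataclass

# Mode value -> (AES key bits, salt length in bytes), from the field list above.
MODES = {1: (128, 8), 2: (192, 12), 3: (256, 16)}
TAIL = "*$/zip2$"

@dataclass
class Zip2Record:
    filename: str
    key_bits: int
    salt: bytes
    verifier: bytes   # Va: 2-byte quick check
    data: bytes       # DF: inline ciphertext blob
    auth_code: bytes  # Au: 10-byte HMAC-SHA1 tag over DF

def parse_zip2(line: str) -> Zip2Record:
    """Parse one 'filename:$zip2$*...*$/zip2$' line (inline-DF case only)."""
    filename, sep, rest = line.strip().partition(":$zip2$*")
    if not sep or not rest.endswith(TAIL):
        raise ValueError("missing $zip2$ / $/zip2$ markers")
    fields = rest[: -len(TAIL)].split("*")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}")
    _ty, mo, ma, sa, va, le, df, au = fields  # Ty is ignored per the format
    if ma != "0":
        raise ValueError("Ma (magic) must be '0'")
    if not mo.isdigit() or int(mo) not in MODES:
        raise ValueError("Mo (mode) must be 1, 2 or 3")
    key_bits, salt_len = MODES[int(mo)]
    try:
        salt, verifier, data, auth = (bytes.fromhex(f) for f in (sa, va, df, au))
        length = int(le, 16)
    except ValueError:
        raise ValueError("Sa/Va/Le/DF/Au must be hex") from None
    # Reject lines whose field sizes disagree with the mode or with Le.
    for name, got, want in (("Sa", len(salt), salt_len), ("Va", len(verifier), 2),
                            ("DF", len(data), length), ("Au", len(auth), 10)):
        if got != want:
            raise ValueError(f"{name}: {got} bytes, expected {want}")
    return Zip2Record(filename, key_bits, salt, verifier, data, auth)

# Constructed sample line (not taken from a real archive).
SAMPLE = ("secret.zip:$zip2$*0*3*0*00112233445566778899aabbccddeeff"
          "*1a2b*4*deadbeef*0102030405060708090a*$/zip2$")

if __name__ == "__main__":
    print(parse_zip2(SAMPLE))
```
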

ZIP format:

filename:$zip$*type*hex(CRC)*encryption_strength*hex(salt)*hex(password_verification_value):hex(authentication_code)

ZIP3 format:

filename:$zip3$*Ty*Al*Bi*Ma*Sa*Erd*Le*DF*Au*Fn
Ty : type (0) and ignored.
Al : algorithm (1 for AES)
Bi : bit length (128/192/256 bit)
Ma : magic (file magic), reserved, must be '0' now
Sa : salt (hex), 12 or 16 bytes of IV data
Erd : encrypted random data (max. 256 bytes)
Le : real compr len (hex), length of compressed/encrypted data (field DF), unused currently
DF : compressed data. DF can be Le*2 hex bytes, and if so, then it is the ENTIRE file blob
written 'inline', unused currently
Au : authentication code, an 8-byte hex value that contains a CRC32 checksum, unused
currently
Fn : filename within zip file
