SPSS Data File Cryptographic Flaws

IBM SPSS 21 and later support a form of encrypted data files. The cryptographic scheme used, which is not publicly documented, has recently come to my attention. It is flawed enough that I feel I must present it publicly.

The encrypted data file format is identical to the pre-existing plaintext file format (which isn't important here), except that each 16-byte block is encrypted with AES-256 in ECB mode. The AES-256 key is derived from a password by a single AES-256 CMAC operation, as:

CMAC-AES-256(password, constant)

where password is the literal password typed by the user (padded on the right with zeros to fill out a 32-byte AES-256 key, since CMAC needs a real cryptographic key not just any random string of bytes like HMAC) and constant is a particular 73-byte constant. This only produces a 16-byte result. AES-256 needs a 32-byte key, so the 16-byte result is repeated twice to expand it to 32 bytes.

(I think that the authors of the implementation must have thought they were doing something smart, because the 73-byte constant is in the right form for the NIST SP 800-108 key derivation function in counter mode. But that KDF is meant for deriving one cryptographic key from another, not from a password.)

The problems I see:

Other issues:

I have written a program that decrypts such a data file, given the plaintext or “encrypted” password. Compile the source code and link against libcrypto (from OpenSSL).


Last updated 14 Dec 2013 09:34. Copyright © 2013 Ben Pfaff.
May be freely redistributed, but copyright notice must be retained.