Overview
The other day I was searching online for ways to encrypt a spreadsheet in Google Drive and apparently there is no straight forward way to do this without 3rd party applications, scripts and workarounds. While the reasons why Google doesn’t provide this feature are somewhat understandable, I was more interested in the other solutions which popped out in the search results. One of them is by far the most popular and has been picked up and recommended by many technical guides websites like Lifehacker, Quora, Addictivetips and others.
Curious, I decided to read more. Then I noticed the Step 8 of the guide above states that after setting a password and encrypting the spreadsheet:
Now your data is fully password protected and nobody can read it without having the password you have set.
Observations
Unfortunately it didn’t take much to see the encryption was way to easy to bypass. Let’s start with a simple message and see what happens when we enable encryption:
Some secret message
Gets encrypted to:
Zvtl'zljyl 'tlzzhnl
Just by trying to encrypt a short text a few times with different keys we, a few facts were clear:
- The script accepts any password (even blank!).
- The ciphertext is not dependent on the password.
- Moreover, it looks like a simple mono-alphabetic substitution cipher. The same letters get encrypted to the same value, on all the positions they appear.
Attacks
Although probably other attacks are possible, three are straight forward to do:
- Chosen plaintext attack - An attacker has the ability to obtain the ciphertext for his chosen plaintext. Entirely possible here since the encrypted text doesn’t depend on the password. An attacker needs just to encrypt the whole alpha-numeric range and he’ll be able to map any plaintext characters to the corresponding values.
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789
Encrypts to:
hijklmnopqrstuvwxyz !"#$%&HIJKLMNOPQRSTUVWXYZ[\]^_`a'789:;<=>?@
- Frequency analysis attack - This is a classic attack based on the fact that, in any given language, certain letters and combinations of letters occur with varying frequencies. If an attacker has access to enough ciphertext material, it’s very easy to derive the substitution map and then be able to decrypt anything.
- Source code review - The code responsible for the encryption of the spreadsheet can be accessed by navigating to Tools → Script Editor. Have fun reversing it if you’re interested!
(Instead of) Conclusions
- If the goal is to prevent an attacker with access to the spreadsheet to read the content, than this method is totally unsuitable!
In some ways, cryptography is like pharmaceuticals. Its integrity may be absolutely crucial. But bad penicillin looks the same as good penicillin - Philip Zimmermann