KR-102963414-B1 - Hangul file decryption system, method, and application using the same

Abstract

A Hangul file decryption system, a method, and an application using the same are provided. A Hangul file decryption system according to an embodiment of the present invention comprises: a decryption key generation unit that generates a password and converts the generated password into an 8-byte decryption key; a decryption key verification unit that acquires an encrypted file, verifies the 8-byte decryption key using a verification method defined according to the version of the encrypted file, and generates a verification result; and a file decryption unit that decrypts the encrypted file using the 8-byte decryption key when the verification result is determined to be normal; wherein the predefined verification method performs verification using the characteristics of a pre-set stream.

Inventors

  • 윤희서
  • 김역
  • 서승희
  • 이창훈

Assignees

  • 서울과학기술대학교 산학협력단

Dates

Publication Date
20260508
Application Date
20231124

Claims (5)

  1. A Hangul file decryption system comprising: a decryption key generation unit that generates a password and converts the generated password into an 8-byte decryption key; a decryption key verification unit that acquires an encrypted file, verifies the 8-byte decryption key using a verification method defined according to the version of the encrypted file, and generates a verification result; and a file decryption unit that decrypts the encrypted file using the 8-byte decryption key when the verification result is determined to be normal; wherein the predefined verification method performs verification using the pre-configured stream characteristics, and wherein the decryption key verification unit, when the encrypted file is hwp 5.0 or higher, selects a different stream according to the file version, and verifies the 8-byte decryption key and generates the verification result using, as verification criteria, a tag ID (10 bits each), data inserted between headers, and a version-specific offset in the stream selected according to a Hangul 2004 or higher version and a Hangul 2004 or lower version.
  2. The Hangul file decryption system of claim 1, wherein the decryption key generation unit comprises: a password generation module that generates the password; an encoding module that encodes the password to derive an encoded password; and a decryption key acquisition module that converts the encoded password to obtain the 8-byte decryption key.
  3. The Hangul file decryption system of claim 1, wherein the decryption key verification unit comprises: a file version checking module that obtains the encrypted file and checks the version of the encrypted file; and a decryption verification module that, when the version of the encrypted file satisfies a preset condition, verifies the 8-byte decryption key according to the preset condition for the version of the encrypted file and generates the verification result.
  4. A method for decrypting a Hangul file, comprising: a decryption key generation step of generating a password using a decryption key generation unit and converting the generated password into an 8-byte decryption key; a decryption key verification step of obtaining an encrypted file using a decryption key verification unit, verifying the 8-byte decryption key using a verification method defined according to the version of the encrypted file, and generating a verification result; and a file decryption step of decrypting the encrypted file using the 8-byte decryption key, using a file decryption unit, when the verification result is determined to be normal; wherein the predefined verification method performs verification using the pre-configured stream characteristics, and wherein the decryption key verification step, when the encrypted file is hwp 5.0 or higher, selects a different stream according to the file version, and further comprises the step of verifying the 8-byte decryption key and generating the verification result using, as verification criteria, a tag ID (10 bits each), data inserted between headers, and a version-specific offset in the stream selected according to a Hangul 2004 or higher version and a Hangul 2004 or lower version.
  5. An application stored on a storage medium of a digital terminal to perform: a decryption key generation step of generating a password and converting the generated password into an 8-byte decryption key; a decryption key verification step of obtaining an encrypted file, verifying the 8-byte decryption key using a verification method defined according to the version of the encrypted file, and generating a verification result; and a file decryption step of decrypting the encrypted file using the 8-byte decryption key when the verification result is determined to be normal; wherein the decryption key verification step, when the encrypted file is hwp 5.0 or higher, selects a different stream according to the file version, and further includes the step of verifying the 8-byte decryption key and generating the verification result using, as verification criteria, a tag ID (10 bits each), data inserted between headers, and a version-specific offset in the stream selected according to a Hangul 2004 or higher version and a Hangul 2004 or lower version; and wherein the predefined verification method performs verification using the characteristics of a pre-configured stream.
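
As an added illustration (not code from the patent or from Hancom), the kind of stream-structure check the claims refer to can be sketched with the record header layout from the publicly documented HWP 5.0 format: a 32-bit little-endian header holding a 10-bit tag ID, a 10-bit level and a 12-bit size. The function names, the plausibility rules and the sample bytes are assumptions constructed for this example; the patent's own verification criteria and version-specific offsets are not reproduced here.

```python
import struct

HWPTAG_BEGIN = 0x010   # lowest tag ID used for ordinary records
SIZE_EXTENDED = 0xFFF  # size field saturated: real size follows as a 32-bit value

def pack_header(tag_id, level, size):
    """Build a record header; used here only to construct sample data."""
    return struct.pack("<I", tag_id | (level << 10) | (size << 20))

def parse_record_header(buf, off=0):
    """Return (tag_id, level, size, data_offset); raise ValueError if truncated."""
    if off + 4 > len(buf):
        raise ValueError("truncated record header")
    (word,) = struct.unpack_from("<I", buf, off)
    tag_id, level, size = word & 0x3FF, (word >> 10) & 0x3FF, word >> 20
    off += 4
    if size == SIZE_EXTENDED:
        if off + 4 > len(buf):
            raise ValueError("truncated extended size")
        (size,) = struct.unpack_from("<I", buf, off)
        off += 4
    return tag_id, level, size, off

def looks_like_record_stream(buf, first_tag=None, max_records=8):
    """Hypothetical plausibility check: do the leading bytes parse as records?"""
    off = count = 0
    while off < len(buf) and count < max_records:
        try:
            tag_id, level, size, data_off = parse_record_header(buf, off)
        except ValueError:
            return False
        # Reject reserved tag IDs and records that run past the buffer.
        if tag_id < HWPTAG_BEGIN or data_off + size > len(buf):
            return False
        # The first record must sit at level 0 and match the expected tag, if given.
        if count == 0 and (level != 0 or first_tag not in (None, tag_id)):
            return False
        off, count = data_off + size, count + 1
    return count > 0

# Constructed sample: two well-formed records (tags 0x10 and 0x11, level 0).
SAMPLE_RECORDS = pack_header(0x10, 0, 26) + bytes(26) + pack_header(0x11, 0, 8) + bytes(8)
# Constructed sample: arbitrary bytes standing in for the output of a wrong key.
SAMPLE_GARBAGE = bytes.fromhex("deadbeef") + bytes(28)

if __name__ == "__main__":
    print(looks_like_record_stream(SAMPLE_RECORDS, first_tag=0x10))
    print(looks_like_record_stream(SAMPLE_GARBAGE))
```
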

Description

Hangul file decryption system, method, and application using the same

The present invention relates to a Hangul file decryption system, a method, and an application using the same. In particular, it relates to a Hangul file decryption system, a method, and an application using the same that can verify a valid password by utilizing the characteristics of the file structure to recover an encrypted Hangul (HWP) file during a domestic forensic investigation.

Hangul (Araea) is a word processor developed by Hancom and, along with Microsoft Word, is the most widely used document program in South Korea; it supports a document encryption function. While this function is used for the protection of personal information and document security, in a digital forensic investigation a file cannot even be viewed without knowing the password, so a decryption process is required to analyze collected evidence. Since Hangul document files are used as digital evidence or clues in actual investigations, a verification method is required to decrypt files through password cracking and to verify whether the correct password was used.

While the encryption process for Microsoft Word is publicly available, Hancom has never officially released information regarding the decryption/verification mechanism of the Hangul program. Encrypted Hangul document files are not supported by password cracking tools such as Passware Kit Forensic and hashcat; although Elcomsoft’s Distributed Password Recovery and GMDSOFT’s MD-HWP support password cracking for hwp files, they do not disclose the decryption logic for encrypted Hangul documents. There is therefore a need for a verification method that can decrypt hwp files, which are widely used in Korea, through password cracking and determine whether they were decrypted with the correct password.

  • FIG. 1 is a block diagram of a Hangul file decryption system according to an embodiment of the present invention.
  • FIG. 2 is a block diagram of the decryption key generation unit of FIG. 1.
  • FIG. 3 is a block diagram of the decryption key verification unit of FIG. 1.
  • FIG. 4 is a flowchart of a Hangul file decryption method according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of step S11 of FIG. 4.
  • FIG. 6 is a flowchart of step S13 of FIG. 4.
  • FIG. 7 is a flowchart of the key generation process of a Hangul document program confirmed through reverse engineering.
  • FIG. 8 is an example structural diagram of decrypted DocInfo according to one embodiment of the present invention.
  • FIG. 9 is an example structural diagram of (a) a decrypted section of Hangul 2002 version and (b) a decrypted section of Hangul 2014 version according to one embodiment of the present invention.
  • FIG. 10 is an example structural diagram of (a) a decrypted DefaultJScript of Hangul 2005 version and (b) a decrypted DefaultJScript of Hangul 2020 version according to one embodiment of the present invention.
  • FIG. 11 is an example structural diagram of a decrypted JScriptVersion according to one embodiment of the present invention.
  • FIG. 12 is a flowchart of the overall algorithm in which a Hangul file decryption system and method according to one embodiment of the present invention are performed.

Hereinafter, some embodiments of the present disclosure will be described in detail with reference to the exemplary drawings. In assigning reference numerals to the components of each drawing, the same components may have the same reference numeral as much as possible, even if they are shown in different drawings. Furthermore, in describing the embodiments, if it is determined that a detailed description of related known components or functions may obscure the essence of the technical concept, such detailed description may be omitted. Where terms such as "comprising," "having," or "consisting of" are used in this specification, other parts may be added unless "only" is used.
Where a component is expressed in the singular, it may include a plural unless otherwise specified. Additionally, terms such as first, second, A, B, (a), (b), etc., may be used to describe the components of the present disclosure. These terms are used merely to distinguish the components from other components, and the nature, order, sequence, or number of the components are not limited by such terms. In describing the positional relationship of components, where it is stated that two or more components are "connected," "combined," or "joined," it should be understood that while the two or more components may be directly "connected," "combined," or "joined," they may also be "connected," "combined," or "joined" with other components "intervened." Here, the other components may be included in one or more of the two or more components that are "connected," "combined," or "joined" with one another. In describing the temporal flow relationship regarding components, methods of operation, or methods of production, for example, when the temp