# 2.3.6.2 Encryption Key Derivation

The encryption key for Office binary document RC4 encryption
is generated by using the following method: Let H() be the MD5 hashing
algorithm, H_{n} be the hash data of the n^{th} iteration, and
a plus sign (+) represent concatenation. The password MUST be provided as an
array of Unicode characters.

Limitations on the length of the password and the characters used by the password are implementation-dependent. For details about behavior variations, see [MS-DOC] and [MS-XLS]. Unless otherwise specified, the maximum password length MUST be 255 Unicode characters.

The initial password hash is generated as follows.

H_{0} = H(password)

The salt used MUST be generated randomly and MUST be 16
bytes in size. The salt MUST be stored in the **Salt** field of the **RC4
Encryption Header** structure (section 2.3.6.1). The hash
is then computed by using the following approach:

1. Let **TruncatedHash** be the first 5 bytes of H_{0}.
2. Let **IntermediateBuffer** be a 336-byte buffer.
3. Form a 21-byte buffer by concatenating **TruncatedHash** plus the salt. Initialize **IntermediateBuffer** by copying the 21-byte buffer into **IntermediateBuffer** a total of 16 times.
4. Use the following: H_{1} = H(IntermediateBuffer).

After the final hash has been obtained, the encryption key MUST be generated by using the first 5 bytes of the final hash data and a block number that is provided by the application. The encryption algorithm MUST be RC4. The method used to generate the hash data that is the input into the key derivation algorithm is the following:

1. Let **TruncatedHash** be the first 5 bytes of H_{1}.
2. Use the following: H_{final} = H(TruncatedHash + block).

The block number MUST be a 32-bit unsigned value provided by the application.

The first 128 bits of H_{final} MUST then be used as
the derived encryption key.
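The following Python sketch walks through the derivation above from H_{0} to H_{final}. It is an added example, not code from the specification. It assumes the password's Unicode characters are serialized as UTF-16LE and the block number as 4 little-endian bytes, neither of which this section states; the function names and sample values are constructed for illustration.

```python
import hashlib
import struct


def intermediate_buffer(password: str, salt: bytes) -> bytes:
    """Return the 336-byte IntermediateBuffer: (first 5 bytes of H0 + salt) x 16."""
    if len(salt) != 16:
        raise ValueError("salt must be exactly 16 bytes")
    # Assumption: "array of Unicode characters" means UTF-16LE code units.
    pw = password.encode("utf-16-le")
    if len(pw) // 2 > 255:
        raise ValueError("password exceeds 255 Unicode characters")
    h0 = hashlib.md5(pw).digest()          # H0 = H(password)
    return (h0[:5] + salt) * 16            # 21-byte buffer copied 16 times


def truncated_h1(password: str, salt: bytes) -> bytes:
    """Return TruncatedHash, the first 5 bytes of H1 = H(IntermediateBuffer)."""
    return hashlib.md5(intermediate_buffer(password, salt)).digest()[:5]


def block_key(trunc_h1: bytes, block: int) -> bytes:
    """Return the first 128 bits of Hfinal = H(TruncatedHash + block)."""
    if len(trunc_h1) != 5:
        raise ValueError("TruncatedHash must be 5 bytes")
    if not 0 <= block <= 0xFFFFFFFF:
        raise ValueError("block must be a 32-bit unsigned value")
    # Assumption: the block number is encoded as 4 little-endian bytes.
    h_final = hashlib.md5(trunc_h1 + struct.pack("<I", block)).digest()
    return h_final[:16]                    # MD5 output is exactly 128 bits


def derive_key(password: str, salt: bytes, block: int) -> bytes:
    """Derive the RC4 key for one block from password, salt and block number."""
    return block_key(truncated_h1(password, salt), block)


if __name__ == "__main__":
    salt = bytes(range(16))                # constructed sample salt
    for block in (0, 1):
        print(block, derive_key("password", salt, block).hex())
```

Because `block_key` takes only the 5-byte **TruncatedHash** and the block number, every per-block key is a function of 40 bits of secret material regardless of password length, which is the property to weigh when assessing documents protected this way.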