Hi Lars,

On Mon, Mar 21, 2005 at 08:02:40 -0500, Lars D. Noodén wrote:

> I think he may be looking for assurance that OOo has good encryption.

Of course a valid concern. To me it sounded (and I may be totally wrong
on this) like he thought that the Google SDK was able or could be
enabled to read documents without knowing the password, and I wondered
what gave him the impression.

> Where can we read a bit about how the OOo files are encrypted and which 
> algorithm(s) are used?  The OOo help menu doesn't say much.

Citing from the OASIS OpenDocument specification 1.0-cd-3 available at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=office

17.3 Encryption
The encryption process takes place in the following multiple stages:
1. A 20-byte SHA1 digest of the user entered password is created and
   passed to the package component.
2. The package component initializes a random number generator with the
   current time.
3. The random number generator is used to generate a random 8-byte
   initialization vector and 16-byte salt for each file.
4. This salt is used together with the 20-byte SHA1 digest of the
   password to derive a unique 128-bit key for each file. The algorithm
   used to derive the key is PBKDF2 using HMAC-SHA-1 (see [RFC2898]) with
   an iteration count of 1024.
5. The derived key is used together with the initialization vector to
   encrypt the file using the Blowfish algorithm in cipher-feedback (CFB)
   mode.

For further technical details of the actual implementation I suggest the
[EMAIL PROTECTED] mailing list.

  Eike

-- 
 OOo/SO Calc core developer. Number formatter bedevilled I18N transpositionizer.
 GnuPG key 0x293C05FD:  997A 4C60 CE41 0149 0DB3  9E96 2F1A D073 293C 05FD
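
Added example, not part of the original message and not OpenOffice.org code: steps 1, 3 and 4 of the quoted section 17.3 in Python, with PBKDF2 also written out per RFC 2898 so the role of the 1024 iterations is visible. Assumptions: the password is encoded as UTF-8, the IV and salt come from the OS CSPRNG instead of a time-seeded generator, and step 5 (Blowfish CFB) is left out because the Python standard library has no Blowfish; all function names, the sample password and the file names are constructed.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 1024   # iteration count from step 4
KEY_LEN = 16        # 128-bit key from step 4
SALT_LEN = 16       # per-file salt from step 3
IV_LEN = 8          # per-file initialization vector from step 3


def password_digest(password):
    """Step 1: 20-byte SHA1 digest of the password (UTF-8 is an assumption)."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def new_file_params():
    """Step 3: fresh (iv, salt) per file, drawn from the OS CSPRNG rather
    than a generator seeded with the current time (deliberate substitution)."""
    return os.urandom(IV_LEN), os.urandom(SALT_LEN)


def derive_file_key(digest, salt):
    """Step 4: PBKDF2 with HMAC-SHA-1, 1024 iterations, 128-bit output."""
    return hashlib.pbkdf2_hmac("sha1", digest, salt, ITERATIONS, KEY_LEN)


def pbkdf2_block1(digest, salt):
    """RFC 2898 PBKDF2, first output block written out by hand:
    U1 = HMAC(P, S || INT(1)), Ui = HMAC(P, U(i-1)), block = U1 ^ ... ^ Uc.
    A 16-byte key fits inside one 20-byte HMAC-SHA-1 block."""
    u = hmac.new(digest, salt + struct.pack(">I", 1), hashlib.sha1).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(ITERATIONS - 1):
        u = hmac.new(digest, u, hashlib.sha1).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(20, "big")[:KEY_LEN]


if __name__ == "__main__":
    digest = password_digest("correct horse")    # constructed sample password
    for name in ("content.xml", "styles.xml"):   # constructed file names
        iv, salt = new_file_params()
        key = derive_file_key(digest, salt)
        assert key == pbkdf2_block1(digest, salt)
        print(name, "iv", iv.hex(), "salt", salt.hex(), "key", key.hex())
```

The same password yields a different key for every file because each file gets its own salt; the key is only as strong as the password, since the salt and IV must be stored alongside the ciphertext for decryption.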
