I don't know what the intention for LibreOffice is, but I can say that there
are likely changes being made in anticipation of ODF 1.2 approval.
There has been extensive tightening to the Encryption specification in the
Package description for ODF 1.2. That specification is now separated into Part
3 of the ODF 1.2 Committee Specification 01 which is now under Public Review as
a Candidate OASIS Standard.
Consulting that document might provide some insight into changes that have
occurred in the OO.o code base. I'll take responsibility for what I hope is a
more rigorous specification of package encryption in ODF 1.2, but I have no
idea how this is tied to changes in the ODF 1.2-anticipating *Office.org
implementations.
- Dennis
DETAILS AND SPECULATIONS:
manifest:checksum-type="sha256-1k" is now recommended for the hash that is used
to verify that the decryption appears to be correct, although consumers are
expected to support both "sha1-1k" and "sha256-1k". (Part 3 section 4.8.3)
manifest:start-key-generation-name="http://www.w3.org/2000/09/xmldsig#sha256";
is now recommended for the initial hash of the password that is then used for
encryption-key derivation. Consumers are required to support that value and
the two other values,
"SHA1" and "http://www.w3.org/2000/09/xmldsg#sha1";. (Part 3 section 4.8.6)
These are the only places where SHA256 has been explicitly introduced in
conjunction with package encryption. The PBKDF2 key-derivation is still based
on HMAC-SHA-1 although there is now provision for alternative key-derivation
algorithms.
I assume the change for manifest:start-key-generation-name is simply to provide
a better hash and make it a bit harder to attack the password. Some believe
that the detection of SHA1 collisions makes these cases of SHA1 usage
compromised. That does not appear to be very relevant since the start-key is
not recorded anywhere, in contrast with the protection-key hash values which an
ODF document can be littered with.
The change for manifest:checksum-type does not appear cryptographically
significant since it doesn't change anything with regard to how the
manifest:checksum might be exploited as information leakage in aid of
known-plaintext discovery/attack.
-Original Message-
From: libreoffice-bounces+dennis.hamilton=acm@lists.freedesktop.org
[mailto:libreoffice-bounces+dennis.hamilton=acm@lists.freedesktop.org] On
Behalf Of Markus Mohrhard
Sent: Sunday, June 26, 2011 11:27
To: libreoffice-dev
Subject: [Libreoffice] can no longer encrypt files if build with
--disable-mozilla
Hello,
is it in our intention that we can no longer encrypt files if we build with
--disable-mozilla? It seems that this was introduced through our latest merge
from OOo. It seems that we need SHA-1 and SHA256 since the latest merge. SHA-1
still works but for SHA-256 we rely on NSS which is disabled if we build with
--disable-mozilla.
Does anyone know why they added SHA-256?
Regards,
Markus
___
LibreOffice mailing list
LibreOffice@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/libreoffice
