I got curious and found this newsgroup post that talks about OOo's encryption:
http://groups.google.com/group/sci.crypt/browse_thread/thread/79f0857bffb924c/966d4c23997be61e?lnk=st&q=&rnum=1&hl=en#966d4c23997be61e

One of the most interesting posts notes:

In the "OpenOffice.org XML File Format Specification", Chapter 11.3 (11. Package Format; 11.3 Encryption):

Quote:
--------------------
11.3 Encryption

The encryption process takes place in the following multiple stages:

1. A 20-byte SHA1 digest of the user entered password is created and passed to the package component.
2. The package component initializes a random number generator with the current time.
3. The random number generator is used to generate a random 8-byte initialization vector and 16-byte salt for each file.
4. This salt is used together with the 20-byte SHA1 digest of the password to derive a unique 128-bit key for each file. The algorithm used to derive the key is the PBKDF2 (see RFC 2989) with an iteration count of 1024.
5. The derived key is used together with the initialisation vector to encrypt the file using the Blowfish algorithm in cipher-feedback (CFB) mode.
----------------------

Also, as a test, I made a very simple file, which just contained the word "Testing." in it. I saved it with and without a password, then unzipped both files. The document's content is kept in the content.xml file. I opened the unencrypted one with Firefox and got a nice XML representation of the file. There is no way that would work with the encrypted one, as the content.xml file is complete garbage:

----
XML Parsing Error: not well-formed
Location: file:///Users/berto/OOo_testcase/passworded/content.xml
Line Number 1, Column 2:t�����4�BSkأ%/�� ��P��W���c�>v]�E��Ƶ���d~����ߟ6ƭ3�����:��W�;�}XJcs��
-^
----

After reading the encryption thread, I'd feel pretty good about the encryption OOo uses. Just make sure your password is sufficiently long to make dictionary attacks hard.

In addition, if you really want to secure those docs, you may want to double-encrypt the file; use OOo's password feature and then use GPG to encrypt the document file. This should make it quite hard to get to the contents at the cost of convenience.

If you're on a Mac you can make an encrypted disk image, which is AES-256 bit encrypted. When you need the document, launch the disk image, and provide the password. Then your documents are available within that disk image. After you're done, eject the disk image and it is kept encrypted on the disk. Then again, on a Mac you can encrypt your entire home directory with File Vault.

Hope this helps,
-Roberto.

On 8/2/06, Andy Pepperdine <[EMAIL PROTECTED]> wrote:
On Wednesday 02 August 2006 15:28, Immanuel CRC Office wrote:
> Andy Luddy wrote:
> > Norm Leaf wrote:
> >> I have previously used Microsoft Office 2000, and with their program I
> >> used password to prevent someone from opening personal financial
> >> document when they are on my computer. Is it possible to do the same
> >> with Open Office 2.0.
> >
> > When you create the document, File / Save As and check "Save With
> > Password". IIUC, this is only available if you are saving in Open
> > Document or OpenOffice 1.0 formats, not StarXxx or MS Office formats.
>
> On a side note, how do passwords work with the ODF? Can you not just
> unzip the file? or is it all gobbledegook when you do that when there is
> a password?

A check on a small example shows that the saved file is a normal zip file. The manifest and metadata are clear and contain, among other things, details of the type of cryptographic transformations in use; but no password. The other files, like content, styles etc. are encrypted.

And yes, the type of encryption is strong - no chance of decrypting in a reasonable amount of time without the password.

--
Andy Pepperdine
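
The two observations in this thread (the manifest lists the cryptographic parameters in the clear, and each file gets its own key from the quoted steps 1 and 4) can be put together as follows. This is an added example, not code from the thread or from OpenOffice.org. The sample manifest is constructed, the element and attribute names follow the ODF manifest schema, and HMAC-SHA1 as the PBKDF2 pseudo-random function and UTF-8 password encoding are assumptions the quoted text does not state.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"

def _entry(path, salt, iv):
    """Build one encrypted file-entry for the constructed sample manifest."""
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return (f'<manifest:file-entry manifest:full-path="{path}">'
            '<manifest:encryption-data>'
            '<manifest:algorithm manifest:algorithm-name="Blowfish CFB" '
            f'manifest:initialisation-vector="{b64(iv)}"/>'
            '<manifest:key-derivation manifest:key-derivation-name="PBKDF2" '
            f'manifest:iteration-count="1024" manifest:salt="{b64(salt)}"/>'
            '</manifest:encryption-data></manifest:file-entry>')

# Constructed sample: meta.xml is stored in the clear, the other two are encrypted.
SAMPLE_MANIFEST = (
    f'<manifest:manifest xmlns:manifest="{NS}">'
    '<manifest:file-entry manifest:full-path="meta.xml"/>'
    + _entry("content.xml", bytes(range(16)), bytes(8))
    + _entry("styles.xml", bytes(range(16, 32)), bytes([1] * 8))
    + '</manifest:manifest>')

def encrypted_entries(manifest_xml):
    """Return {path: parameters} for every entry carrying encryption-data."""
    q = lambda name: "{%s}%s" % (NS, name)
    found = {}
    for entry in ET.fromstring(manifest_xml).iter(q("file-entry")):
        enc = entry.find(q("encryption-data"))
        if enc is None:
            continue  # stored unencrypted
        alg, kdf = enc.find(q("algorithm")), enc.find(q("key-derivation"))
        found[entry.get(q("full-path"))] = {
            "cipher": alg.get(q("algorithm-name")),
            "iv": base64.b64decode(alg.get(q("initialisation-vector"))),
            "kdf": kdf.get(q("key-derivation-name")),
            "iterations": int(kdf.get(q("iteration-count"))),
            "salt": base64.b64decode(kdf.get(q("salt"))),
        }
    return found

def derive_file_key(password, salt, iterations=1024):
    """Quoted steps 1 and 4: SHA1(password), then PBKDF2 to a 128-bit key."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()  # 20 bytes
    # Assumption: PBKDF2 uses HMAC-SHA1 as its PRF.
    return hashlib.pbkdf2_hmac("sha1", digest, salt, iterations, dklen=16)
```

Everything needed to derive a key except the password is readable from the manifest, which is why the strength of the password is what protects the document.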