I got curious and found this newsgroup post that talks about OOo's encryption:

http://groups.google.com/group/sci.crypt/browse_thread/thread/79f0857bffb924c/966d4c23997be61e?lnk=st&q=&rnum=1&hl=en#966d4c23997be61e

One of the most interesting posts notes:

In the "OpenOffice.org XML File Format Specification", Chapter 11.3
(11. Package Format; 11.3 Encryption):

Quote:
--------------------
11.3 Encryption

The encryption process takes place in the following multiple stages:
1. A 20-byte SHA1 digest of the user entered password is created and
passed to the package component.
2. The package component initializes a random number generator with
the current time.
3. The random number generator is used to generate a random 8-byte
initialization vector and 16-byte salt for each file.
4. This salt is used together with the 20-byte SHA1 digest of the
password to derive a unique 128-bit key for each file. The algorithm
used to derive the key is the PBKDF2 (see RFC 2989) with an iteration
count of 1024.
5. The derived key is used together with the initialisation vector to
encrypt the file using the Blowfish algorithm in cipher-feedback (CFB)
mode.
----------------------

Also, as a test, I made a very simple file, which just contained the
word "Testing." in it.  I saved it with and without a password, then
unzipped both files.

The document's content is kept in the content.xml file.  I opened the
unencrypted one with Firefox and get a nice XML representation of the
file.  There is no way that would work with the encrypted one as the
content.xml file is complete garbage:

----
XML Parsing Error: not well-formed
Location: file:///Users/berto/OOo_testcase/passworded/content.xml
Line Number 1, Column
2:t�����4�BSkأ%/��
��P��W���c�>v]�E��Ƶ���d~����ߟ6ƭ3�����:��W�;�}XJcs��
-^
----

After reading the encryption thread, I'd feel pretty good about the
encryption OOo uses.  Just make sure your password is sufficiently
long to make dictionary attacks hard.

In addition, if you really want to secure those docs, you may want to
double-encrypt the file; use OOo's password feature and then use GPG
to encrypt the document file.  This should make it quite hard to get
to the contents at the cost of convenience.

If you're on a Mac you can make an encrypted disk image, which is
AES-256 bit encrypted.  When you need the document, launch the disk
image, and provide the password.  Then your documents are available
within that disk image.  After you're done, eject the disk image and
it is kept encrypted on the disk.  Then again, on a Mac you can
encrypt your entire home directory with File Vault.

Hope this helps,
-Roberto.

On 8/2/06, Andy Pepperdine <[EMAIL PROTECTED]> wrote:
On Wednesday 02 August 2006 15:28, Immanuel CRC Office wrote:
> Andy Luddy wrote:
> > Norm Leaf wrote:
> >> I have previously used Microsoft Office 2000, and with their program I
> >> used a password to prevent someone from opening personal financial
> >> documents when they are on my computer. Is it possible to do the same
> >> with Open Office 2.0?
> >
> > When you create the document, File / Save As and check  "Save With
> > Password".  IIUC, this is only available if you are saving in Open
> > Document or OpenOffice 1.0 formats, not StarXxx or MS Office formats.
>
> On a side note, how do passwords work with the ODF? Can you not just
> unzip the file? or is it all gobbledegook when you do that when there is
> a password?

A check on a small example shows that the saved file is a normal zip file. The
manifest and metadata are clear and contain, among other things, details of
the type of cryptographic transformations in use; but no password. The other
files, like content, styles etc. are encrypted. And yes, the type of
encryption is strong - no chance of decrypting in a reasonable amount of time
without the password.
--
Andy Pepperdine
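
The key derivation in steps 1 and 4 of the quoted specification, applied to the per-file parameters that the cleartext manifest carries. This is an added example, not part of the original messages and not OpenOffice.org's code. Assumptions not stated on the page: the manifest namespace and the element and attribute names, HMAC-SHA1 as the PBKDF2 pseudorandom function, and UTF-8 password encoding; the manifest itself is constructed sample data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"  # assumed namespace
M = "{" + NS + "}"

def _entry(path, iv, salt):  # builds one constructed encrypted file-entry
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return (f'<manifest:file-entry manifest:full-path="{path}"><manifest:encryption-data>'
            f'<manifest:algorithm manifest:algorithm-name="Blowfish CFB" '
            f'manifest:initialisation-vector="{b64(iv)}"/>'
            f'<manifest:key-derivation manifest:key-derivation-name="PBKDF2" '
            f'manifest:salt="{b64(salt)}" manifest:iteration-count="1024"/>'
            f'</manifest:encryption-data></manifest:file-entry>')

# Constructed manifest: meta.xml in the clear, two encrypted entries with sample bytes.
SAMPLE_MANIFEST = (f'<manifest:manifest xmlns:manifest="{NS}">'
                   '<manifest:file-entry manifest:full-path="meta.xml"/>'
                   + _entry("content.xml", bytes(range(8)), bytes(range(16)))
                   + _entry("styles.xml", bytes(range(8, 16)), bytes(range(16, 32)))
                   + '</manifest:manifest>')

def encryption_params(manifest_xml):
    """Map each encrypted entry's path to its cleartext crypto parameters."""
    params = {}
    for entry in ET.fromstring(manifest_xml).iter(M + "file-entry"):
        enc = entry.find(M + "encryption-data")
        if enc is None:
            continue  # entry is stored unencrypted
        alg, kdf = enc.find(M + "algorithm"), enc.find(M + "key-derivation")
        params[entry.get(M + "full-path")] = {
            "cipher": alg.get(M + "algorithm-name"),
            "iv": base64.b64decode(alg.get(M + "initialisation-vector")),
            "salt": base64.b64decode(kdf.get(M + "salt")),
            "iterations": int(kdf.get(M + "iteration-count")),
        }
    return params

def derive_key(password, salt, iterations):
    digest = hashlib.sha1(password.encode("utf-8")).digest()  # step 1: 20-byte SHA1
    return hashlib.pbkdf2_hmac("sha1", digest, salt, iterations, dklen=16)  # step 4

def file_keys(password, manifest_xml):
    """Derive the 128-bit key of every encrypted entry from one password."""
    return {path: derive_key(password, p["salt"], p["iterations"])
            for path, p in encryption_params(manifest_xml).items()}

if __name__ == "__main__":
    for path, key in file_keys("Testing.", SAMPLE_MANIFEST).items():
        print(path, key.hex())
```

Every input to the derivation except the password is readable from the manifest, so the protection rests on the password, which is the point made above about password length.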
