Friday May 29, 2009

ODF / OpenOffice.org Document Encryption

Quite frequently, people ask about the document encryption used in OpenOffice.org for ODF documents. Which algorithms are used? Is it really secure?

If you try an internet search, it is difficult to find really useful information.
To make it easier for all, including me when I again have to answer such questions, I decided to write down some information here.

ODF documents are Zip archives, and the encryption is applied to all ODF relevant streams, and not to the zip archive itself.
The encryption is described in the ODF 1.1 specification, chapter 17.3:

17.3 Encryption

The encryption process takes place in the following multiple stages:

  1. A 20-byte SHA1 digest of the user entered password is created and passed to the package component.

  2. The package component initializes a random number generator with the current time.

  3. The random number generator is used to generate a random 8-byte initialization vector and 16-byte salt for each file.

  4. This salt is used together with the 20-byte SHA1 digest of the password to derive a unique 128-bit key for each file. The algorithm used to derive the key is PBKDF2 using HMAC-SHA-1 (see [RFC2898]) with an iteration count of 1024.

  5. The derived key is used together with the initialization vector to encrypt the file using the Blowfish algorithm in cipher-feedback (CFB) mode.

Each file that is encrypted is compressed before being encrypted. To allow the contents of the package file to be verified, it is necessary that encrypted files are flagged as 'STORED' rather than 'DEFLATED'. As entries which are 'STORED' must have their size equal to the compressed size, it is necessary to store the uncompressed size in the manifest. The compressed size is stored in both the local file header and central directory record of the Zip file.

So the ODF encryption can be considered to be quite strong.
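Steps 1 and 4 of the quoted procedure, plus reading each file's salt, IV and iteration count back out of META-INF/manifest.xml, as an added Python example (not code from OpenOffice.org or from this post). The manifest element and attribute names come from the ODF 1.1 manifest schema rather than from the text above, UTF-8 password encoding is an assumption, and the sample manifest is constructed.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
q = lambda name: f"{{{NS}}}{name}"  # namespace-qualified element/attribute name

def encrypted_entries(manifest_xml):
    """Map full-path -> encryption parameters for each encrypted file entry."""
    entries = {}
    for fe in ET.fromstring(manifest_xml).iter(q("file-entry")):
        enc = fe.find(q("encryption-data"))
        if enc is None:
            continue  # this stream is stored unencrypted
        alg, kdf = enc.find(q("algorithm")), enc.find(q("key-derivation"))
        entries[fe.get(q("full-path"))] = {
            "iv": base64.b64decode(alg.get(q("initialisation-vector"))),
            "salt": base64.b64decode(kdf.get(q("salt"))),
            "iterations": int(kdf.get(q("iteration-count"))),
            "plain_size": int(fe.get(q("size"))),  # uncompressed size from the manifest
        }
    return entries

def derive_file_key(password, salt, iterations=1024):
    """Step 1 (SHA1 of the password) and step 4 (PBKDF2-HMAC-SHA1, 128-bit key)."""
    start_key = hashlib.sha1(password.encode("utf-8")).digest()  # UTF-8: assumption
    return hashlib.pbkdf2_hmac("sha1", start_key, salt, iterations, dklen=16)

def deviations(p):  # parameters that differ from what section 17.3 describes
    checks = [(len(p["iv"]) == 8, "IV is not 8 bytes"),
              (len(p["salt"]) == 16, "salt is not 16 bytes"),
              (p["iterations"] == 1024, "iteration count is not 1024")]
    return [msg for ok, msg in checks if not ok]

def _entry(path, salt, iv):  # one constructed encrypted file-entry element
    s, v = (base64.b64encode(x).decode() for x in (salt, iv))
    return (f'<manifest:file-entry manifest:full-path="{path}" manifest:size="2048">'
            f'<manifest:encryption-data><manifest:algorithm manifest:initialisation-vector="{v}"/>'
            f'<manifest:key-derivation manifest:iteration-count="1024" manifest:salt="{s}"/>'
            '</manifest:encryption-data></manifest:file-entry>')

# Constructed sample: salts and IVs are made-up values, not from a real document.
SAMPLE = (f'<manifest:manifest xmlns:manifest="{NS}">'
          + _entry("content.xml", bytes(range(16)), bytes(8))
          + _entry("styles.xml", bytes(range(16, 32)), bytes(range(8)))
          + '<manifest:file-entry manifest:full-path="mimetype"/></manifest:manifest>')

if __name__ == "__main__":
    for path, p in encrypted_entries(SAMPLE).items():
        print(path, derive_file_key("example password", p["salt"]).hex(), deviations(p))
```

Decrypting the stream itself (step 5) needs a Blowfish implementation, which the Python standard library does not include.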


If you search for ODF encryption, very likely you will stumble over many password recovery tools. But none of these tools found any weaknesses in ODF encryption. All these tools can only provide brute force attacks for ODF documents.


I found this on the web site of Intelore, one of the major providers of password recovery tools:

"As a true open source product with UNIX roots, OpenOffice.org supports strong document protection for ultimate security. All OpenOffice documents can be saved with a password, enabling strong password security. OpenOffice.org uses industry standard encryption methods that are extremely hard to break."


If you have other opinions about ODF encryption quality, please let me know...

Posted by Malte Timmermann (May 29 2009, 01:35:51 PM CEST)

 

Wednesday May 27, 2009

OpenOffice.org Connector for Alfresco CMS

People using Alfresco, the Open Source Alternative for Enterprise Content Management, might want to try our brand new OOo extension "Sun Connector for Alfresco CMS".

It was just released today, feedback welcome.

Posted by Malte Timmermann (May 27 2009, 03:50:52 PM CEST)

 

Thursday May 07, 2009

OpenOffice.org 3.1 released - download the genuine and FREE version now!

The final version of OpenOffice.org 3.1 is available for download now!

A lot of new features and improvements make it really worth updating to this new version.

Important: Make sure to download genuine OpenOffice.org from a trusted site!

Almost daily, the OpenOffice.org Security Team receives mails from people who downloaded from commercial sites and were charged for that in advance, or are asked for some kind of key or serial number when they want to install.

Selling OpenOffice.org is allowed, and is fine as long as you get some extra service, like a CD, printed handbook or support. Unfortunately, some people and companies try to make easy money with OpenOffice.org, without providing any extras, and these download sites are often in the first hits when searching for OOo downloads.

If you are not sure whether or not a download site can be trusted, simply use http://OpenOffice.org. This is very easy to remember, and mirrors make sure that you don't have to care about optimal download locations yourself.


Posted by Malte Timmermann (May 07 2009, 12:25:45 PM CEST)

 

