Friday May 29, 2009

ODF / OpenOffice.org Document Encryption

Quite frequently, people ask about the document encryption used in OpenOffice.org for ODF documents. Which algorithms are used? Is it really secure?

If you try some internet search, it's difficult to find the really useful information.
To make it easier for all, including me when I again have to answer such questions, I decided to write down some information here.

ODF documents are Zip archives, and the encryption is applied to all ODF relevant streams, and not to the zip archive itself.
The encryption is described in the ODF 1.1 specification, chapter 17.3:

17.3 Encryption The encryption process takes place in the following multiple stages:

1. A 20-byte SHA1 digest of the user entered password is created and passed to the package component.

2. The package component initializes a random number generator with the current time.

3. The random number generator is used to generate a random 8-byte initialization vector and 16-byte salt for each file.

4. This salt is used together with the 20-byte SHA1 digest of the password to derive a unique 128-bit key for each file. The algorithm used to derive the key is PBKDF2 using HMAC-SHA-1 (see [RFC2898]) with an iteration count of 1024.

5. The derived key is used together with the initialization vector to encrypt the file using the Blowfish algorithm in cipher-feedback (CFB) mode.

Each file that is encrypted is compressed before being encrypted. To allow the contents of the package file to be verified, it is necessary that encrypted files are flagged as 'STORED' rather than 'DEFLATED'. As entries which are 'STORED' must have their size equal to the compressed size, it is necessary to store the uncompressed size in the manifest. The compressed size is stored in both the local file header and central directory record of the Zip file.

So the ODF encryption can be considered to be quite strong.

If you search for ODF encryption, very likely you will stumble over many password recovery tools. But none of these tools found any weaknesses in ODF encryption. All these tools can only provide brute force attacks for ODF documents.

I found this on the web site from Intelore, one of the major password recovery tools providers:

"As a true open source product with UNIX roots, OpenOffice.org supports strong document protection for ultimate security. All OpenOffice documents can be saved with a password, enabling strong password security. OpenOffice.org uses industry standard encryption methods that are extremely hard to break."

If you have other opinions about ODF encryption quality, please let me know...

Posted by Malte Timmermann ( May 29 2009, 01:35:51 PM CEST ) Permalink Comments [8]