incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject Watch out for OpenOffice Crypto
Date Wed, 15 Jun 2011 20:50:58 GMT
This is a heads-up concerning these requirements: 
< http://www.apache.org/dev/crypto.html>.

There are cryptographic functions in the OpenOffice code base, specifically for providing
digital signatures on document and also for encryption of ODF packages.  

It appears that the Apache procedures for such code kick in *before* the code itself is placed
in public view (i.e., committed to the SVN repository).

I guess it is time I looked at the JIRA to see if there is a good place to track this kind
of thing.

 - Dennis

DETAILS

Digital Signature provisions are new in ODF 1.2 although some ODF 1.1 implementations include
an OpenOffice.org-specific early implementation.  They are implemented in current releases
of OpenOffice.org and LibreOffice, at least.  XML DSig is used in a profile that deals with
the fact that components within a Zip file are being signed.  Late additions to the ODF 1.2
sequence of Committee Drafts introduced provisions for ETSI profiles, especially XaDES.

The encryption provisions have been included since ODF 1.0 (at least).  The specification
for ODF 1.2 has been tightened, providing additional encryption methods beyond the default
use of Blowfish and Password Based Key Derivation (PBKDF2) using HMAC-SHA1.  I don't know
that any alternative encryptions are yet to be found in the wild.

There are also some password-protection one-way functions in OpenOffice, mainly for obscuring
passwords use to set locks of various kinds within documents.  The digest algorithms are not
considered encryption method.  (The FAQ is handy for this and related questions: < http://www.apache.org/dev/crypto.html#faq>.)

BACKGROUND

I have been thinking that the Apache OOo would be a good place to do a reference implementation
for a supplemental whole-package encryption that has been discussed on the ODF TC but that
was considered too late in the game for ODF 1.2 (Now OASIS ODF 1.2 Committee Specification
01 and pending public review as a Candidate OASIS Standard).  The nice part of such an effort
is that it is independent of the rest of OOo development.  It is about a wrapper that encloses
the ODF package as a single encrypted file.  There are a number of technical matters to be
tested as part of choosing a specific approach for ODF 1.3 (say), and having a pilot reference
implementation would help settle some of those questions as well as alert implementers in
mitigating potential disruption, especially of down-level implementations.
 
It was thinking about that mini-sub-project that led to the policies on handling encryption
caught my eye.




Mime
View raw message