incubator-ooo-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 119090] Default Encryption Fails for Down-Level Implementations
Date Mon, 19 Mar 2012 16:44:12 GMT

--- Comment #8 from orcmid <> 2012-03-19 16:44:12 UTC ---

I think there is some unspoken assumption that using AES256-cbc is somehow more
secure than using Blowfish CFB.  There is no basis for that.  Attackers use the
weakest points they can find.

In the case of ODF encryption, the weakest point is the use of password-based
encryption.  It is no less attackable, regardless of the block cipher used. 
The fact that ODF encryption provides digests that can be used to check whether
a decryption is correct makes that attack even easier, along with the fact that
most packages contain files for which the plaintext is readily known.

The next weak point is the fact that a single start-key is derived from the
password and used for the block-cipher key derivation of all of the individual
parts.  That makes that common start-key value also a point of attack,
including by using start-key candidates purloined from elsewhere.  The move
from SHA1 to SHA256 for the start-key-derivation raises the bar, but it is
still a point of attack.  The provisions of ODF encryption that assist attack
on the password also assist here.

I'm not arguing that an attack is known.  Only that the choice between
AES256-cbc and Blowfish CFB is irrelevant with regard to the attack surface of
document for which ODF encryption has been applied.  It is especially
irrelevant with regard to the pain that an automatic change of the encryption
will cause in terms of the down-level and cross-product unacceptability of the

There is no security trade-off here.  It is entirely an interoperability issue.

Configure bugmail:
------- You are receiving this mail because: -------
You are on the CC list for the bug.

View raw message