openoffice-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <>
Subject RE: A Question about Open Office Password Protected Text Documenets
Date Fri, 10 Jun 2016 18:56:41 GMT
I forgot something important.

By default, Apache OpenOffice, as recently as AOO 4.1.2, does *not* use any encryption methods
other than those that have been used since ODF 1.0 in 2005.  So statements about more-advanced
methods do not apply for AOO.

I believe AOO will accept (some of) the additional parameters defined for encrypted documents
with ODF 1.2, but AOO does not produce such encryptions on documents saved-with-password.

 - Dennis


I created a simple saved-with-password .odt using AOO 4.1.2 Writer.  My options for this were

  Tools > Options > Load/Save > General > ODF format version > 1.2 extended

When I specified Save with Password, there are no options to choose anything with regard to
how that is done.

When I inspected the .odt via Zip, the manifest.xml reveals the following about encryption
of the first file in the manifest:

    <manifest:file-entry manifest:media-type="" 
       <manifest:encryption-data manifest:checksum-type="SHA1/1K" 
          <manifest:algorithm manifest:algorithm-name="Blowfish CFB" 
                manifest:key-size="16" manifest:iteration-count="1024" 

This is the default approach since ODF 1.0.  

I was able to open this document in both AOO 4.1.2 (with the password I created), and also
in LibreOffice 5.0.0.  I resaved the document from LibreOffice into a new file, reusing the
same password.  I was able to open that document in AOO 4.1.2 with that password too.

The LibreOffice 5.0.0 encryption is different.  Here is how the manifest.xml in the LibreOffice
saved file reports the encryption parameters for the same document part as above:

          manifest:media-type="" manifest:size="0">

          <manifest:key-derivation manifest:key-derivation-name="PBKDF2" 
               manifest:key-size="32" manifest:iteration-count="1024" 


The differences are mainly use of SHA256 instead of SHA1 and the use of AES256 instead of

The most-vulnerable aspects are the manifest:key-derivation technique and the manifest:start-key-generation.
 The manifest:iteration-count of 1024 is negligible.  Oh, and the unencrypted stream, Configurations2/accelerator/current.xml,
is completely known already.

> -----Original Message-----
> From: Dennis E. Hamilton []
> Sent: Friday, June 10, 2016 10:55
> To:
> Subject: RE: A Question about Open Office Password Protected Text
> Documenets
> > -----Original Message-----
> > From: Damjan Jovanovic []
> > Sent: Friday, June 10, 2016 07:29
> > To: Apache OO <>
> > Subject: Re: A Question about Open Office Password Protected Text
> > Documenets
> >
> > Hi Roger
> >
> > If you saved them in OpenOffice's default format, OpenDocument (.odt /
> > .ods
> > / .odb etc.), then yes. Password protection is part of the
> OpenDocument
> > standard, and should be supported by us and other OpenDocument
> software
> > such as AbiWord, Gnumeric, Microsoft Office, etc. for a long time. The
> > encryption techniques are all well documented and use common well
> > established ciphers, hash functions and password strengthening
> > procedures.
> >
> > With long term storage, the problem won't be data becoming
> inaccessible
> > due
> > to encryption (provided you remember your passwords), so much as the
> > opposite problem, of data becoming too easily accessible, since older
> > versions of OpenDocument used weaker encryption ciphers, potentially
> > making
> > document encryption too easy to crack by future weaknesses discovered
> in
> > those ciphers and with more powerful computers in the future.
> [orcmid]
> There is a misunderstanding here.  The problem of using the latest-and-
> greatest (i.e, based on AES) supported encryptions is that older
> versions of software won't be able to open it and versions that have not
> upgraded their support or for which there is an interoperability defect
> won't open it either.
> We ran into this recently where users of Mac OSX could no longer open
> some password-protected files.
> It is not in our power to offer a guarantee about this.  At the moment,
> the basic cryptography used since ODF 1.0 is working.  There is no way
> that the project can assert that this will apply in perpetuity and that
> software to accomplish it will always be available.  That is beyond our
> means.
> Finally, the use of better hash algorithms and AES as a check-box item
> do *not* eliminate the known exposure of ODF documents to cryptographic
> attack and decryption by an adversary.  ODF encryption should *never* be
> used for highly-confidential documents, especially files subject to
> security-classification regimes of governments or other entities.  I
> don't belief any such agency would permit ODF encryption to be used;
> encryption would be accomplished by other means.
> The reasons for that are quite simple:
>  1. All ODF encryption is password-based.  That is the greatest single
> vulnerability, especially if the same password is used on multiple
> documents.  There are extremely well-known and highly-available means
> for attacking encryptions using memorable passwords.  This vulnerability
> trumps everything.  This is something the software does not control and
> cannot mitigate much.  Note that advertised password-recovery software
> *does* succeed against password-protected ODF documents on occasion.
> The advances in computer performance (especially graphics processors)
> ensure that the number of passwords that are defeated by such software
> will only increase.
>  2. Because the encryption is of a static, persistent document, the
> attack can be conducted off-line for a sustained time and using
> coordinated crowd-sourced attacks.  Advances in technology have
> neutralized the measures used to make attacking of the password
> computationally difficult.  This means that documents retaining long-
> duration secrets are the most vulnerable if not adequately protected
> against disclosure.
>  3. The particular encryption approach (not the low-level choice of the
> stream-level encryption algorithm) leaks information about the original
> ODF document to the point where some unencrypted information may be
> determined by means other than actually having to decrypt it.  That
> revelation can be used to expedite attack on the password used for the
> unknown parts.
> As a final thought.  It is revealing that Microsoft Office will not
> produce ODF documents that are saved with a password, although it will
> otherwise support ODF format.  In addition, the software refuses to open
> such documents, although it certainly could go that far, in principle.
> So there is no means to rescue password-saved ODF documents in the most
> widely-available ODF-supporting software on the planet.
>  - Dennis
> >
> > Regards
> > Damjan
> >
> > On Fri, Jun 10, 2016 at 3:42 PM, Roger Bentley
> > <>
> > wrote:
> >
> > > Dear Sir/Madam
> > >
> > > I have a large number of important documents that I have created
> over
> > the
> > > years in Open Office, which were created as password protected
> > documents.
> > >
> > > Is there any likelihood in the future of any ‘redundancy’ or
> suchlike
> > > where these documents would be no longer accessible by future then
> > current
> > > software etc?  Or will the files always remain safe, in that there
> > will
> > > always be an Open Office allied program capable of unlocking their
> > password
> > > protected format?
> > >
> > > I will be very grateful of your reply.
> > >
> > > With sincere regards
> > >
> > > Roger Bentley
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message