Uploaded image for project: 'OASIS Open Document Format for Office Applications (OpenDocument) TC'
  1. OASIS Open Document Format for Office Applications (OpenDocument) TC
  2. OFFICE-2639

Prepare Deprection of Visible Hashed Copies of Passwords

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Applied
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: ODF 1.0, ODF 1.0 (second edition), ODF 1.1, ODF 1.2, ODF 1.2 Part 1 CD 4
    • Fix Version/s: ODF 1.2 Part 1 CD 5
    • Component/s: Security, Table, Text
    • Labels:
      None
    • Environment:

      use of *:protection-key attributes in all applications of OpenDocument text and spreadsheet documents.

    • Proposal:
      Hide
      • In section 19.698 table:protected make the following changes in the indicated subsections:
        • 19.698.4 <table:table>
          REPLACE the second sentence
          """
          If the table is protected, the table:protection-key attribute can specifiy a password to prevent a user from resetting the protection flag to enable editing.
          """
          WITH the text
          """
          When <table:table> element attribute table:protected="true", presence of the table:protection-key attribute signifies that the flag and the resulting protection SHALL be over-ridden only by satisfaction of the authorization requirements for table:protection-key unlocking.
          """
          DELETE the second paragraph in its entirety:
          """
          To avoid saving the password directly into the XML file, only a hash value of the password is stored within the table:protection-key attribute.
          """
      • 19.699 table-protection-key

      REPLACE the entire text (two sentences)
      """
      The table:protection-key attributes specifies the hash value of the password assigned to protect a table, table cell or scenario. The hash value is calculated using the algorithm specified by the table:protection-key-digest-algorithm attribute.
      """
      WITH the text
      """
      The table:protection-key attribute, when present, signifies that the protection set for a table, table cell, or scenario is locked against removal. The value of the table:protection-key attribute consists of binary data used in authenticating a request to authorize unlocking of the protection. The authentication procedure is identified by the table:protection-key-digest-algorithm attribute.
      """
      CHANGE the data type of table:protection-key to base64Binary

      • 19.700 table:protection-key-digest-algorithm

      REPLACE the first paragraph (5 sentences)
      """
      The table:protection-key-digest-algorithm specifies the algorithm used to generate the hash value for the table:protected attribute. It takes the value described in §5.7 of [xmlenc-core]. Consumers shall support SHA1, which is the default, and SHA256. They may support other algorithms described in §5.7 of [xmlenc-core] or alternative algorithms. Producers should use SHA256.
      """
      WITH the text
      """
      The table:protection-key-digest-algorithm attribute value is a URI that identifies a protection-over-ride authentication procedure. The procedure determines how the table:protection-key-value is used in authentication of a request to over-ride the protection setting associated with the table:protection-key.

      When the URI identifies a message-digest algorithm specified in §5.7 of [xmlenc-core], the value of table:protection-key SHALL be the hash coded copy of the password that is required to authorize over-ride of the table:protected setting. The input supplied to the digest algorithm SHALL consist of the UTF-8 encoding of the password text. The UTF-8 encoding SHALL represent only those Unicode characters permitted in XML documents as specified in Section 2.2 of [XML 1.0] with all white-space characters ignored. The UTF-8 encoding SHALL be truncated at 2^61-1 octets.

      Any other procedures, their identifying URIs, and their application of table:protection-key values SHALL be implementation-defined. The URI SHOULD resolve to a resource at which a specification of the procedure is provided.

      Consumers SHALL support message digest algorithms SHA1 and SHA256. When a consumer does not recognize or support the identified procedure, the consumer behavior SHALL be implementation-defined.
      """

      • 19.727 table:structure-protected

      REPLACE all of the first paragraph
      WITH
      "The table:structure-protected attribute specifies whether a table is protected from the insertion, deletion, moving or renaming of tables in the <office:spreadsheet>. When table:structure-protected="true", presence of the table:protection-key attribute signifies that the flag and the resulting protection SHALL be over-ridden only by satisfaction of the authorization requirements for table:protection-key unlocking.
      """

      • 19.851 text:protected

      REPLACE the first two paragraphs
      WITH the text
      """
      The text:protected attribute specifies whether a section is protected against being edited. When text:protected="true", presence of the text:protection-key attribute signifies that the flag and the resulting protection SHALL be over-ridden only by satisfaction of the authorization requirements for text:protection-key unlocking.
      """

      19.852 text:protection-key

      REPLACE the entire first (and only) paragraph
      WITH the text
      """
      The text:protection-key attribute, when present, signifies that the corresponding text:protected setting is locked against removal. The value of the text:protection-key attribute consists of binary data used in authenticating a request to authorize over-riding of the protection. The authentication procedure is identified by the text:protection-key-digest-algorithm attribute.
      """

      CHANGE the data type of text:protection-key to base64Binary

      • 19.853 text:protection-key-digest-algorithm

      REPLACE the entire first paragraph
      WITH the text
      """
      The text:protection-key-digest-algorithm attribute value is a URI that identifies a protection-over-ride authentication procedure. The procedure determines how the text:protection-key value is used in authentication of a request to over-ride the protection setting associated with the text:protection-key. The interpretation of and provisions applicable to text:protection-key-digest-algorithm are identical to those for table:protection-key-digest-algorithm except for the use of text:protection-key instead of table:protection-key.

      Show
      In section 19.698 table:protected make the following changes in the indicated subsections: 19.698.4 <table:table> REPLACE the second sentence """ If the table is protected, the table:protection-key attribute can specifiy a password to prevent a user from resetting the protection flag to enable editing. """ WITH the text """ When <table:table> element attribute table:protected="true", presence of the table:protection-key attribute signifies that the flag and the resulting protection SHALL be over-ridden only by satisfaction of the authorization requirements for table:protection-key unlocking. """ DELETE the second paragraph in its entirety: """ To avoid saving the password directly into the XML file, only a hash value of the password is stored within the table:protection-key attribute. """ 19.699 table-protection-key REPLACE the entire text (two sentences) """ The table:protection-key attributes specifies the hash value of the password assigned to protect a table, table cell or scenario. The hash value is calculated using the algorithm specified by the table:protection-key-digest-algorithm attribute. """ WITH the text """ The table:protection-key attribute, when present, signifies that the protection set for a table, table cell, or scenario is locked against removal. The value of the table:protection-key attribute consists of binary data used in authenticating a request to authorize unlocking of the protection. The authentication procedure is identified by the table:protection-key-digest-algorithm attribute. """ CHANGE the data type of table:protection-key to base64Binary 19.700 table:protection-key-digest-algorithm REPLACE the first paragraph (5 sentences) """ The table:protection-key-digest-algorithm specifies the algorithm used to generate the hash value for the table:protected attribute. It takes the value described in §5.7 of [xmlenc-core] . Consumers shall support SHA1, which is the default, and SHA256. They may support other algorithms described in §5.7 of [xmlenc-core] or alternative algorithms. Producers should use SHA256. """ WITH the text """ The table:protection-key-digest-algorithm attribute value is a URI that identifies a protection-over-ride authentication procedure. The procedure determines how the table:protection-key-value is used in authentication of a request to over-ride the protection setting associated with the table:protection-key. When the URI identifies a message-digest algorithm specified in §5.7 of [xmlenc-core] , the value of table:protection-key SHALL be the hash coded copy of the password that is required to authorize over-ride of the table:protected setting. The input supplied to the digest algorithm SHALL consist of the UTF-8 encoding of the password text. The UTF-8 encoding SHALL represent only those Unicode characters permitted in XML documents as specified in Section 2.2 of [XML 1.0] with all white-space characters ignored. The UTF-8 encoding SHALL be truncated at 2^61-1 octets. Any other procedures, their identifying URIs, and their application of table:protection-key values SHALL be implementation-defined. The URI SHOULD resolve to a resource at which a specification of the procedure is provided. Consumers SHALL support message digest algorithms SHA1 and SHA256. When a consumer does not recognize or support the identified procedure, the consumer behavior SHALL be implementation-defined. """ 19.727 table:structure-protected REPLACE all of the first paragraph WITH "The table:structure-protected attribute specifies whether a table is protected from the insertion, deletion, moving or renaming of tables in the <office:spreadsheet>. When table:structure-protected="true", presence of the table:protection-key attribute signifies that the flag and the resulting protection SHALL be over-ridden only by satisfaction of the authorization requirements for table:protection-key unlocking. """ 19.851 text:protected REPLACE the first two paragraphs WITH the text """ The text:protected attribute specifies whether a section is protected against being edited. When text:protected="true", presence of the text:protection-key attribute signifies that the flag and the resulting protection SHALL be over-ridden only by satisfaction of the authorization requirements for text:protection-key unlocking. """ 19.852 text:protection-key REPLACE the entire first (and only) paragraph WITH the text """ The text:protection-key attribute, when present, signifies that the corresponding text:protected setting is locked against removal. The value of the text:protection-key attribute consists of binary data used in authenticating a request to authorize over-riding of the protection. The authentication procedure is identified by the text:protection-key-digest-algorithm attribute. """ CHANGE the data type of text:protection-key to base64Binary 19.853 text:protection-key-digest-algorithm REPLACE the entire first paragraph WITH the text """ The text:protection-key-digest-algorithm attribute value is a URI that identifies a protection-over-ride authentication procedure. The procedure determines how the text:protection-key value is used in authentication of a request to over-ride the protection setting associated with the text:protection-key. The interpretation of and provisions applicable to text:protection-key-digest-algorithm are identical to those for table:protection-key-digest-algorithm except for the use of text:protection-key instead of table:protection-key.
    • Resolution:
      Hide

      Adapt 19.698.4 <table:table>/table:protected:

      Adapt 2nd sentence from

      If the table is protected and the table:protection-key attribute is present, an authorization is required for resetting the protection flag to enable editing.

      to

      If the table is protected, the table:protection-key attribute can specify an authorization requirement for resetting the protection flag to enable editing.

      19.699 table:protection-key: Adapt description to.

      The table:protection-key attribute, when present, specifies that an authorization is required for removing the protection of a table, table cell or scenario. The authentication procedure is identified by the table:protection-key-digest-algorithm attribute 19.700. The attribute value is binary data that may be used by the authentication procedure.

      19.700 protection-key-digest-algorithm: Replace first paragraph with:

      The table:protection-key-digest-algorithm attribute value is an IRI that identifies an authentication procedure for removing a protection.

      If the IRI identifies a message-digest algorithm specified in §5.7 of [xmlenc-core], the value of table:protection-key attribute shall be the hash value of the password that is required to authorize removal of the protection. The password shall be provided as a sequence of bytes in UTF-8 encoding.

      Any other procedures, their identifying IRIs, and their application of table:protection-key values are implementation-defined.

      Consumers shall support http://www.w3.org/2000/09/xmldsig#sha1, which is the default, and http://www.w3.org/2000/09/xmldsig#sha256. They may support other algorithms described in §5.7 of [xmlenc-core] or alternative procedures. Producers should use http://www.w3.org/2000/09/xmldsig#sha256, or an alternative procedure that is not based on storing passwords in any form, including hash-coded copies.

      19.797 table:structure-protected. Replace first paragraph with:
      The table:structure-protected attribute specifies whether a table is protected from the insertion, deletion, moving or renaming of tables in the document. If the table structure is protected and the table:protection-key attribute is present, an authorization is required for resetting the protection flag to enable editing.

      19.851 text:protected Replace the note with
      If the section is protected and the text:protection-key attribute is present, an authorization is required for resetting the protection flag to enable editing.

      19:852 text:protection-key Adapt description to.

      The text:protection-key attribute, when present, specifies that an authorization is required for removing the protection of a section. The authentication procedure is identified by the text:protection-key-digest-algorithm attribute 19.852. The attribute value is binary data that may be used by the authentication procedure.

      19.852 text:protection-key-digest-algorithm Replace first paragraph with:

      The text:protection-key-digest-algorithm attribute value is an IRI that identifies an authentication procedure for removing a protection.

      If the IRI identifies a message-digest algorithm specified in §5.7 of [xmlenc-core], the value of text:protection-key attribute shall be the hash value of the password that is required to authorize removal of the protection. The password shall be provided as a sequence of bytes in UTF-8 encoding.

      Any other procedures, their identifying IRIs, and their application of text:protection-key values are implementation-defined.

      Consumers shall support http://www.w3.org/2000/09/xmldsig#sha1, which is the default, and http://www.w3.org/2000/09/xmldsig#sha256. They may support other algorithms described in §5.7 of [xmlenc-core] or alternative procedures. Producers should use http://www.w3.org/2000/09/xmldsig#sha256, or an alternative procedure that is not based on storing passwords in any form, including hash-coded copies.

      Show
      Adapt 19.698.4 <table:table>/table:protected: Adapt 2nd sentence from If the table is protected and the table:protection-key attribute is present, an authorization is required for resetting the protection flag to enable editing. to If the table is protected, the table:protection-key attribute can specify an authorization requirement for resetting the protection flag to enable editing. 19.699 table:protection-key: Adapt description to. The table:protection-key attribute, when present, specifies that an authorization is required for removing the protection of a table, table cell or scenario. The authentication procedure is identified by the table:protection-key-digest-algorithm attribute 19.700. The attribute value is binary data that may be used by the authentication procedure. 19.700 protection-key-digest-algorithm: Replace first paragraph with: The table:protection-key-digest-algorithm attribute value is an IRI that identifies an authentication procedure for removing a protection. If the IRI identifies a message-digest algorithm specified in §5.7 of [xmlenc-core] , the value of table:protection-key attribute shall be the hash value of the password that is required to authorize removal of the protection. The password shall be provided as a sequence of bytes in UTF-8 encoding. Any other procedures, their identifying IRIs, and their application of table:protection-key values are implementation-defined. Consumers shall support http://www.w3.org/2000/09/xmldsig#sha1 , which is the default, and http://www.w3.org/2000/09/xmldsig#sha256 . They may support other algorithms described in §5.7 of [xmlenc-core] or alternative procedures. Producers should use http://www.w3.org/2000/09/xmldsig#sha256 , or an alternative procedure that is not based on storing passwords in any form, including hash-coded copies. 19.797 table:structure-protected. Replace first paragraph with: The table:structure-protected attribute specifies whether a table is protected from the insertion, deletion, moving or renaming of tables in the document. If the table structure is protected and the table:protection-key attribute is present, an authorization is required for resetting the protection flag to enable editing. 19.851 text:protected Replace the note with If the section is protected and the text:protection-key attribute is present, an authorization is required for resetting the protection flag to enable editing. 19:852 text:protection-key Adapt description to. The text:protection-key attribute, when present, specifies that an authorization is required for removing the protection of a section. The authentication procedure is identified by the text:protection-key-digest-algorithm attribute 19.852. The attribute value is binary data that may be used by the authentication procedure. 19.852 text:protection-key-digest-algorithm Replace first paragraph with: The text:protection-key-digest-algorithm attribute value is an IRI that identifies an authentication procedure for removing a protection. If the IRI identifies a message-digest algorithm specified in §5.7 of [xmlenc-core] , the value of text:protection-key attribute shall be the hash value of the password that is required to authorize removal of the protection. The password shall be provided as a sequence of bytes in UTF-8 encoding. Any other procedures, their identifying IRIs, and their application of text:protection-key values are implementation-defined. Consumers shall support http://www.w3.org/2000/09/xmldsig#sha1 , which is the default, and http://www.w3.org/2000/09/xmldsig#sha256 . They may support other algorithms described in §5.7 of [xmlenc-core] or alternative procedures. Producers should use http://www.w3.org/2000/09/xmldsig#sha256 , or an alternative procedure that is not based on storing passwords in any form, including hash-coded copies.

      Description

      Since ODF 1.0, there is a security vulnerability in the use of hashed copies of passwords as values of *:protection-key attributes. Having the hashed password copies retrievable from the document permits discovery of the password and attack on other uses of it.

      Although a number of cases are already implemented, using SHA-1 and apparently SHA-256, it is proposed to prepare for deprecation of *:protection-key usages where the value of the attribute is a directly-derived as a hash-coded copy of a potentially-memorable/-reusable password.

      No safe algorithm is proposed, since there is no known-safe implementation currently in use. Such implementations are known to be possible, however.

      To make room for introduction of safe algorithms that do not depend on the OpenDocument producer and consumer ever receiving an user secret in any form recoverable or verifiable from the document, this proposal simply restates the current provisions so that non-hashed-password methods can be introduced without expanding the number of attributes or interfereing with current implementations.

      In order to accomplish this, the repetitious restatements of how *:protection-key works are also removed from all places except where that attribute and *:protection-key-digest-algorithm are defined directly.

      NOTE 1: These changes impact and supersede the Issues OFFICE-2561, OFFICE-2562, and OFFICE-2563

      NOTE 2: These changes are solely for allowing remedy to the use of hashed copies of passwords. No effort is made to resolve other questions that might apply in how protections work and are specified.

        Attachments

        There are no Sub-Tasks for this issue.

          Activity

            People

            • Assignee:
              Patrick Patrick Durusau
              Reporter:
              orcmid Dennis Hamilton (Inactive)
            • Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: