Uploaded image for project: 'OASIS Open Document Format for Office Applications (OpenDocument) TC'
  1. OASIS Open Document Format for Office Applications (OpenDocument) TC
  2. OFFICE-2726

ODF 1.2 Part 3 section 4.8.9 manifest:key-derivation-name description

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Applied
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: ODF 1.2 CD 05
    • Fix Version/s: ODF 1.2 CD 06
    • Component/s: Packaging, Part 2 (Packages) [1.2: 3], Security
    • Labels:
      None
    • Environment:

      This issue applies in all versions and drafts starting with the OASIS ODF 1.0 Standard. The specific location, wording and proposed changes are against ODF 1.2 CD05 Part 3.

    • Proposal:
      Hide

      1. Replace the first two sentences and the first bullet-list item with the following:

      """
      The manifest:key-derivation-name attribute specifies the name of the password-based key-derivation algorithm used to derive a cryptographic key for use in encryption and decryption of the file.

      The defined values for the manifest:key-derivation name attribute are:

      • PBKDF2: The PBKDF2 key derivation method with HMAC-SHA-1 for the pseudorandom function (PRF). See [RFC2898] sections 5.2 and B.1.1.
        """

      2. In the last paragraph of section 4.8.9 that begins "If the value of this attribute is PBKDF2 ... " add the sentence

      """
      The start key should have at least 160 bits (20 octets). The manifest:salt should provide at least 64 bits (8 octets) but not more than 408 (51 octets). Note: Start keys longer than 512 bits (64 octets) are permissible but are not useful if already message-digest values; manifest:salt values having more than 160 bits (20 octets) are unlikely to add to the strength of the key derivation, which uses 160-bit intermediate results regardless of the number of bits requested in the delivered key.
      """

      Show
      1. Replace the first two sentences and the first bullet-list item with the following: """ The manifest:key-derivation-name attribute specifies the name of the password-based key-derivation algorithm used to derive a cryptographic key for use in encryption and decryption of the file. The defined values for the manifest:key-derivation name attribute are: PBKDF2: The PBKDF2 key derivation method with HMAC-SHA-1 for the pseudorandom function (PRF). See [RFC2898] sections 5.2 and B.1.1. """ 2. In the last paragraph of section 4.8.9 that begins "If the value of this attribute is PBKDF2 ... " add the sentence """ The start key should have at least 160 bits (20 octets). The manifest:salt should provide at least 64 bits (8 octets) but not more than 408 (51 octets). Note: Start keys longer than 512 bits (64 octets) are permissible but are not useful if already message-digest values; manifest:salt values having more than 160 bits (20 octets) are unlikely to add to the strength of the key derivation, which uses 160-bit intermediate results regardless of the number of bits requested in the delivered key. """
    • Resolution:
      Hide

      1. Replace the first sentence of 4.8.9 manifest:key-derivation-name with:

      """
      The manifest:key-derivation-name attribute specifies the name of the password-based key-derivation algorithm used to derive a cryptographic key for use in encryption and decryption of the file.
      """

      In the first list item, change
      """
      The PBKDF2 key derivation method. See [RFC2898].
      """
      to
      """
      The PBKDF2 key derivatiohn method with HMAC-SHA-1 for the Pseudo-Random Function (PRF). See [RFC2898] sections 5.2 and B.1.1.
      """

      Show
      1. Replace the first sentence of 4.8.9 manifest:key-derivation-name with: """ The manifest:key-derivation-name attribute specifies the name of the password-based key-derivation algorithm used to derive a cryptographic key for use in encryption and decryption of the file. """ In the first list item, change """ The PBKDF2 key derivation method. See [RFC2898] . """ to """ The PBKDF2 key derivatiohn method with HMAC-SHA-1 for the Pseudo-Random Function (PRF). See [RFC2898] sections 5.2 and B.1.1. """

      Description

      1. In section 4.8.9 the first sentence is

      "The manifest:key-derivation-name attribute specifies the name of the algorithm used to derive a name."

      It should not end with "... algorithm used to derive a name."

      It should say, "... password-based key-derivation algorithm used to derive a cryptographic key for use in encryption and decryption of the file."

      2. In the first bullet in the list following the second sentence, it says that a defined value for the attribute is

      "PBKDF2: The PBKDF2 key derivation method. See [RFC2898].

      This is incomplete. PBKDF2 is a general procedure that depends on use of a Pseudo-Random Function (PRF) for its operation. The choice of PRF must also be know in order for an encryption to be decrypted correctly.

      One way to repair this is to add HMAC-SHA-1 to the definition as the understood PRF, using the procedure in the example in [RFC2898].

      Finally, the size of the salt is relevant to the cryptographic strength of the key derivation. 64 bits is useful for implementation reasons, when HMAC-SHA-1 is the PRF. Longer values are usable but more than 120 bits probably adds no further strength to the key derivation, no matter what key size is produced from the PBKDF2 derivation.

        Attachments

          Activity

            People

            • Assignee:
              orcmid Dennis Hamilton (Inactive)
              Reporter:
              orcmid Dennis Hamilton (Inactive)
            • Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: