Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: ODF 1.3, ODF 1.2 COS 1
    • Fix Version/s: ODF 1.3 CSD 01, ODF 1.4
    • Labels:
      None
    • Environment:

      This is an enhancement, described in terms of changes to OpenDocument-v1.2-os-part3

    • Proposal:
      Hide

      [Updated 2013-05-04]

      Version 1.03 simplifies the 1.02 proposal while also improving the security characteristics of the encryption, providing authentication of the decryption for each encrypted file in the Zip package. Version 1.03 is available at https://www.oasis-open.org/committees/document.php?document_id=49077

      A. Rationale

      B. Proposed Changes

      1. Front Page
      2. Normative References
      3. Section 4.8.3 manifest:checksum-type
      4. Section 4.8.6 manifest:start-key-generation-name

      C. Deployment Considerations

      D. Cryptographic Strength Considerations

      Show
      [Updated 2013-05-04] Version 1.03 simplifies the 1.02 proposal while also improving the security characteristics of the encryption, providing authentication of the decryption for each encrypted file in the Zip package. Version 1.03 is available at https://www.oasis-open.org/committees/document.php?document_id=49077 A. Rationale B. Proposed Changes 1. Front Page 2. Normative References 3. Section 4.8.3 manifest:checksum-type 4. Section 4.8.6 manifest:start-key-generation-name C. Deployment Considerations D. Cryptographic Strength Considerations
    • Resolution:
      Hide

      Member-submitted proposal for ODF 1.3

      Show
      Member-submitted proposal for ODF 1.3

      Description

      In the default encryption method for packages, the same start-key, the SHA1 digest of the user-entered-password, is used for all key generations for encrypting the individual parts of the package. Although the start-key is a secret, its successful attack permits decryption of the entire package.

      This proposal adds a method by which the start key is different for every key generation, relying on the cryptographically-random and different manifest:salt that is created for each key generation. This means that successful attack of one start key does not provide the start key for any of the other encryptions.

      Note: This procedure does not materially impact attacks on the user-specified password, which remain at least as vulnerable as memorable passwords generally are.

      In addition, the proposal adds an additional manifest:checksum-type that employs a message-authentication procedure on the entire compressed plaintext file. HMAC-SHA1 is used. The resulting checksum value is the same size as the current manifest:checksum. However, the MAC is created over the entire compressed plaintext and the key for the MAC is the derived key used in the encryption and decryption of the same file. This accomplishes password-based authentication along with the password-based encryption/decryption.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              orcmid Dennis Hamilton (Inactive)
            • Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated: