nfoWorks: tools for document interoperability

d110801 nfoWorks devNote
  Provisional Namespace ns/odf/1.2/security#
 Package Encryption Enhancements

nfoWorks>dev>
2011>08>

d110801c>
 0.03 2017-06-14 20:21

ns/odf/1.2/security#
Package Security Enhancements

 

tools for document interoperability
nfoWorks > ns> odf> 1.2> security> Package Security Enhancements
  1. Overview
      

1. Overview

There are security weaknesses in the <manifest:encryption-data> provisions for encryption of ODF packages.  The nfoware-defined enhancements reduce the attack surface.  They are not particularly strong countermeasures: they do little to impede readily-available "password-recovery" software that succeeds by attacking the password directly.

1.1 In the password-based encryption of ODF 1.0/1.1/1.2 documents there are two hazards involving message-digest algorithms:

1.1.1 The <manifest:encryption-data> manifest:checksum attribute value is a digital hash of (the beginning of) the unencrypted file.  This discloses information about the unencrypted file and makes it easy to detect encryptions of files for which the plaintext may already be known.

1.1.2 User-entered passwords are transformed into a start key using a message digest algorithm.  The algorithm is typically SHA1 (default) or SHA256.  This start key is then used in the encryption of each file in the package.  Although the password itself is usually the weakest point in the encryption, the start key is also subject to attack, such as attempting known hash values.

1.2 In ODF 1.2 the <manifest:encryption-data> manifest:checksum-type attribute identifies the procedure by which the manifest:checksum value (1.1.1) is derived.  Six algorithms are allowed: SHA1, SHA1-1k (on first 1k bytes only), SHA256, SHA256-1k (recommended), SHA512, and RIPEMD-160.  ODF 1.2 consumers are required to support SHA1-1k and SHA256-1k.

1.3 In ODF 1.2 the <manifest:start-key-generation> manifest:start-key-generation-name attribute identifies the procedure by which the start key for a given package file encryption is derived (1.1.2).  Four algorithms are allowed: SHA1, SHA256 (recommended), SHA512, and RIPEMD-160.  ODF 1.2 consumers are required to support SHA1 (default) and SHA256.

{EdNote: Definition of local names and identifiers for the extended procedures will be provided as provisional use becomes appropriate.

[RFC2104]
{EdNote: References to W3C and IETF specification, references to the relevant ODF TC issues and documents, possibly OIC material as well.  Note that permalinks could be into a common bibliographic index, and that is where revisions would be linked, etc.}
Construction Structure (Hard Hat Area)
Creative Commons License You are navigating nfoWorks.
This work is licensed under a
Creative Commons Attribution 2.5 License.

0.03 2017-06-14 20:21 -0700
Attribution:
Hamilton, Dennis E.
 Provisional Namespace ns/odf/1.2/security# Package Encryption Enhancements.   nfoWorks devNote d110801c 0.03 November 2, 2012.  Accessed at <http://nfoWorks.org/dev/2011/08/d110801c.htm>.
Revision History:
0.03 2012-11-02-16:04 Define the Situation
The provisions to be extended are summarized along with description of the weakness to be strengthened.  Provisional local names are not yet available.
0.02 2012-04-13-12:58 Working Draft
Identify the skeleton working draft under the revised namespace stem,  ns/odf/1.2/
0.01 2011-10-01-19:29 Change Title
The Namespace is changed to Provisional Namespace and the title is restructured
0.00 2011-08-20-17:21 Initial Placeholder
Provide boilerplate and initial professional-appearance insert page for the namespace landing page.  The text information is basically in the professional-appearance content.  There can be additional linked material here, however.
Construction Structure (Hard Hat Area)
Creative Commons License You are navigating nfoWorks.
This work is licensed under a
Creative Commons Attribution 2.5 License.

created 2011-08-20-1654 -0700 (pdt)
$$Author: Orcmid $
$$Date: 17-06-14 20:21 $
$$Revision: 331 $