Posted to dev@openoffice.apache.org by "Dennis E. Hamilton" <de...@acm.org> on 2011/06/15 22:50:58 UTC

Watch out for OpenOffice Crypto

This is a heads-up concerning these requirements: 
<http://www.apache.org/dev/crypto.html>.

There are cryptographic functions in the OpenOffice code base, specifically for providing digital signatures on documents and also for encryption of ODF packages.

It appears that the Apache procedures for such code kick in *before* the code itself is placed in public view (i.e., committed to the SVN repository).

I guess it is time I looked at the JIRA to see if there is a good place to track this kind of thing.

 - Dennis

DETAILS

Digital Signature provisions are new in ODF 1.2 although some ODF 1.1 implementations include an OpenOffice.org-specific early implementation.  They are implemented in current releases of OpenOffice.org and LibreOffice, at least.  XML DSig is used in a profile that deals with the fact that components within a Zip file are being signed.  Late additions to the ODF 1.2 sequence of Committee Drafts introduced provisions for ETSI profiles, especially XAdES.

The encryption provisions have been included since ODF 1.0 (at least).  The specification for ODF 1.2 has been tightened, providing additional encryption methods beyond the default use of Blowfish and Password Based Key Derivation (PBKDF2) using HMAC-SHA1.  I don't know that any alternative encryptions are yet to be found in the wild.

There are also some password-protection one-way functions in OpenOffice, mainly for obscuring passwords used to set locks of various kinds within documents.  The digest algorithms are not considered encryption methods.  (The FAQ is handy for this and related questions: <http://www.apache.org/dev/crypto.html#faq>.)

BACKGROUND

I have been thinking that the Apache OOo would be a good place to do a reference implementation for a supplemental whole-package encryption that has been discussed on the ODF TC but that was considered too late in the game for ODF 1.2 (Now OASIS ODF 1.2 Committee Specification 01 and pending public review as a Candidate OASIS Standard).  The nice part of such an effort is that it is independent of the rest of OOo development.  It is about a wrapper that encloses the ODF package as a single encrypted file.  There are a number of technical matters to be tested as part of choosing a specific approach for ODF 1.3 (say), and having a pilot reference implementation would help settle some of those questions as well as alert implementers in mitigating potential disruption, especially of down-level implementations.
 
It was thinking about that mini-sub-project that led to the policies on handling encryption catching my eye.




Re: Watch out for OpenOffice Crypto

Posted by Ross Gardler <rg...@apache.org>.
On 15/06/2011 21:50, Dennis E. Hamilton wrote:
> This is a heads-up concerning these requirements:
> <http://www.apache.org/dev/crypto.html>.
>
> There are cryptographic functions in the OpenOffice code base, specifically for providing digital signatures on documents and also for encryption of ODF packages.
>
> It appears that the Apache procedures for such code kick in *before* the code itself is placed in public view (i.e., committed to the SVN repository).

This is correct. Good catch.

We mentors should have dealt with that already - thanks for being vigilant.

Ross

>
> I guess it is time I looked at the JIRA to see if there is a good place to track this kind of thing.
>
>   - Dennis
>
> DETAILS
>
> Digital Signature provisions are new in ODF 1.2 although some ODF 1.1 implementations include an OpenOffice.org-specific early implementation.  They are implemented in current releases of OpenOffice.org and LibreOffice, at least.  XML DSig is used in a profile that deals with the fact that components within a Zip file are being signed.  Late additions to the ODF 1.2 sequence of Committee Drafts introduced provisions for ETSI profiles, especially XAdES.
>
> The encryption provisions have been included since ODF 1.0 (at least).  The specification for ODF 1.2 has been tightened, providing additional encryption methods beyond the default use of Blowfish and Password Based Key Derivation (PBKDF2) using HMAC-SHA1.  I don't know that any alternative encryptions are yet to be found in the wild.
>
> There are also some password-protection one-way functions in OpenOffice, mainly for obscuring passwords used to set locks of various kinds within documents.  The digest algorithms are not considered encryption methods.  (The FAQ is handy for this and related questions: <http://www.apache.org/dev/crypto.html#faq>.)
>
> BACKGROUND
>
> I have been thinking that the Apache OOo would be a good place to do a reference implementation for a supplemental whole-package encryption that has been discussed on the ODF TC but that was considered too late in the game for ODF 1.2 (Now OASIS ODF 1.2 Committee Specification 01 and pending public review as a Candidate OASIS Standard).  The nice part of such an effort is that it is independent of the rest of OOo development.  It is about a wrapper that encloses the ODF package as a single encrypted file.  There are a number of technical matters to be tested as part of choosing a specific approach for ODF 1.3 (say), and having a pilot reference implementation would help settle some of those questions as well as alert implementers in mitigating potential disruption, especially of down-level implementations.
>
> It was thinking about that mini-sub-project that led to the policies on handling encryption catching my eye.
>
>
>