OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

office message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] Commented: (OFFICE-2739) ODF 1.2 Part 3 4.8.5manifest:initialisation-vector underspecified


    [ http://tools.oasis-open.org/issues/browse/OFFICE-2739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22764#action_22764 ] 

Dennis Hamilton commented on OFFICE-2739:
-----------------------------------------

If we say that the IV value is always of the exact size required by the algorithm method, then the other business about how the IV is extracted (when the given value is shorter or longer) is not required.

There are some security considerations that apply to choice of IV that tend to be recommended by the different algorithm descriptions and their security analyses, but they don't REQUIRE that the considerations be honored.  

We might say that the algorithm definition should be consulted for cryptographic security considerations that apply to the creation of the IV value.  For example, for our use of Blowfish CFB and all of the CBC methods in [xmlenc-core], the IV needs to (1) be cryptographically random and (2) the same IV should not ever be used with the same PBKDF-generated key and encryption algorithm.  These considerations arise from interdependencies that our use of encryption in packages introduce.  Although they can be discovered from a careful study of source materials (as I did), these our the interdependencies that come from our use and we should account for them somehow, it seems to me.  It lets folks know we arrived at these on purpose and with care and we are passing that on to them.

> ODF 1.2 Part 3 4.8.5 manifest:initialisation-vector underspecified
> ------------------------------------------------------------------
>
>                 Key: OFFICE-2739
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-2739
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Bug
>          Components: Packaging, Part 3 (Packages), Security
>    Affects Versions: ODF 1.2 CD 05
>         Environment: This issue applies for ODF 1.0/1.1/IS 26300 and drafts of ODF 1.2.  The specific text and location that is addressed here is that in ODF 1.2 CD05 Part 3.
>            Reporter: Dennis Hamilton
>            Assignee: Dennis Hamilton
>             Fix For: ODF 1.2 CD 06
>
>
> Section 4.8.5 does not indicate what the governing characteristics of the initialisation vector are and where the requirements for it are obtained.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]