

Subject: [OASIS Issue Tracker] Updated: (OFFICE-3703) Proposal: ODF 1.3 Protection-Key Enhancements



     [ http://tools.oasis-open.org/issues/browse/OFFICE-3703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Hamilton updated OFFICE-3703:
------------------------------------

    Proposal: 
[Updated 2011-08-01]

Version 1.02 body of the proposal is maintained at http://www.oasis-open.org/committees/document.php?document_id=43052 , with specification of explicit changes to the text of these sections of ODF 1.2 for incorporation in ODF 1.3 CSD01:

               1. Front Page
               2. Section 19.697 table:protection-key
               3. Section 19.698 table:protection-key-digest-algorithm
               4. Section 19.850 text:protection-key
               5. Section 19.851 text:protection-key-digest-algorithm

Two new protection-key-digest-algorithm URIs are proposed.  One for sha1-salt with a minimum 20 byte salt, one for authz160 with a minimum 20-byte binary protection-key that is not dependent on a password and cannot be subjected to brute-force attack to obtain a password.

  was:
Version 1.00 body of the proposal is maintained at http://www.oasis-open.org/committees/document.php?document_id=42871 , with specification of explicit changes to the text of these sections of ODF 1.2 for incorporation in ODF 1.3 CSD01:

               1. Front Page
               2. Section 19.697 table:protection-key
               3. Section 19.698 table:protection-key-digest-algorithm
               4. Section 19.850 text:protection-key
               5. Section 19.851 text:protection-key-digest-algorithm

Two new protection-key-digest-algorithm URIs are proposed.  One for sha1-salt with a 160 bit salt, one for secure160 with a 160 bit binary protection-key that is not dependent on a password and cannot be subjected to brute-force attack to obtain a password.


The proposal is updated to version 1.02 that allows the sha1-salt to be variable length (but a minimum of 20 bytes).  Also, the secure160 algorithm is renamed authz160 and the protection-key value is a minimum of 20 bytes.  The proposal text explains the motivation for this and also addresses provisional use between CSD0x and whatever appears in ODF 1.3.

> Proposal: ODF 1.3 Protection-Key Enhancements
> ---------------------------------------------
>
>                 Key: OFFICE-3703
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-3703
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Improvement
>          Components: Table, Text
>    Affects Versions: ODF 1.2
>         Environment: This is an enhancement, described in terms of changes to OpenDocument-v1.2-cs01.
>            Reporter: Dennis Hamilton
>             Fix For: ODF 1.3 CSD 01
>
>
>    The use of password hashes in easily-discovered XML element and attribute values is subject to compromise of the hashed password.  Although the use of increasingly-stronger digest algorithms may lengthen the time required for carrying out a brute-force attack on the hash, memorable passwords remain subject to compromise and the attack becomes easier as processor technology advances.
>    
>    In addition, the presence of hashes in plain sight in XML documents allows the digest value to be easily compared with the same digest value elsewhere, revealing worthy targets to an adversary.  In addition, the digest value is easily removed/replaced.  And an extracted digest value can be repurposed for malicious purposes.
>    
>    This proposal introduces two protection-key digest algorithms that are intended to mitigate (but not eliminate) risks associated with use of digest algorithms and provision of the digests in plain view in XML documents.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
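
An added illustration, not code from the proposal or from the ODF specification, of the digest-comparison risk described in the quoted issue text and of the two mitigations the update names (a salt of at least 20 bytes, and a binary key of at least 20 bytes that does not depend on a password). The salt-then-password concatenation, the helper names and the sample password are assumptions; the proposal document defines the actual encodings.

```python
import base64
import hashlib
import hmac
import secrets

MIN_LEN = 20  # minimum salt / key length in bytes, per the proposal summary


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def plain_sha1_key(password):
    """Unsalted SHA-1 of the UTF-8 password: same password, same value everywhere."""
    return _b64(hashlib.sha1(password.encode("utf-8")).digest())


def salted_sha1_key(password, salt=None):
    """Return (salt, digest), both base64. ASSUMED layout: SHA-1(salt || password)."""
    salt = secrets.token_bytes(MIN_LEN) if salt is None else salt
    if len(salt) < MIN_LEN:
        raise ValueError("salt must be at least 20 bytes")
    return _b64(salt), _b64(hashlib.sha1(salt + password.encode("utf-8")).digest())


def verify_salted(password, salt_b64, digest_b64):
    """Recompute the salted digest and compare in constant time."""
    salt = base64.b64decode(salt_b64)
    if len(salt) < MIN_LEN:
        return False  # reject documents carrying an undersized salt
    expected = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(expected, base64.b64decode(digest_b64))


def random_binary_key(length=MIN_LEN):
    """Password-independent key: random bytes, so there is no password to recover."""
    if length < MIN_LEN:
        raise ValueError("key must be at least 20 bytes")
    return _b64(secrets.token_bytes(length))


def linkable(values):
    """True when two documents expose an identical protection-key value."""
    return len(set(values)) < len(values)


if __name__ == "__main__":
    pw = "Budget2011"  # constructed sample password
    print("unsalted linkable:", linkable([plain_sha1_key(pw), plain_sha1_key(pw)]))
    print("salted linkable:  ", linkable([salted_sha1_key(pw)[1], salted_sha1_key(pw)[1]]))
```

A salt removes the cross-document comparison but not the weakness of a memorable password, and neither form prevents the value from being removed or replaced in the XML, which matches the issue text's "mitigate (but not eliminate)".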

        

