OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

office message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: [OASIS Issue Tracker] Updated: (OFFICE-3709) ODF 1.3: Package Encryption Enhancements


     [ http://tools.oasis-open.org/issues/browse/OFFICE-3709?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Hamilton updated OFFICE-3709:
------------------------------------

             Proposal: 
[Updated 2013-05-04]

Version 1.03 simplifies the 1.02 proposal while also improving the security characteristics of the encryption, providing authentication of the decryption for each encrypted file in the Zip package.

    A. Rationale

    B. Proposed Changes

               1. Front Page 
               2. Normative References
               3. Section 4.8.3 manifest:checksum-type
               4. Section 4.8.6 manifest:start-key-generation-name

    C. Deployment Considerations

    D. Cryptographic Strength Considerations



  was:
[Updated 2011-08-15]

Version 1.02 body of the proposal is maintained at http://www.oasis-open.org/committees/document.php?document_id=43224 , with specification of explicit changes to the text of these sections of ODF 1.2 for incorporation in ODF 1.3 CSD01 part 3: 

    A. Rationale

    B. Proposed Changes

               1. Front Page 
               2. Normative References
               3. Section 4.8.3 manifest:checksum-type
               4. Section 4.8.6 manifest:start-key-generation-name

    C. Deployment Considerations

    D. Cryptographic Strength Considerations

The proposal adds one new URI for a method that appends the manifest:salt to the user-specified password for digesting as the start key. The proposal adds a second new method that produces a manifest:checksum value that carries a salt and uses HMAC-SHA1 to produce the value for verifying that the decryption is correct.

          Environment: This is an enhancement, described in terms of changes to OpenDocument-v1.2-os-part3  (was: This is an enhancement, described in terms of changes to OpenDocument-v1.2-cs01-part3)
        Fix Version/s: ODF 1.3
    Affects Version/s: ODF 1.3
          Description: 
In the default encryption method for packages, the same start-key, the SHA1 digest of the user-entered-password, is used for all key generations for encrypting the individual parts of the package.  Although the start-key is a secret, its successful attack permits decryption of the entire package.

This proposal adds a method by which the start key is different for every key generation, relying on the cryptographically-random and different manifest:salt that is created for each key generation.  This means that successful attack of one start key does not provide the start key for any of the other encryptions.

Note: This procedure does not materially impact attacks on the user-specified password, which remain at least as vulnerable as memorable passwords generally are.

In addition, the proposal adds an additional manifest:checksum-type that employs a message-authentication procedure on the entire compressed plaintext file.  HMAC-SHA1 is used.  The resulting checksum value is the same size as the current manifest:checksum.  However, the MAC is created over the entire compressed plaintext and the key for the MAC is the derived key used in the encryption and decryption of the same file.  This accomplishes password-based authentication along with the password-based encryption/decryption.

  was:
In the default encryption method for packages, the same start-key, the SHA1 digest of the user-entered-password, is used for all key generations for encrypting the individual parts of the package.  Although the start-key is a secret, its successful attack permits decryption of the entire package.

This proposal adds a method by which the start key is different for every key generation, relying on the cryptographically-random and different manifest:salt that is created for each key generation.  This means that successful attack of one start key does not provide the start key for any of the other encryptions.

Note: This procedure does not materially impact attacks on the user-specified password, which remain at least as vulnerable as memorable passwords generally are.

In addition, the proposal adds an additional manifest:checksum-type that is salted in a way that avoids production of duplicate checksums for the same-plaintext files in different encrypted documents, reducing any attack surface that the detection of same-plaintext files may offer..


The v1.03 update introduces a standard method, HMAC-SHA1, as an alternative for manifest:checksum on each file.  To authenticate manifest:checksum, the derived key also used for decryption is required.  This, along with increasing the iteration count for key derivation via PBKDF2 will make provide a significant impediment to identification of known plaintexts.

The only ODF-unique technique is with a new manifest:start-key-generation-name that employs a unique start key generation for each encrypted file, relying on the salt that is also used in the key derivation, but not in the same manner.

> ODF 1.3: Package Encryption Enhancements
> ----------------------------------------
>
>                 Key: OFFICE-3709
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-3709
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Improvement
>          Components: Packaging, Part 3 (Packages), Security
>    Affects Versions: ODF 1.3, ODF 1.2 COS 1
>         Environment: This is an enhancement, described in terms of changes to OpenDocument-v1.2-os-part3
>            Reporter: Dennis Hamilton
>            Assignee: Dennis Hamilton
>             Fix For: ODF 1.3, ODF 1.3 CSD 01
>
>
> In the default encryption method for packages, the same start-key, the SHA1 digest of the user-entered-password, is used for all key generations for encrypting the individual parts of the package.  Although the start-key is a secret, its successful attack permits decryption of the entire package.
> This proposal adds a method by which the start key is different for every key generation, relying on the cryptographically-random and different manifest:salt that is created for each key generation.  This means that successful attack of one start key does not provide the start key for any of the other encryptions.
> Note: This procedure does not materially impact attacks on the user-specified password, which remain at least as vulnerable as memorable passwords generally are.
> In addition, the proposal adds an additional manifest:checksum-type that employs a message-authentication procedure on the entire compressed plaintext file.  HMAC-SHA1 is used.  The resulting checksum value is the same size as the current manifest:checksum.  However, the MAC is created over the entire compressed plaintext and the key for the MAC is the derived key used in the encryption and decryption of the same file.  This accomplishes password-based authentication along with the password-based encryption/decryption.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]