[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [oic] encryption of signature files
I'm not certain what Dennis is referring to, but it might be the known-text attack on ZIP files that has been known for 15 years or so. Essentially, the table of contents for the ZIP file readable by anyone, so if you can look at the names of the files in the ZIP and correctly guess a portion of the plain text in one of those files, you can reduce the cost of a brute force attack to determine the encryption key. The more bits you can guess in the plain text, the easier it will be to recover the key. -Rob Hanssens Bart <Bart.Hanssens@fedict.be> wrote on 12/11/2009 01:06:20 PM: > > > I have a pent-up pending analysis and blog post on the ODF 1.x package > > encryption scheme's vulnerability to known-plaintext attacks. Thefact that > > the digital signature files cannot be encrypted is also something that > > should raise eyebrows in document security circles. > > Hmz, probably I'm missing something here, but I haven't read that one cannot > encrypt the signature files (or other files in META-INF, except the > manifest.xml) > > As far as I know, one cannot encrypt the manifest (otherwise it'll be a tad > difficult to get to the encryption/decryption parameters), nor the mimetype > stream... > > Part 3 mentions that, for encrypted documents, Thumbnails/thumbnail.png > may be a dummy one (but I haven't seen a statement that one isn't allow to > simply encrypt that one as well, although that might cause some trouble for > environments trying to show the preview, so probably not a good idea) >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]