OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

office message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: [OASIS Issue Tracker] (OFFICE-3703) Proposal: ODF 1.3 Protection-Key Enhancements


    [ https://issues.oasis-open.org/browse/OFFICE-3703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=73045#comment-73045 ] 

Patrick Durusau commented on OFFICE-3703:
-----------------------------------------

Implementors are encouraged to submit complete encryption/security drafts for further TC review.

> Proposal: ODF 1.3 Protection-Key Enhancements
> ---------------------------------------------
>
>                 Key: OFFICE-3703
>                 URL: https://issues.oasis-open.org/browse/OFFICE-3703
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Improvement
>          Components: Security, Table, Text
>    Affects Versions: ODF 1.0, ODF 1.0 (second edition), ODF 1.1, ODF 1.2, ODF 1.2 COS 1
>         Environment: This is an enhancement, described in terms of changes to OpenDocument-v1.2-os.
>            Reporter: Dennis Hamilton
>            Assignee: Dennis Hamilton
>            Priority: Major
>             Fix For: ODF-Later
>
>
>    The use of password hashes in easily-discovered XML element and attribute values is subject to compromise of the hashed password.  Although the use of increasingly-stronger digest algorithms may lengthen the time required for carrying out a brute-force attack on the hash, memorable passwords remain subject to compromise and the attack becomes easier as processor technology advances.  Currently (May 2013) there is an explosive growth in hacks involving the discovery of passwords that are authenticated by use of unsalted digest algorithms.
>    
>  In addition, the presence of hashes in plain sight in XML documents allows the digest value to be easily compared with the same digest value elsewhere, revealing worthy targets to an adversary.  In addition, the digest value is easily removed/replaced.  An extracted digest value can be repurposed for malicious purposes.
>    
> This proposal introduces two protection-key digest algorithms, AUTHZ160 and SHA1DK that are intended to mitigate risks associated with use of digest algorithms and provision of the digests in plain view in XML documents.  AUTHZ160, the recommended new default, uses protection-keys that are not derived from a password at all.  They are 100% protection against discovery of an actual password known to the user by analysis of the protection key.  SHA1DK uses a cryptographically-random salt and an iterative key derivation procedure that makes discovery of a password by repeated trials very costly. 



--
This message was sent by Atlassian JIRA
(v7.7.2#77003)


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]