[Libreoffice] Encrypted password -- NEW ENCRYPTION BUG!

Dennis E. Hamilton dennis.hamilton at acm.org
Tue May 31 12:59:17 PDT 2011 

There is a new problem around encryption (and, consequentially, protection) in LO 3.4.0rc2 on x86 Windows.  This may be related to the non-operating "Change Password" feature.

The problem is that encryption of documents won't turn off, so there is no way to save a decrypted document as unencrypted.  LO 3.4.0rc2 always encrypts all saves of a previously-encrypted document.  It uses the previous password automatically (or its hash, which is what the encryption uses for its key-generation operations).

This has been confirmed with LO 3.4.0rc2 on x86 Windows (Vista running in Virtual PC on Windows 7).  I have also confirmed that the problem does not exist in LO 3.3.2.

1. The setup - A document is saved with encryption and as part of the setting of document properties on save, a protection password is also set and the document is marked as read-only (and change-recording is locked on).

2. In opening the document, after the password is provided, the document opens as read-only and the protection is in effect. The Document Properties | Security tab has the protection option greyed out (it doesn't say Unprotect but Protect) and the check boxes are greyed out with no checks in them.  This is common.  It happens with LO 3.3.2 also.

3. Doing a Save As, with the save with password NOT CHECKED, there should now be a writeable copy which, if opened, does not require a password, is not encrypted, is not read-only, and has the UNPROTECT option visible on the Document Properties | Security tab.  That is how it works for LO 3.3.2.

4. For LO 3.4.0rc2, what happens is the Save As makes an encrypted document.  It uses the password that was originally created for that (and which it is now remembering at least a hash for).  So we have a new document which is encrypted, read only, and protected, and opening the document takes us back to step (2).  There is no way out of this.  (Well, actually, it can be opened in LO 3.3.2 to rescue the document.)

 - Dennis

-----Original Message-----
From: libreoffice-bounces+dennis.hamilton=acm.org at lists.freedesktop.org [mailto:libreoffice-bounces+dennis.hamilton=acm.org at lists.freedesktop.org] On Behalf Of Dennis E. Hamilton
<http://lists.freedesktop.org/archives/libreoffice/2011-May/013065.html>
Sent: Tuesday, May 31, 2011 09:29
To: libreoffice at lists.freedesktop.org
Cc: kyoshida at novell.com; 'Marc Paré'
Subject: Re: [Libreoffice] Encrypted password -- change?

I am thinking two (or three) different features are being confused with each other.

[ ... ]

More information about the LibreOffice mailing list