[Libreoffice] can no longer encrypt files if build with --disable-mozilla

Dennis E. Hamilton dennis.hamilton at acm.org
Sun Jun 26 12:23:41 PDT 2011

I don't know what the intention for LibreOffice is, but I can say that there are likely changes being made in anticipation of ODF 1.2 approval.

There has been extensive tightening to the Encryption specification in the Package description for ODF 1.2.  That specification is now separated into Part 3 of the ODF 1.2 Committee Specification 01 which is now under Public Review as a Candidate OASIS Standard.

Consulting that document might provide some insight into changes that have occurred in the OO.o code base.  I'll take responsibility for what I hope is a more rigorous specification of package encryption in ODF 1.2, but I have no idea how this is tied to changes in the ODF 1.2-anticipating *Office.org implementations.

 - Dennis


manifest:checksum-type="sha256-1k" is now recommended for the hash that is used to verify that the decryption appears to be correct, although consumers are expected to support both "sha1-1k" and "sha256-1k".  (Part 3 section 4.8.3)

is now recommended for the initial hash of the password that is then used for encryption-key derivation.  Consumers are required to support that value and the two other values,
"SHA1" and "http://www.w3.org/2000/09/xmldsg#sha1".  (Part 3 section 4.8.6)

These are the only places where SHA256 has been explicitly introduced in conjunction with package encryption.  The PBKDF2 key-derivation is still based on HMAC-SHA-1 although there is now provision for alternative key-derivation algorithms.

I assume the change for manifest:start-key-generation-name is simply to provide a better hash and make it a bit harder to attack the password.  Some believe that the detection of SHA1 collisions makes these cases of SHA1 usage compromised.  That does not appear to be very relevant since the start-key is not recorded anywhere, in contrast with the protection-key hash values which an ODF document can be littered with.

The change for manifest:checksum-type does not appear cryptographically significant since it doesn't change anything with regard to how the manifest:checksum might be exploited as information leakage in aid of known-plaintext discovery/attack.

-----Original Message-----
From: libreoffice-bounces+dennis.hamilton=acm.org at lists.freedesktop.org [mailto:libreoffice-bounces+dennis.hamilton=acm.org at lists.freedesktop.org] On Behalf Of Markus Mohrhard
Sent: Sunday, June 26, 2011 11:27
To: libreoffice-dev
Subject: [Libreoffice] can no longer encrypt files if build with --disable-mozilla


is it in our intention that we can no longer encrypt files if we build with --disable-mozilla? It seems that this was introduced through our latest merge from OOo. It seems that we need SHA-1 and SHA256 since the latest merge. SHA-1 still works but for SHA-256 we rely on NSS which is disabled if we build with --disable-mozilla.

Does anyone know why they added SHA-256?


More information about the LibreOffice mailing list