Randomness in LibreOffice Encryption

Steve Martin Steve.Martin at ruhr-uni-bochum.de
Tue Dec 10 13:57:27 UTC 2019


Hi,

At 
"http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part3.html#__RefHeading__752859_826425813" 
I read:

> The defined values for the manifest:key-derivation-name attribute are:
> 
>   •PBKDF2: The PBKDF2 key derivation method with HMAC-SHA-1 for the 
> Pseudo-Random Function(PRF). See [RFC2898] sections 5.2 and B.1.1.

HMAC-SHA-1 for the Pseudo-Random Function (PRF)? HMAC-SHA-1 is a 
deterministic function. That means I enter a value and get a value out. 
And no matter how many times I call the function with the input value, I 
always get the same output value. So, with HMAC-SHA-1, no randomness is 
possible. So PRFs exist when PRNGs (Pseudo Random Number Generators) 
exist.

I looked at the referenced RFC 2898: "PKCS #5: Password-Based 
Cryptography Specification Version 2.0" 
(https://www.ietf.org/rfc/rfc2898.txt) to see how this is done. In RFC 
2898, at the end of page 6 and the start of page 7, the following is 
written:

> If a random number generator or pseudorandom generator is not 
> available, a deterministic alternative for generating the salt (or the 
> random part of it) is to apply a password-based key derivation function 
> to the password and the message M to be processed. For instance, the 
> salt could be computed with a key derivation function as S = KDF (P, 
> M). This approach is not recommended if the message M is known to 
> belong to a small message space (e.g., "Yes" or "No"), however, since 
> then there will only be a small number of possible salts.

My question: Which method is implemented in LibreOffice? Does 
LibreOffice use a PRNG or the method specified in the ODF standard with 
the HMAC-SHA-1() function over the plaintext and (password)/(hash of the 
password)? The second one is a little bit insecure.

Thanks for the help.

Greetings

Steve
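
Added example, not part of the original post and not LibreOffice code: it runs PBKDF2 with HMAC-SHA-1 as the PRF and compares a salt drawn from the operating system's CSPRNG with the deterministic fallback S = KDF(P, M) quoted from RFC 2898. The iteration count, lengths, function names and the use of M as the KDF's salt input are assumptions made for the demonstration.

```python
import hashlib
import secrets

ITERATIONS = 1000  # assumed demo value, not taken from ODF or LibreOffice
KEY_LEN = 16       # assumed derived-key length in bytes
SALT_LEN = 16      # assumed salt length in bytes


def derive_key(password, salt, iterations=ITERATIONS, dklen=KEY_LEN):
    """PBKDF2 (RFC 2898 section 5.2) with HMAC-SHA-1 as the PRF."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)


def random_salt():
    """Salt taken from the operating system's CSPRNG."""
    return secrets.token_bytes(SALT_LEN)


def deterministic_salt(password, message):
    """RFC 2898 fallback S = KDF(P, M).

    Assumption: M is fed in as the KDF's salt input; the RFC does not
    fix a particular construction.
    """
    return hashlib.pbkdf2_hmac("sha1", password, message, ITERATIONS, SALT_LEN)


def distinct_salts(password, messages):
    """Number of different fallback salts produced for a list of messages."""
    return len({deterministic_salt(password, m) for m in messages})


if __name__ == "__main__":
    pw = b"correct horse"  # constructed sample password

    # Same password and same salt: the PRF is deterministic, so is the key.
    s = random_salt()
    print("repeatable:", derive_key(pw, s) == derive_key(pw, s))

    # Same password, fresh random salts: the keys differ per document.
    print("fresh salts differ:",
          derive_key(pw, random_salt()) != derive_key(pw, random_salt()))

    # Fallback over a small message space: only as many salts as messages.
    msgs = [b"Yes", b"No", b"Yes", b"No", b"Yes"]
    print("fallback salts for", len(msgs), "messages:",
          distinct_salts(pw, msgs))
```
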

