Randomnes in LibreOffice Encryption

Michael Stahl mst at libreoffice.org
Tue Dec 10 15:56:42 UTC 2019 

On 10.12.19 14:57, Steve Martin wrote:
> Hi,
> 
> At 
> "http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part3.html#__RefHeading__752859_826425813" 
> I read:
> 
>> The defined values for the manifest:key-derivation-name attribute are:
>>
>>   •PBKDF2: The PBKDF2 key derivation method with HMAC-SHA-1 for the 
>> Pseudo-Random Function(PRF). See [RFC2898] sections 5.2 and B.1.1.
> 
> HMAC-SHA-1 for the Pseudo-Random Function(PRF)? HMAC-SHA-1 is a 
> deterministic function. That means I enter a value and get a value out. 
> And no matter how many times I call the function with the input value, I 
> always get the same output value. So, with HMAC-SHA-1 is no randomnes 
> possible. So PRFs exists when PRNG (Pseudo Random Number Generator)s 
> exists.

of course, but if you use an *actual* random function to derive the key 
from the salt and the password then you'll have trouble decrypting the 
resulting ciphertext...

> I looked at the referenced RFC 2898: "PKCS #5: Password-Based 
> Cryptography Specification Version 2.0" 
> (https://www.ietf.org/rfc/rfc2898.txt) how this will be made. In RFC 
> 2898 at the end of page 6 and start of page 7 is written the following:
> 
>> If a random number generator or pseudorandom generator is not 
>> available,

LibreOffice requires one.

>> available, a deterministic alternative for generating the salt (or the 
>> random part of it) is to apply a password-based key derivation 
>> function to the password and the message M to be processed. For 
>> instance, the salt could be computed with a key derivation function as 
>> S = KDF (P, M). This approach is not recommended if the message M is 
>> known to belong to a small message space (e.g., "Yes" or "No"), 
>> however, since then there will only be a small number of possible salts.

> My question: Which method is implemented in LibreOffice? Does 
> LibreOffice use a PRNG or the method specified in the ODF standard with 
> the HMAC-SHA-1() function over the plaintext and (password)/(hash of the 
> password))? The second one is a little bit insecure.

both: the method specified in ODF applies the HMAC-SHA1 function to 
generate the key from the salt, not to generate the salt.

More information about the LibreOffice mailing list