> -----Original Message----- > From: Damjan Jovanovic [mailto:dam...@apache.org] > Sent: Friday, June 10, 2016 07:29 > To: Apache OO <dev@openoffice.apache.org> > Subject: Re: A Question about Open Office Password Protected Text > Documenets > > Hi Roger > > If you saved them in OpenOffice's default format, OpenDocument (.odt / > .ods > / .odb etc.), then yes. Password protection is part of the OpenDocument > standard, and should be supported by us and other OpenDocument software > such as AbiWord, Gnumeric, Microsoft Office, etc. for a long time. The > encryption techniques are all well documented and use common well > established ciphers, hash functions and password strengthening > procedures. > > With long term storage, the problem won't be data becoming inaccessible > due > to encryption (provided you remember your passwords), so much as the > opposite problem, of data becoming too easily accessible, since older > versions of OpenDocument used weaker encryption ciphers, potentially > making > document encryption too easy to crack by future weaknesses discovered in > those ciphers and with more powerful computers in the future. [orcmid]
There is a misunderstanding here. The problem of using the latest-and-greatest (i.e, based on AES) supported encryptions is that older versions of software won't be able to open it and versions that have not upgraded their support or for which there is an interoperability defect won't open it either. We ran into this recently where users of Mac OSX could no longer open some password-protected files. It is not in our power to offer a guarantee about this. At the moment, the basic cryptography used since ODF 1.0 is working. There is no way that the project can assert that this will apply in perpetuity and that software to accomplish it will always be available. That is beyond our means. Finally, the use of better hash algorithms and AES as a check-box item do *not* eliminate the known exposure of ODF documents to cryptographic attack and decryption by an adversary. ODF encryption should *never* be used for highly-confidential documents, especially files subject to security-classification regimes of governments or other entities. I don't belief any such agency would permit ODF encryption to be used; encryption would be accomplished by other means. The reasons for that are quite simple: 1. All ODF encryption is password-based. That is the greatest single vulnerability, especially if the same password is used on multiple documents. There are extremely well-known and highly-available means for attacking encryptions using memorable passwords. This vulnerability trumps everything. This is something the software does not control and cannot mitigate much. Note that advertised password-recovery software *does* succeed against password-protected ODF documents on occasion. The advances in computer performance (especially graphics processors) ensure that the number of passwords that are defeated by such software will only increase. 2. Because the encryption is of a static, persistent document, the attack can be conducted off-line for a sustained time and using coordinated crowd-sourced attacks. Advances in technology have neutralized the measures used to make attacking of the password computationally difficult. This means that documents retaining long-duration secrets are the most vulnerable if not adequately protected against disclosure. 3. The particular encryption approach (not the low-level choice of the stream-level encryption algorithm) leaks information about the original ODF document to the point where some unencrypted information may be determined by means other than actually having to decrypt it. That revelation can be used to expedite attack on the password used for the unknown parts. As a final thought. It is revealing that Microsoft Office will not produce ODF documents that are saved with a password, although it will otherwise support ODF format. In addition, the software refuses to open such documents, although it certainly could go that far, in principle. So there is no means to rescue password-saved ODF documents in the most widely-available ODF-supporting software on the planet. - Dennis > > Regards > Damjan > > On Fri, Jun 10, 2016 at 3:42 PM, Roger Bentley > <roger.bent...@outlook.com> > wrote: > > > Dear Sir/Madam > > > > I have a large number of important documents that I have created over > the > > years in Open Office, which were created as password protected > documents. > > > > Is there any likelihood in the future of any ‘redundancy’ or suchlike > > where these documents would be no longer accessible by future then > current > > software etc? Or will the files always remain safe, in that there > will > > always be an Open Office allied program capable of unlocking their > password > > protected format? > > > > I will be very grateful of your reply. > > > > With sincere regards > > > > Roger Bentley --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
