In terms of password-based encryption, the vulnerability to direct attack on 
the password has not changed measurably since ODF 1.0.  However, the advances 
in processor performance have made many more attacks feasible.  

The move from Blowfish and 8-bit CFB (default) to (optional) AES-CBC has also 
reduced the amount of work required in an attack because modern processor chips 
have special instructions to make AES go faster, speeding the trial of 
different passwords as successful for decryption.  Modern x64 processors with 
fast graphics GPUs help accelerate other stages of an attack as well.  

The heavy lifting is in creating hashes of trial passwords and then carrying 
out a key generation process to set up a decryption attempt.  There are 
built-in time delays, although the default delay count (1024) is not that daunting.  
These actions increase the "work factor" for a password attack, but poor 
password choices still yield easily.

There are also features of OpenOffice-lineage encrypted documents that assist 
an attack in determining whether it has found a promising decryption or not.  

TRIAL DECRYPTION

I created a "Save with Password" document using a 4 character password chosen 
randomly from the full ASCII 95-character set.

I used the trial version of Accent OFFICE Password Recovery 7.10 build 2425 
x64, available from 
<http://passwordrecoverytools.com/office-password.asp>.  That release is from 
July of 2012.

I used a Dell Studio XPS 9000 with x64 i7-980 (12 cores @ 3.33GHz), 18GB RAM, 
and ATI Radeon HD 5980 dual GPU.  I am running Windows 7 Ultimate x64 SP1.

The Accent OFFICE software does not recognize my GPU so it just pounded the CPU 
cores.  (I have never heard my computer fans work so hard as with this 
software.)

 1. For the document saved from LibreOffice 3.6.2, Accent OFFICE does not 
recognize the ODF 1.2 use of AES and could not handle the document.  (This is 
doubtless a temporary condition and determined attackers are certainly not so 
limited.)

 2. With the same document and password encrypted in the ODF 1.2 default 
Blowfish, Accent OFFICE's default attempt had an estimated run time of 1h18m 
and proposed a test of 235 million passwords.  That attempt failed in the 30 
minute time-limit of the trial version.

 3. I repeated (2) using the option to make a brute-force attack.  I specified 
that characters from the set of all ASCII printable characters (95) were used 
and that there were not more than 4 characters.  The estimate was 85,828,704 
tries and 27m03s.  In fact, the password was found in under 10 minutes.  (I had 
stepped away that long.)

PREDICTIONS

 4. BAD NEWS #1: When such software also handles the ODF 1.2 AES options, it 
will take no longer, perhaps even less time.

 5. BAD NEWS #2: No GPU power was applied to this problem.  It might not have 
mattered, but it won't be worse and could provide even more rapid decryption.

 6. GOOD NEWS #1 (for now): Even allowing for (4-5), the estimates for longer 
passwords are heartening:

       Pwd   Accent OFFICE
    Length   Time Estimate (same conditions)
        <5   27m03s
        <6   1d19h
        <7   173d3h
        <8   45y197d

    You can see why length and random selection from the full 95 ASCII codes 
matters.  Using larger character sets is even better, of course.  I routinely 
use 15-character randomly-chosen passwords that are never used for more than 
one purpose.

 7. GOOD NEWS #2 (for now): It is possible to crowd-source this work on 
multiple processors or as a challenge with multiple hackers over the internet, 
where the attack space is subdivided.  Normally, one would not want to share 
the document, especially if its decryption is extremely valuable.  However, 
there are parts of encrypted ODF documents that are benign and usable in a 
community/cloud-based attack. Once the password is recovered for that portion, 
the holder of the complete document can decrypt all of it.

 8. WORSE NEWS #3: The kinds of passwords that folks routinely use to encrypt 
their own files remain easy to discover.  The default 1h14m estimate will 
probably snag them.

This makes recovery of a lost password feasible but it also means the privacy 
of the password and of the encrypted file is not what you might wish it to be 
were such a document to leave your personal possession.

 - Dennis
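
Added example, not part of the original message: a short Python calculation that rebuilds the estimate table above from the two figures quoted in item 3 (85,828,704 tries, 27m03s). The quoted try count equals 96 + 96^2 + 96^3 + 96^4, so the tool appears to have counted 96 symbols rather than 95. Function names, the 1000-year target and the linear scaling with iteration count are assumptions made for illustration.

```python
# Added example: sizing password length from the figures quoted in the message.
# Assumption: search cost is dominated by key derivation, so time scales
# linearly with the iteration count (1024 is the default cited in the message).

PAGE_TRIES = 85_828_704        # tool's count for "not more than 4 characters"
PAGE_SECONDS = 27 * 60 + 3     # tool's estimate of 27m03s
PAGE_ITERATIONS = 1024         # default delay count cited in the message


def keyspace(symbols, max_len):
    """Number of candidate passwords of length 1..max_len."""
    return sum(symbols ** n for n in range(1, max_len + 1))


def implied_symbols(tries, max_len, limit=256):
    """Alphabet size for which keyspace() equals a reported try count."""
    for s in range(2, limit):
        if keyspace(s, max_len) == tries:
            return s
    return None


def worst_case_seconds(symbols, max_len, iterations=PAGE_ITERATIONS):
    """Exhaustive-search time at the rate implied by the message's figures."""
    rate = PAGE_TRIES / PAGE_SECONDS   # tries per second at 1024 iterations
    return keyspace(symbols, max_len) / rate * (iterations / PAGE_ITERATIONS)


def min_length(symbols, target_seconds, iterations=PAGE_ITERATIONS):
    """Shortest maximum length whose exhaustive search exceeds the target."""
    n = 1
    while worst_case_seconds(symbols, n, iterations) < target_seconds:
        n += 1
    return n


def fmt(seconds):
    """Render seconds as years/days/hours using 365-day years."""
    days, rem = divmod(int(seconds), 86_400)
    return f"{days // 365}y{days % 365}d{rem // 3600}h"


if __name__ == "__main__":
    s = implied_symbols(PAGE_TRIES, 4)
    print("alphabet size implied by the try count:", s)
    for max_len in range(4, 9):
        print(f"<= {max_len} chars: {fmt(worst_case_seconds(s, max_len))}")
    print("length needed for > 1000 years:",
          min_length(s, 1000 * 365 * 86_400))
```

The results land on or close to the table's 27m03s, 1d19h, 173d3h and 45y197d rows; small differences come from rounding in the tool's own rate.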

-----Original Message-----
From: Sandy Harris [mailto:[email protected]] 
Sent: Friday, October 19, 2012 21:29
To: [email protected]
Subject: Re: [libreoffice-users] Re: how to crack a PW in LO?

Googling on "open office password crack" turns up dozens of things.

Here's one that looks real, if outdated:
http://www.theregister.co.uk/2007/04/20/openoffice_password_crack/

That's 2007; we can hope O-O have improved the system since then.
Anyone know?

The best-known purveyors of commercial password cracking services
are Elcomsoft. PDFs, Word Documents, ...

This Elcomsoft presentation on Adobe e-book passwords
http://www.cs.cmu.edu/~dst/Adobe/Gallery/ds-defcon/sld001.htm
got their employee Dmitry Sklyarov arrested, and led to much
controversy. Eventually, charges were dropped.

Turns out they have one for O-O.
http://www.downloadatlas.com/elcomsoft_recovery/openoffice-password-recovery-by-intelore.html

-- 
For unsubscribe instructions e-mail to: [email protected]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

