On 10.12.19 14:57, Steve Martin wrote:
Hi,At "http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part3.html#__RefHeading__752859_826425813" I read:The defined values for the manifest:key-derivation-name attribute are:•PBKDF2: The PBKDF2 key derivation method with HMAC-SHA-1 for the Pseudo-Random Function(PRF). See [RFC2898] sections 5.2 and B.1.1.HMAC-SHA-1 for the Pseudo-Random Function(PRF)? HMAC-SHA-1 is a deterministic function. That means I enter a value and get a value out. And no matter how many times I call the function with the input value, I always get the same output value. So, with HMAC-SHA-1 is no randomnes possible. So PRFs exists when PRNG (Pseudo Random Number Generator)s exists.
of course, but if you use an *actual* random function to derive the key from the salt and the password then you'll have trouble decrypting the resulting ciphertext...
I looked at the referenced RFC 2898: "PKCS #5: Password-Based Cryptography Specification Version 2.0" (https://www.ietf.org/rfc/rfc2898.txt) how this will be made. In RFC 2898 at the end of page 6 and start of page 7 is written the following:If a random number generator or pseudorandom generator is not available,
LibreOffice requires one.
available, a deterministic alternative for generating the salt (or the random part of it) is to apply a password-based key derivation function to the password and the message M to be processed. For instance, the salt could be computed with a key derivation function as S = KDF (P, M). This approach is not recommended if the message M is known to belong to a small message space (e.g., "Yes" or "No"), however, since then there will only be a small number of possible salts.
My question: Which method is implemented in LibreOffice? Does LibreOffice use a PRNG or the method specified in the ODF standard with the HMAC-SHA-1() function over the plaintext and (password)/(hash of the password))? The second one is a little bit insecure.
both: the method specified in ODF applies the HMAC-SHA1 function to generate the key from the salt, not to generate the salt.