

Hi :)
I think the intention at this point is just to get rid of the password protection and open the 
file, or at least the data in the file.  Protecting it again is for another day!
Regards from
Tom :)  





________________________________
From: Dennis E. Hamilton <dennis.hamilton@acm.org>
To: 'Tom Davies' <tomdavies04@yahoo.co.uk>; 'Dr. R. O Stapf' <reinhold@stapf-online.com>; 
users@global.libreoffice.org 
Sent: Tuesday, 16 October 2012, 15:37
Subject: RE: [libreoffice-users] Re: how to crack a PW in LO?

Some protections are preserved in conversions between Office binaries and OpenOffice.  But the 
protections in OOXML have digital hashes that are computed differently than those in ODF.  They 
are not inter-convertible. 

Since the implementations tend to drop those protections in either direction, there is an easy 
round-trip technique to over-ride protections (but not encryption).  Of course, there may be other 
incompatibilities that can have the result be undesirable.

- Dennis

PS: To preserve the protection, you'd either have to recover the password and rehash, or ask the 
user for the password as part of the conversion so it could be rehashed.  There are conceivable 
extensions in the implementation of ODF that could facilitate protection preservation, but it 
might not be worth the effort considering that the protections don't really protect anything [;<).

-----Original Message-----
From: Tom Davies [mailto:tomdavies04@yahoo.co.uk] 
Sent: Tuesday, October 16, 2012 08:21
To: dennis.hamilton@acm.org; 'Dr. R. O Stapf'; users@global.libreoffice.org
Subject: Re: [libreoffice-users] Re: how to crack a PW in LO?

Hi :)
Brilliant!!  Ahhh, just thought of a problem.  Was it xls or xlsX?  If it has an X at the end then 
just rename the file to replace .xlsx with .zip and then double-click on it.  

Can the xml files be pulled into a new file without pulling the password along at the same time?
Regards from
Tom :)  





________________________________
From: Dennis E. Hamilton <dennis.hamilton@acm.org>
To: 'Dr. R. O Stapf' <reinhold@stapf-online.com>; users@global.libreoffice.org 
Sent: Tuesday, 16 October 2012, 14:34
Subject: RE: [libreoffice-users] Re: how to crack a PW in LO?

It is important to separate the use of passwords to set 
protections from use of a password to encrypt the document.  

Only "Save with Password" provides cryptographic security 
of the document.  

The "Save with Password" encryption is difficult to attack.  
The password is usually the weakest point and the password 
may fall to a variety of attacks that use pre-computed 
dictionaries of SHA1 digests and other brute-force 
techniques.  It is also possible that an attack may break 
the encryption without discovering the password itself.  
All of these attacks are believed to require great effort.  
In general, one should expect that a password used in 
"Save with Password" is not discoverable unless it is 
carelessly chosen or heavily reused.  

The harder the password is to attack, the harder it is
to recover, of course. 

In contrast, all of the protection settings are insecure.  

The protections are trivial to remove.  It can be done 
by any knowledgeable user with a Zip utility and an XML 
editor.  It is not necessary to know the password to 
remove the protection.  However, all passwords used in 
making protection settings should be considered compromised.  
That is because the document stores an SHA1 or other unsalted
hash in "plain view" in the document.  These hashes are 
cracked with ease using conventional systems.  A password 
used to set a protection should not be used for any 
more-private purpose.  In particular, if the same passwords
are used for protections on unencrypted documents and for 
saving with password (encryption), the encryption can be 
broken directly using the SHA1 digest from the protection 
setting.

Protection settings are on spreadsheet fields and sheets.  
There are protection settings on text as well.  The 
protection against altering change-tracking and the 
protection for keeping a document read-only are all of 
this kind.  The protection is useful for avoiding mistaken
alterations.  

It is easy for all of these protections to be removed, the
document altered, and the protections restored with the 
very same unlocking password without ever having to 
know the password.  

A digital signature can prevent the document from undetected
alterations, but that doesn't work for turnaround documents 
where some alterations are meant to be allowed.

There is more explanation of the use and risk of protections, 
and their removal, here:
<https://tools.oasis-open.org/version-control/svn/oic/Advisories/00009-ProtectionKeySafety/trunk/description.html>

A proposal for more-reliable security of protection passwords 
(but not the protections themselves) is before the
OASIS ODF TC:
<https://www.oasis-open.org/committees/document.php?document_id=46220>.

- Dennis
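
Added example, not part of the original message or of LibreOffice: a small audit for the distinction drawn above, reporting whether an ODF package is actually encrypted ("Save with Password") and which elements expose a protection-key digest in plain view. The sample package, its placeholder key value and the function names are constructed for illustration; only `content.xml` and `styles.xml` are scanned, and the digest itself is never printed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"

def local(name):  # strip the "{namespace}" prefix ElementTree adds to names
    return name.rsplit("}", 1)[-1]

def audit_odf(data: bytes) -> dict:
    """Report encryption status and every element carrying a protection-key."""
    report = {"encrypted": False, "exposed_keys": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        manifest = ET.fromstring(pkg.read("META-INF/manifest.xml"))
        # Encrypted entries carry a manifest:encryption-data child element.
        report["encrypted"] = manifest.find(f".//{{{MANIFEST_NS}}}encryption-data") is not None
        for part in ("content.xml", "styles.xml"):
            try:
                root = ET.fromstring(pkg.read(part))
            except (KeyError, ET.ParseError):
                continue  # part absent, or encrypted and therefore not XML
            for elem in root.iter():
                attrs = {local(k): v for k, v in elem.attrib.items()}
                if "protection-key" in attrs:
                    report["exposed_keys"].append((part, local(elem.tag),
                        attrs.get("protection-key-digest-algorithm", "unspecified")))
    return report

def build_sample() -> bytes:
    """Constructed, unencrypted ODF-like package with one protected sheet."""
    content = (
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0">'
        '<office:body><office:spreadsheet>'
        '<table:table table:name="Sheet1" table:protected="true" '
        'table:protection-key="CONSTRUCTED-PLACEHOLDER" '
        'table:protection-key-digest-algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        '</office:spreadsheet></office:body></office:document-content>')
    manifest = (f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">'
                '<manifest:file-entry manifest:full-path="content.xml" '
                'manifest:media-type="text/xml"/></manifest:manifest>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", content)
        z.writestr("META-INF/manifest.xml", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_odf(build_sample()))
```

Any entry in `exposed_keys` on an unencrypted document means the password behind that protection should be treated as compromised and not reused for encryption.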


-----Original Message-----
From: Dr. R. O Stapf [mailto:reinhold@stapf-online.com] 
Sent: Tuesday, October 16, 2012 06:30
To: users@global.libreoffice.org
Subject: Re: [libreoffice-users] Re: how to crack a PW in LO?

you are perfectly right about this!!!


On 16.10.2012 22:22, Andrew Douglas Pitonyak wrote:
Unless you have a lot of time to kill (days, weeks, months, etc), you are much better off not 
forgetting your password.



-- 
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted



