RE: [libreoffice-users] Re: how to crack a PW in LO?

In terms of password-based encryption, the vulnerability to direct attack on the password has not 
changed measurably since ODF 1.0.  However, the advances in processor performance have made many 
more attacks feasible.  

The move from Blowfish and 8-bit CFB (default) to (optional) AES-CBC has also reduced the amount of 
work required in an attack because modern processor chips have special instructions to make AES go 
faster, speeding the trial of different passwords as successful for decryption.  Modern x64 
processors with fast graphics GPUs help accelerate other stages of an attack as well.  

The heavy lifting is in creating hashes of trial passwords and then carrying out a key generation 
process to set up a decryption attempt.  There are built in time delays, although the default delay 
count (1024) is not that daunting.  These actions increase the "work factor" for a password attack, 
but poor password choices still yield easily.

There are also features of OpenOffice-lineage encrypted documents that assist an attack in 
determining whether it has found a promising decryption or not.  

TRIAL DECRYPTION

I created a "Save with Password" document using a 4 character password chosen randomly from the 
full ASCII 95-character set.

I used the trial version of Accent OFFICE Password Recovery 7.10 build 2425 x64, available from 
<http://passwordrecoverytools.com/office-password.asp>.  That release is from July of 2012.

I used a Dell Studio XPS 9000 with x64 i7-980 (12 cores @ 3.33GHz), 18GB RAM, and ATI Radeon HD 
5980 dual GPU.  I am running Windows 7 Ultimate x64 SP1.

The Accent OFFICE software does not recognize my GPU so it just pounded the CPU cores.  (I have 
never heard my computer fans work so hard as with this software.)

 1. For the document saved from LibreOffice 3.6.2, Accent OFFICE does not recognize the ODF 1.2 use 
of AES and could not handle the document.  (This is doubtless a temporary condition and determined 
attackers are certainly not so limited.)

 2. With the same document and password encrypted in the ODF 1.2 default Blowfish, Accent OFFICE's 
default attempt had an estimated run time of 1h18m and proposed a test of 235 million passwords.  
That attempt failed in the 30 minute time-limit of the trial version.

 3. I repeated (2) using the option to make a brute-force attack.  I specified that characters from 
the set of all ASCII printable characters (95) were used and that there were not more than 4 
characters.  The estimate was 85,828,704 tries and 27m03s.  In fact, the password was found in 
under 10 minutes.  (I had stepped away that long.)

PREDICTIONS

 4. BAD NEWS #1: When such software also handles the ODF 1.2 AES options, it will take no longer, 
perhaps even less time.

 5. BAD NEWS #2: No GPU power was applied to this problem.  It might not have mattered, but it 
won't be worse and could provide even more rapid decryption.

 6. GOOD NEWS #1 (for now): Even allowing for (4-5), the estimates for longer passwords are 
heartening:

       Pwd   Accent OFFICE
    Length   Time Estimate (same conditions)
        <5   27m03s
        <6   1d19h
        <7   173d3h
        <8   45y197d

    You can see why length and random selection from the full 95 ASCII codes matters.  Using larger 
character sets is even better, of course.  I routinely use 15-character randomly-chosen passwords 
that are never used for more than one purpose.

 7. GOOD NEWS #2 (for now): It is possible to crowd-source this work on multiple processors or as a 
challenge with multiple hackers over the internet, where the attack space is subdivided.  Normally, 
one would not want to share the document, especially if its decryption is extremely valuable.  
However, there are parts of encrypted ODF documents that are benign and usable in a 
community/cloud-based attack. Once the password is recovered for that portion, the holder of the 
complete document can decrypt all of it.

 8. WORSE NEWS #3: The kinds of passwords that folks routinely use to encrypt their own files 
remain easy to discover.  The default 1h14m estimate will probably snag them.

This makes recovery of a lost password feasible but it also means the privacy of the password and 
of the encrypted file is not what you might wish it to be were such a document to leave your 
personal possession.

 - Dennis

-----Original Message-----
From: Sandy Harris [mailto:sandyinchina@gmail.com] 
Sent: Friday, October 19, 2012 21:29
To: users@global.libreoffice.org
Subject: Re: [libreoffice-users] Re: how to crack a PW in LO?

Googling on "open office password crack" turns up dozens of things.

Here's one that looks real, if outdated:
http://www.theregister.co.uk/2007/04/20/openoffice_password_crack/

That's 2007; we can hope O-O have improved the system since then
Anyone know?

The best-known purveyors of commercial password cracking services
are Elcomsoft. PDFs, Word Documents, ...

This Elcomsoft presentation on Adobe e-book passwords
http://www.cs.cmu.edu/~dst/Adobe/Gallery/ds-defcon/sld001.htm
got their employee Dimitri Skylarov arrested, and led to much
controversy. Eventually, charges were dropped.

Turns out they have one for O-O.
http://www.downloadatlas.com/elcomsoft_recovery/openoffice-password-recovery-by-intelore.html

-- 
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted


-- 
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted