peegiddy wrote:Having created a number of ODP files and saved them with a password. I can no longer open them.
<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" manifest:version="1.2">
<manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.presentation" manifest:version="1.2" manifest:full-path="/"/>
<manifest:file-entry manifest:media-type="" manifest:full-path="Configurations2/accelerator/current.xml" manifest:size="0">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="aIk0hF8iBJyxRmiDLvoz1FATtrk=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="orsvidqQ9SE="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="+2jAZa9wZ7dO718PJ0ePjw=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
<manifest:file-entry manifest:media-type="application/vnd.sun.xml.ui.configuration" manifest:full-path="Configurations2/"/>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml" manifest:size="173305">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="ek+xCaFx6gN7pdMU+wHrEoy9kGA=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="fYdMUocNotE="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="qsYb+L7P8jGgJG5+6QX0SQ=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
<manifest:file-entry manifest:media-type="image/png" manifest:full-path="Pictures/100000000000032E00000297FAFC88C5.png" manifest:size="160179">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="YYZEhBTxEiS/f70l2vBksE8NhNE=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="OlBGIyOREPQ="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="uC4WxQrgeDtwg+1okMYfAQ=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
<manifest:file-entry manifest:media-type="image/jpeg" manifest:full-path="Pictures/10000000000002580000023ED8BD9987.jpg" manifest:size="72502">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="dOvlwOGTb72BVM9/s9wb87Ivb2w=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="I+Rf4uEZMns="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="NClHVAj3NaS4cDzNcDHcIw=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
<manifest:file-entry manifest:media-type="image/jpeg" manifest:full-path="Pictures/10000000000007D0000003B95A972D22.jpg" manifest:size="370385">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="SpOrml6yPN1XFGsKJuJ0WxHUdME=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="E05xdjYwpzk="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="trVDJxaiG5m/2LxuHOUnLw=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
peegiddy wrote:I'm not certain what the manifest script is for - I cant see any clue to a PW and with the newly created file I get a simialr result to that you gave
<manifest:algorithm manifest:algorithm-name="Blowfish CFB"
<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" manifest:version="1.2">
<manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.presentation" manifest:version="1.2" manifest:full-path="/"/>
<manifest:file-entry manifest:media-type="" manifest:full-path="Configurations2/accelerator/current.xml" manifest:size="0">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="aIk0hF8iBJyxRmiDLvoz1FATtrk=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="rivFdd+DNQc="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="L/Xovm4rarig7SK4QXZCqA=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
<manifest:file-entry manifest:media-type="application/vnd.sun.xml.ui.configuration" manifest:full-path="Configurations2/"/>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml" manifest:size="8438">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="J9/a456I8whuby+mJykNU+bkWNo=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="RGoMB32vl1o="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="ZniuCrn0Ywl8SWV0+Vfb+A=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
<manifest:file-entry manifest:media-type="image/gif" manifest:full-path="Pictures/10000000000000C8000000C8410EA8A4.gif" manifest:size="1129">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="6O+IB0VbwvzuZb1iaCPTTTvVqBw=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="GY7v4pGZ/kE="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="rXbXTgBzJQyjaZ4gxNTofg=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="settings.xml" manifest:size="9472">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="ATGFYb/7fd29/O2S20jA9FQUWzE=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="iPHNFCrQS/0="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="YaOJc6TO8nnuE3HtDS1IUw=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="styles.xml" manifest:size="44857">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="AL+91IV7KvL0ZNc/5gkfbPuYmE4=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="EeuXcehLLtY="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="co/eLZAf35IaqT6KFb9Rfw=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="meta.xml" manifest:size="1176">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="csv4mPgbGZ1PKdzo8AHNKowzoFE=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="bQ3YcVEpR8I="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="V6hL5rhqqFwv+hvt6ER78g=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
</manifest:manifest>
peegiddy wrote:Would altering the date of the file make any difference to the p/word protection ?
Also would altering PC system date have any bearing ?
I ask as the system date and file save date were altered to have them all having same date toe ensure the correct version was used
TIA
Peter
Edit: It appears that AOO uses both the randomly generated "initialisation-vector" and the "salt" in the encryption of a component |
<manifest:file-entry manifest:media-type="" manifest:full-path="Configurations2/accelerator/current.xml" manifest:size="0">
<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="aIk0hF8iBJyxRmiDLvoz1FATtrk=">
<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="rivFdd+DNQc="/>
<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="16" manifest:iteration-count="1024" manifest:salt="L/Xovm4rarig7SK4QXZCqA=="/>
<manifest:start-key-generation manifest:start-key-generation-name="SHA1" manifest:key-size="20"/>
</manifest:encryption-data>
</manifest:file-entry>
The above, which is in section 17.7.4, seems to be about a close as the standard gets to explaining the SHA1/1K password check. SH1A1/1K means that the SHA1 of the first 1024 bytes of the decrypted content.xml (which is deflate compressed data) is compared to the SHA1/1K in META-INF/manifest.xml. It it matches the password was almost certainly correct. This seems ok to me, but there may be some corner cases where it could leak information about the plaintext document. For example, if the attacker is able come up with a close guess for the initial part of the password plaintext document (perhaps the document mostly consist of a known header, or the attacker has an earlier version) he/she may be able to try variations of the document until the SHA1/1K is matched. Either adding random bytes to the start of the plaintext content.xml or encrypting the SHA1/1K with the same blowfish algorithm and key would help.
Password Variation
Often the problem with the password is that it was typed incorrectly. The user can make a mistake or type the password with CAPS LOCK turned on. Moreover, the user often remembers the approximate appearance of the password but fails to recall it in detail. In this case we can take the approximate password and test every possible variant, such as case changes (password -> PASSWORD, Password, PAssword, pASSWORD etc), omission of one of the characters, doubling characters, inserting or replacing the character with the neighboring characters and so on. Usually the number of combinations is not very large and it is possible to test them all in a little time.
Sea Mac wrote:This problem has been in the OpenOffice codebase for over a DECADE - affecting ANY password protected file type - and the developers are powerless to find and fix it.
Users browsing this forum: shilliard and 3 guests