https://issues.apache.org/ooo/show_bug.cgi?id=119090
--- Comment #8 from orcmid <[email protected]> 2012-03-19 16:44:12 UTC ---

@Rob

I think there is some unspoken assumption that using AES256-cbc is somehow more secure than using Blowfish CFB. There is no basis for that.

Attackers use the weakest points they can find. In the case of ODF encryption, the weakest point is the use of password-based encryption. It is no less attackable, regardless of the block cipher used. The fact that ODF encryption provides digests that can be used to check whether a decryption is correct makes that attack even easier, along with the fact that most packages contain files for which the plaintext is readily known.

The next weak point is the fact that a single start-key is derived from the password and used for the block-cipher key derivation of all of the individual parts. That makes that common start-key value also a point of attack, including by using start-key candidates purloined from elsewhere. The move from SHA1 to SHA256 for the start-key-derivation raises the bar, but it is still a point of attack. The provisions of ODF encryption that assist attack on the password also assist here.

I'm not arguing that an attack is known. Only that the choice between AES256-cbc and Blowfish CFB is irrelevant with regard to the attack surface of a document for which ODF encryption has been applied. It is especially irrelevant with regard to the pain that an automatic change of the encryption will cause in terms of the down-level and cross-product unacceptability of the result.

There is no security trade-off here. It is entirely an interoperability issue.
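The key hierarchy the comment describes, as an added sketch that is not part of the original comment or of any OpenOffice code: one start key hashed from the password feeds the key derivation of every part, and the cipher choice only changes the requested key length. It assumes PBKDF2-HMAC-SHA1 as the per-part derivation; the iteration count, salts, part names and password are constructed values.

```python
import hashlib

# Assumptions (not from the comment): start key = one unsalted hash of the
# password; each part key = PBKDF2-HMAC-SHA1(start key, per-part salt).
# Iteration count, salts, part names and password below are constructed.
ITERATIONS = 1024
SAMPLE_SALTS = {
    "content.xml": bytes(range(16)),
    "styles.xml": bytes(range(16, 32)),
}


def start_key(password: str, digest: str) -> bytes:
    """Single start key shared by every encrypted part of the package."""
    return hashlib.new(digest, password.encode("utf-8")).digest()


def part_key(sk: bytes, salt: bytes, key_size: int) -> bytes:
    """Block-cipher key for one part; takes the start key, not the password."""
    return hashlib.pbkdf2_hmac("sha1", sk, salt, ITERATIONS, dklen=key_size)


def package_keys(password: str, digest: str, key_size: int) -> dict:
    """Derive the key of every sample part from one password."""
    sk = start_key(password, digest)
    return {n: part_key(sk, s, key_size) for n, s in SAMPLE_SALTS.items()}


def compare_ciphers(password: str) -> dict:
    """Derive a 16-byte (Blowfish) and a 32-byte (AES-256) key for one part."""
    sk = start_key(password, "sha256")
    salt = SAMPLE_SALTS["content.xml"]
    k16, k32 = part_key(sk, salt, 16), part_key(sk, salt, 32)
    # Same password-dependent input and same iteration count for both
    # ciphers; PBKDF2 output for the shorter key is a prefix of the longer.
    return {"k16": k16, "k32": k32, "shared_prefix": k32[:16] == k16}


if __name__ == "__main__":
    for name, key in package_keys("constructed-password", "sha256", 32).items():
        print(name, key.hex())
    print("16-byte key is prefix of 32-byte key:",
          compare_ciphers("constructed-password")["shared_prefix"])
```

Because `part_key` never sees the password, the strength of every part key rests on the password and the start-key digest, which is the same for either cipher.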
