ODF / OpenOffice.org Document Encryption

Quite frequently, people ask about the document encryption used in OpenOffice.org for ODF documents. Which algorithms are used? Is it really secure?

If you try some internet search, it's difficult to find the really useful information.
To make it easier for all, including me when I again have to answer such questions, I decided to write down some information here.

ODF documents are Zip archives, and the encryption is applied to all ODF relevant streams, and not to the zip archive itself.
The encryption is described in the ODF 1.1 specification, chapter 17.3:

17.3 Encryption The encryption process takes place in the following multiple stages:

  1. A 20-byte SHA1 digest of the user entered password is created and passed to the package component.

  2. The package component initializes a random number generator with the current time.

  3. The random number generator is used to generate a random 8-byte initialization vector and 16-byte salt for each file.

  4. This salt is used together with the 20-byte SHA1 digest of the password to derive a unique 128-bit key for each file. The algorithm used to derive the key is PBKDF2 using HMAC-SHA-1 (see [RFC2898]) with an iteration count of 1024.

  5. The derived key is used together with the initialization vector to encrypt the file using the Blowfish algorithm in cipher-feedback (CFB) mode.

Each file that is encrypted is compressed before being encrypted. To allow the contents of the package file to be verified, it is necessary that encrypted files are flagged as 'STORED' rather than 'DEFLATED'. As entries which are 'STORED' must have their size equal to the compressed size, it is necessary to store the uncompressed size in the manifest. The compressed size is stored in both the local file header and central directory record of the Zip file.

So the ODF encryption can be considered to be quite strong.

If you search for ODF encryption, very likely you will stumble over many password recovery tools. But none of these tools found any weaknesses in ODF encryption. All these tools can only provide brute force attacks for ODF documents.

I found this on the web site from Intelore, one of the major password recovery tools providers:

"As a true open source product with UNIX roots, OpenOffice.org supports strong document protection for ultimate security. All OpenOffice documents can be saved with a password, enabling strong password security. OpenOffice.org uses industry standard encryption methods that are extremely hard to break."

If you have other opinions about ODF encryption quality, please let me know...


I wonder why Blowfish rather than AES. Using Blowfish means it isn't able to be used where FIPS 140-2 crypto is required - such as in US govt.

Posted by Darren Moffat on May 29, 2009 at 08:13 AM CEST #

Thanks, Malte.
Why not publish this on the OOo wiki? Better yet, why not make this an item in the OOo online help?

Posted by Martin Srebotnjak on May 29, 2009 at 10:36 AM CEST #

This is definitely too techy to be acceptable for the online help of an end user product. But some end user oriented documentation and a link into our wiki for the tech savvy users would be fine, I think.

Posted by Mathias Bauer on May 29, 2009 at 01:43 PM CEST #

Hi Darren,

funny, Glenn Brunette aked me the same question offline some weeks ago:)

This was my answer:

I don't know why Blowfish was chosen over AES. Maybe AES was to new in
the game when people started working on the OOo XML file format starting
in 2000.

Wrt FIPS and others: Exactly for the reason that different institution
might have different requirements wrt which encryption algorithms are
allowed/accepted, the upcoming ODF 1.2 specification will allow usage of
other algorithms.

Posted by Malte on June 02, 2009 at 01:52 AM CEST #

Hi Martin,

you might have seen that I want to start a OOo security project. Once this is started, I am sure we will add such information to the Wiki.

Posted by Malte on June 02, 2009 at 01:54 AM CEST #

Can you add a line break above to reduce the width of this post? Thanks.

Posted by Graham Perrin on June 02, 2009 at 10:19 PM CEST #

Hi Graham,

I didn't notice that the blog editor added some <pre> tags. I have removed them, so the lines should break correctly now...

Posted by Malte on June 03, 2009 at 02:19 AM CEST #

Hi Malte,
do you know samething about link in OOo calc to other calc password protect files?
I can't find something nowhere.
Sorry if this isn't the right place to ask.

Posted by Miguel Ángel on October 02, 2009 at 04:34 PM CEST #

this is cool, this is what we want dude......

Posted by links of london on November 28, 2009 at 07:02 PM CET #

Fancy knowing that.I'm counting on you.

Posted by uvip on December 17, 2009 at 01:51 AM CET #

Post a Comment:
  • HTML Syntax: NOT allowed

Malte Timmermann


« June 2016