24 March 2015

LibreOffice & Apache OpenOffice Password Recovery 

* LibreOffice 3.4.5 and lower can write files whose password protection relies on Blowfish;
* LibreOffice 3.4.4 and lower can read files whose password protection relies on Blowfish;
* LibreOffice 3.4.5 and higher can read files whose password protection relies on AES-256;
* LibreOffice 3.5.0 and higher can write files whose password protection relies on AES-256;

* OpenOffice.org 3.3 and lower can read/write files  whose password protection relies on SHA1/Blowfish;
* Apache OpenOffice 3.4 and higher can read/write files whose password protection relies on SHA256/AES;

https://wiki.openoffice.org/wiki/User:TJFrazier/Encryption contains a transitional macro for AOo 3.4, to read SHA1/Blowfish encrypted documents.

The Crypto++ library contains routines for encrypting/decrypting blowfish, AES-256, and other algorithms for ciphers.

http://sourceforge.net/projects/ooomacros/files/PasswordCracker/
is an OOo extension/macro that brute forces passwords.
It was last updated in 2005, so it won't work with LibO 3.5.0, and higher, or AOo 3.4 and higher. I noticed that SourceForge didn't offer "Code" on the project components line, so source code might not be available.

http://archive09.linux.com/articles/61635 is an article from 2007 on breaking documents encrypted with OOo.

http://ringlord.com/dl/Decrypting%20ODF%20Files.pdf is an in-depth explanation of how to decrypt ODF File Format files.

One of the commercially distributed password recovery tools claims that the estimated time to recover a password are:
* 5 characters: 28 minutes;
* 6 characters: 44 hours;
* 7 characters: 174 days;
* 8 characters: 45 years;
I'm assuming the normal stupid password selection process that is typically used.

At 10,000 passwords per second, brute force for the 192 ASCII set of glyphs:
(This is run of the mill equipment.) 


Glyphs  Duration    Unit 


2 1.84 seconds;
3 5.90 minutes;
4 0.786 days;
5 21.57 weeks;
6 79.65 years;
7 1.53E+004 years;
8 2.94E+006 years;
9 5.64E+008 years;
10 1.08E+011 years;
11 2.08E+013 years;
12 3.99E+015 years;
13 7.66E+017 years;
14 1.47E+020 years;
15 2.82E+022 years;
16 5.42E+024 years;
17 1.04E+027 years;
18 2.00E+029 years;
19 3.84E+031 years;
20 7.37E+033 years;

At 1,000,000,000 passwords per second, brute force for the 192 ASCII set of glyphs:
(This is COTS hardware, albeit optimized for this specific task.) 




Glyphs  Duration    Unit


2 0.00 seconds;
3 0.00 seconds;
4 0.68 seconds;
5 130.46 seconds;
6 6.96 hours;
7 55.66 days;
8 29.36 years;
9 5.64E+003 years;
10 1.08E+006 years;
11 2.08E+008 years;
12 3.99E+010 years;
13 7.66E+012 years;
14 1.47E+015 years;
15 2.82E+017 years;
16 5.42E+019 years;
17 1.04E+022 years;
18 2.00E+024 years;
19 3.84E+026 years;
20 7.37E+028 years;

At 1,000,000,000 passwords per second, brute force for the 65536 Unicode Base Plane set of glyphs:
(This uses COTS hardware, albeit optimized for this specific task.) 




Glyphs  Duration    Unit 


2 2.15 seconds;
3 39.09 hours;
4 293.27 years;
5 1.92E+007 years;
6 1.26E+012 years;
7 8.25E+016 years;
8 5.41E+021 years;
9 3.55E+026 years;
10 2.32E+031 years;
11 1.52E+036 years;
12 9.98E+040 years;
13 6.54E+045 years;
14 4.29E+050 years;
15 2.81E+055 years;
16 1.84E+060 years;
17 1.21E+065 years;
18 7.91E+069 years;
19 5.18E+074 years;
20 3.40E+079 years;

At 10,000,000,000 passwords per second, brute force for the 65536 Unicode Base Plane set of glyphs:
(This uses COTS hardware, albeit somewhat specialized, and optimized for this specific task.)




Glyphs  Duration    Unit
2 0.21 seconds;
3 3.91 hours;
4 29.33 years;
5 1.92E+006 years;
6 1.26E+011 years;
7 8.25E+015 years;
8 5.41E+020 years;
9 3.55E+025 years;
10 2.32E+030 years;
11 1.52E+035 years;
12 9.98E+039 years;
13 6.54E+044 years;
14 4.29E+049 years;
15 2.81E+054 years;
16 1.84E+059 years;
17 1.21E+064 years;
18 7.91E+068 years;
19 5.18E+073 years;
20 3.40E+078 years;

Various things that can speed up the decryption time:
* Knowing some, or all of the password;
* Using good wordlists;


* Incorporating known mangling patterns into the software decryption process;
* Throwing more hardware at the password;


 


OpenWall sells a pretty good starting wordlist, for use with John The Ripper.


http://www.openwall.com/wordlists/. It will have to be modified, for use with any software that decrypts ODF formatted files. 


 












Posted by



at





No comments:
  


















Labels:
,

















          

        

          

        

05 March 2015


          

        









LibreOffice or Apache Open Office?










Wandering into my inbox I found an email with a question:





> in my search I read that LibreOffice is better than OpenOffice...but it is not clear why!!??


    

  • The people at The Document Foundation would like LibreOffice (https://www.libreoffice.org/) to be used;
    • 

  • The people at The Apache Software Foundation would like Apache Open Office (http://www.openoffice.org/) to be used;
    • 

  • The people at MultiRáció Ltd. would like EuroOffice (http://www.multiracio.com/index.php) to be used;
    • 




So which one should be used?



It all depends upon what you use an office suite for. For the majority of use cases, it does not matter.  The end result is the same.



From a strictly objective POV, the biggest difference between those three programs, is that LibreOffice can read, write, and edit more file formats than the other two can.  



From an extremely subjective POV, the biggest difference is that Apache OpenOffice tolerates more "flakiness" within documents than the other two do.



Straddling the border of subjective, and objective, EuroOffice can handle more languages, and writing systems in a document, than the other two can.  It isn't just that it ships with language tools for half a dozen languages. The dictionary  toolbar provides "instant" translation of the word under the cursor.

It does, however, seem strange to me, that it includes a built-in grammar checker, but not spell checker, for Lithuanian.



Extensions created for the current version of LibreOffice, or Apache OpenOffice usually can be installed, and will work on the other.  These extensions can usually be installed, and will work under EuroOffice.



Extensions created for EuroOffice often rely on an API that currently is exclusive to EuroOffice. In its favour, MultiRáció has converted some of those extensions for LibreOffice and Apache OpenOffice.



Going by the A11Y tools on my system, all three are equally inaccessible. More pointedly, it demonstrates a crying need for an office suite that is designed from the ground up, specifically for individuals with accessibility requirements.



Licensing is either the most important, or least important issue.  It all depends upon what else is done with the office suite.



If your organization is going to customize the program, than the Apache License is the easiest to comply with, even if it makes no formal attempt to do so. Thus, Apache Open Office is the ideal choice.



If you want the ability to sue somebody, despite the license saying you can not do so (the standard non-FLOSS license), then  MultiRáció and EuroOffice is the way to go.





The most important thing to know, is what the use-case is:


    

  • Do you really need an office suite?
    • 

  • Would a stand alone program be more suitable?
    • 


If your cyberlife consists of:


    

  • Dwelling in spreadsheets, perhaps Gnumeric is more suitable;
    • 

  • Writing scientific reports, perhaps a TeX solution is more suitable;
    • 

  • Creating pretty charts, perhaps R is more suitable;
    • 

  • Drawing pretty pictures, perhaps GIMP is more suitable;
    • 

  • Databases, then Python and SQLite, PostGres, or MariaDB is more suitable; 
    • 


For anything more than a general answer, that fails to provide an answer, the only way to know what works best for any specific use case, is by testing the different programs out. 









Posted by



at





No comments:
  


















Labels:

















        

      









Subscribe to:
Posts (Atom)