Security/Encryption

From Apache OpenOffice Wiki
Revision as of 14:38, 1 July 2009 by Mt (Talk | contribs)


Encrypted documents shouldn't have any unencrypted content

Currently it is possible to add unencrypted content to an encrypted document simply by putting new streams into the zip archive.

This way, someone could, for example, add macro code to a document without needing to know the password.

The possibility to add content to an encrypted document is quite bad, and it becomes worse with macros, because a password increases the level of trust the user has in a document when it was encrypted by a person he knows.

OOo will detect the macros and ask the user whether or not to execute them. The user might trust the author of the document, and because of the encryption nobody should normally have been able to manipulate it, so he will probably allow OOo to execute the macros. At least it is not possible to bind the macros to some event so that they would be executed automatically.

In general, an encrypted document shouldn't have any unencrypted content. Exceptions are some files in the META-INF folder: manifest.xml, which is needed to get the encryption information, and the digital signature files, which also might not be encrypted, depending on the signature implementation.

Encryption Implementation in OOo 3.2

For OOo 3.2, we plan to improve the document encryption, or rather the handling of documents that have issues like those mentioned above (issue #XXXXX).

When OOo opens an encrypted document, it will check via the manifest whether all files are encrypted. All encrypted files in an ODF zip archive must use the same encryption key. It is also necessary to check the actual file content, and not the manifest alone. This could be done on access, or in a background process for all files. When it detects unencrypted files, OOo will show a warning to the user and will not execute any unencrypted macros in encrypted documents.
