Re: Commit: Password dialog


Subject: Re: Commit: Password dialog
From: Aaron Lehmann (aaronl@vitelus.com)
Date: Wed Oct 17 2001 - 16:38:22 CDT


On Wed, Oct 17, 2001 at 03:16:33PM -0400, Dom Lachowicz wrote:
> Maybe I need to explain myself better.
>
> MSWord documents CAN be password protected. Note that this password is really
> easy to crack because of the simple XOR scheme used, but since cracking that
> password automatically would probably be a violation of the DMCA or some other
> law, we instead try something legal - namely, getting the password from the
> user and then authenticating the user using that token.

Oh, so it's for DOC.

If you guys want I'll write an autocracking plugin and distribute it
seperately at my own risk. The idea that XOR even gives you an
illusion of security that should be protected by the DMCA is BS.

> The DOC Import Filter needs a way to get a password from the user when it
> encounters one of these password-protected documents. That's ALL this dialog
> is meant for, at least for the time being. To the best of my knowledge,
> there's no effort underway to password-protect or encrypt AbiWord documents.
> Thomas Frydrych suggested implementing something like this as a plugin maybe
> sometime in the future. If you want the effect of an encrypted document right
> now, an easy suggestion is to use an external PGP program. And yes, MD5 is
> being deprecated in favor of SHA.

Agree strongly.

BTW, what cipher is usually used with a key produced by SHA-1, since
it is a 160 bit output? I imagine it could be trunctated to 128 bits,
but then the security advanteges over MD5 are questionable. I suppose
Blowfish could be keyed at 160 bits...



This archive was generated by hypermail 2b25 : Wed Oct 17 2001 - 16:38:34 CDT