Hey everybody, good to see you. Hope you are still able to listen to a talk, not completely exhausted from... How many talks was that so far? Like how many tracks? Some 15, 20

since yesterday. Good. I will try not to bore you too much. First question, who of you has been using LibreOffice here? Great, that's pretty much everyone. You use LibreOffice? Oh, you are just not raising your hand, so me of course as well.

Excellent. Who of you is using GPG for, I suppose, email? That's almost everybody, great. So you are in the perfect talk for that. Yeah, this is about GPG, OpenPGP support in LibreOffice. This has been kindly sponsored by

the German Federal Agency of Computer Security. That's the logo there. So, that out of the way. Some words about me. My name is Thorsten Berins. I work for

CIB. In another capacity, I was one of those guys who went with the code and did LibreOffice back in the day. I'm still involved with that project and I'm the German foundation that's kind of collecting some money and

holding some trademarks and running some servers and I'm in the board. Other than that, I've been working with that code since quite a few years. Early at Sun and then at SUSE. And also I'm a pretty outspoken

supporter for open standards and free software. I've been working with the OASIS ODFTC since many years. I've been involved for a few years with the OXML from the other side because we were trying to get a handle there and get back in the day for OpenOffice to get stuff

properly documented so we can implement that. Yeah, sorry for a little bit of advertising here, but this is my company or our company, CIB. It's a medium-sized company based in Munich, some offices all across Europe. We do tons of things.

One of them is LibreOffice. This is a bit more about more specifically what we are doing. LibreOffice is just one of the products or the

services that we're providing. To a large extent, we're a consultancy business so you come to us and we implement stuff for you or we fix your bug or we build your product. We also have products like long-term support for LibreOffice and other stuff, mobile application, PDF

tools, document processing tools, a number of banks that we provide with mass production systems for documents so that you get your account statements or for insurance agencies, those annual invoices.

For LibreOffice, as I said, we are doing consultancy. This is one of the consultancy projects, this GPG for Libre. We also do long-term support. We have a number of customers there who don't want to

upgrade in the pace that the LibreOffice upstream project is updating just about once a year. We also have some support, some trainings. We do macro stuff and extension stuff and all of

that. If you have questions on that, just come to me after the talk and we chat. I'm not going to go much deeper here. Just if you want to do something with LibreOffice in a professional capacity, we have some thousands of seats to run there and need

some help there. We are one of the companies who can provide the help. Okay, so back to the actual topic of the talk, which is GPG for Libre. That's the short name for it, the longer name is in the talk. First, we will look a little bit into

signing, which is the part of, so there's two parts, signing and encryption. Signing is the part that is actually available as we speak in LibreOffice 5.4, so you can get that in a production-ready version and you don't need to run or compile

some bleeding-edge code. Why in the first place did we do that or why is the BSI, the Federal Agency of Computer Security, why are they funding that? First of all, there

can't be enough crypto these days. The more crypto we do and the more products there are built in crypto, the harder life is for the bad guys, be that state-level actors or just playing criminals. So the more tiny little pieces of crypto

are there that are guarding, protecting, securing your communication and your data, the better. So this is one of the many, many areas and many, many places where just adding crypto improves overall security and makes our

digital life a little bit less vulnerable. And LibreOffice is fairly widespread, so that's an estimate of 120 million users out there using that, so adding that piece helps perhaps a little bit to improve that. Another aspect, so

LibreOffice already or OpenOffice back in the day and LibreOffice inherited that code. There is since I think 2005 or something, there is support for S-MIME or X.509

certificates built in. That's cool, but that's perhaps not the easiest thing to do if you want everybody to use crypto because it's kind of involved, it's not so easy to

get those keys, it's not so easy to get other people to trust those keys, it's not so easy especially under Linux to actually make LibreOffice or OpenOffice find your key. It's not so nice, it's not so very usable. And one of

the goals really was to get something that is almost natural, like just at the tip of your fingers, like you just click here and it's all done. You don't need to set up things, you don't need to run shell scripts or do system level or system administrative level stuff. So

that was one of the tools. It has to be very easy, so the trivial stuff like signing or encryption has to be very easy and if you do more involved things then you're good, you're fine, but the initial experience should be very easy. So the outcome should be something cheap, ubiquitous, like it should be everywhere, it should be

peer-to-peer, so there shouldn't be any central authority like with X.509 that needs to, you don't need to have a certificate authority, you don't need to have this, or at least not necessarily this chain of trust. And then for LibreOffice it also would be

really nice if it's cross-platform because LibreOffice is cross-platform, so I think this is just Windows or just Mac or something that's kind of not so great. So why did we then go for GPG or OpenPGP? Well it has

almost all of those features, plus a number of extra ones like, for example, noise. I mean it's very well established, it's probably reasonably secure, it's been out there for a long, long time, so I suspect most of the

bugs, most of the problems have been discovered already. It has nice things like smart cards, plugins, like this YubiKey stuff, so if you want to have kind of extra layers of security that you can add to that, or two factor authentication, that sort of thing.

Another question of course is beyond this nice fuzzy feeling like oh, crypto makes us more secure, there are those aspects especially for signing, that's like, so why

would somebody want to sign a document that's imminently editable, so why would that help? I mean for PDF it's kind of signing a paper, it's a document that is kind of, it's like a printout, it's fixed, but why would it help for something like a text document that you can still

edit or a presentation or a spreadsheet? Well actually, so there's multiple layers there. First of all, it's helpful to know that someone who has reviewed a document and sent it along can be sure that it's like on the way it can't be tampered with, so the other side can be sure this

guy has signed it and it arrives at the state that this person deemed it's okay. The second thing is it also authenticates the other side, so I can be sure that it's this guy, the middle man who signed it and changed something. It's also integrity, so I can be sure that

no middle man came and inserted some evil macro virus or something, or some funny PNG that's kind of triggering a buffer overflow. And there's this nice little thing called non-repudiation, which means

the other side also cannot claim, no, no, I didn't send you that, yes you did, yes, here's the signature, or at least it proves that somebody with possession of that person's key did produce that, which is not, I mean, in front of a court, it might not be exactly the same, but for the sake of the argument, let's assume

it's the same. Yeah, so for the, and for the encryption, it's of course this, like with cloud, I mean, you can say what point is there to encrypt it, I mean, it's on my disk, but well, your disk is not encrypted, or maybe you have some cloud storage

there, something that's syncing that to the cloud, or it's some file share, or it gets back up in your company, so it's kind of helpful, at least if there's no extra price, or not much of an extra price of pain, to also secure so-called data at rest, so

data that's not, I mean, data in transit, that's kind of obvious that it should be, and it's, these days it's pretty much 100%, so everybody's using HTTPS, so data that's in transit is usually secure, but data at rest, which is on your disk, or in your

network share, or in the cloud, sometimes ain't, so, and it also helps to be able at least to offer that option to make that unreadable to the occasional attacker.

Yeah, so, good, let's get into the media's race, what's this all about, or how did we do that? Well, we took LibreOffice, and we took this CPGME, which is an abstraction, IPC abstraction

around GPG and some other tools, and so we plug that into LibreOffice, and we call some function stamp, and outcomes signed, or, and, or, encrypted ODF, and on the other side of the fence

there's IPC layer, or just plain calling, just plain program, just spawning a process, and handing some arguments there, so, GPG, that's called my IPC, so we hand over all the hard

crypto, and entering the pin, and perhaps storing that pin for a while, so you don't have to enter it again and again, we leave that to something that is provably, or at least very

likely more secure, and better audited than LibreOffice, LibreOffice has some 10 million lines of code, it's entirely possible that not every line there is completely fine, so, and just the surface, the attack surface is much

smaller, and the code is much better reviewed for GPG, so that's kind of extra, extra layer of security, so we just hand it over to GPG, let them do the crypto, and get the encrypted document, or the signed digest, or the

signed part of the document back, we also use whatever is there on the system for key management, so that's a basic level of handling keys built into LibreOffice, but whenever, for example, you want to do trust editing, or you want to, whatever, add a subkey or an email

address or something like that, you're going to send to one of those guys, and there's just a list of executables that are tried in order, that's most of them there, so that should largely have you covered, so write this

KGPG or something for KDE, that's also supported, I forgot to add that to the slides. Okay, this is a bit more technical, just tell me if it's getting, by the way, if there's any questions so far, just feel free to

ask, just shout at me, we don't necessarily have to have that at the end, so this is, like, diving a little bit deeper into how this, with multiple processes that works, does anybody

know this nice mobile application, by the way, that's some impress remote control and some nice laser pointer here, and I really like it, and I mentored the GSOC student who implemented that, and it's really cool. So for the certificate manager this just gets handed over here, and then it's kind of doing

this editing of the keys, and it's also interacting here with the GPG, and so essentially there's two, I mean there's also some key management or key listing functions that we're calling, but essentially we're just calling two functions, this GPGME and there's a sign and encrypt, and we just pass some

data buffer there, and get the data buffer back, and everything else happens in this GPG process, so we were waiting until this is done, and this is interacting with the agent, so when you have an agent running and you don't, whatever, some 10 minutes or half an hour timeout, so you don't need to

retype the passphrase over and over again, this is all kind of nicely encapsulated, and outcomes either signed or encrypted ODF here. So this works really wonderfully on Linux,

that probably will work reasonably wonderfully on Mac, that doesn't currently work at all on Windows. Yeah, actually I was a bit surprised, you might not be surprised, but I was a little bit surprised because, so the problem is that LibreOffice is an open source project, so we

really, really, really want to build whatever we run from source. So we built from source on Linux, we built from source on Mac, and it's not a problem for GPGME, but we want to build from source also on the Windows, and that's a problem with GPGME, because GPGME is a kind of hardcore auto-tools, auto-conf project,

it simply doesn't build, like I tried very hard, and it doesn't build on Windows. And so you're asking me, what's the story with GPG for Win? Well, they cross-build, they build on Linux,

they use MinGW, and they cross-build there, so they have all the Linux tool chain, and then, but the problem is we can't, that sounds like, well, where's the problem, but the problem is, we want to build, we have to build on Windows, and we can't, at least

technically from the upstream project, we can't kind of spin up some Linux VM, and hand over the building to that, and then get the binaries back, and then plug it all in, that's a bit involved. And we also can't, although there has been attempts, we can't build LibreOffice, we

can't cross-build LibreOffice, because we need, for binary compatibility, we need the Microsoft compiler, this is very unfortunate, as I said, there were some attempts to do cross-building, but it turns out that our users don't really care, that we are those freedom lovers, and like to build on Linux, they only

care that their extensions that they paid money for, potentially that they still work, and they don't, because the ABI, the C++ ABI is different, if you use GCC and the C++ libs there, or you use the Visual Studio compiler, so

that's unfortunate, so that's the reason why for LibreOffice 5.4, there's only Linux supported, although I'm reasonably proud to say that Linux is really, really well supported, so that works, although it's a .0 version, I'm

aware of one bug, and it's fixed, it's going to be fixed in 5.4.1, which is out in, I think, a week or something, and we plan to support Windows, so I have some, some badass guy sitting on that problem, to port that over, we hope to

ship that for 6.0, which is due in end of January next year, and it's really just compiling, well actually I got it to compile, it's just not linking, but at the end of the day it's not working, so, yeah, but in theory it should, so technically the same support, the same techniques, the

same abstraction works on Windows, so there's software there, like, like some Outlook plugin that uses that, but it's using the cross-build binaries that we can't, good, so what did we

actually do, I mean, that was what we didn't do, it's like we didn't manage yet to get it working on Windows, what did we actually do, some, some, some screenshots there, I will also show a quick demo if I make that, should it still work, so

first of all, we did some UI improvements, what you see here is this info bar, that's this, like you know that from the browser probably, that's kind of newish, not so like 20 years old UI concept, so whatever, the software wants to tell you something that is,

that doesn't require immediate answer, like, so it's just not popping a dialogue in front of your face, it's just kind of gently telling you that something is happening, it's this info bar, so we, we, we added that, the reason why we added that is this, this little thing

here, you see this, I mean, you probably don't see that, which is the point entirely, so this tiny little icon in the status bar, that historically was showing the signature status, and do you see that, you know,

you don't see that, I don't see that either, so it's kind of blown up some thousand percent here, this is, this one, so this is absolutely pointless, I mean, the screens have grown by, by so much, you don't see that, so this is

like, still there, but it's not, so when, when the signature is invalid, you get this red info bar, which is very obvious, and the signature is okay, like, it's technically valid, but you don't trust the key, you get this orange one, and if everything's fine, then you get this nice blue here, but this, this line

was full, yeah, that's a little, so we integrated all, so this is, this is actually the old dialogue from, yes, say

it again, that's a great, just coming up here, so the question was, if I open a document with a valid section, signature, and a good key, what am I seeing, so

let me just play and show you, that's

the wrong, that's what you see, so we

did discuss that, so my, my, originally the colour was green, that I was picking there, but I was told that green is not a good idea, so you really want this blue, which just kind

of means like, be calm, it's all good, it's all wonderful, green is too exciting, so let me do that, so, and if I save

then, but let's quickly, we just finished the sentence, and then we go, we can play with the, with the feature a bit, I mean, there should be time, so what I wanted to tell you is that

this is an integrated list of all valid keys that I have, or valid certificates that I have for signing, you see two X509 certificates there at the top, and then comes a chunk of open PGP keys that I happen to have in my

keychain, and the idea behind that was that it shouldn't matter for the user, it's really, he or she, the only thing that she should be interested in is, this is my selection of keys, and then I can perhaps choose whatever

my recipient might be knowing, or whatever is still valid, so I just click on that, and there's no weird UI, no external program, that's kind of outside the LibreOffice user experience showing up there.

Just that, oh, and press remote has stopped, I'm very unfortunate, so I need this one. So again? This is the same list that your browser tries to start opening HTTPS.

Can you repeat the question? So the question is whether that's the same, this X509, whether that's the same CA that my browser is using for HTTPS. Yes and no, so it's technically, it comes from, under Linux, it comes from

Firefox, and it's also the same concept, like with a certificate authority, but it's a different, I mean you need, actually, either you do something like C-A-CERT, which happens not to be in any browser, so it's kind of involved, so you need to tell everybody to install that root

certificate, or you buy that, it costs actual money to get yourself some certificate there, so that's some 70 bucks a year or so that you pay for that. Okay, so there's this little button there, so start certificate manager, and then you get the

Seahorse or the Cleopatra, and you can do some key editing. But, yeah, why not, let's do the demo a bit. So this is the, this is the document, and so what it says

now, I don't know if that's visible from the back of the room, the signature was valid, the document has been modified, and now it's yellow, so I can give me this one, and then it tells me, well, before you do anything with signing, you rather save

that, because what's happening, it's signing on the XML level, so whatever I'm doing now, I need an exported XML version of that document, so I'm saving that, and then I can just do this sign, and I'm using my

test key here, and this is a test, and that's very funny, you can't see that, but I'm gonna, you still can't see

that, which is a shame, now you can see that. So that's the pin entry. GPG is very smart there, so it

has detected that I have a terminal connected, because the version of LibreOffice I'm showing you is some developer builds on the way to 541, that I was just downloading and unpacking and starting from the terminal, so it detects the terminal, connected to the process, and it's now

giving me that, so that wouldn't normally happen to you, normally when you install that, then you start that probably from your window manager or from a desktop environment, but there we go. I found that pretty amusing the first time, because I couldn't find the pin entry,

until I was checking the debugger console. So you see this again, this is the same small icon up here, and it's also in the status bar, so it's almost invisible, but when I close that guy, then I'm again

getting the info bar again, which is blue again, so it's all fine. So what we can do now is we can tamper with that document a bit. Let me get editor somehow,

in the front, there we go. Here's the screen, that's very helpful.

So that's this document here. So this is a little bit of editor magic, is that visible? Maybe I should, a little bit bigger. Okay, like that. So this is the actual ODF

document, this is the text you've just been seeing here. So let's now do some fun here,

let me save that, and then we reload the document, and voila, so signature is invalid. So that's what we would expect. I can now redo the, or undo

the change, and save again. And I'm sure I didn't try that before, but I would expect the signature to be okay again, shame.

So there's some amount of reformatting. This is not part of the signed content, but it's possible that the editor was doing some funny formatting things

here, and it's not, so what happens technically is that there's some amount of canonicalization going on, so it shouldn't matter whether

there's space here or here. But, so what is it saying anyway? Okay, so there's something else we can do, okay.

So there's 15, is that for 45 minutes or for an hour? Okay, so we would then have 15 minutes for questions, excellent, good, good, good. So let's not go down here

so much, so just trust me, so it's erring on being safe. So whatever you do, for example, if you, there's something else to show, how that works.

So this is the actual, it's pretty printed a bit,

is that somehow visible? So what happens here is that, so this is a zip, ODF is a zip archive, so it has a number of documents like images and XML files. So what's it doing, it's calculating a digest for each

and every of those embedded fragments, like XML fragments and images, and sticks that into this document signatures XML and then it calculates a signature over this XML part

here and then puts that into the signature value here. So that's basically how it's working, so when you change the content XML, this digest value here will be different and if the digest value will be different here

then the signature for this document signatures XML won't match anymore. Okay, so back to the talk. Yeah, so this is again what I was showing you, so that's the certificate manager there that comes up.

That's how the markup looks, so this is based on, this is actually already standard ODF, so all those PGP extensions that you find here, this PGP data, our key ID and key

packet, that's already standardized, that's already just nobody used it yet, so we could just add that, write that out and yeah, it's not going to be invalid or problematic or any work in the standard.

So encryption, so in contrast to the signature stuff which is all wonderful rock solid works standardized, shipped in the product, this is kind of still work in progress. I have something to show you today that's actually

encrypting an ODF document, but there are some buts, first of all it's my private branch, secondly it's not working, round tripping doesn't quite work and third, we need to extend ODF for that, so that needs to go to the ODFTC for

standardization and it's kind of extended ODF than what we write at least for a while until this is properly standardized, so I think it's probably best to demode that straight away.

Okay, so we see some random git hash there, that's some development version, so we're going to save that one, so

this is but ugly, but that's one of the so-called liberal office internal dialogues, so that's not using the system file dialogue but the kind of home grown one, I need that because I need this extra flag here, this is, I mean in

principle this can be added to the system dialogues as well, it's just a bit more work and I didn't get to that, so let's try that here, so what

happens now, it's loading some 1200 keys because that's what happens to be in my PGP key ring, this is a debug version, so I have to talk for some minute or two to not have you bored too much, but it will

eventually pop up this dialogue, this certificate selection dialogue, where you can then select keys like for the recipients, the plan is to encrypt to self automatically, there's a little bit of magic involved there and some

heuristics that might not always work, so that there will be probably some user configurable setting where you can set some, like for email as well, where you can set some preferred key for that, so that you always encrypt against that one, so now we

have the list here and then we can write Klaus Miller, now it's doing the encryption and saving that and the signature has vanished again because I was saving, I could add that

again, it would just go on top and now we would check the it's a little bit more involved, so we need to, so this content

XML, this is now encrypted, so you don't see much, I mean that's the entire point, what you do see is something here, so the only file that is not encrypted in an encrypted ODF is

the manifest because you need the information like which key and where to start from, so

let's load that here, so again this is based on existing

standards, so it's not like you are reinventing the wheel there, we take XML encryption, the XML encryption standard, cherry pick the parts that we need for that and so the plan is that this has not yet

happened but once this is working reliably and I'm pretty sure that there's nothing much left, I'm going to write a proposal to the ODF TC that says look guys, this is XML's encryption standard and this is the schema and we need that in LibreOffice and can we just

embed that into the ODF schema and that has worked pretty well in the past and what you see, what's here is like some key, encrypted key element section that basically says I have a key here, that's the transport

key, this is just a random sequence of some 16 bytes of random numbers that's actually used to encrypt the streams and that itself is encrypted with the key ID here, this is base

64 but it's just a normal GPG key ID and there's also the key itself, the public key is embedded, so that's another nice feature of this LibreOffice work there that it's a nice way to

distribute keys because with every document that you sign and with every document that you encrypt you will give the other person your key which is very helpful because that's another, I mean the more different ways there are to get someone a key the harder it is to give this person a

key that is forged and the key managers usually tell you oh there's a key with the same user ID but it's a different key should I import that or not, do you trust that or not. And it's also something that it's hard to modify because it's already there in this

document so if somebody wants to attack somebody or wants to play man in the middle or girl in the middle he or she would need to kind of make sure that all those documents are cleansed or updated as well. So that is largely, oh yeah and

then that's kind of, this is the part that I'm not done yet with and I'm not completely happy with so this is per file, per stream information on how the actual files are encrypted and there's a variety of algorithms to use and that's

kind of work in process, progress, sorry. So that's about all I wanted to tell you, some roadmap there I mentioned a few aspects there so what we have as of today if you go to libreoffice.org you can download 5.4 if you run Linux and if you have

ever created a private key you can start signing documents today. For February 2018 you plan that for Windows, I hope we get this done for OS X as well, if it's too much work I don't know about Android, technically it

should be working, there's also key managers for Android, it's just, well there's almost always so much to do and so little time so it's, at least for me it's not a priority but again I mean this is open source so if somebody is interested in helping with OS X or with

Android or even with the core implementation just come to me after the talk, I will most happily tell you where to start. Yeah, so encryption as I said this is not in release yet, this is in a private branch I'm working on but this will also

most definitely be done for liberal for 6.0 that needs ODF extensions and for ODF next whatever that is 1.3 or 2.0 that's a bit unclear but we will be working with the ODFTC to get this standardised so that the encryption part is

also standard ODF. That said, right now liberal office is the only application or user agent or user facing application that supports that. I did find a little Python library though that also

supports this PGP extensions from the XML encryption and XML signature standard. Okay, great, interesting. It should have been right. Thanks for staying, thanks for

your attention, I hope you heard a little bit of interesting stuff here. I now open for questions. If there's any, yes please.

So is there any other office suite, if I captured that correctly, that supports that? So broadly no, so for X.509

there is support in OXML, it would be possible to add that in the same vein there for PGP. I just wonder whether there's any point, whether there's any chance that Microsoft would support that.

If it's part of ODF, then perhaps they might. I guess Microsoft has a lot of corporate. And X.509 is really a big corporate, like if you're a big corporation and you have like this strictly hierarchical

and it's all kind of under control and you can deploy to millions of computers, then X.509 is sort of okay. But for something distributed, for something like, even in Germany, even the public sector in Germany is so diverse, like so many different entities and

everybody has their own IT, so it's now impossible to have some federal level, all of Germany, X.509, at least from what I hear. So yeah, but it's up to all of us, just if this is liberal,

I mean it's open source, so it's easy to take the code and run with it. It's up to all of us to lobby other projects, other implementers to support that. But it's also not doing any harm. I mean, so the worst that happens is that if it's signed, then, well,

there's no signature information shown. So it's like getting a document without the signature. It's not terrible.

So the comment was that it's good marketing for liberal office and that it kind of helps perhaps to get more people to use liberal office because liberal office instances can talk to each other. That's true. I mean, there's always this,

I mean, even for liberal office, it's only in the 5.4, so there will be some time for this to diffuse into general use. More questions? I have no idea.

Well, I can, maybe if you can have more questions while I'm trying to figure that out.

So, any further questions while I'm fighting with Git? So you said you have your own key store. No. So historically liberal office and open office used the Firefox key store

for under Linux. Optionally the Thunderbird one, which is kind of a disaster because under Linux there's no one single key store. I mean, GPG is sort of that now. I mean, there's also X.509 support

and we could in theory also support that the GPGME with X.509. It's just not, it doesn't have a priority right now.

So that's about the size of the patch. If you can see that, maybe I should change the color. Start. Visible, so this is, it's not, oh, actually no, I'm lying.

That's the encryption part. So the, for the signature part, that's some, I don't know, a thousand, 1,500 lines of code perhaps. Let's change that.

Lot of complexity, even better solve it for the Linux. I mean, because of the, also the sign and the... So, actually I think on, so it's not, I mean it's, so the hard part with LibreOffice is always like finding this one line.

Sorry, I should repeat the question. So, you said, the question was whether that's not adding too much complexity to the code, if I got you. Yeah, especially in light.

Yeah, and my, so my statement there is that it's usually, I mean, most of what we're doing there is so some 70% of the functionality is there because of X.509 support. We're just piggybacking on top of that. And in the process of implementing that,

we also remove quite some code. So we just, while working with the code, we just covered unused areas that we were just removing. So on balance, I mean, we're talking about 10 million lines of code. Here on balance, it's, it's a rounding error.

There are some, I mean, there's some added complexity, but it's not much to the, of course, to the files, because we always embed, now we always embed the GPG key. That's some whatever kilobyte or two that's added to the file size. But only if you use the feature, if you don't sign and you don't pay the price.

Okay, thank you.