
LibreOffice lockdown and encryption improvements


Formal Metadata

Title
LibreOffice lockdown and encryption improvements
Number of Parts
490
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
LibreOffice has long had built-in support for working with encrypted documents (with some recent improvements adding OpenPGP support). What was missing, though, was more fine-grained control over what a user can do with access-restricted documents. Come and see what recent improvements we implemented for LibreOffice 6.4 and 6.5 to permit fine-grained access controls on individual LibreOffice documents, matching the feature set of MS Rights Management Solution.
Transcript: English (auto-generated)
OK, shall we start? Sorry for the small delay. I managed to, I thought I would give you a demo. What I was actually about to talk about was on Windows.
Unfortunately, I managed to lock myself out of BitLocker. So I can't explore it. So this is absolutely on topic, because the talk's about lockdown, encryption, security. Sometimes it's a bit too secure, so you can't access even your legitimate data anymore.
Anyway, so one slide about me, just anybody who might not know me. My name is Frassen Behrens. I work for CIV. We do consulting around LibreOffice. We also do LTS versions and lots of other cool things. I'm with the project since many years.
I'm also active on the document foundation board, et cetera. And beyond that, I'm out there and advocating for open source and open standards. Right, so credits. This is mostly not my work. So I'd like to highlight the people who did the actual
work, my colleagues, Vasily, Sash, and Samuel. The work itself, I will talk about here mostly. It's an example that it was a customer project. There was a very large bank
that wanted to use LibreOffice, which is a great thing. The problem is that banking regulations all over the world are sometimes rather strict. And one of the challenges that this bank was facing
was the fact that they couldn't let the users arbitrarily access documents. So they needed to put controls under what people could do with Office documents. For example, not let them print or copy that,
or even take screenshots from it. So you might know that from PDF. For PDF, it's a suggestion, so readers can obviously ignore that. There's other software, but there's like rights management system,
but there's more for lockdown here. And in this particular case, there is some from Microsoft, from Microsoft Office, their solution called Microsoft RMS, rights management solution, that is pretty effective in locking down
what users can do with their documents. And that's actually, there was a requirement, one of the entry requirements for that customer to even be able to employ software on their client machines. So we went and thought about that and looked a bit into the technology there
and figured out it's actually possible to do that with LibreOffice. So we went ahead and it's actually right now, so there's a branch where it's implemented, there's a number of patches waiting for integration into the upcoming LibreOffice 7.0.
We didn't quite manage 6.4 for that because it was rather involved and lots of API changes and code changes there, so we didn't want to risk that. Right, so that's for the outset.
That's essentially what I just told you, but I didn't want to distract you with the slide. The challenge really there is for desktop computers because on a desktop machine, users usually have a lot of things they can do.
They can do copy paste, they can save under a different name and then do things. They can perhaps look at the file system and just take the bits and walk away with them if there's a temporary file. They can take screenshots, et cetera. So there's a level of control necessary
and also a level of lockdown and lockdown support from the operating system that you need. And to the best of my knowledge, that is probably only really working to that extent on Windows, at least for client side.
You can do a lot more if you have a virtual machine or a virtual desktop solution, where the users can't really get at the bits. But you can then probably still do screenshots, but I suppose you can do that anyway with a, I mean, just physically take a picture from the screen.
Right, so that's how it looks for this Microsoft thing. Basically, what happens is there's a document that's encrypted on the server
that gets downloaded by any possible means, mail attachment, shared file system, you name it, downloads. So normally, users can't access that. So if they want to access it, they need to authenticate against this little thing here in the middle,
the, I don't know if I got a mouse, yes, I do. This guy here, which then talks to the client, a little component on the client, on the desktop machine.
And what, in the end, this little plug in there needs, it's a temporary session key. That is not something that the user will get permanently. That's not like public key cryptography. That's some password that the user can always use.
It's a temporary session key. The problem with a temporary session key is that if the user can get access to that, it becomes a non-temporary session key. So you really want this whole thing to be controlled or a trustworthy environment where the key
and the data cannot get out. So that's why this RMS rights management system requires at least the code that interacts with the system and that decrypts and handles the data to be signed so that the client side can actually assess
whether it has been tampered with. So code has to be signed and the extension has to be signed and the user needs to authenticate against this client side, which then talks to the server and then the server says, okay, when the trust chain is intact,
it will hand out a temporary session key. And the session key then travels all the way back and the extension can then, using the client component and decrypt the document, but then needs to, for that to work, then needs to tell LibreOffice to disable certain things like, for example, copy paste or printing
or saving under a different name. So for that, we had to tweak a bit what LibreOffice can do. There were already, there were a few things already that could be done in terms of lockdown, but it wasn't far from complete.
So the most important part that we had to change was the way that document and decryption works because that had to happen in this client library. And since we wanted to, at least in principle, have this technology agnostic and there are ways to do,
you cannot prevent a screenshot, but there are ways to at least clone that sort of system for something like GPG and other public key cryptography systems. So we added API for that.
There's a very small wrapper extension that maps the API to the RMS system that you could use also. It's really small. It's more or less passing things through, an adapter, if you will. And you can do that just the same for other technology,
for Mac or for Linux. So this API then disables or enables, depending on the metadata that gets passed on the features. So that's how it works as a sequence diagram,
more or less, again, what I mentioned. The important part really is the integrity here. So that at least the extension needs to be signed. And the session key doesn't really never
leaves this kind of lockdown or signed code. So that never really ends up in LibreOffice code, for example. So that stays within this kind of lockdown environment. And LibreOffice gets the decrypted bits
out of the API, plus metadata, what is permitted, what it can do with that or cannot do. So most of that work actually ended up in LibreOffice and there's a bit of a wrapper on top.
Potentially, you can do something similar with GnuPG. The sticking point really is you want to authenticate both the user and you want to authenticate the code. So there has to be some, for other systems,
some sort of measuring from the outside that ensures that, so there has to be a separate system component that looks at LibreOffice and the extension and authenticates or asserts that it's intact. So that is something that potentially,
depending on somebody coming up and thinking that's a good idea and perhaps funding that, there could be something we can do with that API in place. So time-wise, oh yeah, there's still some time left.
So that's the core change that we did that affects essentially how LibreOffice decrypts and encrypts documents. That has some knock-on effects that would also permit
novel encryption schemes without any core changes. So there's some thinking around changing or adjusting the way that ODF encryption, package encryption works. That's right now a bit clumsy
because ODF is a zip archive, essentially, and the encryption works like every single item in the zip archive gets encrypted individually, which is not a problem if you have, I don't know, a standard writer document with no images.
If you have a large Impress document with hundreds of slides and hundreds of images, then every single image gets encrypted and decrypted, which is a drain on your random number generator, on your entropy.
And it's also really bloody slow because the encryption setup, usually if you use a password, it gets some key generation function, so it iterates a number of thousands of times over the key to get an encryption key. And you need to do that for every single document, and it's really, really slow.
So with that, let's now plug in encryption and decryption method available in LibreOffice. Well, almost, as I said, the patches are not merged. It's a stack of changes that didn't make LibreOffice 6.4.
Okay, so yeah, I would have loved to show you that live. The problem is, as I said, that lockdown worked a bit too well. So that's how it looks in Word.
But obviously, I had permission to read this document. I got all the rights here, so I got this little info bar there that tells me what I can do with it. And then there's a toolbar where you can say, well, I want to save that,
and I want to give this group of users that kind of permission now, which unfortunately, I can't show you because it's just a screenshot. And that's how it looks in LibreOffice. So we tweaked, I mean, among other things, we also tweaked the info bar. So the info bar can now do rather nice,
complex things like this here. So multi-line and formatting there, and more than one control, et cetera. So that's exactly the same document against exactly the same RMS instance, and it comes up with exactly the right permissions.
And so that works transparently in that system. And as I said, it's a small wrapper extension that unfortunately, we can't open source that for a number of reasons. One of them is actually it needs to be signed and locked down and being taken aside.
Okay, any questions so far? Nicolas. Is it by purpose that you use RMS? I'm sorry, that's the acronym for that. That's lots of ambiguity.
I mean, you just don't have so many combinations of three letters, but it's, no, in this case, it's not on purpose. This RMS type needs to be answered. Yeah, right. But it's a, it's a part of Windows. It is a, it's an optional component that I believe, at least under Windows 10,
you can just say this is a package prerequisite and it gets installed. Yeah, yeah, yeah, yeah. You look like you want to ask a question or make a comment.
Right. Okay. Okay. If there's no further question, thanks for your attention.
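
The per-item encryption cost described in the talk, as an added example that is not part of the talk or of LibreOffice's code: it runs a real password-based key derivation once per package entry and compares that with a single derivation for the whole package. PBKDF2-HMAC-SHA256, the salt/IV/key sizes, the iteration count, the sample entry list and the single-derivation alternative are assumptions chosen for illustration.

```python
import hashlib
import os
import time

SALT_LEN, IV_LEN, KEY_LEN = 16, 16, 32  # assumed sizes, for illustration only


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    # The "iterate thousands of times" step: password-based key derivation.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN)


def per_entry_setup(password: bytes, entries: list, iterations: int) -> dict:
    """Per-item scheme from the talk: fresh salt, IV and derived key per entry."""
    keys, drawn = {}, 0
    started = time.perf_counter()
    for name in entries:
        salt, iv = os.urandom(SALT_LEN), os.urandom(IV_LEN)
        drawn += SALT_LEN + IV_LEN
        keys[name] = (derive_key(password, salt, iterations), iv)
    return {"keys": keys, "kdf_runs": len(keys), "random_bytes": drawn,
            "seconds": time.perf_counter() - started}


def single_setup(password: bytes, entries: list, iterations: int) -> dict:
    """Hypothetical alternative: derive once, treat the package as one stream."""
    started = time.perf_counter()
    salt, iv = os.urandom(SALT_LEN), os.urandom(IV_LEN)
    keys = {"<package>": (derive_key(password, salt, iterations), iv)}
    return {"keys": keys, "kdf_runs": 1, "random_bytes": SALT_LEN + IV_LEN,
            "seconds": time.perf_counter() - started}


# Constructed sample: an Impress-like package with 3 XML streams and 40 images.
SAMPLE_ENTRIES = ["content.xml", "styles.xml", "meta.xml"] + [
    f"Pictures/img{i:03}.png" for i in range(40)]

if __name__ == "__main__":
    for setup in (per_entry_setup, single_setup):
        r = setup(b"constructed-password", SAMPLE_ENTRIES, 100_000)
        print(f"{setup.__name__}: {r['kdf_runs']} KDF runs, "
              f"{r['random_bytes']} random bytes, {r['seconds']:.2f}s")
```

Setup time and random bytes drawn grow linearly with the number of entries in the per-item model, while the single-derivation model stays constant regardless of how many images the document holds.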