LIBREOFFICE LOCKDOWN & ENCRYPTION Improvements to document - - PowerPoint PPT Presentation

▶

Jul 25, 2023 345 likes •502 views

LIBREOFFICE LOCKDOWN & ENCRYPTION Improvements to document security & permissions Thorsten Behrens, CIB software GmbH FOSDEM 2020, Brussels, February 3, 2020 1 Yours Truly Thorsten Behrens thb@libreoffice.org Since 2015 with

SLIDE 1

Thorsten Behrens, CIB software GmbH FOSDEM 2020, Brussels, February 3, 2020 LIBREOFFICE LOCKDOWN & ENCRYPTION Improvements to document security & permissions

SLIDE 2

Yours Truly

Thorsten Behrens – thb@libreoffice.org

Since 2015 with CIB & built the

LibreOffice team there

One of those LibreOffice

forkers/founders, also on The Document Foundation board

Working with this code since about

2001 (OpenOffice, then LibreOffice)

Hacker, computer scientist, FLOSS &

Open Standards lover

SLIDE 3

CREDITS

Vasily Melenchuk Serge Krot Samuel Mehrbrodt

SLIDE 4

ANOTHER „ENTERPRISE“ FEATURE WE MISSED

1. FOR DESKTOP USERS
2. PERMIT ENTERPRISES TO CENTRALLY

CONTROL WHAT USERS CAN DO

3. WITH THEIR COMPUTERS & THEIR

DOCUMENTS

SLIDE 5

ARCHITECTURE FOR MS RIGHTS MANAGEMENT (RMS)

Offjce user

LibreOffice

LibreOffice Extension / RMS API Wrapper RMS Client 2.1 RMS Server Code signature Client or user certificate

UNO API

SLIDE 6

SEQUENCE DIAGRAM FOR A RMS DECRYPTION

LibreOffice RMS Extension Client RMS agent GnuPG process gpg

Authenticate against client, request session key Ensure integrity of client-side (OS and RMS client application)

GnuPG process gpg Server RMS code

Request session key Session key with permission meta data Decrypt document Active Directory

SLIDE 7

LibreOffice Wrapper Extension

SLIDE 8

ARCHITECTURE FOR GNUPG (SUGGESTION)

Offjce user

LibreOffice

LibreOffice Extension GnuPG plus WKS / permitted keychain Code signature User private key

UNO API

SLIDE 9

IMPLEMENTATION

SLIDE 10

CORE API CHANGE FOR THIS FEATURE

interface XPackageEncryption: css::uno::Xinterface { boolean readEncryptionInfo( [in] sequence < css::beans::NamedValue > rOleStreams); boolean generateEncryptionKey( [in] string rPassword); boolean decrypt( [in] css::io::XInputStream rxInputStream, [out] css::io::XOutputStream rxOutputStream); sequence<css::beans::NamedValue> createEncryptionData( [in] string rPassword); boolean setupEncryption( [in] sequence<css::beans::NamedValue> rMediaEncData); sequence<css::beans::NamedValue> encrypt( [in] css::io::XInputStream rxInputStream); boolean checkDataIntegrity(); };

SLIDE 11

SOME SCREENSHOTS

SLIDE 12

SOME SCREENSHOTS

SLIDE 13

Any questions? :)

SLIDE 14

Thorsten Behrens, CIB software GmbH FOSDEM 2020, Brussels, February 3, 2020 LIBREOFFICE LOCKDOWN & ENCRYPTION Improvements to document security & permissions

Yours Truly

Thorsten Behrens – thb@libreoffice.org

LibreOffice team there

forkers/founders, also on The Document Foundation board

2001 (OpenOffice, then LibreOffice)

Open Standards lover

CREDITS

Vasily Melenchuk Serge Krot Samuel Mehrbrodt

ANOTHER „ENTERPRISE“ FEATURE WE MISSED

CONTROL WHAT USERS CAN DO

DOCUMENTS

ARCHITECTURE FOR MS RIGHTS MANAGEMENT (RMS)

LibreOffice

UNO API

SEQUENCE DIAGRAM FOR A RMS DECRYPTION

LibreOffice RMS Extension Client RMS agent GnuPG process gpg

Authenticate against client, request session key Ensure integrity of client-side (OS and RMS client application)

GnuPG process gpg Server RMS code

Request session key Session key with permission meta data Decrypt document Active Directory

LibreOffice Wrapper Extension

ARCHITECTURE FOR GNUPG (SUGGESTION)

LibreOffice

UNO API

IMPLEMENTATION

CORE API CHANGE FOR THIS FEATURE

SOME SCREENSHOTS

SOME SCREENSHOTS

Any questions? :)

THANK YOU!