Does LibreOffice encrypt password-protected files

Does LibreOffice actually encrypt a file when one saves it using the "Save with password" option?

Any details are welcome (encryption method, key size, SALT usage, padding, etc).


LibreOffice uses the OpenDocument Format, which is a zip encrypted archive containing mainly XML files representing the document.

If you set a password to read the document, all those contained files inside the zip archive will be encrypted separately, except the metadata which remains as clear text.

Up to LibreOffice 3.5 (up to ODF 1.1), the Blowfish algorithm is used for encryption, current versions use AES-256 instead.

Here are some resources providing further details:


From http://listarchives.libreoffice.org/global/users/msg15359.html:

Saving a document with password is indeed an encryption. The encryption methods are specified in the ODF Specification for encrypting the parts of the Zip package. (There is no ODF-specified encryption for the single-XML-file form of an ODF document.)

The default method, that works for all ODF 1.0/1.1/1.2 documents in packages (e.g., ODT, ODP, and ODS files), is by Password Based Key Derivation (PBKDF2) using HMAC and SHA1 starting with an SHA1 digest of the UTF-8 user-chosen password. The encryption with the derived key is Blowfish with 8-bit Cipher Feedback (8-bit CFB). This is done on each file of the Zip package that carries the parts of the ODF document. (Each part has a different, randomly-derived initialization vector, but the derived key is the same for all of them.)

Starting with ODF 1.2, additional encryption methods can be chosen. However, there are interoperability issues if the document is intended to be opened with anything but the computer and software that was used to encrypt it (actually a common use case but not when secure interchange is intended).

From https://wiki.documentfoundation.org/ReleaseNotes/3.5#Different_Encryption_Algorithm:

In LibreOffice 3.5, a different and more secure encryption algorithm (AES-256) is used for password protected files in the ODF 1.2 and ODF 1.2 Extended file formats. The new cipher is activated by default. Blowfish encryption in ODF 1.2 files is considered deprecated.

From https://en.wikipedia.org/wiki/OpenDocument_technical_specification#Encryption:

When an OpenDocument file is password protected, the file structure of the bundle remains the same, but the contents of the XML files in the package are encrypted using the following algorithm:

  1. The file contents are compressed with the DEFLATE algorithm.
  2. A checksum of a portion of the compressed file is computed (SHA-1 of the file contents, or SHA-1 of the first 1024 bytes of the file, or SHA-256 of the first 1024 bytes of the file) and stored so password correctness can be verified when decrypting.
  3. A digest (hash) of the user entered password in UTF-8 encoding is created and passed to the package component. ODF versions 1.0 and 1.1 only mandate support for the SHA-1 digest here, while version 1.2 recommends SHA-256.
  4. This digest is used to produce a derived key by undergoing key stretching with PBKDF2 using HMAC-SHA-1 with a salt of arbitrary length (in ODF 1.2 – it's 16 bytes in ODF 1.1 and below) generated by the random number generator for an arbitrary iteration count (1024 by default in ODF 1.2).
  5. The random number generator is used to generate a random initialization vector for each file.
  6. The initialization vector and derived key are used to encrypt the compressed file contents. ODF 1.0 and 1.1 use Blowfish in 8-bit cipher feedback mode, while ODF 1.2 considers it a legacy algorithm and allows Triple DES and AES (with 128, 196 or 256 bits), both in cipher block chaining mode, to be used instead.
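The parameters named in steps 3 to 6 are recorded per file in the package's META-INF/manifest.xml, so a document's actual cipher, salt and iteration count can be inspected without the password. The following is an added example, not part of the original answer or of LibreOffice's code: it reads those parameters and reproduces the key derivation of steps 3 and 4. The manifest fragment, the salt/IV values and the function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
RAW16_B64 = base64.b64encode(bytes(range(16))).decode()  # constructed salt/IV value

def q(name):
    return "{%s}%s" % (NS, name)

# Constructed manifest fragment in the ODF 1.2 / AES-256 layout (not from a real file).
SAMPLE_MANIFEST = f"""<manifest:manifest xmlns:manifest="{NS}">
 <manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>
 <manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml">
  <manifest:encryption-data manifest:checksum-type="{NS}#sha256-1k" manifest:checksum="{RAW16_B64}">
   <manifest:algorithm manifest:algorithm-name="http://www.w3.org/2001/04/xmlenc#aes256-cbc" manifest:initialisation-vector="{RAW16_B64}"/>
   <manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="32" manifest:iteration-count="1024" manifest:salt="{RAW16_B64}"/>
   <manifest:start-key-generation manifest:start-key-generation-name="http://www.w3.org/2000/09/xmldsig#sha256" manifest:key-size="32"/>
  </manifest:encryption-data>
 </manifest:file-entry>
</manifest:manifest>"""

def encryption_params(manifest_xml):
    """Map each manifest entry to its encryption parameters (None = no encryption-data)."""
    out = {}
    for entry in ET.fromstring(manifest_xml).iter(q("file-entry")):
        path, enc = entry.get(q("full-path")), entry.find(q("encryption-data"))
        if enc is None:
            out[path] = None
            continue
        alg, kdf, start = (enc.find(q(t)) for t in ("algorithm", "key-derivation", "start-key-generation"))
        # ODF 1.0/1.1 manifests have no start-key-generation element: SHA-1 is implied.
        start_name = start.get(q("start-key-generation-name"), "") if start is not None else ""
        out[path] = {
            "cipher": alg.get(q("algorithm-name")),  # "Blowfish CFB" in legacy files
            "iv": base64.b64decode(alg.get(q("initialisation-vector"))),
            "salt": base64.b64decode(kdf.get(q("salt"))),
            "iterations": int(kdf.get(q("iteration-count"))),
            "key_size": int(kdf.get(q("key-size"), "16")),  # 16 bytes assumed when absent
            "start_hash": "sha256" if start_name.endswith("sha256") else "sha1",
        }
    return out

def derive_key(password, p):
    """Step 3: digest of the UTF-8 password. Step 4: PBKDF2 with HMAC-SHA-1."""
    start_key = hashlib.new(p["start_hash"], password.encode("utf-8")).digest()
    return hashlib.pbkdf2_hmac("sha1", start_key, p["salt"], p["iterations"], p["key_size"])
```

An iteration count of 1024 makes each derivation cheap, so in such files the strength of the passphrase carries most of the protection.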

LibreOffice uses the following encryption techniques:

  • Blowfish
  • AES-CBC (used by default since LibreOffice 3.5)

However, if the passphrase is weak, it can be easily cracked by a brute-force technique.

Related links:

  • how to crack a PW in LO?

  • how secure is libreoffice when using password protect