From 25205d5b29d0aade0ebd7c6405a91995d02a3a7c Mon Sep 17 00:00:00 2001 From: Michael Stahl Date: Wed, 9 Nov 2016 18:42:46 +0100 Subject: package: ODF: bump PBKDF2 iteration counts Given recent elections we need to build a higher wall to keep the government out of our documents, and we will make the government pay for it. These iteration counts were considered appropriate a decade ago. http://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256 We get similar numbers on SandyBridge-E desktop and Haswell i7-4600U laptop: * with 10k iterations ~20 msec per derivation * with 100k iterations ~195 msec per derivation * with 150k iterations ~290 msec per derivation We can't go too high though because in ODF every package stream gets its own derived key with a different salt, so a document with embedded images may need a lot of these. Change-Id: I6894e71ed399f8c340eff97a9191c8d8419789a6 --- package/source/zippackage/ZipPackageStream.cxx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'package') diff --git a/package/source/zippackage/ZipPackageStream.cxx b/package/source/zippackage/ZipPackageStream.cxx index 17a6fac66f6b..932a5af4dab6 100644 --- a/package/source/zippackage/ZipPackageStream.cxx +++ b/package/source/zippackage/ZipPackageStream.cxx @@ -655,7 +655,7 @@ bool ZipPackageStream::saveChild( uno::Sequence < sal_Int8 > aSalt( 16 ), aVector( GetBlockSize() ); rtl_random_getBytes ( rRandomPool, aSalt.getArray(), 16 ); rtl_random_getBytes ( rRandomPool, aVector.getArray(), aVector.getLength() ); - sal_Int32 nIterationCount = 1024; + sal_Int32 const nPBKDF2IterationCount = 100000; if ( !m_bHaveOwnKey ) { @@ -665,7 +665,7 @@ bool ZipPackageStream::saveChild( setInitialisationVector ( aVector ); setSalt ( aSalt ); - setIterationCount ( nIterationCount ); + setIterationCount(nPBKDF2IterationCount); } // last property is digest, which is inserted later if we didn't have -- cgit