Embed Size (px)
DESCRIPTION
www.berlin6.org
Citation preview
Open Document Exchange Formats:Security, Protection
& Experiences
Christian Zier
Federal Office for Information Security
Berlin6 Open Access Conference12.11.2008, Düsseldorf
Agenda
➢ My place of work➢ Standards and Open Standards➢ Open Document Exchange Formats ➢ Security and Protection➢ ODF and OOXML➢ Migration at the BSI
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 3
My place of work: BSI
Federal Office for Information Security (Bonn, Germany)
Federal public agency within the area of responsibility of the Federal Ministry for the Interior
Founded in 1991unique as a public agency in comparison to other European establishments
Staff: around 460 employees
Budget: 52 million €
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 4
Focus of activities
Internet security
Secure e-government
IT baseline protection
Cryptographic innovation
Biometrics
Security from eavesdropping
Certification and approval
Protection of critical infrastructure
Awareness campaign on IT security
National / international security co-operation
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 6
Standards
British Standards Institute: publicly available technical document
developed in cooperation with interestedparties
based on scientific results and technical experiences
intention is to improve the public welfare
Subsystems can communicate via standardized interfaces
Basis for interoperable products
Promote competition between implementations
Multiple competing standards for the same purpose question the meaning of standards
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 7
Open Standards
Independent of implementations and manufacturers
Competition between implementations, not standards
Increases interoperability, avoids vendor lock-ins
Facilitates developement of independent + FOSS
Ensures future-proof access to archived data
Makes sure that authors can acess their own documents
There exist various definitions
Standard has to be a common denominator→ extensible to additional features
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 8
Open Document Exchange Formats
Open document exchange formats are independent
developed in an open process
sufficiently documented
Advantages of open document exchange formats: enhance competition and software diversity
increase interoperability and automation
enhance adaptability
ensure archive security & guarantee future proof
extensible to additional features
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 9
Open Document Exchange Formats contd.
Authors retain access to andcontrol over their documents
E-Government needs ODEF for internal / external workflows, ...and secure documents
Process to Open DocumentExchange Formats:
Not a question of if,it´s a question of how!
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 10
Security and Protection
Attacks on IT-Systems increasingly via manipulated binary office documents
Attacks are performed by well organized groups with good technical knowledge.
For protection, we need to inspect documentsto detect potentially malicious software (binary code)
In case of critical vulnerabilityprotection might imply blocking alldocuments of proprietary standard
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 11
Security and Protectioncontd.
ODEF are well structured and meet the requirements: Structure allows for complete, transparent analyses
Detection of malicious code strongly improved
Possibilities to hide malicious code strongly reduced
Efficient isolation of potentially dangerous code (e.g. macros, pictures, videos ...)
Suspicious content can be filtered out without necessarily losing the information of the entire document
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 12
ODF (ISO 26300)
Developed by Sun Microsystems and OASIS
Many idependent implementations (OO, Koffice, AbiWord)
Meets security requirements of eGovernment:structured format, can be scrutinised
Has been examined and tested
Possibility to directly access andedit the XML-files
Macros uniquely identified with tags
No definition for a mathematical formulalanguage reduces interoperability.
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 13
OOXML (ISO 29500)
Developed by Microsoft and Ecma International
ISO 29500 has not yet been officially published
There exists no implementation of this standard
Security scans probably more elaborate + costly due to different tags in different document types for same
properties (text color and alignment)
6x more voluminous spec., indicates more complexity
No tags for handling macros, also reduces interoperability
More complex standard might reduce number of independent implementations and interoperability
Only few independent implementations to be expected
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 14
Migration in the BSI
In the past few years, BSI has migrated from Windows to Linux (around 50%)
migrated from Microsoft Exchange to KOLAB Groupware (http://www.kolab.org) with Kontact and Outlook clients
migrated from MS Office to StarOffice (~100%)
About 500 installations of StarOffice
Some installations of MS Office left (stand-alone and TS)
Focus on text-documents as a start
Exchange documents: ODF (and PDF)
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 15
Migration in the BSIExperiences
The more recent the software, the less trouble
Positive: Packaging and rollout easier with Linux
Bugs can be found easier and fixed faster
Better encryption functionality
Negative (Debian Woody): Detection of printers
Printing PDF-files
Conversion of most templates after analysing for parts problematic to convert
Migration was supported by training for StarOffice
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 16
Migration: Lessons learned
„Where can I find this feature, where has that button gone?“
„I want to return to Windows!“
„This document looked fine on the other machine!?“
People only accept a few drawbacks
The every-day-scenarios have to work at least 90%
Very important in administration: document templates
Similarity of StarOffice to MS-Office was helpful
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 17
Migration: Lessons learned contd.
Success strongly depends on willingness to engage into new software
Many people care more about (good) applications than document standards → need good implementations of typical workflows for open documents.
Only few severe problems → need more interoperability.
Might have read this before:
It's not a question of IF, it's a question of HOW!
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 18
Contact
Federal Office for Information Security (BSI)
Christian ZierGodesberger Allee 185-18953175 Bonn
Tel: +49 (0)228-9582-5946Fax: +49 (0)228-9582-5400
