www.berlin6.org

1. Open Document Exchange Formats:
Security, Protection
& Experiences
Christian Zier
Federal Office for Information Security
Berlin6 Open Access Conference
12.11.2008, Düsseldorf

2. Agenda
➢ My place of work
➢ Standards and Open Standards
➢ Open Document Exchange Formats
➢ Security and Protection
➢ ODF and OOXML
➢ Migration at the BSI

3. My place of work: BSI
 Federal Office for Information
Security (Bonn, Germany)
 Federal public agency within the
area of responsibility of the
Federal Ministry for the Interior
 Founded in 1991
unique as a public agency in
comparison to other European establishments
 Staff: around 460 employees
 Budget: 52 million €
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 3

4. Focus of activities
 Internet security
 Secure e-government
 IT baseline protection
 Cryptographic innovation
 Biometrics
 Security from eavesdropping
 Certification and approval
 Protection of critical infrastructure
 Awareness campaign on IT security
 National / international security co-operation
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 4

6. Standards
 British Standards Institute:
 publicly available technical document
 developed in cooperation with interested
parties
 based on scientific results and technical experiences
 intention is to improve the public welfare
 Subsystems can communicate via standardized interfaces
 Basis for interoperable products
 Promote competition between implementations
 Multiple competing standards for the same purpose
question the meaning of standards
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 6

7. Open Standards
 Independent of implementations and manufacturers
 Competition between implementations, not standards
 Increases interoperability, avoids vendor lock-ins
 Facilitates developement of independent + FOSS
 Ensures future-proof access to archived data
 Makes sure that authors can acess their own documents
 There exist various definitions
 Standard has to be a common denominator
→ extensible to additional features
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 7

8. Open Document Exchange Formats
Open document exchange formats are
 independent
 developed in an open process
 sufficiently documented
Advantages of open document exchange formats:
 enhance competition and software diversity
 increase interoperability and automation
 enhance adaptability
 ensure archive security & guarantee future proof
 extensible to additional features
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 8

9. Open Document Exchange Formats
contd.
 Authors retain access to and
control over their documents
 E-Government needs ODEF for
internal / external workflows, ...
and secure documents
 Process to Open Document
Exchange Formats:
Not a question of if,
it´s a question of how!
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 9

10. Security and Protection
 Attacks on IT-Systems increasingly via manipulated binary
office documents
 Attacks are performed by well organized groups with good
technical knowledge.
 For protection, we need to inspect documents
to detect potentially malicious software (binary code)
 In case of critical vulnerability
protection might imply blocking all
documents of proprietary standard
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 10

11. Security and Protection
contd.
 ODEF are well structured and meet the requirements:
 Structure allows for complete, transparent analyses
 Detection of malicious code strongly improved
 Possibilities to hide malicious code strongly reduced
 Efficient isolation of potentially dangerous code (e.g.
macros, pictures, videos ...)
 Suspicious content can be filtered out without necessarily
losing the information of the entire document
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 11

12. ODF (ISO 26300)
 Developed by Sun Microsystems and OASIS
 Many idependent implementations (OO, Koffice, AbiWord)
 Meets security requirements of eGovernment:
structured format, can be scrutinised
 Has been examined and tested
 Possibility to directly access and
edit the XML-files
 Macros uniquely identified with tags
 No definition for a mathematical formula
language reduces interoperability.
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 12

13. OOXML (ISO 29500)
 Developed by Microsoft and Ecma International
 ISO 29500 has not yet been officially published
 There exists no implementation of this standard
 Security scans probably more elaborate + costly due to
 different tags in different document types for same
properties (text color and alignment)
 6x more voluminous spec., indicates more complexity
 No tags for handling macros, also reduces interoperability
 More complex standard might reduce number of
independent implementations and interoperability
 Only few independent implementations to be expected
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 13

14. Migration in the BSI
 In the past few years, BSI has
 migrated from Windows to Linux (around 50%)
 migrated from Microsoft Exchange to KOLAB Groupware
(http://www.kolab.org) with Kontact and Outlook clients
 migrated from MS Office to StarOffice (~100%)
 About 500 installations of StarOffice
 Some installations of MS Office left
(stand-alone and TS)
 Focus on text-documents as a start
 Exchange documents: ODF (and PDF)
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 14

15. Migration in the BSI
Experiences
 The more recent the software, the less trouble
 Positive:
 Packaging and rollout easier with Linux
 Bugs can be found easier and fixed faster
 Better encryption functionality
 Negative (Debian Woody):
 Detection of printers
 Printing PDF-files
 Conversion of most templates after analysing for parts
problematic to convert
 Migration was supported by training for StarOffice
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 15

16. Migration: Lessons learned
 „Where can I find this feature, where has that button
gone?“
 „I want to return to Windows!“
 „This document looked fine on the other machine!?“
 People only accept a few drawbacks
 The every-day-scenarios have to work at least 90%
 Very important in administration: document templates
 Similarity of StarOffice to MS-Office was helpful
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 16

17. Migration: Lessons learned
contd.
 Success strongly depends on willingness to engage into
new software
 Many people care more about (good) applications than
document standards → need good implementations of
typical workflows for open documents.
 Only few severe problems → need more interoperability.
Might have read this before:
It's not a question of IF, it's a question of HOW!
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 17

18. Contact
Federal Office for
Information Security (BSI)
Christian Zier
Godesberger Allee 185-189
53175 Bonn
Tel: +49 (0)228-9582-5946
Fax: +49 (0)228-9582-5400
christian.zier@bsi.bund.de
www.bsi.bund.de
www.bsi-fuer-buerger.de
Christian Zier, BSI, Germany Berlin 6 Open Access Conference, 12.11.2008, Düsseldorf Folie 18