Spreadsheet Table Protection Options

Summary

Proposal owner: Kohei Yoshida

Proposal short name: Spreadsheet Table Protection Options

Requested changes to the ODF Standard

Table protection options

A new section will be introduced as a sub-section of Section 8.1 General to describe the new element <table:table-protection>. This new element will specify various options associated with the protected table as its attributes.

Text changes/additions: Section 8.1.x table:protection-option (new section)

If a table is protected, the table can enforce additional usage constraints, or protection options, to prevent users from performing certain actions in addition to the editing of protected cells. Each table can specify zero or more protection options when protected. If there is at least one protection option, the corresponding <table:table> element must have a <table:table-protection> element as its immediate child element. The <table:table-protection> element can have one or more boolean attributes each corresponding with different individual protection option. Each protection option can either enable or disable the specified action: the value of "true" indicates that the specified action is enabled, while the value of "false" indicates the action is disabled.

The protection options can control the following actions:

The <table:table-protection> element can have the following attributes: table:select-protected-cells, and table-select-unprotected-cells. These attributes can only store a single boolean value. When any of these attributes is absent, the value of "false" is assumed.

Text changes/additions: Section 17.x table:select-protected-cells (new section)

The table:select-protected-cells attribute specifies whether or not the table allows users to select cells that are marked "protected" when the table is protected. The default value for this attribute is false.

The table:select-protected-cells attribute can be used with the following elements: <table:table-protection>.

Text changes/additions: Section 17.x table:select-unprotected-cells (new section)

The table:select-unprotected-cells attribute specifies whether or not the table allows users to select cells that are not marked "protected" when the table is protected. The default value for this attribute is false.

The table:select-unprotected-cells attribute can be used with the following elements: <table:table-protection>.

Schema changes/additions:

<define name="table-table-protection">
    <element name="table:table-protection">
        <attribute name="table:select-protected-cells">
            <ref name="boolean"/>            
        </attribute>
        <attribute name="table:select-unprotected-cells">
            <ref name="boolean"/>            
        </attribute>
    </element>
</define>

Additional hashing algorithm

Additionally, Section 17.698 table:protected will specify an alternative hashing algorithm identified by http://docs.oasis-open.org/office/ns/table/legacy-hash-excel as the value of the protection-key-digest-algorithm attribute. This legacy hash algorithm refers to the algorithm outlined in Section 3.3.1.81 of the first draft of the ECMA TC-45 OOXML specification. It has been agreed that, because of the weakness of this legacy hash algorithm, a hash value generated by this algorithm should be double-hashed by one of the hashing algorithms listed in [xmlenc-core]. This implies that we need an additional attribute to specify the second hash algorithm.

(Note: there was an error in the algorithm specified in the aforementioned section of the OOXML spec. The correct algorithm is available in http://kohei.us/2008/01/18/excel-sheet-protection-password-hash/. The algorithm is also duplicated in this proposal below.)

Text changes/additions: Section 17.700 table:protection-key-digest-algorithm

The table:protection-key-digest-algorithm specifies the algorithm used to generate the hash value for the table:protected attribute. It takes the values described in §5.7 of [xmlenc-core]. Reading applications shall support SHA1, which is the default, and SHA256. They may support other algorithms described in §5.7 of [xmlenc-core] or alternative algorithms. Writing applications should use SHA256.

The default value for this attribute is http://www.w3.org/2000/09/xmldsig#sha1.

One notable alternative algorithm is http://docs.oasis-open.org/office/ns/table/legacy-hash-excel, which refers to the hashing algorithm as defined in the following C code snippet.

typedef unsigned char sal_uInt8;
typedef unsigned short sal_uInt16;

sal_uInt16 getPasswordHash(const char* szPassword)
{
    sal_uInt16 cchPassword = strlen(szPassword);
    sal_uInt16 wPasswordHash = 0;
    if (!cchPassword)
        return wPasswordHash;
 
    const char* pch = &szPassword[cchPassword];
    while (pch-- != szPassword)
    {
        wPasswordHash = ((wPasswordHash >> 14) & 0x01) | 
                        ((wPasswordHash << 1) & 0x7fff);
        wPasswordHash ^= *pch;
    }
 
    wPasswordHash = ((wPasswordHash >> 14) & 0x01) | 
                    ((wPasswordHash << 1) & 0x7fff);
 
    wPasswordHash ^= (0x8000 | ('N' << 8) | 'K');
    wPasswordHash ^= cchPassword;
 
    return wPasswordHash;
}

Although this hashing algorithm is very weak and not recommended for use in new documents, hash values generated by this algorithm are in widespread use among legacy spreadsheet documents. As such, when converting such legacy documents to ODF, writing applications should apply additional hashing to the original hash value and store that value to the document in order to compensate for the weakness of the aforementioned legacy hash algorithm. The table:protection-key-digest-algorithm-2 specifies the hashing algorithm to be used to double-hash the original hash value.

Text changes/additions: Section 18.x table:protection-key-digest-algorithm-2 (new section)

The table:protection-key-digest-algorithm-2 specifies the algorithm to use to double-hash the hash value generated by the algorithm specified by the table:protection-key-digest-algorithm. Values allowed in the table:protection-key-digest-algorithm are also allowed in the table:protection-key-digest-algorithm-2 attribute. When this attribute is not specified, conforming applications shall not double-hash the original hash value.

Schema changes/additions:

<define name="office-spreadsheet-attlist" combine="interleave">
    <optional>
        <attribute name="table:structure-protected">
            <ref name="boolean"/>
        </attribute>
    </optional>
    <optional>
        <attribute name="table:protection-key">
            <ref name="string"/>
        </attribute>
    </optional>
    <optional>
        <attribute name="table:protection-key-digest-algorithm">
            <ref name="anyURI"/>
        </attribute>
    </optional>
    <optional>
        <attribute name="table:protection-key-digest-algorithm-2">
            <ref name="anyURI"/>
        </attribute>
    </optional>
</define>

<define name="table-table-attlist" combine="interleave">
    <optional>
        <attribute name="table:protected">
            <ref name="boolean"/>
        </attribute>
    </optional>
    <optional>
        <attribute name="table:protection-key">
            <text/>
        </attribute>
    </optional>
    <optional>
        <attribute name="table:protection-key-digest-algorithm">
            <ref name="anyURI"/>
        </attribute>
    </optional>
    <optional>
        <attribute name="table:protection-key-digest-algorithm-2">
            <ref name="anyURI"/>
        </attribute>
    </optional>
</define>

Rationale

Use cases

When protecting a table, it is sometimes useful to limit cell selection to only those that are not protected, so that when moving the cell cursor the cursor would only move from one unprotected cell to another, skipping over those that are protected.

Another rationale for this addition is for the interoperability with Excel documents, since Excel already supports a superset of the proposed protection options. In this proposal only two options are proposed due to lack of reference implementation; however, in future more options will likely be added as they become implemented by ODF-supporting applications.

Alternatives considered

There are no alternatives considered for this feature.

Impacts

Conformance

This proposal does not add any mandatory feature or behaviors to ODF documents or applications. If an ODF application does not support table protection options, it can ignore them. Likewise, if the application does not support proposed double-hashing or the specified legacy algorithm, it can ignore the password altogether in which case the table remains protected but without password. This is possible because the protection of a table does not involve encryption of its content.

Backwards compatibility

There is no impact on the existing ODF processors since this proposal will not change the behaviors of any existing features. Old processors can still read all the other elements while skipping the new attributes and element.

Accessibility impact

There is no impact on accessibility.

Workflow (to be filled in by TC Chairs)

Category: CategoryNewProposal

Date Proposal initially made:

Dates Proposal discussed on TC calls: 14 July 2008

Date vote is requested:

Date vote is held:

Results of vote:

Spreadsheet_Table_Protection_Options (last edited 2009-08-12 18:04:25 by localhost)