At first, several words about me. Everything is okay with sound and video and slides? Hope so. Oh, nice. Several words at first about myself: I am living in Belarus nowadays, working for Sips World Software Company for around 10 years, I think. And for around the last 5 years, I've been working on LibreOffice, and that's all.

What I wanted to talk about is document encryption, and that things are not only limited to password protection. At first, a classical story of why we do this and need this and how we are able to restrict access to office documents. It is an obvious situation for any company: we need to somehow hide our company secrets from unrestricted users. The simplest thing possible is just to do password protection. It is accessible out of the box for many office packages, very easy, no setup. We can store the document anywhere, we can share it very easily, throw it via email, transfer it by any possible means. But at the same time, we have huge, huge problems if this secret password is compromised, and we are very limited in how to control access to these documents.

Another side is some complex content management systems. Like those based on CMIS, like Alfresco, potentially any cloud storage like Nextcloud, ownCloud, Google Docs and so on and so on, there are many of them. They are interesting in that documents are stored somewhere in the cloud or somewhere in special storage. But this means that we have limited access to these documents, potential problems with offline access, problems with sharing: we cannot easily just take a document and put it somewhere else, accessible to other people. But at the same time, we have rather good control of access rights for these documents. We can flexibly control which user can do what, on which documents. This is kind of a cool thing.

But are there any possibilities in between? Right now, I will be talking just about one of them, provided by Microsoft.
I'm sure it is not the only one, but I just want to have a kind of intro about what we have made and why we made this feature. And this was implemented exactly to support this rights management system from Microsoft.

Just for example, I want to share some brief understanding of how these things are working. Like, classically, we have Alice and Bob, and Alice wants to transfer some secret file to Bob. In our case, there is the RMS server located somewhere. Alice initiates a request to the RMS service, authenticates. Usually this RMS server is with Active Directory, so authentication, user rights and so on and so on. And back, the RMS server gives a document license to Alice. As a result, Alice, using this document license, generates a symmetric key, encrypts the document with this secret key and is able to transfer this document freely. It is a document encrypted in a very similar way to password-protected documents, but not password protected. So it can be stored anywhere, used anywhere and transferred by any open sources, in this case to another user.

To access this document, a recipient should also request the RMS server for the encryption key. The RMS server checks if this user is actually validated to do this, if different things match, and gives enough information to decrypt this document, and the document is decrypted. This is a very brief understanding of how this RMS system service from Microsoft is working. In real life, it is much more complicated, but for us, for our current moment, it is sufficient.

What we practically have here: we're trying to get the benefits of both the ways I mentioned. We have easy sharing of documents, like for password-protected documents, so we can store it anywhere on hard drive, on USB sticks, transferred by email, transferred anywhere in public, anywhere where encrypted. But at the same time, we have good control of who can access these documents and how.
For this, obviously, it is defined by Active Directory, Microsoft, and all access rights can be set up very flexibly for any documents. Either the user can have full access or read-only access, whether the user has a right to print the document, whether the user has a right to export the document, somehow to extract the information from the document, and that's all. So I'm definitely sure that it's not the only system which is able to do such things, but this is what was requested from us and what we support for this in LibreOffice. Well, as you see, LibreOffice is not able to recognize such encrypted Microsoft documents and display it in this way.

Before going forward, I just wanted to go deeper into what the encrypted document really looks like. For a standard document, Microsoft will use XML-based packages, but for an encrypted document, for password-protected encrypted, as for this encryption type, we are still using a compound file, like in the ancient times of the binary doc format. So what should we really expect it to do? Here is a small representation of a password-protected file, how it looks, and all the streams inside this compound file. There you can see the encrypted package, which is the actual encrypted zip document. It is a correct DOCX document, but it is encrypted.

For correct reading of this document, at first, the reader should take a look at... something wrong in my list. At first, there is a special stream called DataSpaceMap, which contains information on which Dataspace is actually used for this document. In this case, inside this DataSpaceMap file, it contains information: well, we are using the Strong Encryption Dataspace. Well, next we should read this Strong Encryption Dataspace file. And here, there is written information about the used transformation. In this case, for password-protected, it is a strong encryption transformation. And when we read this meta-information about the actual transformation, there is a file with details about the encryption and what is really used and how to decrypt it.
So practically, the first phase when we can detect how the file is encrypted is this Dataspace name. For a password-protected document, it is called Strong Encryption Dataspace. For an RMS-encrypted document, instead of Strong Encryption Dataspace, it is called the DRM Encrypted Dataspace. And of course, slightly different transformations are used and we store different information. Below there is a link to the Microsoft specification with details about encrypted documents.

But well, right now we can go to what actually happens on the LibreOffice side. Practically, I did not invent something really new. Just extracted the existing password protection, wrapped it as an interface, and Strong Encryption Dataspace is one of the implementations inside of the LibreOffice core. What is the goal? It is that with this idea, with this interface, we can provide any custom encryptions just by implementing this interface. Unfortunately, the api.libreoffice.org site was not updated yet with version 7.0. So for now, I will put a link just to the IDL file with information about this interface. But practically, there is nothing worth briefly talking about.

And right now, what happens when LibreOffice is trying to open such encrypted documents? At first, LibreOffice sees that the document is actually encrypted, as before. Later, right now, we are parsing all this meta-information inside the compound file. What I was talking about is the Dataspace map, and to find the corresponding Dataspace. I have a feeling that Microsoft invented such a complex format to have a kind of chain of different transformations, potentially. So we can probably have a DRM-encrypted document and then password encrypted at the same time. But practically, I wasn't able to do this. So let's assume that anyway, we still have just one protection document. And then LibreOffice is trying to create a special service with this Dataspace naming.
As I mentioned before, we already have an implementation out of the box in LibreOffice for password protection. For any other cases, LibreOffice obviously will not find the corresponding service and will say, well, I'm not able to open this document. Otherwise, like before, the document is being decrypted, but just with use of this new interface.

Let me show briefly how it looks on a real-world example. Where is it? Sample Writer document. Here is a special toolbar for this information received from this RMS service. Here is a list of special templates, to not set up and tweak all the details of the document, who is able to access it, what types of access, develop a feature like templates. But not the case for it and let's see everything is... oops, misspell. Okay. And right now, as I have shown before, there was a request to the RMS server, a license was received for this document, and this information is now stored inside the meta-information for the document. And once we save it, we can try to look at what it looks like. So probably you see it is a compound file. It contains the encrypted package here, which is of course the byte mess. And as I was saying, it has the DRM encrypted data space with information like which transformation to use and so on.

And this document obviously can be opened with Word, and Word is also the triggering that we have current user, of course, has full access to the document. But if I switch to another user, it will show the corresponding access or no access at all. There are potentially some documents, interesting, created by some user from some another user, just a small one on an attempt to open the document. I am often created to RMS service or it is no password request, but for a fresh setup, it will say, well, you need to enter credentials and blah, blah, blah. So this document is not created by me, by the current user. I cannot change the permissions of it, but I am able to edit and do different things on it.
At the same time, if I open another document, here is a document which is opened read-only. I cannot do anything on it. I cannot save it. I cannot export it. Looks like I have a print preview. Don't remember. Yeah, for this case, and one really interesting case is read-only without the right to export the document. So for me right now, the document is displayed, I see its contents, but I've experimented with the transfer and usually the LibreOffice instance is not visible completely. So in previous Windows builds, it was just a black screen instead of this window. But for fresh builds, it just disappears. I am not able to make a screenshot of this document. I am not able to do anything. I cannot copy-paste from it. It is not visible with screen capture, not visible on a screenshot, not visible in TeamViewer, not visible in Jitsi. Quite a fun feature as for me.

And let's go back to the feature. And something else. I was mentioning features about document access control. And yes, they are also right now implemented inside LibreOffice. Here is a code snippet which is disabling printing for the current document. As usual, we need to have access to the model of the document. And there is a special property, which we are setting with the setArgs method. Nothing critical.

Right now the following locks are implemented. Lock print, pretty obvious. Lock export, it is disabling, for the current document, the save as and export as features. Lock edit document, read-only, also was shown. Lock content extraction, it is what I was not able to show with the shared screen. In this mode, you are unable to copy information from the document, unable to cut information from the document; with the RMS feature and Windows feature, it is not possible even to show a screenshot of this document. And also it is not accessible from extensions via UNO calls. So access to the document model is prohibited. And a separate lock, lock save. By itself, it is useless if you have the ability just to save or not to save the document.
But in combination with others, for example, some user has the ability just to edit the document. But he has no ability, for example, to print the document or to export the document. He can just edit and save back.

Let's in brief see how the features are working here. Because it is somewhat tricky in implementation, I've created a sample extension for this API. It can be accessed from here. Practically it implements a new service, which is called XOR encryption data space. It is making the things exactly like for other normal Windows, sorry, DOCX protection, simulates all the streams, but the practical encryption is just a primitive XOR cipher. And it is used just for demo purposes.

Sorry, we don't see the slide anymore currently. We only see your title slide.

Moment, need to, I'll reload. Nothing from which slide you will not be able to see, something is broken locally.

Basically, since the end of the demo, we didn't see the slides.

Demo, demo, demo was somewhere. So about lock printing, I was talking and it is visible. So this one, the snippet I was showing, yes. And actually what I was talking about right now is this demo extension. It is a link to GitHub with sources. And basically what I have told already: sample data space, sample encryption with XOR encryption. I was too lazy to invent some new CPP extension. It was just based on the complex toolbar control from the SDK. So it probably contains a mess of different unnecessary things.

And one important topic. Why is this implemented as an interface and not inside the core? Well, I think it is not a very good idea to have another dependency for whatever seldom used document types. But for the build there will be dependencies on some special SDKs from Microsoft. There a bunch of different versions, really a mess of different versions, exist. Version for Azure Information Protection, Microsoft Information Protection, RMS SDK version 2.1, RMS SDK version 4.2.
Practically, at the document encryption level they behave almost identically. But the high-level API implementations for different languages, for different platforms are completely different. So it is easy to get lost there. There are some license nuances there, because the sources Microsoft did provide for free do not contain the specific encryption used for office documents. Well, this is making it absolutely useless for LibreOffice. We are not able to encrypt documents which can be later opened by Microsoft Word. It is a good playground for any custom file formats, but not for LibreOffice.

And another topic, quite important. The UI and usability of these things. Customers wanted quite a specific toolbar with specific features. Not like in Microsoft, they don't want all the complex features of RMS document access properties. So the user should not spend half an hour to tweak and tune all the access rights and all possibilities. And he should not have access to do these things. So as I showed in my extension, it is quite easy, with several clicks it is provided. So that's why it is implemented in this way, with some new encryption API and an extension. So with the provided example, it is relatively easy to create any other implementation for this RMS service with any other demands on how it should look and feel, or any other encryption. Potentially it is not limited to what is defined by Microsoft.

And that's all I wanted to say right now. There are a couple of minutes remaining of my talk. Any questions?

Can you unshare your screen? Thanks. One question, is it limited only to Windows because of the Microsoft dependencies at this time?

No, Microsoft also provided SDKs for all platforms, even for mobile platforms. But I'm not quite sure, I was not using them practically. So I'm not sure if it is a case for LibreOffice, but they do exist. So for any custom project, you can use some API SDK for Linux, for macOS, for mobile platforms.

One question, please, if possible. Can you hear me?
Yeah, it's Stefan speaking from the TDF team. At some point in your presentation you showed a document not to be exported, because the export was grayed out. But below there was export as and it was active, in my opinion. Is that right? It should not be active.

Moment, I'll double check by myself how it looks for me. Reason of this export. The export as is actually visible, but all the submenus of this menu are disabled. So the top-level menu is still enabled.

So you cannot use export as?

Yes, the submenus of export as are also disabled. But the top-level menu is, it is just UI, I think.

Okay, thank you.

In this case, thanks all for watching.
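
The detection step described in the talk (read the DataSpaceMap stream, then branch on the data space name) can be sketched as follows. This is an added example, not code from the talk, from LibreOffice or from the demo extension; it assumes the DataSpaceMap layout from the Microsoft specification the speaker mentions (MS-OFFCRYPTO), that the stream bytes have already been extracted from the compound file, and the sample streams are constructed here rather than taken from real documents.

```python
import struct

# Data space names from MS-OFFCRYPTO, mapped to the protection they indicate.
KNOWN_SPACES = {"StrongEncryptionDataSpace": "password",
                "DRMEncryptedDataSpace": "rights-management"}

def _read_lp_p4(buf, off):
    """Read a UNICODE-LP-P4 string: u32 byte length, UTF-16LE data, pad to 4."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if n % 2 or off + n > len(buf):
        raise ValueError("bad string length in DataSpaceMap")
    text = buf[off:off + n].decode("utf-16-le")
    return text, off + n + (-n % 4)

def parse_dataspace_map(buf):
    """Return [(referenced components, data space name)] for each map entry."""
    header_len, count = struct.unpack_from("<II", buf, 0)
    if header_len != 8:
        raise ValueError("unexpected DataSpaceMap header length")
    off, entries = 8, []
    for _ in range(count):
        start = off
        entry_len, ref_count = struct.unpack_from("<II", buf, off)
        off += 8
        refs = []
        for _ in range(ref_count):
            off += 4  # skip ReferenceComponentType (0 = stream, 1 = storage)
            name, off = _read_lp_p4(buf, off)
            refs.append(name)
        space, off = _read_lp_p4(buf, off)
        if off - start != entry_len:
            raise ValueError("entry length mismatch")
        entries.append((refs, space))
    return entries

def classify(buf):
    """Map each protected component to 'password', 'rights-management' or 'unknown'."""
    return {ref: KNOWN_SPACES.get(space, "unknown")
            for refs, space in parse_dataspace_map(buf) for ref in refs}

def _lp_p4(s):  # builder for the constructed samples below
    raw = s.encode("utf-16-le")
    return struct.pack("<I", len(raw)) + raw + b"\0" * (-len(raw) % 4)

def build_map(space):  # constructed sample: one entry for "EncryptedPackage"
    body = struct.pack("<II", 1, 0) + _lp_p4("EncryptedPackage") + _lp_p4(space)
    return struct.pack("<III", 8, 1, len(body) + 4) + body
```

A name that maps to "unknown" corresponds to the case in the talk where no matching service is found and the document cannot be opened.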