4.1.3.1 ECMA-376 Document Encryption

ECMA-376 document encryption [ECMA-376] using standard encryption does not support CBC and does not have a provision for detecting corruption, although a block cipher (specifically, AES) is not known to be subject to bit-flipping attacks. ECMA-376 documents using agile encryption are required to use CBC and corruption detection, and are not subject to the issues noted for standard encryption.

When setting algorithms for agile encryption, the SHA-2 series of hashing algorithms is preferred. MD2, MD4, and MD5 are not recommended. Older cipher algorithms, such as DES, are also not recommended.

Passwords are limited to 255 Unicode code points.
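
The following added example (not part of the specification) audits an agile encryption descriptor against the guidance in this section and checks the password length limit in code points. The namespaces and the element and attribute names (`keyData`, `dataIntegrity`, `encryptedKey`, `cipherAlgorithm`, `cipherChaining`, `hashAlgorithm`) are assumptions taken from the agile EncryptionInfo XML descriptor rather than from this section, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces and element/attribute names below are assumptions taken from the
# agile EncryptionInfo XML descriptor; this section does not list them.
ENC = "{http://schemas.microsoft.com/office/2006/encryption}"
PWD = "{http://schemas.microsoft.com/office/2006/keyEncryptor/password}"
SHA2 = {"SHA256", "SHA384", "SHA512"}   # preferred
WEAK_HASHES = {"MD2", "MD4", "MD5"}     # not recommended
WEAK_CIPHERS = {"DES"}                  # not recommended
MAX_PASSWORD_CODE_POINTS = 255

# Constructed sample descriptor (not from a real document).
SAMPLE = """<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption"
 xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
 <keyData cipherAlgorithm="DES" cipherChaining="ChainingModeCBC" hashAlgorithm="MD5"/>
 <keyEncryptors><keyEncryptor>
  <p:encryptedKey cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512"/>
 </keyEncryptor></keyEncryptors>
</encryption>"""

def audit_agile_descriptor(xml_text):
    """Return findings for one agile descriptor; an empty list means no issues."""
    root = ET.fromstring(xml_text)
    findings = []
    for name, node in (("keyData", root.find(ENC + "keyData")),
                       ("encryptedKey", root.find(f".//{PWD}encryptedKey"))):
        if node is None:
            findings.append(f"{name}: element missing")
            continue
        hash_alg, cipher = node.get("hashAlgorithm"), node.get("cipherAlgorithm")
        if hash_alg in WEAK_HASHES:
            findings.append(f"{name}: hashAlgorithm {hash_alg} is not recommended")
        elif hash_alg not in SHA2:
            findings.append(f"{name}: hashAlgorithm {hash_alg} is not SHA-2")
        if cipher in WEAK_CIPHERS:
            findings.append(f"{name}: cipherAlgorithm {cipher} is not recommended")
        if node.get("cipherChaining") != "ChainingModeCBC":
            findings.append(f"{name}: cipherChaining is not CBC")
    if root.find(ENC + "dataIntegrity") is None:
        findings.append("dataIntegrity: element missing, corruption is not detectable")
    return findings

def password_within_limit(password):
    # len() on a Python str counts Unicode code points, not UTF-16 units or bytes.
    return len(password) <= MAX_PASSWORD_CODE_POINTS

if __name__ == "__main__":
    for finding in audit_agile_descriptor(SAMPLE):
        print(finding)
```

A length check done on UTF-16 code units or on encoded bytes would reject passwords that are within the 255 code point limit whenever they contain characters outside the Basic Multilingual Plane.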