[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] kwallet crypto misuse
From: gremlin () gremlin ! ru
Date: 2014-01-03 7:27:12
Message-ID: 20140103072712.GB16139 () gremlin ! ru
[Download RAW message or body]
On 02-Jan-2014 09:15:15 +0100, Florian Weimer wrote:
> I just noticed this is now public:
> http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/
> Short summary: kwallet uses Blowfish to encrypt its password
> store, and despite an attempt at implementing CBC mode (in a
> file called cbc.cc no less), it's actually ECB mode.
That's unpleasant, but not really a fatal issue...
> UTF-16 encoding combined with Blowfish's 64 bit block size means
> there are just four password characters per block.
But this is: any and all passwords, being used for encryption key
generation, must be hashed, then salted, then hashed again. SHA-256
may be a good choice for generating Blowfish 256-bit key this way.
> Encryption is convergent as well. This may enable recovery of
> passwords through codebook attacks. Should we treat this as a
> minor vulnerability?
Is it really minor?
--
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ðòé gremlin ôþë ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic