From oss-security Mon Jan 13 08:59:01 2014 From: George Staikos Date: Mon, 13 Jan 2014 08:59:01 +0000 To: oss-security Subject: [oss-security] Re: kwallet crypto misuse Message-Id: X-MARC-Message: https://marc.info/?l=oss-security&m=138960361928987 MIME-Version: 1 Content-Type: multipart/mixed; boundary="--001a1135ef167f96a504efd649c7" --001a1135ef167f96a504efd649c7 Content-Type: text/plain; charset=ISO-8859-1 This issue has been known for years but it seems kwallet is unmaintained. I had to stop working on it before I could fix this, among other issues. Somebody should fix the crypto, yes, though I'm not sure how urgent an issue this really is. On Jan 2, 2014 3:15 AM, "Florian Weimer" wrote: > I just noticed this is now public: > > > > Short summary: kwallet uses Blowfish to encrypt its password store, and > despite an attempt at implementing CBC mode (in a file called cbc.cc no > less), it's actually ECB mode. UTF-16 encoding combined with Blowfish's 64 > bit block size means there are just four password characters per block. > Encryption is convergent as well. This may enable recovery of passwords > through codebook attacks. > > Should we treat this as a minor vulnerability? > > -- > Florian Weimer / Red Hat Product Security Team > --001a1135ef167f96a504efd649c7--