List:       oss-security
Subject:    [oss-security] Re: kwallet crypto misuse
From:       George Staikos <staikos () kde ! org>
Date:       2014-01-13 8:59:01
Message-ID: CAFKiAGDwoeMn+VGeU5VMAP3ihRCcXpf+KC2ttq=-dSbLk9DMqw () mail ! gmail ! com

This issue has been known for years but it seems kwallet is unmaintained. I
had to stop working on it before I could fix this, among other issues.
Somebody should fix the crypto, yes, though I'm not sure how urgent an
issue this really is.
On Jan 2, 2014 3:15 AM, "Florian Weimer" <fweimer@redhat.com> wrote:

> I just noticed this is now public:
>
> <http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/>
>
> Short summary: kwallet uses Blowfish to encrypt its password store, and
> despite an attempt at implementing CBC mode (in a file called cbc.cc no
> less), it's actually ECB mode.  UTF-16 encoding combined with Blowfish's 64
> bit block size means there are just four password characters per block.
> Encryption is convergent as well.  This may enable recovery of passwords
> through codebook attacks.
>
> Should we treat this as a minor vulnerability?
>
> --
> Florian Weimer / Red Hat Product Security Team
>
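The ECB-versus-CBC point in the quoted summary, worked through as an added example; this is not code from kwallet or from either poster. It stands in for Blowfish with a different keyed 64-bit permutation (a six-round Feistel network whose round function is HMAC-SHA256), assumes an unsalted SHA-256 key derivation from the wallet passphrase, and zero-pads the last UTF-16 block; none of those choices are taken from kwallet, and the block-level leakage it shows is the same for any 64-bit block cipher used in ECB mode. The codebook attack at the end uses only ciphertexts and a few known entries, never the key: every 8-byte ciphertext block maps back to the same four UTF-16 characters wherever it appears.

```python
"""ECB with a 64-bit block over UTF-16 text: identical 4-character groups of a
password show through, and a codebook attack turns that into recovery."""
from __future__ import annotations

import hashlib
import hmac
import os
from collections import Counter

BLOCK = 8  # 64-bit blocks, the same block size as Blowfish


# --- stand-in 64-bit block cipher ------------------------------------------
# Six-round balanced Feistel network with HMAC-SHA256 as the round function.
# Assumption: this is NOT Blowfish; any keyed, invertible 64-bit permutation
# shows the same ECB leakage, which is what the example is about.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    l, r = block[:4], block[4:]
    for rnd in range(6):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    l, r = block[:4], block[4:]
    for rnd in reversed(range(6)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


# --- modes of operation -----------------------------------------------------
def utf16_blocks(password: str) -> list[bytes]:
    """UTF-16LE encode and split into 8-byte blocks: four code units per block.
    Assumption: the final partial block is zero-padded."""
    data = password.encode("utf-16-le")
    data += b"\0" * (-len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, password: str) -> bytes:
    # Each block is encrypted independently and deterministically.
    return b"".join(block_encrypt(key, b) for b in utf16_blocks(password))


def cbc_encrypt(key: bytes, password: str, iv: bytes = b"") -> bytes:
    # Proper CBC: XOR each block with the previous ciphertext block (the IV for
    # the first) before encrypting; output is IV || ciphertext.
    iv = iv or os.urandom(BLOCK)
    prev, out = iv, []
    for b in utf16_blocks(password):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def wallet_key(passphrase: str) -> bytes:
    # Assumption: unsalted, deterministic key derivation, so two stores that
    # share a passphrase share a key. Together with ECB this makes encryption
    # convergent: same plaintext, same ciphertext, everywhere.
    return hashlib.sha256(passphrase.encode()).digest()


# --- what an attacker sees without the key ---------------------------------
def repeated_block_count(ct: bytes) -> int:
    """Number of ciphertext blocks whose value occurs more than once."""
    counts = Counter(ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK))
    return sum(n for n in counts.values() if n > 1)


def build_codebook(known: list[tuple[str, bytes]]) -> dict[bytes, str]:
    """From (plaintext, ECB ciphertext) pairs under one key, map each
    ciphertext block back to its 4-character group."""
    book: dict[bytes, str] = {}
    for pw, ct in known:
        for p, i in zip(utf16_blocks(pw), range(0, len(ct), BLOCK)):
            book[ct[i:i + BLOCK]] = p.decode("utf-16-le").rstrip("\0")
    return book


def codebook_attack(book: dict[bytes, str], ct: bytes) -> str:
    """Recover every 4-character group already in the codebook; '????' marks
    a group never seen before."""
    return "".join(book.get(ct[i:i + BLOCK], "????")
                   for i in range(0, len(ct), BLOCK))


if __name__ == "__main__":
    key = wallet_key("wallet passphrase")
    pw = "passpasspass"  # three identical 4-character groups (constructed)
    print("ECB repeated blocks:", repeated_block_count(ecb_encrypt(key, pw)))
    print("CBC repeated blocks:", repeated_block_count(cbc_encrypt(key, pw)))
    known = [(p, ecb_encrypt(key, p)) for p in ("password", "letmein12345")]
    print(codebook_attack(build_codebook(known), ecb_encrypt(key, "wordpass9999")))
```

The ECB ciphertext of `passpasspass` is three identical blocks, the CBC ciphertext has none; and two stores holding `password` and `letmein12345` are enough to read `wordpass` out of a third, unknown entry. The `wallet_key` line is what makes this cross-store: with a salted key derivation the codebook would only be valid within one store.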

