'[oss-security] Re: eCryptfs key wrapping help to crack user password'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: eCryptfs key wrapping help to crack user password
From:       cve-assign () mitre ! org
Date:       2015-02-28 4:11:46
Message-ID: 20150228041146.904966C0016 () smtpvmsrv1 ! mitre ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> In this case, a wrapping key is generated from the user password
> using the hash function SHA-512 applied 65536 times. By default, the
> wrapping key is hashed with the default fixed salt
> (0x0011223344556677) and stored in the a file.
> This was already noticed in bug :
> https://bugs.launchpad.net/ecryptfs/+bug/906550


> https://bugs.launchpad.net/ecryptfs/+bug/906550/comments/5

> all installations end up wrapping (encrypting) the mount passphrase
> with the user login password and the DEFAULT SALT VALUE. A unique salt
> value among almost all installations makes them a convenient target
> for a rainbow table attack on the wrapped-passphrase file.

> I got here because I am dabbling with a config package to implement
> mandatory eCryptfs encrypted home for all users of a system

Use CVE-2014-9687. Our interpretation is that this is a vendor CVE
request based on a vendor's perspective that ecryptfs-setup-private's
use of the default salt was never the intended behavior. (For example,
http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/doc/beginners_guide/ecryptfs_beginners_guide.tex
says "It is highly advised that you also provide a salt along with the
password, which will help make an attack against your files harder
than if you use the default salt.")

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU8T+GAAoJEKllVAevmvmsK88H/RM59bZPtTnS7oPAsXrAmYeY
7zx+ZkmYxwOpTr5HQg/IZw16MnSb83GG7YtRa6XjTadf8jBYuzZpHxAnWncjo+em
6Q3fmTG9yayBcZVV/7/99+mvOcbHE+sF20qg/imRawHUEWQx8wVxk2Z/G6Ef4Eff
kM2fhxKJRfRo1Xb7r3ZPsnQzA2xz3aO9EZaqbsGsQCSoFp9yEmIqiCHL7f8datOw
lOfLJX4U+au/IMMxGkGr+gZZYMCVZb7TUnQDIQXDB1oC4W6Lk5yWfKOqI/3pmaie
muK0BpzE5P4RMLgnP2voHuvOXM9WnjlTeV1wC80qYMVP9UJsjWiaMIV5d1shxYw=
=RVyA
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic