Home page logo
/

basics logo Security Basics mailing list archives

Re: store passwords securely in the internet
From: Andre Pawlowski <sqall () h4des org>
Date: Tue, 13 Apr 2010 13:57:21 +0200

Yes it is. It's just a string which includes the program name and
version. Because of this string I can also check the version of the
encrypted container. This means if I changed something in the way the
program stores the passwords in following versions, the program can
update the store automatically the next time the user type in the
masterpassword.

Has anyone a better idea to do so without being vulnerable for known
plaintext attacks?


Andre Pawlowski

-------------------------------------------------------------------

Ordnung braucht nur der Dumme, das Genie beherrscht das Chaos.
        -Albert Einstein

On 04/13/2010 02:11 AM, Greg R wrote:
Is the header of an easily predicted format? If so, that opens you up to
a known plaintext attack on the masterkey. Look into how Password safe
solves this problem.

Greg



On Apr 7, 2010, at 11:40 PM, Andre Pawlowski <sqall () h4des org> wrote:

The container is decrypted with this password. If someone entered a
wrong masterpassword, the program will decrypt the container with this
wrong masterpassword, then it checks the header and will see that it
was a wrong masterpassword and gives you an error.

You see, the masterpassword is not stored on the server.

Andre Pawlowski

-------------------------------------------------------------------

Ordnung braucht nur der Dumme, das Genie beherrscht das Chaos.
   -Albert Einstein


On 04/07/2010 10:01 PM, Jhfjjf Hfdsjj wrote:
Wait, if the master password is never stored on the hard disk WHERE
is it stored? Gotta be somewhere in order for it to be used to
decrypt something.



----- Original Message ----
From: Andre Pawlowski<sqall () h4des org>
To: security-basics () securityfocus com
Sent: Tue, April 6, 2010 2:40:05 PM
Subject: store passwords securely in the internet

Hi guys,

I've written a program to store your passwords secure in a container
on a server. It's written for the Horde framework and is called
eleusis ( http://h4des.org/index.php?inhalt=eleusis ). The idea was
to have your passwords everytime available when you are online even
when you are using an internet cafe or a pc at work.

When the user creates a passwordstore, he must give a masterpassword.
With this masterpassword every password you want to save will encrypt
with blowfish. For every step (reading, writing) you have to enter
the masterpassword, because nothing will write unencrypted to the
hard disk. The masterpassword is never stored. When the user entered
the masterpassword, the program will decrypt the container and check
the header. If the header is correctly decrypted, the program will
continue its work, if not, it will show you an error message.

The whole project is written in php. A weak point of the program is
the http protocol. When the user doesn't use https to transfer the
data the passwords will send decrypted over the net.

I hope there is any use for this program and I'm glad if anyone of
you send me any critics or suggestions.

Regards



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You will
find out how to test, purchase, install and use a thawte Digital
Certificate on your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing management
of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1

------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]