Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: kwallet crypto misuse
From: gremlin () gremlin ru
Date: Sat, 4 Jan 2014 18:02:30 +0400

On 03-Jan-2014 12:44:42 -0500, Daniel Kahn Gillmor wrote:

UTF-16 encoding combined with Blowfish's 64 bit block size
means there are just four password characters per block.

But this is: any and all passwords, being used for encryption
key generation, must be hashed, then salted, then hashed
again. SHA-256 may be a good choice for generating Blowfish
256-bit key this way.

what kind of hashing and salting are you talking about?

I'm talting about that very kind of hashing and salting which is
normally used to generate an encryption key for symmetric cipher
from the supplied password.

i don't think hashing and salting makes sense in the context
that you were quoting above. Are you aware that kwallet stores
a database of passwords that need to be able to be produced back
for the user (or the user's applications) in the clear?

Are you aware that database of passwords is just user's data, which
may be virtually anything?

Suppose you want to generate a password for some resource and store
it safely. One of the easiest methods to do that is running

`mkpassphrase | gpg -ea > some_resource.gpg`

but let's suppose you don't want to keep a keypair on that machine,
so most likely you'll run

`mkpassphrase | gpg -ca > some_resource.gpg`

GPG will ask you (twice) for a password and produce the output like

-----BEGIN PGP MESSAGE-----

jA0ECgMC0nbVtnsmoZ9g0lQBFVTSY/avTaGibkt/dFGciqjGih1OXfLCPBRkv9gq
sDqdOrjzSO0A+P5ziDalFWJEaNQR5mYQaj/eUP8YAM4e5baFvW+7mSMesuMXqEY1
+E0TCzY=
=9DoC
-----END PGP MESSAGE-----

Now, once you need to access the data (generated password in this
exemple), you may run

`gpg < some_resource.gpg`

provide the encryption password (try "Rent/Author!film2Cool") and
get back the previously generated password: Sticky5scum0robust#Comic

So, please don't mess the encryption password (key source) and stored
password (user's data).


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault