Bugtraq mailing list archives
Re: PasswordSafe 3.0 weak random number generator allows key recovery attack
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Thu, 23 Mar 2006 19:41:11 -0000
info () elcomsoft com wrote:
> Title   : PasswordSafe 3.0 weak random number generator allows key recovery attack
> Date    : March 23, 2006
> Product : PasswordSafe 3.0

Say, are you referring to /the/ PasswordSafe 3.0, you know, the one by that Schneier guy, the one that's on sourceforge, ..... ... the one that's still in BETA for god's sake and which comes plastered in warnings like

" This is still a BETA release! It should NOT be used as the only tool for storing "real" password information. For securely storing real password entries, please use release 2.16."

;-) Heh, this is a QC / bug report, not a security advisory! There is currently no such thing as "PasswordSafe 3.0", and http://passwordsafe.sourceforge.net/ refers to it as "3.0Beta1". (But yeh, this is a valid issue and of course should be fixed before the product is actually released).

> It is possible to mount a guaranteed decryption attack on PasswordSafe 3.0 databases created under an OS prior to Windows XP. The attack is very simple:
>
> 1. Generate a 256-bit key for every possible seed value
> 2. Decrypt the first database record (the structure is documented, so we have a known plaintext attack)
> 3. Check the decrypted value against the known plaintext
>
> The total number of all possible seed values is limited by 2^32, so it is quite feasible. Our experiments show that the key can be recovered in less than 6 hours on a single PC (Pentium 4).

> Solution/workaround
> ======================================================================
> PasswordSafe should not use the rand() function; a cryptographic RNG should be used instead.

I think he should probably pre-pend a random amount of random pad bytes to the start of the file as well. Help to hide the known plaintext from even being at a known offset into the ciphertext stream.

cheers,
DaveK
--
Can't think of a witty .sigline today....
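
The rand() versus cryptographic RNG point in the advisory quoted above, shown as an added example that is not part of the original messages and is not PasswordSafe's code. The key-filling loop, the function names and the use of /dev/urandom on a POSIX system are assumptions made for illustration; the point is that a 256-bit key filled from rand() is fully determined by its seed, while the hardened form takes every byte from the OS generator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32  /* 256-bit key, as in the advisory */

/* Weak pattern (hypothetical, not PasswordSafe's code): every key byte
 * comes from rand(), so the whole key is a function of the seed alone. */
void weak_key(unsigned int seed, unsigned char key[KEY_LEN])
{
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened pattern: take all key bytes from the OS CSPRNG.
 * Assumption: a POSIX system with /dev/urandom; on Windows the
 * counterpart is the system crypto RNG (e.g. CryptGenRandom).
 * Returns 0 on success, -1 if the full key could not be read. */
int strong_key(unsigned char key[KEY_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(key, 1, KEY_LEN, f);
    fclose(f);
    if (got != KEY_LEN) {
        memset(key, 0, KEY_LEN);  /* never hand back a partial key */
        return -1;
    }
    return 0;
}

/* 1 if regenerating from the same seed reproduces the key exactly. */
int key_is_reproducible(unsigned int seed)
{
    unsigned char a[KEY_LEN], b[KEY_LEN];
    weak_key(seed, a);
    weak_key(seed, b);
    return memcmp(a, b, KEY_LEN) == 0;
}

int main(void)
{
    unsigned char k1[KEY_LEN], k2[KEY_LEN];
    printf("rand() key reproducible from seed: %d\n", key_is_reproducible(12345u));
    if (strong_key(k1) != 0 || strong_key(k2) != 0)
        return 1;
    printf("two CSPRNG keys identical: %d\n", memcmp(k1, k2, KEY_LEN) == 0);
    return 0;
}
```

A code review check that follows from this: any call path from srand()/rand() into key, salt or IV material is a finding, whatever the nominal key length.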