Full Disclosure mailing list archives
PasswordSafe 3.0 weak random number generator allows key recovery attack
From: Markus Jansson <seemyhomepage () katsokotisivuilta ni>
Date: Thu, 23 Mar 2006 23:14:27 +0200
I wonder why havent anyone posted this one here yet?!? Concidering the fact that Password Safe is used to create and store users secure passphrases in one database, the compromise of this database could be horrible...therefore I see this attack/bug also as horrible.
http://www.securityfocus.com/archive/1/428552/30/0/threaded"Title : PasswordSafe 3.0 weak random number generator allows key recovery attack
Date : March 23, 2006 Product : PasswordSafe 3.0 Discovered by : ElcomSoft Co.Ltd. ... PasswordSafe 3.0 utilizes two different random number generator (RNG) functions: Win32 API RtlGenRandom() and standart Visual C++ rand(). RtlGenRandom() is not available on Windows prior to Windows XP (i.e. Windows 2000, Windows NT, Windows Me) so rand() is used instead. Specifically, rand() is used to generate 256-bit database encryption key. It is widely known that using rand() in cryptographic applications is not secure due to its predictbility and small internal state. ... It is possible to mount guaranteed decryption attack on PasswordSafe 3.0 databases created under OS prior to Windows XP. The attack is very simple: 1. Generate 256-bit key for every possible seed value 2. Decrypt first database record (the structure is documented, so we have known plaintext attack) 3) Check decrypted value against the known plaintext ... The total number of all possible seed values is limited by 2^32, so it is quite feasible. Our experiments show that the key can be recovered in less than 6 hours on the single PC (Pentium 4)." Can anyone confirm 1) Is version 2.xx also vulnerable (either on XP or other OS)?2) Password Safe has ability to create secure passphrases, are they too insecure because PRNG is insecure in PSv3?
3) Is there a fix available? 4) Is there a more secure password manager solution available? ;) -- My computer security & privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- PasswordSafe 3.0 weak random number generator allows key recovery attack Markus Jansson (Mar 23)
- Re: PasswordSafe 3.0 weak random number generator allows key recovery attack Dave Korn (Mar 24)