oss-sec mailing list archives
Re: kwallet crypto misuse
From: gremlin () gremlin ru
Date: Sat, 4 Jan 2014 18:02:30 +0400
On 03-Jan-2014 12:44:42 -0500, Daniel Kahn Gillmor wrote:
UTF-16 encoding combined with Blowfish's 64 bit block size means there are just four password characters per block.
But this is: any and all passwords, being used for encryption key generation, must be hashed, then salted, then hashed again. SHA-256 may be a good choice for generating Blowfish 256-bit key this way.
what kind of hashing and salting are you talking about?
I'm talting about that very kind of hashing and salting which is normally used to generate an encryption key for symmetric cipher from the supplied password.
i don't think hashing and salting makes sense in the context that you were quoting above. Are you aware that kwallet stores a database of passwords that need to be able to be produced back for the user (or the user's applications) in the clear?
Are you aware that database of passwords is just user's data, which may be virtually anything? Suppose you want to generate a password for some resource and store it safely. One of the easiest methods to do that is running `mkpassphrase | gpg -ea > some_resource.gpg` but let's suppose you don't want to keep a keypair on that machine, so most likely you'll run `mkpassphrase | gpg -ca > some_resource.gpg` GPG will ask you (twice) for a password and produce the output like -----BEGIN PGP MESSAGE----- jA0ECgMC0nbVtnsmoZ9g0lQBFVTSY/avTaGibkt/dFGciqjGih1OXfLCPBRkv9gq sDqdOrjzSO0A+P5ziDalFWJEaNQR5mYQaj/eUP8YAM4e5baFvW+7mSMesuMXqEY1 +E0TCzY= =9DoC -----END PGP MESSAGE----- Now, once you need to access the data (generated password in this exemple), you may run `gpg < some_resource.gpg` provide the encryption password (try "Rent/Author!film2Cool") and get back the previously generated password: Sticky5scum0robust#Comic So, please don't mess the encryption password (key source) and stored password (user's data). -- Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru> GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
Attachment:
_bin
Description:
Current thread:
- Re: kwallet crypto misuse, (continued)
- Re: kwallet crypto misuse cve-assign (Jan 02)
- Re: Re: kwallet crypto misuse Daniel Kahn Gillmor (Jan 02)
- Re: kwallet crypto misuse cve-assign (Jan 02)
- Re: Re: kwallet crypto misuse Kurt Seifried (Jan 02)
- Re: Re: kwallet crypto misuse Daniel Kahn Gillmor (Jan 02)
- Re: Re: kwallet crypto misuse Michael Samuel (Jan 02)
- Re: kwallet crypto misuse cve-assign (Jan 02)
- Re: kwallet crypto misuse gremlin (Jan 02)
- Re: kwallet crypto misuse Daniel Kahn Gillmor (Jan 03)
- Re: kwallet crypto misuse Simon McVittie (Jan 03)
- Re: kwallet crypto misuse Daniel Kahn Gillmor (Jan 03)
- Re: kwallet crypto misuse cve-assign (Jan 03)
- Re: kwallet crypto misuse Daniel Kahn Gillmor (Jan 03)
- Re: kwallet crypto misuse gremlin (Jan 04)