Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 13 Jan 2014 03:59:01 -0500
From: George Staikos <staikos@....org>
To: Florian Weimer <fweimer@...hat.com>
Cc: security@....org, oss-security@...ts.openwall.com
Subject: Re: kwallet crypto misuse

This issue has been known for years but it seems kwallet is unmaintained. I
had to stop working on it before I could fix this,  among other issues.
Somebody should fix the crypto, yes, though I'm not sure how urgent an
issue this really is.
 On Jan 2, 2014 3:15 AM, "Florian Weimer" <fweimer@...hat.com> wrote:

> I just noticed this is now public:
>
> <http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/>
>
> Short summary: kwallet uses Blowfish to encrypt its password store, and
> despite an attempt at implementing CBC mode (in a file called cbc.cc no
> less), it's actually ECB mode.  UTF-16 encoding combined with Blowfish's 64
> bit block size means there are just four password characters per block.
>  Encryption is convergent as well.  This may enable recovery of passwords
> through codebook attacks.
>
> Should we treat this as a minor vulnerability?
>
> --
> Florian Weimer / Red Hat Product Security Team
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ