Date: Mon, 13 Jan 2014 03:59:01 -0500 From: George Staikos <staikos@....org> To: Florian Weimer <fweimer@...hat.com> Cc: security@....org, oss-security@...ts.openwall.com Subject: Re: kwallet crypto misuse This issue has been known for years but it seems kwallet is unmaintained. I had to stop working on it before I could fix this, among other issues. Somebody should fix the crypto, yes, though I'm not sure how urgent an issue this really is. On Jan 2, 2014 3:15 AM, "Florian Weimer" <fweimer@...hat.com> wrote: > I just noticed this is now public: > > <http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/> > > Short summary: kwallet uses Blowfish to encrypt its password store, and > despite an attempt at implementing CBC mode (in a file called cbc.cc no > less), it's actually ECB mode. UTF-16 encoding combined with Blowfish's 64 > bit block size means there are just four password characters per block. > Encryption is convergent as well. This may enable recovery of passwords > through codebook attacks. > > Should we treat this as a minor vulnerability? > > -- > Florian Weimer / Red Hat Product Security Team >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ