Date: Thu, 26 Feb 2015 20:01:00 -0600
From: Tyler Hicks <tyhicks@...onical.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: eCryptfs key wrapping help to crack user password

[adding cve-assign to cc]

On 2015-02-10 16:49:19, Tyler Hicks wrote:
> On 2015-02-10 15:07:24, Sylvain Pelissier wrote:
> > Hi,
> > 
> > I have noticed that ecryptfs-utils is the default program used by the
> > Ubuntu distributions for home folder encryption since version 10.04.
> > In this case, a wrapping key is generated from the user password
> > using the hash function SHA-512 applied 65536 times. By default, the
> > wrapping key is hashed with the default fixed salt
> > (0x0011223344556677) and stored in a file.
> > This was already noticed in bug:
> > https://bugs.launchpad.net/ecryptfs/+bug/906550
> > For Ubuntu installations time-memory trade-off (rainbow tables, etc.)
> > can apply, as well as bulk dictionary attacks to crack user passwords
> > of Ubuntu installations when the home folder encryption is activated.
> > I am currently working to correct this weakness.
> 
> Thanks for reporting this issue, Sylvain.
> 
> I have confirmed the analysis above and upstream ecryptfs-utils is
> working to correct the problem.
> 
> Tyler

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
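The point of the report is that a wrapping key derived from the password with a fixed, well-known salt is the same on every installation for a given password, so work done once can be reused everywhere, whereas a per-user random salt ties the derivation to one installation. The following is an added illustration, not code from the thread or from ecryptfs-utils: it models the derivation only as "SHA-512 over salt and password, then rehashed for a total of 65536 rounds", which is an assumption about the exact byte layout, and compares the fixed default salt quoted in the report with a freshly generated per-user salt.

```python
import hashlib
import os

# Values quoted in the report: the default fixed salt and the iteration count.
DEFAULT_FIXED_SALT = bytes.fromhex("0011223344556677")
ITERATIONS = 65536


def derive_wrapping_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Constructed model of the derivation: SHA-512 of salt || password,
    then the digest is rehashed until `iterations` rounds have run.
    The concatenation order and the use of the full 64-byte digest are
    assumptions for illustration, not the ecryptfs-utils byte layout."""
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(digest).digest()
    return digest


def per_user_salt() -> bytes:
    """A fresh random 8-byte salt for one user (the direction of the fix)."""
    return os.urandom(8)


def same_key_on_two_installs(password: str, salt_install_a: bytes, salt_install_b: bytes) -> bool:
    """True when two installations would store an identical wrapping key for
    the same password, i.e. when a precomputed result transfers between them."""
    return derive_wrapping_key(password, salt_install_a) == derive_wrapping_key(password, salt_install_b)


def reuse_report(password: str) -> dict:
    """Summarise the salt comparison for one constructed password."""
    return {
        "fixed_salt_reusable": same_key_on_two_installs(password, DEFAULT_FIXED_SALT, DEFAULT_FIXED_SALT),
        "random_salt_reusable": same_key_on_two_installs(password, per_user_salt(), per_user_salt()),
    }


if __name__ == "__main__":
    # Constructed sample password; any value shows the same behaviour.
    result = reuse_report("example-passphrase")
    print("fixed default salt: key identical across installs ->", result["fixed_salt_reusable"])
    print("per-user random salt: key identical across installs ->", result["random_salt_reusable"])
```

With the fixed salt the report shows `True`: the stored wrapping key depends on the password alone. With a per-user random salt it shows `False`, so nothing computed for one installation applies to another, which is the property a salt is meant to provide.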
