Date: Thu, 26 Feb 2015 20:01:00 -0600
From: Tyler Hicks <tyhicks@...onical.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: eCryptfs key wrapping help to crack user password

[adding cve-assign to cc]

On 2015-02-10 16:49:19, Tyler Hicks wrote:
> On 2015-02-10 15:07:24, Sylvain Pelissier wrote:
> > Hi,
> >
> > I have noticed that ecryptfs-utils is the default program used by the
> > Ubuntu distributions for home folder encryption since version 10.04.
> > In this case, a wrapping key is generated from the user password
> > using the hash function SHA-512 applied 65536 times. By default, the
> > wrapping key is hashed with the default fixed salt
> > (0x0011223344556677) and stored in a file.
> > This was already noticed in bug:
> > https://bugs.launchpad.net/ecryptfs/+bug/906550
> > For Ubuntu installations time-memory trade-off (rainbow tables, etc.)
> > can apply, as well as bulk dictionary attacks to crack user passwords
> > of Ubuntu installations when the home folder encryption is activated.
> > I am currently working to correct this weakness.
>
> Thanks for reporting this issue, Sylvain.
>
> I have confirmed the analysis above and upstream ecryptfs-utils is
> working to correct the problem.
>
> Tyler
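The weakness described in the thread comes down to one property: with a fixed, installation-wide salt, every user who picks the same passphrase ends up with the same derived wrapping key, so one precomputed table serves every installation. The following is an added illustration, not code from ecryptfs-utils or from either poster. It models the reported construction (SHA-512 iterated 65536 times over a salted passphrase) and contrasts the fixed default salt from the report with a per-user random salt; the `salt || password` input ordering and the plain re-hashing of the digest are assumptions for illustration and are not claimed to be byte-compatible with the real ecryptfs-utils derivation. The function names (`derive_wrapping_key`, `keys_collide`, `new_user_salt`) are the example's own.

```python
import hashlib
import os

# Fixed default salt named in the report (0x0011223344556677), as raw bytes.
DEFAULT_FIXED_SALT = bytes.fromhex("0011223344556677")

# Iteration count named in the report.
ITERATIONS = 65536


def derive_wrapping_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated SHA-512 passphrase hash (illustrative model, not the real format).

    Assumed construction: digest = SHA512(salt || password), then the digest
    is re-hashed (iterations - 1) more times. The salt is the only input that
    can vary between users for a given passphrase, which is exactly why a
    fixed salt makes the output precomputable across installations.
    """
    if len(salt) != 8:
        raise ValueError("salt must be 8 bytes")
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(digest).digest()
    return digest


def keys_collide(password: str, salt_a: bytes, salt_b: bytes) -> bool:
    """True when two installations derive the same wrapping key for one passphrase.

    With the fixed default salt on both sides this is always True, which is
    the condition that lets rainbow tables and bulk dictionary attacks apply
    to every installation at once. With independent per-user salts it is
    False except with negligible probability.
    """
    return derive_wrapping_key(password, salt_a) == derive_wrapping_key(password, salt_b)


def new_user_salt() -> bytes:
    """Hardened variant: a fresh 8-byte random salt generated per user.

    Storing this salt next to the wrapped key (it need not be secret) forces
    any precomputation to be redone per user, which is the mitigation the
    thread says upstream was working toward.
    """
    return os.urandom(8)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample passphrase
    print("fixed salt, two installs collide:",
          keys_collide(pw, DEFAULT_FIXED_SALT, DEFAULT_FIXED_SALT))
    print("per-user salts collide:",
          keys_collide(pw, new_user_salt(), new_user_salt()))
```

The salt length check is deliberately strict: the report's salt is 8 bytes, and a silently accepted empty salt would be worse than the fixed one. The `keys_collide` helper is the check a defender would run against a key store: if two accounts with the same passphrase yield the same derived key, the derivation is not per-user salted.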