Date: Fri, 27 Feb 2015 23:11:46 -0500 (EST) From: cve-assign@...re.org To: tyhicks@...onical.com, sylvain.pelissier@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: eCryptfs key wrapping help to crack user password -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > In this case, a wrapping key is generated from the user password > using the hash function SHA-512 applied 65536 times. By default, the > wrapping key is hashed with the default fixed salt > (0x0011223344556677) and stored in the a file. > This was already noticed in bug : > https://bugs.launchpad.net/ecryptfs/+bug/906550 > https://bugs.launchpad.net/ecryptfs/+bug/906550/comments/5 > all installations end up wrapping (encrypting) the mount passphrase > with the user login password and the DEFAULT SALT VALUE. A unique salt > value among almost all installations makes them a convenient target > for a rainbow table attack on the wrapped-passphrase file. > I got here because I am dabbling with a config package to implement > mandatory eCryptfs encrypted home for all users of a system Use CVE-2014-9687. Our interpretation is that this is a vendor CVE request based on a vendor's perspective that ecryptfs-setup-private's use of the default salt was never the intended behavior. (For example, http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/doc/beginners_guide/ecryptfs_beginners_guide.tex says "It is highly advised that you also provide a salt along with the password, which will help make an attack against your files harder than if you use the default salt.") - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU8T+GAAoJEKllVAevmvmsK88H/RM59bZPtTnS7oPAsXrAmYeY 7zx+ZkmYxwOpTr5HQg/IZw16MnSb83GG7YtRa6XjTadf8jBYuzZpHxAnWncjo+em 6Q3fmTG9yayBcZVV/7/99+mvOcbHE+sF20qg/imRawHUEWQx8wVxk2Z/G6Ef4Eff kM2fhxKJRfRo1Xb7r3ZPsnQzA2xz3aO9EZaqbsGsQCSoFp9yEmIqiCHL7f8datOw lOfLJX4U+au/IMMxGkGr+gZZYMCVZb7TUnQDIQXDB1oC4W6Lk5yWfKOqI/3pmaie muK0BpzE5P4RMLgnP2voHuvOXM9WnjlTeV1wC80qYMVP9UJsjWiaMIV5d1shxYw= =RVyA -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ