[Dshield] password security
Valdis.Kletnieks at vt.edu
Fri Feb 6 15:59:47 GMT 2009
On Fri, 06 Feb 2009 08:35:40 +0100, Stephane Grobety said:
> When I had to solve that problem for myself, I wrote a small text
> editor that incorporates both strong encryption, an FTP client, a
> rudimentary version control system and an automated downloader.
Kids, don't try this at home. ;)
It's amazingly easy to get this sort of thing terribly wrong. Common errors
include not realizing that the program's data in RAM can end up out on an
unencrypted swap area, creating temporary work files that aren't themselves
encrypted, using a strong crypto algorithm in a weak manner, and various
other ways of leaving the master key around in plaintext so a miscreant
can get it.
As Bruce Schneier said:
"There are two kinds of cryptography in this world: cryptography that will stop
your kid sister from reading your files, and cryptography that will stop major
governments from reading your files."
If you think you've designed the latter, you're almost certainly wrong...
(As an object proof, I'll point out that Bruce himself attacked this
"save a user's passwords" issue: http://www.schneier.com/passsafe.html
And somebody found a hole in version 1 and 2:
http://www.securiteam.com/windowsntfocus/6C0022AEVQ.html
And a different hole:
http://www.webhostingtalk.nl/bugtraq-mailing-lijst/27482-leak-information-counterpane-bruce-schneiers-now-open-source-password-safe-program.html
And yet another different hole in version 3:
http://www.derkeiler.com/Mailing-Lists/VulnWatch/2006-03/msg00012.html
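Editor's added example (not code from the post above, nor from Password Safe): two of the pitfalls Valdis lists, "using a strong crypto algorithm in a weak manner" and leaving the master key derivable in a weak form, shown concretely. A keystream is built from HMAC-SHA256 in counter mode, which is a sound construction, and then reused with the same nonce for two files; the XOR of the two ciphertexts equals the XOR of the two plaintexts, so anyone who knows one file recovers the other without the key. Alongside it, an unsalted single hash of the password is contrasted with PBKDF2 from the standard library. All passwords, salts, nonces and plaintexts are constructed here for illustration.

```python
"""Strong primitive, weak usage: nonce reuse in a counter-mode stream cipher,
plus weak vs. stretched password-to-key derivation. Stdlib only.
(Added example, not from the original mailing-list post.)"""
import hashlib
import hmac
import secrets


def weak_key_from_password(password: bytes) -> bytes:
    # The pitfall: one unsalted hash. Offline guessing runs at full SHA-256
    # speed, and the same password always yields the same key.
    return hashlib.sha256(password).digest()


def derive_key(password: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    # The fix: a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the stdlib).
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: block_i = HMAC-SHA256(key, nonce || i).
    # Secure only if a (key, nonce) pair is never used for two messages.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input; callers get the overlapping prefix.
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR with the same keystream is its own inverse.
    return encrypt(key, nonce, ciphertext)


def encrypt_with_fresh_nonce(key: bytes, plaintext: bytes):
    # Correct usage: a random 128-bit nonce per message, stored beside it.
    nonce = secrets.token_bytes(16)
    return nonce, encrypt(key, nonce, plaintext)


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    # Attacker's view of a nonce reuse: c1 XOR c2 == p1 XOR p2, so knowing
    # p1 (a "crib") reveals p2 with no key at all.
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def demo() -> dict:
    # Constructed inputs: a fixed salt keeps the run reproducible; a real
    # program would generate the salt with secrets.token_bytes and store it.
    password = b"correct horse battery staple"
    salt = b"\x00" * 16
    key = derive_key(password, salt, iterations=10_000)
    p1 = b"Dear diary, today's master password is hunter2"
    p2 = b"Shopping list: milk, eggs, bread, coffee beans"

    # Misuse: same key AND same nonce for two files.
    reused_nonce = b"\x01" * 16
    c1 = encrypt(key, reused_nonce, p1)
    c2 = encrypt(key, reused_nonce, p2)

    # Correct use: fresh nonce each time, so identical plaintexts differ.
    n_a, fresh_a = encrypt_with_fresh_nonce(key, p1)
    n_b, fresh_b = encrypt_with_fresh_nonce(key, p1)

    return {
        "p2": p2,
        "leak_equals_plaintext_xor": xor_bytes(c1, c2) == xor_bytes(p1, p2),
        "recovered_plaintext": recover_with_crib(c1, c2, p1),
        "fresh_nonces_differ": n_a != n_b and fresh_a != fresh_b,
        "roundtrip_ok": decrypt(key, n_a, fresh_a) == p1,
        "weak_key_is_deterministic": weak_key_from_password(password)
        == weak_key_from_password(password),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The keystream construction itself is fine; what breaks it is the bookkeeping around it, which is exactly where a home-grown editor goes wrong. The other pitfalls in the post have no clean stdlib demonstration: Python offers no way to pin a key buffer against swapping or to reliably zero it, and a temp file written with `tempfile` lands on disk in plaintext unless the bytes are encrypted before `write()`; those belong to a language with `mlock` and explicit memory wiping.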