On 6/25/05, Orr Dunkelman <[EMAIL PROTECTED]> wrote:
> On Sat, 25 Jun 2005, Itay Duvdevani wrote:
>
> > Hello, list.
> >
> > Recently I was wondering about applications like Mozilla's Password
> > Manager, KWalletManager and applications of this sort.
> >
> > I assume these applications use encryption to store my passwords on the
> > disk.
> > Unfortunately, the code is open, and I find this sort of protection
> > pretty weak (unless I'm mistaking somewhere along the way).
> Sure thing.
>
> That's why you can lock your password file using a "master password", or
> using gpg.

My question was regarding applications that are not password-protected.
As Ilya said, in any case, a professional dude could get the key and
algorithm from my binary. Since it is obvious that when I don't use a
master password it will be possible to extract the passwords from my db,
I want to prevent the trivial case or source-lookup (No anti-debugging
tricks for the binary, yet :).

> >
> > Since the source code is available to everyone, I conclude my
> > passwords can be easily deciphered by anyone who has access to the
> > code.
> Everybody knows which algorithm you used for encryption, and unless you
> use the master password, everybody also knows what the "secret" key is
> (which is usually some parameter depending on user name, machine name,
> etc.)
> Anyone who knows these parameters can find the key.
>
> >
> > Encryption method is known, and so is the encryption key (whether in
> > the source code or anywhere on my hard drive).
> true (up to usage of master passwords).
>
> >
> > My questions are these:
> > 1. Is it so? Is stealing passwords from these applications as
> > possible as I see it?
> yes, see my previous comments. That's why it's important to use master
> passwords.
> Even after using them, when the application is active, and you have
> entered the master password, then the secret passwords can be considered
> deciphered.
>
> > 2. If I wanted to build a password manager of this sort, and release
> > it under the GPL, could I choose *not* to release the encryption key
> > as part of the source code, and keep it hidden and secret from the
> > world, or this would prevent me from releasing it under the GPL (or
> > any other free license)? If it will, how can I build a secure FS
> > application of this sort? Any ideas?
> The key is not part of the code.

Even if it's a constant value I use in one of my headers? (Of course, the
app will use a random IV :) Is it in violation of an FS license, putting
a dummy value in the code I release?

>
> the same is true for FS, password files, etc. just make sure the user uses
> a good master password, and everything will be fine.
>
> --
> Orr Dunkelman,
> [EMAIL PROTECTED]
>
> "If it wasn't for C, we'd be writing programs in BASI, PASAL, and OBOL", anon
>
> Spammers: http://vipe.technion.ac.il/~orrd/spam.html
> GPG fingerprint: C2D5 C6D6 9A24 9A95 C5B3 2023 6CAB 4A7C B73F D0AA
> (This key will never sign Emails, only other PGP keys.)
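
The two key sources discussed in this thread, side by side, as an added example that is not part of the original messages or of any password manager named in them. The derivation from user and machine name, the HMAC-based stand-in cipher, and all names and sample values are assumptions made for illustration.

```python
import hashlib, hmac, os

def key_from_public_params(username, hostname):
    # Hypothetical "no master password" scheme: every input can be read by
    # anyone who has the source and access to the machine.
    return hashlib.sha256(f"{username}@{hostname}".encode()).digest()

def key_from_master_password(password, salt, iterations=200_000):
    # The salt is stored beside the database; the password is stored nowhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, iv, length):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example runs
    # on the standard library alone; a real store would use a vetted AEAD.
    blocks = (hmac.new(key, iv + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    iv = os.urandom(16)  # fresh random IV per record
    stream = _keystream(_subkey(key, b"enc"), iv, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), iv + body, hashlib.sha256).digest()
    return iv + body + tag

def unseal(key, blob):
    # Returns the plaintext, or None when the key is wrong or the record was altered.
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), iv, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

if __name__ == "__main__":
    secret = b"imap-password"  # constructed sample value
    # Case 1: the key is recomputable by anyone who reads the source.
    blob = seal(key_from_public_params("alice", "workstation1"), secret)
    print(unseal(key_from_public_params("alice", "workstation1"), blob))
    # Case 2: the stored salt alone does not yield the key.
    salt = os.urandom(16)
    blob = seal(key_from_master_password("correct horse battery", salt), secret)
    print(unseal(key_from_master_password("guess", salt), blob))
    print(unseal(key_from_master_password("correct horse battery", salt), blob))
```

In the first case nothing secret enters the key, so publishing or hiding the source makes no difference to a reader of the database; in the second the only secret is the password itself, which is why the source can be fully open.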
