I'm getting a few replies to my question, and I'd like to clarify it a bit:
1. I'm not interested in a master-key. The idea is that everything decrypts automatically. 2. My question was more FS oriented, less cryptographic oriented, and could be rephrased as: "Can I use a different constant for my key in the code I release to the public, and not be in violation of the FS principles?" (For the crypto-nitpickers, a random IV will do? :) Thanks. On 6/25/05, Itay Duvdevani <[EMAIL PROTECTED]> wrote: > Hello, list. > > Recently I was wondering about applications like Mozilla's Password > Manager, KWalletManager and applications of this sort. > > I assume these applications use encryption to store my passwords on the disk. > Unfortunately, the code is open, and I find this sort of protection > pretty weak (unless I'm mistaking somewhere along the way). > > Since the source code is available to everyone, I conclude my > passwords can be easily deciphered by anyone who has access to the > code. > > Encryption method is known, and so is the encryption key (whether in > the source code or anywhere on my hard drive). > > My questions are these: > 1. Is it so? Is stealing passwords from these application is as > possible as I see it? > 2. If I wanted to build a password manager of this sort, and release > it under the GPL, could I choose *not* to release the encryption key > as part of the source code, and keep it hidden and secret from the > world, or this would prevent me from releasing it under the GPL (or > any other free license)? If it will, how can I build a secure FS > application of this sort? Any ideas? > > Thanks, > - Itay. > ================================================================To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
