On Sat, Jun 25, 2005 at 08:30:24PM +0300, Itay Duvdevani wrote: > On 6/25/05, Orr Dunkelman <[EMAIL PROTECTED]> wrote: > > On Sat, 25 Jun 2005, Itay Duvdevani wrote: > > > > > Hello, list. > > > > > > Recently I was wondering about applications like Mozilla's Password > > > Manager, KWalletManager and applications of this sort. > > > > > > I assume these applications use encryption to store my passwords on the > > > disk. > > > Unfortunately, the code is open, and I find this sort of protection > > > pretty weak (unless I'm mistaking somewhere along the way). > > Sure thing. > > > > That's why you can look your password file using a "master password", or > > using gpg. > > My question was regrading applications that are not password-protected. > > As Ilya said, in any case, a professional dude could get the key and > algorithm from my binary. > > Since it is obvious that when I don't use a master password it will be > possible to extract the passwords from my db, I want to prevent the > trivial case or source-lookup (No anti-debugging tricks for the > binary, yet :).
If that is all you're after, use something like base64 encoding. It won't get you much security but at least you won't get a false sense of security. And a casual viewer still won't be able to read the data. Please read a bit on "security by obscurity" (google will help). If you want the data to be secret, defend it from potential attackers. One may decide that the local filesystem/user account is safe enough. This is normally true (unless someone else has admin priviliges on the same system) and has the atvantage of being very convinient. However if someone else does manage to gain access to the files, you're in trouble. > Even if it's a constant value I use in one of my headers? > (Ofcourse, the app will use a random IV :) > > Is it in violation of an FS license, putting a dummy value in the code > I release? Depending on the license. If you write the code and have full copyrights you can do whatever you like (unless you decide to sue yourself). If you want it to be a free software, others must be able to reproduce your work in irder to be able to distribute modified work. But whatever. If all the data needed to decipher is exposed to the attacker and the attacker has access to code that can decipher it, checking how exactly the code deciphers it can't be too big a problem to someone who really wants. Even if you only provide machine-language implementation. -- Tzafrir Cohen | [EMAIL PROTECTED] | VIM is http://tzafrir.org.il | | a Mutt's [EMAIL PROTECTED] | | best ICQ# 16849755 | | friend ================================================================= To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
