On Sat, 25 Jun 2005 20:40:29 +0300 Itay Duvdevani <[EMAIL PROTECTED]> wrote:
> I'm getting a few replies to my question, and I'd like to clarify it a bit:
>
> 1. I'm not interested in a master-key. The idea is that everything
> decrypts automatically.

Storing your key in the binary is not safe, source available or not. I didn't do cracking, but I did do embedded work and on occasion I would debug the programs in binary (hex) form. It didn't take long for the binary code to be as readable as regular assembly.

> 2. My question was more FS oriented, less cryptographic oriented, and
> could be rephrased as: "Can I use a different constant for my key in
> the code I release to the public, and not be in violation of the FS
> principles?" (For the crypto-nitpickers, a random IV will do? :)

If you store the key in the program it's easily breakable, and it won't matter much if you provide the source with a different key. It may delay things by another 30 minutes. Probably not. I don't think it's in violation of the FS principles, especially if it's your own program, and then you are also allowed to provide the program under a double licence if you wish. A slightly better solution is to use a key created by the user and stored on the local system (like ssh lets you do), but that is any good only if it's on a remote computer (if you connect remotely to the encrypted system using an RSA-like method). The only semi-safe solution is to ask for a pass-phrase, or store a key on removable storage.

> Thanks.
>
> On 6/25/05, Itay Duvdevani <[EMAIL PROTECTED]> wrote:
> > Hello, list.
> >
> > Recently I was wondering about applications like Mozilla's Password
> > Manager, KWalletManager and applications of this sort.
> >
> > I assume these applications use encryption to store my passwords on the
> > disk.
> > Unfortunately, the code is open, and I find this sort of protection
> > pretty weak (unless I'm mistaken somewhere along the way).
> >
> > Since the source code is available to everyone, I conclude my
> > passwords can be easily deciphered by anyone who has access to the
> > code.
> >
> > Encryption method is known, and so is the encryption key (whether in
> > the source code or anywhere on my hard drive).
> >
> > My questions are these:
> > 1. Is it so? Is stealing passwords from these applications as
> > possible as I see it?
> > 2. If I wanted to build a password manager of this sort, and release
> > it under the GPL, could I choose *not* to release the encryption key
> > as part of the source code, and keep it hidden and secret from the
> > world, or would this prevent me from releasing it under the GPL (or
> > any other free license)? If it will, how can I build a secure FS
> > application of this sort? Any ideas?
> >
> > Thanks,
> > - Itay.
> >
> > ================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]
>
> +++++++++++++++++++++++++++++++++++++++++++
> This Mail Was Scanned By Mail-seCure System
> at the Tel-Aviv University CC.
> +++++++++++++++++++++++++++++++++++++++++++
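The pass-phrase option the reply ends with, written out as an added example. This is not code from the thread, nor from Mozilla's Password Manager or KWalletManager; the function names, the PBKDF2 iteration count, the 16-byte salt and nonce sizes, and the sample vault line are this example's own choices. The point it demonstrates is the one the reply makes: once the only secret is something the user types at run time, the source code, the salt, the nonce and the encrypted store can all be published, so releasing the program under the GPL costs nothing in security.

```python
"""Pass-phrase-derived key for an on-disk password store (added example).

Nothing secret lives in the program. The source, the PBKDF2 salt, the
nonce and the ciphertext can all be public; the only secret is the
pass-phrase the user types, so shipping the source gives an attacker
nothing they did not already have beyond the cost of guessing it.

Construction (Python standard library only, so the example runs offline):
  key material = PBKDF2-HMAC-SHA256(pass-phrase, random salt)
  keystream    = HMAC-SHA256(enc_key, nonce || counter) in counter mode
  integrity    = HMAC-SHA256(mac_key, salt || nonce || ciphertext)
The constants below are this example's own choices. A production store
would use AES-GCM or ChaCha20-Poly1305 from a vetted library instead of
the hand-rolled stream cipher here.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumption); raise it as hardware gets faster
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the pass-phrase into a 32-byte encryption key and a 32-byte
    MAC key. The salt defeats precomputed tables; the iteration count makes
    every guess of the pass-phrase cost ITERATIONS HMAC evaluations."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                             salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_store(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_store(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. A wrong pass-phrase yields a
    wrong MAC key, so it is rejected here rather than producing garbage."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("store too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("wrong pass-phrase or tampered store")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def can_open(passphrase: str, blob: bytes) -> bool:
    """True if the pass-phrase unlocks the store and it is intact."""
    try:
        decrypt_store(passphrase, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample vault line, not real credentials.
    vault = b"mail.example.org\tuser\thunter2\n"
    store = encrypt_store("correct horse battery staple", vault)
    assert decrypt_store("correct horse battery staple", store) == vault
    assert not can_open("wrong pass-phrase", store)
    tampered = bytearray(store)
    tampered[SALT_LEN + NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    assert not can_open("correct horse battery staple", bytes(tampered))
    print("ok")
```

Compare this with the hard-coded-key design the thread is asking about: there, `derive_keys` would be a constant, and anyone who reads either the source or the binary has everything needed to open every user's store. Here, an attacker holding the source and the store file still has to guess the pass-phrase, paying the PBKDF2 cost per guess, and cannot silently alter the store because the tag is checked before anything is decrypted.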
