Thank you.
Let me conclude it, as follows. Please correct and add some comments if
necessary.
1. There are two separate components
    - password manager (implemented by .....)
    - form manager (implemented by .....)

2. Users' passwords are stored in *.s, and users' forms are saved in *.w in the
user profile directory (where * is randomly generated). By default, they
are not encrypted but obscured using a BASE64 encoding.

3. Usernames and passwords are encrypted if the user selects "Encrypt
Sensitive Information". (But forms are not encrypted). The encryption of the
passwords uses a fixed triple-DES key. The key used for encryption is itself
encrypted by a 'PBE key' and is stored in key3.db. A PBE key uses a password,
which is chosen by the user, and would be the user's master encryption
password.

4. To attack key3.db, an attacker would need to
    - know the user's master encryption password
    - have access to *.s (the user's password file)

Are those above correct ? If so, I still have some (last) questions and a
problem, as follows:
Regarding no 3, where is the user's master encryption password itself
stored ? In key3.db as well ?

Regarding no 1, I'd like to know which libraries implement the password
manager, and which libraries implement the form manager ?
(libcmt.so / libprotocol.so ?)

When I selected "Encrypt Sensitive Information" in the password manager, I
got an error dialog that says "Unable to convert stored data", and I could
not get my passwords encrypted. The same message also appears when the "use
encryption when storing sensitive data" checkbox (in the preferences window)
is clicked, and the checkbox stays unchecked. I tried both on Linux &
Win98, using Mozilla 0.8, which results in the same message.

Are there any documents about key3.db and cert7.db ?

Thank you very much.
Regards,
Bagus.


