<humor>
OK, that's IT. TGOS, it's time for Gladiator style combat to finish this!
</humor>
Really, let's get to it.
*The Background:*
TGOS, as best I can tell, wants to write a program so the user can open
their (I hope) password file and manage the stored passwords for the
sites they visit.
This would work by the user starting this program, choosing their
database file, and then entering the Master Password. The problem that
TGOS was having was that he didn't know what encryption scheme was being
used to encode the database.
*The Problem:*
It seems that Mozilla does not save the database as a text-based file
and then encrypt that with the Master Password using an encryption
scheme such as Cast/IDEA/Twofish/Serpent.
*Reality, as I understand it.*
Mozilla uses a token, either a local software token, or a removable
hardware token. These tokens contain the necessary algorithms for use
in the encryption process. Then when a username/password combo is
stored, Mozilla uses a randomly generated key to encrypt the combo. It
then stores this key, the algorithm identifier, and the starting vector
in the password file.
*From Here:*
The program that TGOS proposes needs to be able to work in the same way
that Mozilla works to create/read the keys; he just wants it to be able
to read/edit/delete keys from the system. This lets him look up the
username/password that he has forgotten, edit any that have been entered
incorrectly or have changed, and delete any that are deprecated or
should not be used.
So the program needs to be able to access the token, and then read the
password file to run against the token to produce the information. The
only question here is "How does the Master Password relate to the token?"
Is the Master Password used by Mozilla internally only? I mean, if you
had the token and the password file, would there be any need for the
Master Password to decrypt the keys?
Also, this discussion might do better on the Mozilla Crypto Mailing
List. More information can be found at
http://www.mozilla.org/crypto-faq.html#1-2
See the bottom of Answer 2 for the address of the Newsgroup for
Crypto and the mailing list for Crypto.
Thanks to all, but I hope we can lay this discussion down to rest on
this group for now. TGOS, we here are not the Crypto writers, I myself
am a Mozilla user who needed some information, logged in, has trolled,
and dispenses advice whenever I know enough not to hurt myself or others.
Chris LeBlanc
