Re: password safes for mac
I'm using 1password, but mostly because of the UI, I haven't done a cryptanalysis of it. The wifi sync to the iphone is a little worrisome.

Adam

On Sat, Jun 27, 2009 at 09:57:39PM -0400, Perry E. Metzger wrote:
|
| Does anyone have a recommended encrypted password storage program for
| the mac?
|
| Perry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
NIST optimized AES hardware...
Apparently, NIST has produced an interestingly optimized design for AES S-box hardware implementations:

http://cryptome.org/0001/nist062309.htm

Perry
--
Perry E. Metzger		pe...@piermont.com
Re: password safes for mac
On Sat, Jun 27, 2009 at 09:57:39PM -0400, Perry E. Metzger wrote:
> Does anyone have a recommended encrypted password storage program for
> the mac?

The PasswordSafe project also produces a Java variant "PasswordSafeSWT" that seems to run well enough on OSX. It may be a large assumption, but one would hopefully be able to presume that one group could produce two viable variants, albeit in different languages.

The only red flag that is raised initially for me is that the last release was in 2007. That could either indicate development has died or simply that it's a stable product with no great need for tweaking.
Re: password safes for mac
Jon Callas writes:
> On Jun 27, 2009, at 6:57 PM, Perry E. Metzger wrote:
>> Does anyone have a recommended encrypted password storage program for
>> the mac?
>
> I would recommend the built-in keychain for anything that it works with.

There are some things it doesn't work with that are of interest here.

Perry
Re: password safes for mac
pe...@piermont.com (Perry E. Metzger) on Sunday, June 28, 2009 wrote:

>It has problems. Among other things, it only mlocks your session key
>itself into memory, leaving both the AES key schedule (oops!) and the
>decrypted data (oops!) pageable into swap. (Why bother mlocking the text
>of the key if you're not going to lock the key schedule?)

You should probably use the encrypted swap feature on the Mac.

System Preferences -> Security -> Use secure virtual memory.

Cheers - Bill

---
Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, CA 95032
Re: password safes for mac
On Jun 27, 2009, at 6:57 PM, Perry E. Metzger wrote:
> Does anyone have a recommended encrypted password storage program for
> the mac?

System applications and non-broken 3rd party applications on OS X store credentials in Keychain, which is a system facility for keeping secrets. Your user keychain is encrypted with your login password, and items in it have application-level ACLs ("this credential can only be read by these applications").

The definition of "application" for the purpose of Keychain ACLs is derived from OS X code signing, so if someone tampers with one of your apps on disk, the resulting application won't get access to Keychain until you explicitly approve it.

You can inspect and modify your keychain with the Keychain Access application, which also allows you to add your own items.

--
Ivan Krstić | http://radian.org
Re: password safes for mac
Bill Frantz writes:
> pe...@piermont.com (Perry E. Metzger) on Sunday, June 28, 2009 wrote:
>
>>It has problems. Among other things, it only mlocks your session key
>>itself into memory, leaving both the AES key schedule (oops!) and the
>>decrypted data (oops!) pageable into swap. (Why bother mlocking the text
>>of the key if you're not going to lock the key schedule?)
>
> You should probably use the encrypted swap feature on the Mac.
>
> System Preferences -> Security -> Use secure virtual memory.

Sure, but whether an application does mlock properly is a proxy for whether other things are done properly. I looked at that because I could do so in about five minutes without much fuss. Doing a proper audit of 28klocs is otherwise not something one does casually.

Perry
Re: password safes for mac
On Jun 27, 2009, at 6:57 PM, Perry E. Metzger wrote:
> Does anyone have a recommended encrypted password storage program for
> the mac?

I would recommend the built-in keychain for anything that it works with.

Jon
Re: password safes for mac
Thorsten Holz writes:
> On 28.06.2009, at 20:34, Perry E. Metzger wrote:
>> The fact that it isn't open source worries me a bit -- it means I can't
>> verify that it does things correctly. Also, it integrates heavily with
>> lots of things, which makes me further worry about bugs. I'm looking for
>> something very simple if possible.
>
> KeePassX (http://www.keepassx.org/) might then be the right tool for
> you. Simple, non-intrusive password manager, everything is open-source,
> and it is even cross-platform.

Thanks for the tip, I just quickly glanced at the code.

It has problems. Among other things, it only mlocks your session key itself into memory, leaving both the AES key schedule (oops!) and the decrypted data (oops!) pageable into swap. (Why bother mlocking the text of the key if you're not going to lock the key schedule?)

It is also a pretty large program (nearly 28k lines!) written in C++. (They even created a "SecString" class just for the session key.) This much code is too big for me to understand and audit for real -- doubtless there are more things I would want to know lurking.

(Of course, this is why I wanted to have something open source to look at -- I have no idea if 1Password does things like mlocking correctly and I never will know because it is closed source and thus not amenable to examination.)

Perry
--
Perry E. Metzger		pe...@piermont.com
Re: password safes for mac
On 28.06.2009, at 20:34, Perry E. Metzger wrote:
> The fact that it isn't open source worries me a bit -- it means I can't
> verify that it does things correctly. Also, it integrates heavily with
> lots of things, which makes me further worry about bugs. I'm looking for
> something very simple if possible.

KeePassX (http://www.keepassx.org/) might then be the right tool for you. Simple, non-intrusive password manager, everything is open-source, and it is even cross-platform.

Cheers,
Thorsten
Re: password safes for mac
Bob Mahoney writes:
>> Does anyone have a recommended encrypted password storage program for
>> the mac?
>
> I use 1Password, and I've been very happy. Good integration with the
> iPhone.

The fact that it isn't open source worries me a bit -- it means I can't verify that it does things correctly. Also, it integrates heavily with lots of things, which makes me further worry about bugs. I'm looking for something very simple if possible.

Perry
Re: password safes for mac
I use 1Password, and I've been very happy. Good integration with the iPhone.

http://agilewebsolutions.com/products/1Password

-Bob

On Jun 27, 2009, at 9:57 PM, Perry E. Metzger wrote:
> Does anyone have a recommended encrypted password storage program for
> the mac?
>
> Perry
password safes for mac
Does anyone have a recommended encrypted password storage program for the mac?

Perry