On 1/9/13, intrigeri <[email protected]> wrote: > Hi, > > please review & merge feature/install-password-manager. > ticket: todo/install_password_manager > candidate for 0.17
Some issues in keepassx 0.4.3-1ubuntu3 (according to the changelogs, nothing I'm pointing out is fixed in Debian's 0.4.3-2): * The icons in share/keepassx/icons/ appear to be from the Oxygen theme, and appear to be missing both their copyright and license information (Oxygen is LGPL) and their preferred form for modification (especially clientic.png). * src/lib/random.cpp will use fake entropy produced by a non-cryptographic PRNG with a 32-bit seed if it fails to open or read from /dev/urandom. * src/dialogs/CollectEntropyDlg.cpp records the (low-entropy) sequence of keys pressed by the user, and discards the keystroke event timings which contain most of the entropy. * It uses the Gladman implementation of AES, which makes no attempt to resist timing side-channel attacks. (It also supports using Twofish to encrypt password databases; Twofish cannot be implemented efficiently without side-channel leaks.) * It also includes an RC4 implementation (RC4 also cannot be implemented efficiently without side-channel leaks), and uses a single global RC4 key to ‘encrypt’ multiple strings in memory (see src/lib/SecString.[hc]) by XORing each of them with (part of) the same sequence of keystream bytes. The cryptography used on disk should be adequate, aside from the side-channel leaks and the fake RNGs. (It encrypts the whole file using a block cipher in CBC mode with a random IV and mediocre integrity protection.) The other password managers you've considered are probably at least as bad as this one. Robert Ransom _______________________________________________ tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev
