Making kwallet more secure

Sun Aug 24 20:06:18 BST 2008

On Sunday 24 August 2008 11:36:38 am Ingo Klöcker wrote:
> On Sunday 24 August 2008, Michael Leupold wrote:
> > On Sunday 24 August 2008, Ingo Klöcker wrote:
> > > On Saturday 23 August 2008, Michael Leupold wrote:
> > > > (Note: The "security" I talk about is only meant to secure
> > > > against attacks from malicious software and malicious people who
> > > > get access to your computer).
> > >
> > > As others have already pointed out there's no way to secure against
> > > such attacks. If malicious software owns your computer (or your
> > > user account) then you are doomed in any case.
> >
> > I'm currently looking into (future) ways to secure the wallet into
> > attacks of that sort. The main problem is that you'd have to
> > establish some authenticity for the application performing a request
> > on kwalletd. There are already ways (on Linux) how this could be done
> > but they are not widely deployed yet.
> >
> > Eg. SELinux would allow us to declare policies on which applications
> > could access the wallet by assigning a wallet role to them and
> > allowing only that role to access the wallet on the session bus (or
> > by some other IPC mechanism like message queues or shared memory).
> > Unfortunately this isn't cross-platform and I haven't even found a
> > way to figure out the calling process for any of the native IPC
> > mechanisms on windows platforms.
>
> I wouldn't pay to much attention to portability if you have the chance
> to greatly improve the security on one platform. kwallet should be as
> secure as the platform it is running on allows (instead of as secure as
> all platforms it can potentially run on allow).
>
> > > kwallet protects passwords stored in the file system against
> > > adversaries who _only_ have read access to your hard disk. No more,
> > > no less.
> >
> > Yes, I understand this limitation. I do however believe that with the
> > rise of secure computing we will have means to store passwords more
> > secure in the future and that we should use them when they become
> > available.
>
> Of course.
>
> > Having a look at what is/might be available will allow us
> > to at least provide means to implement those mechanisms later.
>
> Sure. Since those mechanisms will have to be implemented in hardware or
> in the kernel (see SELinux) all we as application developers can (and
> should) do is use those mechanisms once they become available (even if
> they are not available on all systems). So it's definitely good to look
> what is available now and what might be available in the future.
>
> You might want to have a look in the usage of crypto smartcards for
> encrypting the wallet. This will at least prevent attacks by password
> sniffers and keyboard loggers. (But it won't really increase the
> security because if somebody can install a password sniffer on your
> system then he can as well install a man-in-the-middle between kwallet
> and the smartcard.)
>
>
> Regards,
> Ingo

Not only smartcards, but having the wallet store in the TPM if the device has 
one, would greatly enhance the security of the stored passwords, and again 
could block attacks by sniffers and key loggers.

-- 
Gary L. Greene, Jr.
Sent from: peorth
 12:04:18 up 15:16,  8 users,  load average: 0.02, 0.08, 0.09
==========================================================================
Developer and Project Lead for the AltimatOS open source project
Volunteer Developer for the KDE open source project
See http://www.altimatos.com/ and http://www.kde.org/ for more information
==========================================================================

Please avoid sending me Word or PowerPoint attachments.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20080824/9c28ecb2/attachment.sig>