KWallet weaknesses (fwd)

Martijn Klingens martijn at
Fri Dec 5 10:41:39 GMT 2003

I wanted to send this to security at and George in private, but as
Ingo escalated the other mail to core-devel I'd better send this one there


---------- Forwarded message ----------
Date: Thu, 04 Dec 2003 20:34:03 +0100
From: Werner Koch <wk at>
To: Martijn Klingens <klingens at>
Subject: Re: KWallet weaknesses

On Thu, 4 Dec 2003 19:26:38 +0100, Martijn Klingens said:

> Could you send this to security at and to George Staikos
> <staikos at> (in perhaps slightly more polite wording :) ?

Please forward it yourself, it has been posted to a public list.
Frankly I revised my wording right before sending to be more polite.

> See also
> for more info on the wallet btw.

Interesting.  I have misread something, apparently the first block is
used as an IV which should work.  However the design is not
straightforward and the use of the encrypted SHA1 hash for integrity
protection has a couple of problems when not done properly.

The "quick recognition of format revisions" feature has the
disadvantage of rollback attacks.

The random number generator use is questionable (if /dev/urandom
fails, use /dev/random (even with a comment to fix the blocking

I'd strongly suggest to use a standard protocol for encrypting this.
Either CMS which is really hard to implement or OpenPGP which is
pretty easy and the code can be sucked from other implementations.

Feel free to forward this to George or any list.  And well, please
mentally wipe out the "crypto beginner's fault" remark.  I read too
many crypto papers over the last weeks where homemade protocol design
was harshly criticized.


Werner Koch                                      <wk at>
The GnuPG Experts                      
Free Software Foundation Europe        
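As an added illustration of two of the design points raised in the forwarded mail (a keyed integrity check rather than a plain hash sitting inside the ciphertext, and an authenticated format-version field so that an older revision cannot be silently substituted), here is example code that is not part of KWallet, not code from this thread, and makes no claim about KWallet's real file layout: the `KWEX` magic, the header layout, the version numbers and the demo key are all assumptions made for the example.

```python
"""Authenticated container with a rollback check (hypothetical layout, not KWallet's)."""
import hashlib
import hmac
import os
import struct

MAGIC = b"KWEX"            # constructed marker for this example, not a real KWallet header
CURRENT_VERSION = 2        # assumed "newest" format revision
HEADER_FMT = ">4sHI"       # assumed layout: magic, version, payload length (big-endian)
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = hashlib.sha256().digest_size
DEMO_KEY = b"\x11" * 32    # constructed key for the demo; a real key would come from a KDF


def derive_mac_key(master_key: bytes) -> bytes:
    """Derive a dedicated integrity key so the MAC key differs from any encryption key."""
    return hmac.new(master_key, b"integrity", hashlib.sha256).digest()


def seal(master_key: bytes, version: int, payload: bytes) -> bytes:
    """Build header || payload || HMAC(header || payload). The version field is covered by the MAC."""
    header = struct.pack(HEADER_FMT, MAGIC, version, len(payload))
    tag = hmac.new(derive_mac_key(master_key), header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_container(master_key: bytes, blob: bytes, min_version: int = CURRENT_VERSION) -> bytes:
    """Verify the MAC before parsing anything, then refuse revisions older than min_version.

    Raises ValueError with a short reason string on rejection.
    """
    if len(blob) < HEADER_LEN + TAG_LEN:
        raise ValueError("truncated")
    header, body, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(derive_mac_key(master_key), header + body, hashlib.sha256).digest()
    # Constant-time comparison; checked first so an edited version field never reaches the parser.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad-mac")
    magic, version, length = struct.unpack(HEADER_FMT, header)
    if magic != MAGIC:
        raise ValueError("bad-magic")
    if length != len(body):
        raise ValueError("bad-length")
    # A genuine but older file still carries a valid MAC; the version floor is what stops rollback.
    if version < min_version:
        raise ValueError("rollback")
    return body


def check(master_key: bytes, blob: bytes, min_version: int = CURRENT_VERSION) -> str:
    """Return 'ok' or the rejection reason, for the demo and tests."""
    try:
        open_container(master_key, blob, min_version)
        return "ok"
    except ValueError as err:
        return str(err)


def rewrite_version_field(blob: bytes, version: int) -> bytes:
    """Simulate an on-disk edit of the version field so the detection can be exercised."""
    return blob[:4] + struct.pack(">H", version) + blob[6:]


if __name__ == "__main__":
    key = os.urandom(32)  # os.urandom never blocks, which avoids the /dev/random fallback concern
    current = seal(key, CURRENT_VERSION, b"wallet payload")
    old = seal(key, 1, b"wallet payload")
    print("untouched current file:", check(key, current))                     # ok
    print("version field rewritten:", check(key, rewrite_version_field(current, 1)))  # bad-mac
    print("genuine old revision, floor = 2:", check(key, old, 2))             # rollback
    print("genuine old revision, floor = 1:", check(key, old, 1))             # ok
```

The order of operations is the point: the MAC is verified over header and payload before any field is interpreted, so rewriting the version byte is caught as tampering, and a genuine old file (which still carries a valid MAC) is caught by the explicit version floor rather than by format sniffing.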

More information about the kde-core-devel mailing list