Fwd: KWallet weaknesses (was: [PATCH] Make pinentry-qt read and store passphrases in KDE 3.2's wallet)
Dirk Mueller
mueller at kde.org
Fri Dec 5 16:15:36 GMT 2003
On Thursday 04 December 2003 23:21, Ingo Klöcker wrote:
> the following is a short comment from Werner Koch (author of GnuPG) on
> KWallet. A flaw in KWallet is much more serious than a flaw in any
> other KDE program. So we really have to make extra sure that there's no
> flaw in KWallet's crypto code that could cause the data it's supposed
> to protect to be compromised.
Great reasoning, but was it necessary to make it public before the affected
parties were able to investigate the claims and potentially provide a fix?
> * No intialization vector used in CBC mode -> FATAL problem.
As far as I know, KWallet *does* have an initialisation vector for each
folder.
> * Passphrase to key conversion is not one of the standards like
> pkcs#5 or the OpenPGK S2K method. Instead a simple brute force
> thing is tried by repeating the hashing the hash 2000 times. I
> also found no salt!
Thats indeed a problem. However, I doubt that anyone would actually go the way
of trying to brute force the wallet. Its *much* easier to just steal the
unencrypted data while the wallet is unlocked.
As far as I can see, this was not covered by Werner's analysis.
> * The protocol used is not decribed.
It is described in George's slides which he presented at N7y. We also refined
the storage protocol during this session a bit. I agree it might be better to
put that along the source code in CVS.
> * The plaintext files seems to be filled with random during
> initalization. I can't see a reason for this. This won't replace
> an IV.
I think thats a misinterpretation of the code.
> Kwallet as it stands now seems to be a major security problem.
Well, anything that maps n passwords for n > 1 to the safety of one master
password is by definition a security problem. There is nothing to discuss
about that, no matter how clever you design your wallet.
Maybe we should add a disclaimer like "Don't put the authorisation codes
required to launch nuclear weapons into a kwallet. " up when the kwallet is
used for the first time.
However, kwallet has a reason for existence: its extremely nice for
more-or-less throwaway web-accounts. there are dozens of places where you
have to enter one password or the other for some kind of authorisation, like
mailman interfaces, nonpublic webpages etc.
Evidence shows that the plethora of places you can only access with a password
increases drastically. Users cope with this in two ways: a) they use the same
throwaway password for all accounts. b) they deduct the password from the
login page itself. like repeating a word that is shown on the login page, or
some part of the domain/url, possibly slightly altered with a tiny algorithm.
comparing with these two very common strategies, kwallet is like a 10 meter
thick stainless steel dugout.
That said, I think its a much bigger security problem that KMail stores POP3
and IMAP passwords essentially unencrypted in its configuration file rather
than using a kwallet for it.
I tried to talk George into providing different access levels, or passwords
for each kwallet folder (a folder for webaccounts, a folder for mail accounts
and a folder for private data like your credit card number or similiar), but
for some reason we decided against this. Can't actually remember anymore why.
> might be wise to tell George to read Peter Gutmann's recent papers on
> the deficiencies of various VPN protocols.
I fail to see how they affec the wallet. What do you gain by adding protection
against insertion or replay attacks? KWallet is not "talked over the wire".
More information about the kde-core-devel
mailing list