Fwd: KWallet weaknesses

Werner Koch wk at gnupg.org
Mon Dec 8 09:18:53 GMT 2003


On Fri, 5 Dec 2003 17:15:36 +0100, Dirk Mueller said:

> As far as I know, KWallet *does* have an initialisation vector for each 
> folder. 

Sorry, I did not know that because it is not easy to grok that from
the source within a few minutes.  Martin told me about the slides
later.  Please put this reference into the source or at least put a
Lynx usable URL into it.

> of trying to brute force the wallet. Its *much* easier to just steal the 
> unencrypted data while the wallet is unlocked. 

It gives a false sense of security.  As time passes, someone will use
Kwallet for stuff it was not designed for and thus either make really
clear that it may only be used for certain things under that and that
context or better add the standard level of paranoia and make it safe
for more things one can image right now.

> I fail to see how they affec the wallet. What do you gain by adding protection 

Simply as a general advise on how not to design cryptographic
protocols.

  Werner

-- 
Werner Koch                                      <wk at gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe                  http://fsfeurope.org





More information about the kde-core-devel mailing list