Fwd: KWallet weaknesses

Dirk Mueller mueller at kde.org
Mon Dec 8 19:28:32 GMT 2003

On Monday 08 December 2003 10:18, Werner Koch wrote:

> It gives a false sense of security.  As time passes, someone will use
> Kwallet for stuff it was not designed for and thus either make really
> clear that it may only be used for certain things under that and that
> context or better add the standard level of paranoia and make it safe
> for more things one can image right now.

Ok, lets get some result out of the discussion: 

a) You said the passphrase -> key code is bad. Which code should we use 
instead? Where can we get a working implementation, or verify our own?

b) You said that the version numbers will allow replay attacks. Though I don't 
see how they're relevant or what you could ever gain from it, how should we 
fix this problem?


More information about the kde-core-devel mailing list