Making kwallet more secure

Thiago Macieira thiago at kde.org
Sat Aug 23 11:45:48 BST 2008


Michael Leupold wrote:
>Hi everyone,
>My main concerns however are:
>1) kwalletd has no means to really authenticate applications connecting.
> While it does have ACLs every application opens a wallet using a name
> it specifies itself (so malicious applications could fool the user and
> by using another application's name you can "bypass" ACLs).
>2) every application on the messagebus can spy on passwords being sent
>
>If possible I'd like to stay with dbus as it's interoperable and
> convenient.

Then you can't get rid of #1 and #2 above.

>Possible solutions (or rather open questions to people who know more
> than me):
> - Can I trust the information about the caller that's
> provided on receiving a message? If so I could use the interfaces to
> figure out the caller's PID and get more information to present to the
> user. I could also set ACLs based on the caller's path.

This is hardly cross platform. The PID is not guaranteed information on 
D-Bus (it may fail to retrieve the PID and that's not a fatal problem). 
And even with the PID, you have to use non-cross-platform code to get the 
path of the executable.

>- an encrypted dbus transport. Unfortunately judging from libdbus
> sources encryption should be implementable but I doubt anyone is
> working on it and I can't help the feeling it's not something the dbus
> people would be very happy about.

Do it on top of D-Bus. Pass your data in a QByteArray. Let the sender and 
receiver only know how to decrypt it.

I have no idea how you'll implement that.

>- encryption inside the kwallet protocol using some tls-like techniques.
> This would most likely work - at least to stop spying on the bus.
>- Make kwallet use p2p d-bus. Actually I'm not sure if that would work
> because I couldn't find enough information about that matter. If I
> create a new bus bypassing the daemon, couldn't other processes still
> connect to it as well?

QtDBus doesn't support P2P connections yet.

>(Note: The "security" I talk about is only meant to secure against
> attacks from malicious software and malicious people who get access to
> your computer).

You've already lost if there's malicious software running. And if someone 
has physical access to the computer, you've already lost too.

-- 
  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
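As an added illustration (not code from this thread or from kwallet) of why the caller-PID idea above is best-effort: a service-side lookup that treats a failed `GetConnectionUnixProcessID` as "caller unknown" and resolves the executable path only on Linux, where `/proc/<pid>/exe` exists. The bus call itself is injected as the assumed hook `query_pid` so the logic runs without a live bus.

```python
"""Best-effort identification of a D-Bus caller: the bus may not know the
caller's PID, and mapping a PID to an executable is Linux-specific."""
import os
import sys
from typing import Callable, Optional

# Bus method a service would call with the caller's unique name (e.g. ":1.42");
# the bus answers with a PID or an error such as
# org.freedesktop.DBus.Error.UnixProcessIdUnknown.
PID_METHOD = "org.freedesktop.DBus.GetConnectionUnixProcessID"


class CallerUnknown(Exception):
    """The caller could not be identified; a service should treat this as deny."""


def identify_caller(unique_name: str,
                    query_pid: Callable[[str], int],
                    readlink: Callable[[str], str] = os.readlink,
                    platform: str = sys.platform) -> dict:
    """Return {'pid': int, 'exe': Optional[str]} for a bus unique name.

    query_pid is the assumed hook that performs the real bus call; like the
    bus, it raises when the connection cannot be mapped to a process.
    """
    try:
        pid = int(query_pid(unique_name))
    except Exception as exc:  # bus could not map the connection to a PID
        raise CallerUnknown(f"no PID for {unique_name}: {exc}") from exc
    if pid <= 0:
        raise CallerUnknown(f"bogus PID {pid} for {unique_name}")

    exe: Optional[str] = None
    if platform.startswith("linux"):  # /proc/<pid>/exe is Linux-only
        try:
            exe = readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # process already gone, or not ours to inspect
        # A binary replaced on disk shows a "(deleted)" suffix; discard it.
        # Even a clean path only names a file on disk, so it is display
        # information for the user, not a key a security ACL can rely on.
        if exe is not None and exe.endswith(" (deleted)"):
            exe = None
    return {"pid": pid, "exe": exe}
```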