Making kwallet more secure

Ingo Klöcker kloecker at kde.org
Sun Aug 24 19:36:38 BST 2008


On Sunday 24 August 2008, Michael Leupold wrote:
> On Sunday 24 August 2008, Ingo Klöcker wrote:
> > On Saturday 23 August 2008, Michael Leupold wrote:
> > > (Note: The "security" I talk about is only meant to secure
> > > against attacks from malicious software and malicious people who
> > > get access to your computer).
> >
> > As others have already pointed out there's no way to secure against
> > such attacks. If malicious software owns your computer (or your
> > user account) then you are doomed in any case.
>
> I'm currently looking into (future) ways to secure the wallet into
> attacks of that sort. The main problem is that you'd have to
> establish some authenticity for the application performing a request
> on kwalletd. There are already ways (on Linux) how this could be done
> but they are not widely deployed yet.
>
> E.g. SELinux would allow us to declare policies on which applications
> could access the wallet by assigning a wallet role to them and
> allowing only that role to access the wallet on the session bus (or
> by some other IPC mechanism like message queues or shared memory).
> Unfortunately this isn't cross-platform and I haven't even found a
> way to figure out the calling process for any of the native IPC
> mechanisms on Windows platforms.

I wouldn't pay too much attention to portability if you have the chance 
to greatly improve the security on one platform. kwallet should be as 
secure as the platform it is running on allows (instead of as secure as 
all platforms it can potentially run on allow).


> > kwallet protects passwords stored in the file system against
> > adversaries who _only_ have read access to your hard disk. No more,
> > no less.
>
> Yes, I understand this limitation. I do however believe that with the
> rise of secure computing we will have means to store passwords more
> securely in the future and that we should use them when they become
> available.

Of course.


> Having a look at what is/might be available will allow us 
> to at least provide means to implement those mechanisms later.

Sure. Since those mechanisms will have to be implemented in hardware or 
in the kernel (see SELinux) all we as application developers can (and 
should) do is use those mechanisms once they become available (even if 
they are not available on all systems). So it's definitely good to look 
what is available now and what might be available in the future.

You might want to have a look in the usage of crypto smartcards for 
encrypting the wallet. This will at least prevent attacks by password 
sniffers and keyboard loggers. (But it won't really increase the 
security because if somebody can install a password sniffer on your 
system then he can as well install a man-in-the-middle between kwallet 
and the smartcard.)


Regards,
Ingo
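As an added illustration of the caller-authorization problem discussed in this thread (example code, not from kwallet or from either poster): a decision function a session-bus service could apply once the bus daemon has told it who is calling. The credential fields are assumed to come from the bus (org.freedesktop.DBus exposes GetConnectionUnixUser and GetConnectionSELinuxSecurityContext for this); here they are constructed inline so the check runs offline, and the "wallet role" of the thread is modelled as an SELinux domain type, which is how such a policy would actually be expressed.

```python
# Added example, not kwallet code. Credentials are constructed inline;
# in a real service they come from the bus daemon, never from the caller.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class CallerCreds:
    uid: int
    pid: int                       # informational only: PID -> exe lookups are racy
    selinux_label: Optional[str]   # e.g. "user_u:user_r:kwallet_client_t:s0", or None


def selinux_type(label: str) -> str:
    """Return the domain type from a user:role:type[:level] SELinux context."""
    parts = label.split(":")
    if len(parts) < 3 or not parts[2]:
        raise ValueError(f"malformed SELinux context: {label!r}")
    return parts[2]


def authorize(creds: CallerCreds, wallet_uid: int,
              allowed_types: FrozenSet[str]) -> Tuple[bool, str]:
    """Decide whether a bus caller may open the wallet; returns (allowed, reason).

    Without a security label the bus can only vouch for the UID, which is the
    limitation the thread describes: every process of that user looks alike,
    so the wallet cannot distinguish a legitimate client from malware.
    """
    if creds.uid != wallet_uid:
        return False, "caller uid does not own this wallet"
    if creds.selinux_label is None:
        return False, "no security label: calling program cannot be authenticated"
    try:
        domain = selinux_type(creds.selinux_label)
    except ValueError as exc:
        return False, str(exc)
    if domain not in allowed_types:
        return False, f"domain {domain} is not permitted by wallet policy"
    return True, f"domain {domain} permitted"


if __name__ == "__main__":
    policy = frozenset({"kwallet_client_t"})   # constructed policy
    for creds in (CallerCreds(1000, 4242, "user_u:user_r:kwallet_client_t:s0"),
                  CallerCreds(1000, 4243, "user_u:user_r:unconfined_t:s0"),
                  CallerCreds(1000, 4244, None)):
        print(creds, "->", authorize(creds, 1000, policy))
```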