Review Request 117157: Unlock session via DBus

Valentin Rusu kde at rusu.info
Fri Apr 4 23:55:49 BST 2014


On Thursday, April 03, 2014 08:42:32 PM Michael Pyne wrote:
> On Fri, April 4, 2014 02:20:28 Valentin Rusu wrote:
> > On Sunday, March 30, 2014 05:25:58 PM Michael Pyne wrote:
> > > In fact the list of folders and keys present in KWallet (though
> > > not their values) can be queried without unlocking KWallet, or even
> > > causing it to prompt to unlock.
> > 
> > Could you please elaborate more on the possibility to enumerate the keys
> > without opening the wallet?
> 
> From the KWallet::Wallet API docs:

That's right, folder and entry names can be queried. However, KWallet data is 
entirely encrypted in the .kwl files. Only folder and entry name hashes are 
stored as-is, when using the classic backend. If using the GPG backend, all of 
the file contents are encrypted using QGPGME.

> > bool Wallet::keyDoesNotExist(...):
> > 
> > Determine if an entry in a folder does not exist in a wallet.
> > 
> > This does not require decryption of the wallet. This is a handy
> > optimization to avoid prompting the user if your data is certainly not in
> > the wallet.
> Wallet::folderDoesNotExist() has similar verbiage.
> 
> "enumerating" is overstating the case here since there's no direct support
> for enumerating folders or keys. But all the same, it's not hard at all to
> brute-force potential folder or key names using the same method used to
> guess valid Coinbase user identities that just hit the news.
> 
> Of course if an attacker is running code they'd probably just find it easier
> to open the .kwl directly and read the folder and key names, since
> apparently those are stored unencrypted, if the API docs are to be
> believed.

Only folder and entry name hashes are to be found in the classic format .kwl 
file, as I described above. GPG wallets, on the other hand, are entirely 
encrypted.

> 
> Note that there is a valid use case for this feature: It would be
> tremendously annoying for a user to have to open their wallet just so an
> application can verify if it does or does not have an entry stored in the
> wallet. Instead the application can defer opening the wallet (and forcing
> the password prompt) until the value is actually needed.

Well, that's true. That's why kwalletd compares key and folder names by hash 
value, for the classic backend. With GPG, the wallet is literally opened then 
queried. This won't prompt the password dialog though, courtesy of gpg-agent.


-- 
Valentin Rusu
irc: valir
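Added illustration (not code from KWallet, kwalletd, or either poster) of the point the thread turns on: if a classic-format wallet keeps folder and entry names only as hashes, the existence checks can be answered without decrypting anything, and the same stored hashes can be dictionary-guessed either online (through the API, one probe per guess) or offline (straight from the file). The on-disk layout, the MD5 name hash, the wallet contents and the wordlist below are all constructed assumptions for the model; the real .kwl format and hash algorithm are not reproduced.

```python
import hashlib


def name_hash(name: str) -> bytes:
    # ASSUMPTION: stand-in for whatever hash the real backend applies to names.
    return hashlib.md5(name.encode("utf-8")).digest()


class ClassicWalletModel:
    """Constructed model of a classic-format wallet index: folder-name hashes
    map to entry-name hashes, and entry values are opaque ciphertext that the
    existence checks never touch."""

    def __init__(self):
        self._index = {}  # folder_hash -> {key_hash: ciphertext}

    def write(self, folder: str, key: str, ciphertext: bytes) -> None:
        self._index.setdefault(name_hash(folder), {})[name_hash(key)] = ciphertext

    def folder_does_not_exist(self, folder: str) -> bool:
        # Mirrors the "no decryption needed" check: compare hashes only.
        return name_hash(folder) not in self._index

    def key_does_not_exist(self, folder: str, key: str) -> bool:
        entries = self._index.get(name_hash(folder))
        return entries is None or name_hash(key) not in entries

    def stored_hashes(self) -> dict:
        # What an attacker reading the file sees: hashes, no names, no values.
        return {fh: set(keys) for fh, keys in self._index.items()}


def probe_names(wallet: ClassicWalletModel, wordlist: list) -> dict:
    """Online guessing: one existence query per candidate name, wallet never
    opened. Returns {folder: [keys found]} for folders that exist."""
    found = {}
    folders = [w for w in wordlist if not wallet.folder_does_not_exist(w)]
    for folder in folders:
        found[folder] = sorted(
            w for w in wordlist if not wallet.key_does_not_exist(folder, w)
        )
    return found


def recover_names(stored_hashes: dict, wordlist: list) -> dict:
    """Offline guessing against the unencrypted name hashes taken from the
    file. Folders whose names are not in the wordlist stay as hex hashes."""
    lookup = {name_hash(w): w for w in wordlist}
    recovered = {}
    for fh, key_hashes in stored_hashes.items():
        label = lookup.get(fh, fh.hex())
        recovered[label] = sorted(lookup[kh] for kh in key_hashes if kh in lookup)
    return recovered


def build_sample_wallet() -> ClassicWalletModel:
    # Constructed sample contents; values are placeholders for ciphertext.
    w = ClassicWalletModel()
    w.write("Passwords", "imap.example.org", b"<ciphertext>")
    w.write("Passwords", "wifi-home", b"<ciphertext>")
    w.write("Form Data", "login_form", b"<ciphertext>")
    w.write("Private Notes", "diary", b"<ciphertext>")  # not in wordlist
    return w


# Constructed wordlist of common folder and entry names.
SAMPLE_WORDLIST = [
    "Passwords", "Form Data", "Network Management",
    "imap.example.org", "smtp.example.org", "wifi-home", "login_form",
]


if __name__ == "__main__":
    wallet = build_sample_wallet()
    print("online probe:", probe_names(wallet, SAMPLE_WORDLIST))
    print("offline dictionary:", recover_names(wallet.stored_hashes(), SAMPLE_WORDLIST))
```

The two guessing functions deliberately give the same answer for names in the wordlist: hashing names without a secret protects only names that are unguessable, which most wallet folder and entry names are not. The GPG backend described above sidesteps this by encrypting the whole file, at the cost of having to open it (via gpg-agent) to answer the same question.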