Password field security and information leaking

Ivan Čukić ivan.cukic at kde.org
Mon Oct 15 13:14:35 BST 2018


 
> It seems to me that a notional end-user application is the one that
> actually needs to *use* the password though, which might imply that the
> U/I for entering the password needs to be in a different process?

Depends.

I investigated all of this primarily for Plasma Vaults. The implementation is 
split into a Plasma applet and a kded module. Currently, the password 
requesting UI is in the kded module because I didn't want for it to go between 
processes in an insecure manner.

With the proposed change, the password entry could go into the Plasma Applet, 
where the password user would be the kded module.

I think the same organization would be fitting for some other applications as 
well. Consider KMail - password entry is in KMail, while the Akonadi agents 
are the users.

> Or might it instead be possible to split things up even more, so that
> end-user applications speak to an authentication agent, which performs
> authentication on the application's behalf, and the agent itself handles
> U/I separately? Again, similar to existing GPG and SSH model.
> 
> The downside I see is that it might be confusing and distracting for
> users to do 99% of their application configuration inside the
> application itself, and then have to go through an "auth agent popup
> window" experience for the authentication piece only.
> 
> But even there, if the application is able to use a secure password
> entry widget, it could perhaps be possible to be able to safely set or
> update authentication credentials in the same app config U/I (i.e. have
> the app itself serve the pinentry-qt role).

This sounds interesting. Let's see how this evolves. I'll use Vaults as a 
guinea pig, and I'll try to make it generic enough to support both single-
process entry+usage and the previously mentioned split.

I agree that it would be awkward to have the password entry outside of an 
application. If it's in the same process as the password user, I'm not sure 
doing a roundabout through an agent would have any benefits. Unless the agent 
also serves for 'remembering' the password like some KWallet++ (the formerly 
planned KSecretService). 

> GPG and SSH already have some facilities for handling this use case, I
> think. Would it be possible to e.g. use pinentry-qt for this?

Pinentry communication is not encrypted. But, we could provide a nice 
pinentry-kde if we wanted that supports the pinentry protocol and adds our own 
extensions for encrypted communication.

Cheers,
Ivan




dr Ivan Čukić
KDE, ivan.cukic at kde.org, https://cukic.co/
gpg key fingerprint: 8FE4 D32F 7061 EA9C 8232  07AE 01C6 CE2B FF04 1C12





More information about the Kde-frameworks-devel mailing list