Bugtraq mailing list archives
Re: stored credentials was: Netscape 4.5 vulnerability
From: juolja () UTU FI (Juha Jäykkä)
Date: Fri, 23 Apr 1999 11:52:12 +0300
> Well actually you can use one key/passphrase to secure all the stored credentials. This has the advantage that you don't need to remember all credentials (which is impossible for secret keys anyway). But it has the disadvantage that the security is a) breakable by trojans/backdooring b) as secure as the (weakest) manually entered password
No, no, no. You missed the point. We were discussing programs (or bunches of programs or even OSes) which store user credentials for later access WITHOUT the need for a user to supply any password, key or credential. Such as is implemented in Netscape Communicator when it stores POP/IMAP passwords in prefs.js.

In this case the credentials stored by the program are indeed "encrypted" (XORed) but in order to enable the program to retrieve this information without user interaction even after a system restart, the password used to "encrypt" the credentials is stored somewhere within the binary itself, the Windows registry or even derived from the user name or something. Whichever the method, the password is easily reproduced and used to decrypt the credentials protected with it.

There is no way around this when we want to access the encrypted credential information without user interaction (to be precise I should add: after a system restart). There can never be true security in such a system. End of story.

What you propose is basically a Single-SignOn technique which still needs ONE passphrase. They are a totally different story and not the subject here.

--
Juha Jäykkä, juhaj () iki fi

PS See http://www.dcs.ex.ac.uk/~aba/rsa/ for latest version of RSA in perl.

Here goes the RSA code in two lines:
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
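
The distinction drawn in the message above, as an added example that is not part of the original post and not Netscape's code: a credential XORed with a key the program carries can be recovered from disk alone, while one protected under a user passphrase cannot. The key, function names and record layout are assumptions made for illustration, and the passphrase variant is a standard-library sketch where production code would use an authenticated cipher.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for a key compiled into a client binary (assumption;
# this is NOT Netscape's real key or algorithm).
EMBEDDED_KEY = b"constructed-static-key"
PBKDF2_ROUNDS = 100_000

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def store_unattended(password: str) -> str:
    """What the program writes to its prefs file: XOR with its own key."""
    return base64.b64encode(xor_bytes(password.encode(), EMBEDDED_KEY)).decode()

def recover_unattended(stored: str) -> str:
    """Uses only what is on disk after a reboot: the file and the program's
    key. No user secret is involved, so any reader of both can do the same."""
    return xor_bytes(base64.b64decode(stored), EMBEDDED_KEY).decode()

def _derive(passphrase: str, salt: bytes, n: int) -> bytes:
    """32 bytes of MAC key followed by n bytes of keystream."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ROUNDS, dklen=32 + n)

def store_with_passphrase(password: str, passphrase: str):
    """The single-passphrase approach: the key never touches the disk."""
    salt, pw = os.urandom(16), password.encode()
    okm = _derive(passphrase, salt, len(pw))
    ct = xor_bytes(pw, okm[32:])
    tag = hmac.new(okm[:32], ct, hashlib.sha256).digest()
    return salt, ct, tag  # note: ciphertext length still reveals password length

def recover_with_passphrase(record, passphrase: str):
    """Returns the password, or None when the passphrase is wrong."""
    salt, ct, tag = record
    okm = _derive(passphrase, salt, len(ct))
    expected = hmac.new(okm[:32], ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(ct, okm[32:]).decode()

if __name__ == "__main__":
    blob = store_unattended("mail-password-constructed")
    print("on disk:", blob, "-> recovered:", recover_unattended(blob))
    rec = store_with_passphrase("mail-password-constructed", "user passphrase")
    print("wrong passphrase ->", recover_with_passphrase(rec, "guess"))
```

The passphrase variant is only as strong as the passphrase and still requires the user to type it once per session, which is the trade-off the two posters are arguing about.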