lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 14 Mar 2003 14:51:19 -0800
From: Dan Harkless <bugtraq@...kless.org>
To: bugtraq@...urityfocus.com
Subject: Re: Obfuscating sensitive data? (was: response to tax software not encrypting tax info)



Andreas Beck <becka@...atec.de> writes:
> 2) If 1) cannot be done for some reason, use _strong_ encryption to
>    _encrypt_ the data. XORing them with "wrdlbrmft" will just make an
>    attacker laugh, assuming he is just a bit smarter than a piece of wood.
>    Never just obfuscate the passwords by using a generic key. Even if
>    the app picks one individual key at installation time, it has to be
>    stored somewhere and when you can retrieve the file, chances are, that
>    you can as well retrieve the stored key.

A more important argument against the application picking a random key at
installation time is that if it gets lost (e.g. due to disk or registry
corruption), the user's data is gone (which could have serious results in
cases such as tax programs).

Any secret required to decrypt the data should be supplied by the user so
that they can take whatever steps are appropriate to make sure it doesn't
get lost.

> IMHIO obfuscating data serves only one purpose: Not giving away Information
> to someone _briefly_ _viewing_ over the file. That's o.k. to keep the
> sysadmin from the temptation to hit a user that picks a weak or offensive
> password with a wet haddock. It's as well o.k. to guard a password against 
> a coworker that happened to look over your shoulder when you opened the 
> wrong file. But it is NOT o.k., if an attacker can retrieve the file and 
> play around with it all day.

Obfuscation should never be encouraged over encryption, but obfuscation is
certainly better than nothing (cleartext).  Your comparison ignores the fact
that the vast majority of people stumbling across someone's tax return on a
file sharing network would have neither the inclination nor the ability to
write or find software capable of de-obfuscation.

Naturally true encryption is greatly desired just in case a true attacker
_is_ out there, but obfuscation will certainly protect against that 99.x% of
the population that _could_ download your tax return if they wanted to, but
won't (or won't figure out how to get the obfuscated info out of it if they
do).

--
Dan Harkless
bugtraq@...kless.org
http://harkless.org/dan/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ