Date: Thu, 23 Mar 2006 19:41:11 -0000
From: "Dave Korn" <davek_throwaway@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Re: PasswordSafe 3.0 weak random number generator allows key recovery attack


info@...omsoft.com wrote:
> Title         : PasswordSafe 3.0 weak random number generator allows
> key recovery attack
> Date          : March 23, 2006
> Product       : PasswordSafe 3.0

  Say, are you referring to /the/ PasswordSafe 3.0, you know, the one by 
that Schneier guy, the one that's on sourceforge, .....

 ... the one that's still in BETA for god's sake and which comes plastered 
in warnings like

" This is still a BETA release! It should NOT be used as the only tool for 
storing "real" password information. For securely storing real password 
entries, please use release 2.16."

  ;-) Heh, this is a QC / bug report, not a security advisory!  There is 
currently no such thing as "PasswordSafe 3.0", and 
http://passwordsafe.sourceforge.net/ refers to it as "3.0Beta1".  (But yeh, 
this is a valid issue and of course should be fixed before the product is 
actually released).

> It is possible to mount a guaranteed decryption attack on PasswordSafe
> 3.0 databases created under an OS prior to Windows XP. The attack is
> very simple:
>
> 1. Generate a 256-bit key for every possible seed value
> 2. Decrypt the first database record (the structure is documented, so
>    we have a known-plaintext attack)
> 3. Check the decrypted value against the known plaintext
>
> The total number of all possible seed values is limited to 2^32, so
> it is quite feasible. Our experiments show that the key can be
> recovered in less than 6 hours on a single PC (Pentium 4).

> Solution/workaround
> ======================================================================
>
> PasswordSafe should not use the rand() function; a cryptographic RNG should
> be used instead.

  I think he should probably prepend a random amount of random pad bytes to 
the start of the file as well.  It would help to hide the known plaintext from even 
being at a known offset into the ciphertext stream.



    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 
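The generator problem the advisory describes, as an added example that is not code from the original post or from the PasswordSafe project: a 256-bit key filled from srand()/rand() is a pure function of one 32-bit seed, so the same seed always reproduces the same key and the real key space is at most 2^32; the hardened variant draws the key from the OS CSPRNG instead. It assumes a Unix-like host where /dev/urandom stands in for the Windows CSPRNG API the product would actually call.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define KEY_BYTES 32  /* 256-bit key, as in the advisory */

/* Weak derivation in the spirit of the report: every key byte comes from
 * rand() after one srand() call, so the whole 256-bit key is determined by
 * a single 32-bit seed (at most 2^32 distinct keys). */
void weak_key_from_seed(uint32_t seed, uint8_t key[KEY_BYTES]) {
    srand(seed);
    for (size_t i = 0; i < KEY_BYTES; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Hardened: take the key bytes from the OS cryptographic RNG.
 * Assumption: Unix-like host; /dev/urandom stands in for a Windows CSPRNG. */
int csprng_key(uint8_t key[KEY_BYTES]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(key, 1, KEY_BYTES, f);
    fclose(f);
    return n == KEY_BYTES ? 0 : -1;
}

int keys_equal(const uint8_t a[KEY_BYTES], const uint8_t b[KEY_BYTES]) {
    return memcmp(a, b, KEY_BYTES) == 0;
}

/* QA check: generate twice from the same seed; 1 means the routine is
 * seed-determined and its keys fall into the 2^32 class the report describes. */
int weak_generator_is_reproducible(uint32_t seed) {
    uint8_t k1[KEY_BYTES], k2[KEY_BYTES];
    weak_key_from_seed(seed, k1);
    weak_key_from_seed(seed, k2);
    return keys_equal(k1, k2);
}

/* Same check for the CSPRNG path: 0 means two draws differ (as they must,
 * up to a 2^-256 coincidence); -1 means the RNG source was unavailable. */
int csprng_generator_is_reproducible(void) {
    uint8_t k1[KEY_BYTES], k2[KEY_BYTES];
    if (csprng_key(k1) != 0 || csprng_key(k2) != 0) return -1;
    return keys_equal(k1, k2);
}
```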