[10336] in bugtraq
Re: stored credentials was: Netscape 4.5 vulnerability
daemon@ATHENA.MIT.EDU (Juha =?iso-8859-1?Q?J=E4ykk=E4?=)
Fri Apr 23 13:23:53 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Message-Id: <372034BC.3F11DD51@utu.fi>
Date: Fri, 23 Apr 1999 11:52:12 +0300
Reply-To: Juha =?iso-8859-1?Q?J=E4ykk=E4?= <juolja@UTU.FI>
From: Juha =?iso-8859-1?Q?J=E4ykk=E4?= <juolja@UTU.FI>
X-To: Bernd Eckenfels <lists@LINA.INKA.DE>
To: BUGTRAQ@NETSPACE.ORG
> Well actually you can use one key/passphrase to secure all the stored
> credentials. This has the advantage that you dont need to rember all
> credential (which is impossible for secret keys anyway). But it has t=
he
> disadvantage, that the security is
> a) breakable by trojans/backdooring
> b) as secure as the (weakest) manual entered passwort
No, no, no. You missed the point. We were discussing programs (or
bunches of programs or even OSes) which store user credentials for late=
r
access WITHOUT the need for a user to supply any password, key or
credential. Such as is implemented in netscape communicator when it
stores pop/imap passwords in prefs.js. In this case the credentials
stored by the program are indeed "encrypted" (XORed) but in order to
enable the program to retrieve this information without user interactio=
n
even after a system restart, the password used to "encrypt" the
credentials is stored somewhere within the binary itself, the windows
registry or even derived from the user name or something. Which ever th=
e
method, the password is easily reproduced and used to decrypt the
credentials protected with it. There is no way around this when we want
to access the encrypted credential information without user interaction
(to be precise I should add: after a system restart). There can never b=
e
true security in such a system. End of story.
What you propose is basically a Single-SignOn technique which still
needs ONE passphrase. They are a totally different story and not the
subject here.
--
Juha J=E4ykk=E4, juhaj@iki.fi
PS See http://www.dcs.ex.ac.uk/~aba/rsa/ for latest version of RSA in
perl.
Here goes the RSA code in two lines:
print pack"C*",split/\D+/,`echo
"16iII*o\U@{$/=3D$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|d=
c`
