[13029] in bugtraq


Re: Netscape password scrambling

daemon@ATHENA.MIT.EDU (der Mouse)
Tue Dec 21 15:28:54 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id:  <199912201713.MAA12851@Twig.Rodents.Montreal.QC.CA>
Date:         Mon, 20 Dec 1999 12:13:17 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

> More importantly, some people have claimed that the entire password
> saving issue is a red herring since there is no way to protect a
> secret on the host.

I don't think I've said so, but I agree with those "some people".

> This criticism is worth thinking about more carefully.  We suggest
> that Netscape "raise the bar" by using triple-DES and hiding key
> material for the cipher throughout the code.  But can't you just
> apply some clever SoftICE to find the key?  Of course you can!  Doing
> so requires much more sophistication than simply cracking a "magic
> decoder ring" scrambler, however.

Yeah...but it doesn't need to be done but once.  Once someone does it
and the key is known, decrypting a crypted password is a total
no-brainer.  (Exploiting some of the subtler security holes requires a
degree of sophistication, too - but once exploit code is written,
*using* it is typically well within the reach of even the
point-and-drool crowd.)

The only way this would be of any use is if a new random[%] key is
generated for each install.  Never having installed Netscape, I don't
know whether their install procedure is such that this is feasible.
But it does seem to me to be the only way to actually do anything of
the sort - then the attacker needs to steal the relevant key material
from wherever the install procedure stashed it (inside the executable,
perhaps?) as well as stealing the file with the encrypted password.

[%] And it needs to be at least semi-decently random, too - a trivial
    massaging of something the attacker can trivially discover Just
    Won't Do.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
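
Added example (not part of der Mouse's message, and not Netscape's code): a Python sketch of the three key sources the message compares, checking which of them survive theft of the password file alone. The HMAC-SHA256 keystream is a stdlib stand-in for a real cipher such as triple-DES, and VENDOR_KEY, derived_key, the user/host names and the sample password are all constructed for illustration.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stand-in keystream (assumption, not 3DES).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key + b"enc", nonce, len(plaintext))))
    tag = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key + b"enc", nonce, len(ct))))

# Constructed stand-in for a key hidden in the code: identical in every copy shipped.
VENDOR_KEY = hashlib.sha256(b"constructed key hidden in every copy").digest()

def derived_key(user, host):
    # The footnote's case: "trivial massaging" of data anyone can look up.
    return hashlib.sha256(f"{user}@{host}".encode()).digest()

def survives_file_theft(key, known_keys, secret=b"hunter2"):
    """True if stealing only the password file does not reveal the secret."""
    blob = seal(key, secret)
    return all(unseal(k, blob) != secret for k in known_keys)

def demo():
    # What one published analysis plus public facts hand to every later attacker.
    known = [VENDOR_KEY, derived_key("alice", "ws1.example.com")]
    per_install = os.urandom(32)  # fresh CSPRNG key, generated at install time
    return {
        "vendor": survives_file_theft(VENDOR_KEY, known),
        "derived": survives_file_theft(derived_key("alice", "ws1.example.com"), known),
        "per_install": survives_file_theft(per_install, known),
        "per_install_key_also_stolen": survives_file_theft(per_install, known + [per_install]),
    }

if __name__ == "__main__":
    print(demo())
```

Only the per-install random key holds when the password file is taken by itself, and it stops holding once the stored key material is taken along with it.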
