Re: [Passwordsafe-devel] Validation flaw addressed in version 2.14
From: Dave C. <The...@us...> - 2005-11-26 08:15:30
James,

Sorry about being a bit confusing, I will try to explain further.

Let's say Alice has a V2 PWS database on a PDA or USB device and one on a PC in a "safe place". When Alice goes into the field she takes her PDA with her, before and after she synchronizes her databases. While working on Bob the Builder's computer, Alice adds a record for the Admin password and changes the record for her non-admin password on Bob's computer. While having a quiet beer with Bob at the local pub, Mallory gets hold of the PDA while Alice is getting a round of drinks. He cannot read the database, however he changes a few bytes just for fun. The next morning Alice tries to synchronize her database, however it fails to open due to Mallory's modifications.

Carol follows a similar process to Alice, however she uses unencrypted (U|G)UIDs and timestamps. While she is getting her round of drinks, Mallory, who knows the format of the database, changes random bytes in a number of records and the timestamps of those records. When Carol synchronizes her PWS she will copy the corrupted records over the top of her correct records on her PC. When she opens her database she finds that she has corrupted both her databases.

Dave

pas...@no... wrote:
> I'm not sure what your point is. Yes, data can be corrupted. But
> encrypted data can be corrupted just as easily (even easier) than unencrypted
> data. The timestamp & GUID provide no information that could be used to
> decrypt the data, which is the important part.
>
> Truth,
> James Curran
>
> (Hopefully, I've set Outlook to fool sourceforge into sending this directly
> to the list).
>
> -----Original Message-----
> From: pas...@li...
> [mailto:pas...@li...] On Behalf Of Dave Collins
> Sent: Friday, November 25, 2005 6:36 PM
> To: James Curran/MVP
> Cc: pas...@li...
> Subject: Re: [Passwordsafe-devel] Validation flaw addressed in version 2.14
>
> James,
> If you have unencrypted timestamps and GUIDs, an attacker (Eve, I guess)
> could change some of the timestamps and GUIDs and this would cause them
> to override your correct data.
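
Carol's scenario from the message above, as an added example (not code from the thread or from Password Safe): a newest-timestamp-wins merge accepts a record whose bytes and timestamp were altered, while the same merge with an HMAC covering UUID, timestamp and ciphertext rejects it. The record layout, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:          # hypothetical layout, not the PWS file format
    uuid: str          # stored in the clear, as in Carol's case
    mtime: int         # stored in the clear, as in Carol's case
    blob: bytes        # encrypted entry, opaque here
    tag: bytes = b""   # HMAC-SHA256 over uuid, mtime and blob

def _msg(uuid, mtime, blob):
    # Length-prefix every field so bytes cannot move between fields.
    parts = [uuid.encode(), str(mtime).encode(), blob]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def seal(key, uuid, mtime, blob):
    tag = hmac.new(key, _msg(uuid, mtime, blob), hashlib.sha256).digest()
    return Record(uuid, mtime, blob, tag)

def verify(key, rec):
    want = hmac.new(key, _msg(rec.uuid, rec.mtime, rec.blob), hashlib.sha256).digest()
    return hmac.compare_digest(want, rec.tag)

def naive_sync(local, remote):
    """Newest timestamp wins, no integrity check."""
    merged = dict(local)
    for uuid, rec in remote.items():
        if uuid not in merged or rec.mtime > merged[uuid].mtime:
            merged[uuid] = rec
    return merged

def checked_sync(key, local, remote):
    """Same merge, but records that fail verification are skipped and reported."""
    merged, rejected = dict(local), []
    for uuid, rec in remote.items():
        if uuid != rec.uuid or not verify(key, rec):
            rejected.append(uuid)
            continue
        if uuid not in merged or rec.mtime > merged[uuid].mtime:
            merged[uuid] = rec
    return merged, rejected

# Constructed sample data: one record on the PC, two on the PDA.
KEY = hashlib.sha256(b"constructed demo key").digest()  # assumption: derived elsewhere
pc = {"r1": seal(KEY, "r1", 1000, b"good-ciphertext")}
good = seal(KEY, "r2", 1100, b"new-admin-entry")
# Altered copy of r1: changed bytes and a later timestamp, old tag kept.
bad = Record("r1", 2000, b"gooX-ciphertext", pc["r1"].tag)
pda = {"r1": bad, "r2": good}
```
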