RE: [Passwordsafe-devel] ElcomSoft Co.Ltd. found a flaw in V3Beta1
From: DK <dk...@ds...> - 2006-03-24 22:30:32
Rony,

My view, for what it is worth, do we have a choice? It has to be cryptographically robust - otherwise why exist? If not Yarrow - what other?

David

-----Original Message-----
From: pas...@li... [mailto:pas...@li...] On Behalf Of Rony Shapiro
Sent: 24 March 2006 06:31
To: pas...@li...
Cc: mar...@gm...
Subject: [Passwordsafe-devel] ElcomSoft Co.Ltd. found a flaw in V3Beta1

Hi,

The good folks at ElcomSoft have found a weakness in the new release that makes the master encryption key vulnerable to a brute-force attack when running pwsafe on pre-XP versions of Windows, basically since we fall back to the rand() prng for those platforms.

For more details, see http://www.securityfocus.com/archive/1/428552/30/0/threaded.

(It's annoying that they titled their note as a flaw in "3.0", which means I'll probably have to bump the version number to 3.1 when we leave beta...)

Aside from hauling in an industrial strength PRNG (Yarrow?) and grovelling around for bits of entropy, does anyone have a suggestion as to how to replace rand or otherwise fix the flaw?

Thanks to Markus Jansson for pointing me to the ElcomSoft note.

Cheers,

Rony
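
The weakness discussed in this thread, as an added example that is not part of the original messages and is not Password Safe's code: a key filled from a seeded rand()-style generator holds no more entropy than its seed, whereas a key read from the OS CSPRNG does not have that limit. The LCG, the function names and the sample seed are constructed for illustration, and the hardened path assumes a POSIX system with /dev/urandom.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 32
/* Constructed stand-in for a C library rand(): 32-bit LCG state, 15 output
   bits per call. Illustrative only; not Password Safe's code. */
static int weak_rand(uint32_t *state) {
    *state = *state * 214013u + 2531011u;
    return (int)((*state >> 16) & 0x7fff);
}

/* Weak pattern: every key byte is a function of the seed alone, so there are
   at most 2^32 distinct keys however long the key is. */
void weak_key(uint32_t seed, uint8_t key[KEY_LEN]) {
    uint32_t state = seed;
    for (int i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)weak_rand(&state);
}

/* Audit helper: count seeds in [lo, hi] that rebuild the key. Non-zero means
   the key holds no more entropy than the guessable seed range. */
unsigned seeds_reproducing(const uint8_t key[KEY_LEN], uint32_t lo, uint32_t hi) {
    uint8_t trial[KEY_LEN];
    unsigned hits = 0;
    for (uint32_t s = lo; ; s++) {
        weak_key(s, trial);
        if (memcmp(trial, key, KEY_LEN) == 0) hits++;
        if (s == hi) break;
    }
    return hits;
}

/* Hardened pattern (POSIX assumed): key bytes from the OS CSPRNG, failing
   closed instead of falling back to a weaker source. */
int strong_key(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

int main(void) {
    uint8_t k[KEY_LEN];
    uint32_t seed = 1143181832u; /* constructed timestamp-like seed */
    weak_key(seed, k);
    printf("seeds within +/-12h that rebuild the key: %u\n",
           seeds_reproducing(k, seed - 43200u, seed + 43200u));
    return strong_key(k) == 0 ? 0 : 1;
}
```

On Windows the platform's own CSPRNG would take the place of /dev/urandom; the point that carries over is that strong_key() returns an error rather than substituting rand().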