From: Dave Collins <TheDaveCollins@us...> - 2005-11-26 08:15:30
Sorry about being a bit confusing; I will try to explain further.

Let's say Alice has a V2 PWS database on a PDA or USB device and one on a
PC in a "safe place". When Alice goes into the field she takes her PDA
with her; before and after, she synchronizes her databases.

While working on Bob the Builder's computer, Alice adds a record for the
Admin password and changes the record for her non-admin password on

While having a quiet beer with Bob at the local pub, Mallory gets hold of
the PDA while Alice is getting a round of drinks. He cannot read the
database; however, he changes a few bytes just for fun.

The next morning Alice tries to synchronize her database; however, it
fails to open due to Mallory's modifications.

Carol follows a similar process to Alice; however, she uses unencrypted
(U|G)UIDs and timestamps. While she is getting her round of drinks, Mallory,
who knows the format of the database, changes random bytes in a
number of records and the timestamps of those records. When Carol
synchronizes her PWS she will copy the corrupted records over the top of
her correct records on her PC. When she opens her database she finds
that she has corrupted both her databases.

> I'm not sure what your point is. Yes, data can be corrupted. But
> encrypted data can be corrupted just as easily (even more easily) than
> unencrypted data. The timestamp & GUID provide no information that could
> be used to decrypt the data, which is the important part.
> James Curran
> (Hopefully, I've set Outlook to fool sourceforge into setting this directly
> to the list).
> -----Original Message-----
> From: passwordsafe-devel-admin@...
> [mailto:passwordsafe-devel-admin@...] On Behalf Of Dave
> Sent: Friday, November 25, 2005 6:36 PM
> To: James Curran/MVP
> Cc: passwordsafe-devel@...
> Subject: Re: [Passwordsafe-devel] Validation flaw addressed in version 2.14
> If you have unencrypted timestamps and GUIDs, an attacker (Eve i
> could change some of the timestamps and GUIDs, and this would cause them
> to override your correct data.
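
Added example, not part of the original thread and not Password Safe's code: Carol's scenario as a newest-timestamp-wins merge, run once trusting the plaintext metadata and once verifying a MAC over id, timestamp and body before merging. The record layout, the key, the ids and the sample bodies are all constructed assumptions.

```python
import hashlib, hmac, struct, uuid

KEY = b"constructed-demo-key"  # assumption: MAC key derived from the master passphrase
U1, U2 = uuid.UUID(int=1), uuid.UUID(int=2)  # constructed record ids

def tag(rec_id, ts, body):
    # Fixed-width id and timestamp make the MAC input unambiguous.
    msg = rec_id.bytes + struct.pack(">Q", ts) + body
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def make_record(rec_id, ts, body):
    return {"id": rec_id, "ts": ts, "body": body, "mac": tag(rec_id, ts, body)}

def is_authentic(rec):
    return hmac.compare_digest(rec["mac"], tag(rec["id"], rec["ts"], rec["body"]))

def sync(local, remote, verify):
    """Newest-timestamp-wins merge of remote into local; returns (merged, rejected ids)."""
    merged, rejected = dict(local), []
    for rec_id, rec in remote.items():
        if verify and (rec["id"] != rec_id or not is_authentic(rec)):
            rejected.append(rec_id)   # tampered metadata or body: keep the local copy
            continue
        if rec_id not in merged or rec["ts"] > merged[rec_id]["ts"]:
            merged[rec_id] = rec
    return merged, rejected

def demo():
    good = make_record(U1, 100, b"enc(user-password)")
    pc = {U1: good}
    pda = {U1: dict(good), U2: make_record(U2, 150, b"enc(admin-password)")}
    # Constructed tampering: bytes changed in the body, timestamp moved forward.
    pda[U1].update(ts=999, body=b"enc(\x00\xff\x00r-password)")
    naive, _ = sync(pc, pda, verify=False)
    checked, rejected = sync(pc, pda, verify=True)
    return naive, checked, rejected
```

With verification off, the corrupted copy replaces the good record on the PC; with it on, that record is rejected while the legitimately added one still syncs.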