Autor: Robert Ransom Data: Para: The Tails public development discussion list Asunto: Re: [Tails-dev] Please review & merge
feature/install-password-manager
Some issues in keepassx 0.4.3-1ubuntu3 (according to the changelogs,
nothing I'm pointing out is fixed in Debian's 0.4.3-2):
* The icons in share/keepassx/icons/ appear to be from the Oxygen
theme, and appear to be missing both their copyright and license
information (Oxygen is LGPL) and their preferred form for modification
(especially clientic.png).
* src/lib/random.cpp will use fake entropy produced by a
non-cryptographic PRNG with a 32-bit seed if it fails to open or read
from /dev/urandom.
* src/dialogs/CollectEntropyDlg.cpp records the (low-entropy) sequence
of keys pressed by the user, and discards the keystroke event timings
which contain most of the entropy.
* It uses the Gladman implementation of AES, which makes no attempt to
resist timing side-channel attacks. (It also supports using Twofish
to encrypt password databases; Twofish cannot be implemented
efficiently without side-channel leaks.)
* It also includes an RC4 implementation (RC4 also cannot be
implemented efficiently without side-channel leaks), and uses a single
global RC4 key to ‘encrypt’ multiple strings in memory (see
src/lib/SecString.[hc]) by XORing each of them with (part of) the same
sequence of keystream bytes.
The cryptography used on disk should be adequate, aside from the
side-channel leaks and the fake RNGs. (It encrypts the whole file
using a block cipher in CBC mode with a random IV and mediocre
integrity protection.)
The other password managers you've considered are probably at least as
bad as this one.
:%0A>%20%0A>%20*%20The%20icons%20in%20share/keepassx/icons/%20appear%20to%20be%20from%20the%20Oxygen%0A>%20theme,%20and%20appear%20to%20be%20missing%20both%20their%20copyright%20and%20license%0A>%20information%20(Oxygen%20is%20LGPL)%20and%20their%20preferred%20form%20for%20modification%0A>%20(especially%20clientic.png).%0A>%20%0A>%20*%20src/lib/random.cpp%20will%20use%20fake%20entropy%20produced%20by%20a%0A>%20non-cryptographic%20PRNG%20with%20a%2032-bit%20seed%20if%20it%20fails%20to%20open%20or%20read%0A>%20from%20/dev/urandom.%0A>%20%0A>%20*%20src/dialogs/CollectEntropyDlg.cpp%20records%20the%20(low-entropy)%20sequence%0A>%20of%20keys%20pressed%20by%20the%20user,%20and%20discards%20the%20keystroke%20event%20timings%0A>%20which%20contain%20most%20of%20the%20entropy.%0A>%20%0A>%20*%20It%20uses%20the%20Gladman%20implementation%20of%20AES,%20which%20makes%20no%20attempt%20to%0A>%20resist%20timing%20side-channel%20attacks.%20%20(It%20also%20supports%20using%20Twofish%0A>%20to%20encrypt%20password%20databases;%20Twofish%20cannot%20be%20implemented%0A>%20efficiently%20without%20side-channel%20leaks.)%0A>%20%0A>%20*%20It%20also%20includes%20an%20RC4%20implementation%20(RC4%20also%20cannot%20be%0A>%20implemented%20efficiently%20without%20side-channel%20leaks),%20and%20uses%20a%20single%0A>%20global%20RC4%20key%20to%20%E2%80%98encrypt%E2%80%99%20multiple%20strings%20in%20memory%20(see%0A>%20src/lib/SecString.%5Bhc%5D)%20by%20XORing%20each%20of%20them%20with%20(part%20of)%20the%20same%0A>%20sequence%20of%20keystream%20bytes.%0A>%20%0A>%20The%20cryptography%20used%20on%20disk%20should%20be%20adequate,%20aside%20from%20the%0A>%20side-channel%20leaks%20and%20the%20fake%20RNGs.%20%20(It%20encrypts%20the%20whole%20file%0A>%20using%20a%20block%20cipher%20in%20CBC%20mode%20with%20a%20random%20IV%20and%20mediocre%0A>%20integrity%20protection.)%0A>%20%0A>%20%0A>%20The%20other%20password%20managers%20you've%20considered%20are%20probably%20at%20least%20as%0A>%20bad%20as%20this%20one.%0A>%20%0A>%20%0A>%20Robert%20Ransom%0A>%20%0A>%20 "Responder a esta mensaxe"){kind=icon}