desktop-packages team mailing list archive

[Bug 1158373] Re: Use of insecure crypto for storing passwords

 

** Information type changed from Private Security to Public Security

** Changed in: remote-login-service (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to remote-login-service in Ubuntu.
https://bugs.launchpad.net/bugs/1158373

Title:
  Use of insecure crypto for storing passwords

Status in remote-login-service package in Ubuntu:
  Confirmed

Bug description:
  remote-login-service caches the information returned from the server
  (including usernames and passwords) by encrypting it and storing it in
  a file.

  The crypto used for the file is totally wrong and insecure. It is
  trivial to perform an attack on this file and recover the contents and
  the user password.

  In crypt.c:

  - A password should not be used as an AES encryption key. The user password, along with a salt, should be put through a key-derivation function such as PBKDF2 before being used as the AES key.
  - The key should not be used as the IV. The IV needs to be random.
  - Cipher should at least be GCRY_CIPHER_AES256

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/remote-login-service/+bug/1158373/+subscriptions
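
The key handling the bug description asks for, as an added example that is not code from remote-login-service: a 256-bit key derived from the password with PBKDF2 and a per-file salt, plus an IV drawn independently from the OS random source. The file magic, header layout, iteration count and function names are assumptions made for this sketch; the salt and IV are not secret and are stored in clear so the key can be re-derived, and the AES call itself is left to the crypto library.

```python
import hashlib
import os
import struct

MAGIC = b"RLSC"          # hypothetical file magic for this example
KEY_LEN = 32             # 256-bit key, the size AES-256 expects
SALT_LEN = 16
IV_LEN = 16              # AES block size
ITERATIONS = 600_000     # assumed work factor; tune for the target hardware
_HEADER = struct.Struct(f">4sI{SALT_LEN}s{IV_LEN}s")  # magic, iterations, salt, IV


def new_header(iterations=ITERATIONS):
    """Fresh random salt and IV, generated on every write of the cache file."""
    return {"iterations": iterations,
            "salt": os.urandom(SALT_LEN),
            "iv": os.urandom(IV_LEN)}


def derive_key(password, header):
    """PBKDF2-HMAC-SHA256 over the password and the per-file salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               header["salt"], header["iterations"], KEY_LEN)


def pack_header(header):
    """Serialize the public parameters that precede the ciphertext."""
    return _HEADER.pack(MAGIC, header["iterations"],
                        header["salt"], header["iv"])


def parse_header(blob):
    """Read the parameters back; reject short or foreign files."""
    if len(blob) < _HEADER.size:
        raise ValueError("cache file too short for header")
    magic, iterations, salt, iv = _HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("not a cache file written by this example")
    return {"iterations": iterations, "salt": salt, "iv": iv}
```

Because the salt and IV change on every write, the same password never yields the same key and IV pair twice, which is the property the password-as-key, key-as-IV scheme lacks.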