Bug 122942

Summary: No proof that KWallet is secure; need details
Product: [Applications] kwalletmanager Reporter: Tristan Miller <psychonaut>
Component: generalAssignee: Unknown <null>
Status: RESOLVED FIXED    
Severity: normal CC: maestro_4
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Tristan Miller 2006-03-01 23:49:27 UTC 
Version:            (using KDE KDE 3.5.1)
Installed from:    SuSE RPMs

According to the KWallet Handbook, "the wallet subsytem provides a convenient and secure way to manage all your passwords", and that data is saved "in a strongly encrypted file".

I'm sorry, but simply stating that the data is "encrypted" doesn't reassure me.  Can you please add details to the documentation indicating what method of encryption is used?  There are far too many snake-oil cryptography programs out there that use trivially breakable schemes, such as simple ciphers, or simply "security by obscurity".  What proof do we have that KWallet is any different from these systems?

PGP may be "tedious and inconvenient", as the KWallet manual says, but it also happens to be secure.  If I knew that KWallet was using GnuPG (or something similar) as a backend, I would feel a lot safer.  On the other hand, if the encryption scheme is just something the KWallet developers dreamed up, then it's almost certainly not safe to use for sensitive data.
Comment 1 Tristan Miller 2006-03-02 00:05:59 UTC 
George, I just found your paper on KWallet at <http://www.staikos.net/~staikos/papers/2003/kwallet-kastle-2003.ps>.  It might refer to a much older version of KWallet, but contains a lot of information useful to people who want to be assured that KWallet is secure.  For example, you explain that you use Blowfish, SHA-1, and MD5.  It's good to know that you are using standard encryption and hashing functions rather than rolling your own, but this information should go in the KWallet documentation, not hidden on a personal website somewhere.  Advanced users won't recommend KWallet to each other or to novice users unless they have this information.
Comment 2 Ned Boony 2006-03-22 10:01:15 UTC 
AGREED. 100%.
Comment 3 Jürgen Starek 2007-07-24 18:04:33 UTC 
*** This bug has been confirmed by popular vote. ***
Comment 4 Jaime Torres 2010-01-07 19:37:31 UTC 
SVN commit 1071214 by jtamate:

BUG: 122942
CC: kde-i18n-doc@kde.org
Include some more information about how the encrypted data is managed by kwallet.
http://reviewboard.kde.org/r/2388/

 M  +12 -3     index.docbook  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1071214