Summary: | [Feature Request] Add support for encryption algorithms other than Blowfish and GPG | ||
---|---|---|---|
Product: | [Frameworks and Libraries] frameworks-kwallet | Reporter: | Celeste Liu <CoelacanthusHex> |
Component: | general | Assignee: | Valentin Rusu <valir> |
Status: | REPORTED --- | ||
Severity: | normal | CC: | arthur200126, eric, kdelibs-bugs, mk.mateng, rsimmons0 |
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | unspecified | ||
OS: | All | ||
Latest Commit: | Version Fixed In: |
Description
Celeste Liu
2021-10-23 06:37:18 UTC
Gnome-keyring has used AES128 and SHA256 for a long time, but kwallet still uses Blowfish and SHA1. This is bad for our users' security.

It should be emphasized that Blowfish has not yet been broken at all, and that the way Kwallet uses SHA1 (amateur KDF, essentially) is not attacked either — for now.

It is true that SHA1 has been "broken", but Kwallet since 4.13 has been using proper PBKDF2_SHA512. This is not to say moving up to a more commonly used / "modern" pair like AES-scrypt or chacha20-argon2 is useless — more eyes on an algo is always a good thing; rather, any benefit from such a move needs to be balanced against additional complexity in data structure and versioning information.

(In reply to Mingye Wang from comment #2)
> rather, any benefit
> from such a move needs to be balanced against additional complexity in data
> structure and versioning information.

One thing that can be noticed is that there is a block cipher abstraction layer in the code of kwallet for adding other block encryption algorithms in the future. I think the original designer planned to add other algorithms, but we don't know why it was shelved.

https://github.com/KDE/kwallet/tree/master/src/runtime/kwalletd/backend

*** Bug 276634 has been marked as a duplicate of this bug. ***

*** Bug 281237 has been marked as a duplicate of this bug. ***