|
Message-ID: <20150227020059.GA4890@boyd>
Date: Thu, 26 Feb 2015 20:01:00 -0600
From: Tyler Hicks <tyhicks@...onical.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: eCryptfs key wrapping help to crack user password
[adding cve-assign to cc]
On 2015-02-10 16:49:19, Tyler Hicks wrote:
> On 2015-02-10 15:07:24, Sylvain Pelissier wrote:
> > Hi,
> >
> > I have noticed that ecryptfs-utils is the default program used by the
> > Ubuntu distributions for home folder encryption since version 10.04.
> > In this case, a wrapping key is generated from the user password
> > using the hash function SHA-512 applied 65536 times. By default, the
> > wrapping key is hashed with the default fixed salt
> > (0x0011223344556677) and stored in the a file.
> > This was already noticed in bug :
> > https://bugs.launchpad.net/ecryptfs/+bug/906550
> > For Ubuntu installations time-memory trade-off (rainbow tables, etc.)
> > can apply, as well as bulk dictionary attacks to crack user passwords
> > of Ubuntu installations when the home folder encryption is activated.
> > I am currently working to correct this weakness.
>
> Thanks for reporting this issue, Sylvain.
>
> I have confirmed the analysis above and upstream ecryptfs-utils is
> working to correct the problem.
>
> Tyler
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.