KWallet weaknesses (was: [PATCH] Make pinentry-qt read and store passphrases in KDE 3.2's wallet)

Werner Koch wk at
Thu Dec 4 16:19:53 CET 2003

On Thu, 4 Dec 2003 11:50:18 +0100, Ingo Klöcker said:

> BTW, AFAIK KWallet hasn't been audited by anyone (except George). Or has 
> it?

I just browsed over it and figured some of the usual crypto beginner's

 * No initialization vector used in CBC mode -> FATAL problem.

 * Passphrase to key conversion is not one of the standards like
   pkcs#5 or the OpenPGP S2K method.  Instead a simple brute force
   thing is tried by repeating the hashing of the hash 2000 times.  I
   also found no salt!

 * The protocol used is not described.

 * The plaintext files seem to be filled with random during
   initialization.  I can't see a reason for this.  This won't replace
   an IV.

I may have not grasped everything in the code and thus I better
apologize in advance.  Having said this, the bottom line is that using
KWallet as it stands now seems to be a major security problem.  It
might be wise to tell George to read Peter Gutmann's recent papers on
the deficiencies of various VPN protocols.


Werner Koch                                      <wk at>
The GnuPG Experts                      
Free Software Foundation Europe        
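
Added example, not part of the original message and not KWallet's code: a sketch of what the first two points in the list mean in practice, comparing an unsalted iterated hash and IV-less CBC with PKCS#5 PBKDF2 plus a random salt and IV. It assumes SHA-1 as the hash, models "no IV" as an all-zero IV, and uses a toy Feistel cipher as a stand-in for a real block cipher; all function names and sample data are constructed for illustration.

```python
import hashlib, hmac, os

BLOCK = 16  # block size of the toy cipher below, in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def unsalted_kdf(passphrase, rounds=2000):
    # The pattern criticised in the post: hash the hash repeatedly, no salt.
    digest = hashlib.sha1(passphrase).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(digest).digest()
    return digest

def pkcs5_kdf(passphrase, salt, rounds=2000):
    # PKCS#5 PBKDF2; the round count is kept at 2000 only for comparison.
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, rounds)

def toy_block_encrypt(key, block):
    # 4-round Feistel stand-in for a real block cipher (illustration only).
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key, iv, plaintext):
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def weak_wallet(passphrase, plaintext):
    # Assumption: "no IV" is modelled as an all-zero IV.
    return cbc_encrypt(unsalted_kdf(passphrase), bytes(BLOCK), plaintext)

def strong_wallet(passphrase, plaintext):
    # Fresh salt and IV per file, stored in the clear ahead of the ciphertext.
    salt, iv = os.urandom(16), os.urandom(BLOCK)
    return salt + iv + cbc_encrypt(pkcs5_kdf(passphrase, salt), iv, plaintext)

def equal_leading_blocks(c1, c2):
    # Number of identical ciphertext blocks at the start of both files.
    pairs = zip(range(0, len(c1), BLOCK), range(0, len(c2), BLOCK))
    n = 0
    for i, _ in pairs:
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n

# Constructed sample data: same passphrase, same first two plaintext blocks.
A = b"site=example.org" + b"user=alice".ljust(16) + b"pw=correct-horse"
B = b"site=example.org" + b"user=alice".ljust(16) + b"pw=battery-stapl"
```

With the same passphrase, the two weak files share their leading ciphertext blocks for as long as the plaintexts agree, and the derived key is identical for every user who picks that passphrase; the salted, IV-carrying variant shares nothing.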
