password and keys

Chris Green cl at isbd.net
Wed Oct 21 08:29:26 UTC 2015


On Wed, Oct 21, 2015 at 08:37:52AM +0200, Gary J. Kirkpatrick wrote:
>    I added a password to Passwords and Keys.  I can unlock the "Login" but
>    Gnome is another matter.  This wasn't an issue before I added a
>    password to password and keys so no one who got into my computer could
>    see all the stored passwords.
>    I encrypted my files at installation.  I have the key for that but it
>    does not work on Gnome key storage under Certificates.  I thought
>    perhaps I confused an O for a 0 but that did not make any difference.
>    Is the encrypt password the one to use at Gnome key storage under
>    Certificates?
>    There are "key servers" under Preferences. So I selected to publish
>    and automatically receive keys.  So far nothing has changed.  I am not
>    sure what this feature does.  It does not make sense from a security
>    point of view to allow someone to retrieve the key so easily.
>    thanks for any assistance
>    garyk

Not an answer to your question I'm afraid - but, in my opinion, the
keyring/secrets/passphrases handling in Gnome/Ubuntu is a total mess.
Its complexity makes managing security difficult and I'm sure, as a
result, lots of people have much less secure systems than they think
they have.

Part of the problem is that gpg (among others) is complex and has so
many options one rapidly gives up reading the man page.

Simple tasks like keeping passwords or encrypting a few data files are
not easy to do with the standard tools.  There are lots of small
programs one can install to do these jobs but they are often old[ish]
and use poor security mechanisms.

I used to use vi/vile's 'crypt' mechanism to keep a few files
encrypted, it's very old (compatible with the original vi) but it's
dead easy to use.  I decided to update to a more secure mechanism and
it turned out to be much more difficult than it should be.

One thing I discovered on the way, there's a *big* weakness in the way
Gnome/GPG (and other distributions) does things.  Although the actual
encryption of data is, generally, very secure the passphrase used to
protect the key used for encryption *isn't* particularly secure.  The
passphrase is hashed to create a 128-bit or 256-bit (or whatever) key
and the key is used to encrypt the data.  Brute forcing the key to get
the passphrase isn't difficult *unless* the hashing mechanism takes a
long time (in computing terms).  The default hashing algorithm isn't
slow enough to be secure.  This weakness applies to lots of the
encrypting utilities as well, e.g. I thought ccrypt sounded secure
until the hashing algorithm was investigated.

-- 
Chris Green
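As an added illustration of the passphrase-hashing point in the mail above (example code, not from the mail, GnuPG or Gnome): the same passphrase is turned into a key once with a bare hash and once with a stretched KDF, PBKDF2 is written out by hand to show where the slowness comes from, and a rough timing shows how much each variant slows down a guess. The passphrase, salt and search space are constructed values.

```python
import hashlib
import hmac
import time

# Constructed sample inputs for the demonstration (not from the mail).
PASSPHRASE = b"correct horse"
SALT = b"constructed-salt"

def fast_kdf(passphrase: bytes, salt: bytes) -> bytes:
    """A single SHA-256 over salt+passphrase: the 'not slow enough' derivation."""
    return hashlib.sha256(salt + passphrase).digest()

def stretched_kdf(passphrase: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """The same derivation stretched with PBKDF2-HMAC-SHA256 (OpenSSL-backed)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)

def pbkdf2_by_hand(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 written out for one 32-byte block, to show why it is slow:
    every iteration is another HMAC a guesser cannot skip or parallelise away."""
    u = hmac.new(passphrase, salt + b"\x00\x00\x00\x01", hashlib.sha256).digest()
    t = u
    for _ in range(iterations - 1):
        u = hmac.new(passphrase, u, hashlib.sha256).digest()
        t = bytes(a ^ b for a, b in zip(t, u))
    return t

def derivations_per_second(kdf, samples: int = 5) -> float:
    """How many passphrase->key derivations per second this machine manages.
    (Single-threaded CPython; dedicated hardware runs the fast variant far faster.)"""
    start = time.perf_counter()
    for i in range(samples):
        kdf(PASSPHRASE + str(i).encode(), SALT)  # vary the input each time
    elapsed = time.perf_counter() - start
    return samples / elapsed if elapsed > 0 else float("inf")

def years_to_exhaust(search_space: float, rate: float) -> float:
    """Worst-case time to try every candidate at the measured rate."""
    return search_space / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    space = 26 ** 8  # all 8-letter lowercase passphrases, about 2.1e11 candidates
    for name, kdf in (("sha256 once", fast_kdf),
                      ("pbkdf2 100k", lambda p, s: stretched_kdf(p, s, 100_000))):
        rate = derivations_per_second(kdf)
        print(f"{name:12s} {rate:14.0f} keys/s -> {years_to_exhaust(space, rate):14.2f} years")
```

The iteration count is the knob: raise it until a single derivation costs as much delay as you are willing to accept at unlock time, since that same cost is paid for every guess.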