Re: Credentials held unencrypted in memory during runtime

From: Simon Large <simon.tortoisesvn_at_gmail.com>
Date: Wed, 13 Apr 2011 09:52:34 +0100

On 12 April 2011 18:28, Simon Large <simon.tortoisesvn_at_gmail.com> wrote:
> On 12 April 2011 18:02, Stefan Küng <tortoisesvn_at_gmail.com> wrote:
>> On 12.04.2011 18:28, Bob Archer wrote:
>>>> On Tue, Apr 12, 2011 at 10:54 AM, Stefan Küng
>>>> <tortoisesvn_at_gmail.com>  wrote:
>>>>> On Tue, Apr 12, 2011 at 16:50, Ron Wilson<ronw.mrmx_at_gmail.com>
>>>> wrote:
>>>>>> If this is truly the case, then SVN is not implemented correctly.
>>>>>> However, that would be for a different mail list.
>>>>>
>>>>> So, how should it be implemented?
>>>>
>>>> I will assume the algorithm used is strong. Therefore the main
>>>> sources
>>>> of weakness would be a fixed key, poor key generation, poor
>>>> handling
>>>> of the key or mistakes in implementation.
>>>
>>> I expect it uses the Windows DPAPI.
>>
>> It uses CryptProtectData to encrypt the auth data on disk.
>> But that only means it's encrypted for those who use text editors to
>> read the files.
>> A simple app can use CryptUnprotectData to decrypt the files again.
>>
>> That's not a bug or a security issue, it's by design and correct.
>> Because the auth cache is there so the user doesn't have to enter that
>> data every time it's needed. Meaning it must be available without the
>> user having to enter yet another password, which implies that the
>> decryption can be done automatically.
>> So: if it can be decrypted automatically, anyone with a compiler can do it.
>>
>> If that was a security issue, all browsers have the same issue because
>> they allow you to save the auth data for websites too.
>
> So the bottom line is, as with web browsers, if your password is that
> sensitive you should not cache it at all. That would be mighty
> inconvenient with TSVN because multiple server round trips are often
> required, each one needing authentication. So you can either cache the
> auth data temporarily and get your work done, or you can opt never to
> cache it and put up with the repeated password prompts. User choice.

Actually I think this statement was incorrect. The in-memory cache is
always used when the user requests not to cache authentication on
disk, so the user choice is only "cache on disk" or "cache in memory
until process exits". There is no option to avoid caching completely.

Simon

-- 
:       ___
:  oo  // \\      "De Chelonian Mobile"
: (_,\/ \_/ \     TortoiseSVN
:   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
:   /_/   \_\     http://tortoisesvn.net
Received on 2011-04-13 10:52:39 CEST
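
The point made in the quoted discussion about CryptProtectData, shown as an added example that is not part of the original mail or of TortoiseSVN's code: a blob protected under the current user's DPAPI scope is recovered by a separate process running as the same user, with no password prompt. It assumes Windows PowerShell 5.1 and uses the .NET `ProtectedData` class, which wraps CryptProtectData/CryptUnprotectData; the secret is a constructed sample.

```powershell
# Added illustration. The secret below is a constructed sample value.
Add-Type -AssemblyName System.Security

$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$sample = 'constructed-sample-password'
$secret = [System.Text.Encoding]::UTF8.GetBytes($sample)

# Protect() wraps CryptProtectData. The caller supplies no key or password:
# DPAPI derives the key from the logged-on user's credentials.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$b64  = [Convert]::ToBase64String($blob)

# Script for a second, unrelated process. It knows only the blob, as if it
# had read it from a cache file on disk.
$childScript = @'
Add-Type -AssemblyName System.Security
$b = [Convert]::FromBase64String('{0}')
$p = [System.Security.Cryptography.ProtectedData]::Unprotect($b, $null, 'CurrentUser')
[System.Text.Encoding]::UTF8.GetString($p)
'@ -f $b64

# -EncodedCommand expects the script as Base64 of its UTF-16LE bytes.
$encoded   = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($childScript))
$recovered = powershell.exe -NoProfile -EncodedCommand $encoded

# The child ran as the same user, so Unprotect() (CryptUnprotectData)
# succeeded without asking for anything.
"Blob length (bytes):        $($blob.Length)"
"Recovered by child process: $recovered"
"Matches original:           $($recovered -eq $sample)"
```

The protection boundary here is the user account, not the application that wrote the blob, which is why the thread treats the on-disk cache as readable by any program the user runs.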

This is an archived mail posted to the TortoiseSVN Users mailing list.